Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
 
 Oh, I guess anyone can say something like "Four years without a remote
 hole in the default install!" on the internet, where anyone is free to

that quote is pure marketing.  they don't count the recent ftpd remote
root hole in that `four years' because they stopped activating ftpd
in the default install of OpenBSD 2.7, which was released only a very
short time before the hole was discovered.  the kernel hole (basically
the same ptrace race the linux kernel had previous to 2.2.19) was only
locally exploitable so that `doesn't count' since it's not remote.

 prove them wrong, and get away with it?  Assuming it is rubbish, as
 you say.

try reading bugtraq.  

 If anyone who reads the posts I made looks at them with an objective
 outlook, they will see that my message is clearly stated.

no it's not, you change your position every time a fallacy is pointed
out.

 Starting services by default is a bad idea.

and you keep pointing at OpenBSD as an example of a distribution that
doesn't start any services, if you had ever actually installed an
OpenBSD box you would see that is not true.  

as for debian services are only started if you install them, a very
logical assumption.  criticising debian's choices in regards to what
services are priority: standard could be a valid argument.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: iptables logging

2001-07-22 Thread Saku Ytti

On Sun, Jul 22, 2001 at 08:18:34AM +0200, Matthias Richter wrote:
 
 You need to tell iptables which packages should be logged. For example:
 
 iptables -N log # This table logs and hands package over to delete
 iptables -N delete # This table rejects anything
 
 iptables -A INPUT RULE -j log # Rule to be logged
 iptables -A INPUT RULE -j delete # Rule not to be logged
 
 iptables -A log -j LOG --log-prefix "Rejected: " # be verbose in syslog
 iptables -A log -j delete # hand over package to delete
 
 iptables -A delete -j REJECT # gracefully reject package
 
 It would be bad to have iptables log everything by default -- man DOS

No not really, you can use limit-module and define at which rate in maximum
will you choose to LOG matching entries. 

-- 
++ytti


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
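The log/reject chain pair from Matthias' message with the rate limit Saku mentions, as an added example that is not code from either post: the limit match sits in front of LOG, so a flood of rejected packets cannot fill syslog. It assumes iptables on a Linux box and root when applying; the rate, burst and sample INPUT rules are constructed values.

```shell
#!/bin/sh
# Added example: "log" records (rate-limited) and hands over to "delete",
# which rejects; anything sent straight to "delete" is rejected silently.
# LOG_RATE/LOG_BURST are constructed defaults, overridable from the environment.
LOG_RATE="${LOG_RATE:-5/minute}"   # average LOG entries allowed per minute
LOG_BURST="${LOG_BURST:-10}"       # entries allowed in a burst before the limit bites

# Run iptables, or with DRY_RUN=1 print the command so the rules can be reviewed.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables'
        for arg in "$@"; do
            case $arg in
                *' '*) printf " '%s'" "$arg" ;;   # keep the prefix's trailing space visible
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        iptables "$@"
    fi
}

setup_chains() {
    ipt -N log
    ipt -N delete
    # Only packets under the limit reach LOG; the rest fall through to "delete".
    ipt -A log -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix 'Rejected: '
    ipt -A log -j delete
    ipt -A delete -j REJECT
}

# Hook rules: match arguments are passed through, e.g. "-p tcp --dport 23".
reject_logged()   { ipt -A INPUT "$@" -j log; }
reject_silently() { ipt -A INPUT "$@" -j delete; }

# Constructed sample policy: log telnet attempts, drop NetBIOS noise without logging.
sample_policy() {
    setup_chains
    reject_logged   -p tcp --dport 23
    reject_silently -p udp --dport 137:139
}

# By default only print the rules; APPLY=1 runs them for real (needs root).
if [ "${APPLY:-0}" != 1 ]; then
    DRY_RUN=1
fi
sample_policy
```

Watch the kernel log after applying: with the limit in place a port scan shows up as a handful of "Rejected:" lines per minute instead of one per probe.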




Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 12:34:50AM -0500, Nathan E Norman wrote:
 On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
  PS We don't give guns to children, do we?
 
 What the hell does this have to do with running services on a freaking
 computer connected to the Internet?  You are beginning to sound like a
 troll.

You don't give a gun to a child because it is likely they will hurt
themselves or others because they don't know what it does.

Similarly, running a service without knowing what it does can hurt
the operator, and leave their box open to attacks being launched
from their box, thereby hurting others.

I think it is quite fitting.
 
 HINT: It's difficult to kill someone with a computer without regard to
 whether the computer operator is a child.  Obfuscating the issue with
 inane comparisons to loaded political issues generally means you can't
 argue your original position effectively.
 
Well, it's kind of hard to argue a point, when people start steering
the discussion in bizarre directions.  I thought maybe I had to
put it in simpler terms.  Apparently that was not a good idea, as now
that has borne yet another pointless post.

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means, you will be moving, which means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?

or:

WARNING: Coffee is served HOT! [0]

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

[0] for those who don't remember there was a case some years ago where
a woman sued McDonalds after she spilled a cup of their coffee in her
lap and as a result was burned, her argument was that she didn't know
coffee was hot.

This is why to this day McDonalds' coffee cups have a warning printed
all around them saying: WARNING COFFEE IS HOT!!  -- at least in the
lawsuit happy US.



Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sat, Jul 21, 2001 at 11:39:36PM -0700, Jacob Meuser wrote:
 I think it is quite fitting.

i think a 21st century variant of Godwin's law is developing.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement

2001-07-22 Thread Steven Barker

On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

snip

 No, I'm simply saying not to start services immediately.

snip

Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea.  The trouble with the current system is that installed
daemons automatically start running with a default configuration.  This is
not always bad, but does not allow a paranoid sysadmin to protect themselves
(short of ugly workarounds like taking down the network interface until the
server is shut off).

I think that there should be a way to install a debian server package
without having the installation scripts start the server.  This need not be
default, but it should be possible.

I'm sure there are many ways this could work.  Perhaps:

root@foobar:/etc# apt-get install --no-run apache

would download, install and configure apache, but not run it.  When the
sysadmin was satisfied with the configuration files, etc, then update-rc.d
and such could be run by hand (or by another call to apt-get/dpkg with
another flag).

This would have to be both a policy change and a technical change in apt
and/or dpkg.  I think it would be a good compromise between security and the
simplicity of apt-get install foo.

-- 
Steven Barker  [EMAIL PROTECTED]
  Perhaps, after all, America never has been discovered.  I myself would
  say that it had merely been detected.
-- Oscar Wilde
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means, you will be moving, which means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?
 
 SCNR
 
Well, someone has decided to attack me for using an analogy, so I will
refrain from saying how this doesn't go with what I'm saying.

What I would like is for packages to not start a service immediately
upon installation.  I don't want the installation of packages to
put links in /etc/rc?.d.  IF not that, then something like:

- WARNING --

Apache by default listens on port 80.  Apache is now listening for
incoming internet connections on port 80.  Links have been installed
in /etc/rc?.d, so that this machine will be listening for connections
on port 80 every time this machine is booted.
Because you are running a service, it is VERY important that you
read and follow the advice at http://www.debian.org/security/



[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Nathan E Norman

On Sun, Jul 22, 2001 at 12:01:55AM -0700, Jacob Meuser wrote:
 Well, someone has decided to attack me for using an analogy, so I will
 refrain from saying how this doesn't go with what I'm saying.

Oh, grow up.  I did not attack you, I questioned the wisdom of
comparing running services on a computer to the politically loaded
question of guns.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: red worm amusement

2001-07-22 Thread Hubert Chan


 Jacob == Jacob Meuser [EMAIL PROTECTED] writes:

Jacob What I would like is for packages to not start a service
Jacob immediately upon installation.  I don't want the installation of
Jacob packages to put links in /etc/rc?.d.  IF not that, then
Jacob something like:

[cut]

I'm not sure that would be an effective warning, and it may even be
confusing to people, as it does not indicate that there is a potential
security risk, but just tells them to read the security pages.

Maybe something more like (disclaimer: it's late and I'm tired, so I
can't write a proper warning, but hopefully this should be enough to get
the idea across):

WARNING:
Apache has been started.  Web servers in general potentially open up a
large security hole.  By running Apache, you may be vulnerable to [[list
the relevant types of attacks]].  If you are not sure about what you are
doing, please stop Apache at the first available moment by running
/etc/init.d/apache stop and by removing the relevant links in
/etc/rc?.d, and please read http://www.debian.org/security/.  When you
are confident that you know what you're doing then you may re-enable
Apache.

Having said that, I'll toss in my vote for not starting the services
immediately on installation.  At least give the admin a chance to
configure it.

Or something like exim, where you configure it in the installation
process, before it gets started.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
 On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
  
  Oh, I guess anyone can say something like "Four years without a remote
  hole in the default install!" on the internet, where anyone is free to
 
 that quote is pure marketing.  

Marketing?  OpenBSD has about as much of an advertising dept as does
Debian.  None.

 they don't count the recent ftpd remote
 root hole in that `four years' because they stopped activating ftpd
 in the default install of OpenBSD 2.7, which was released only a very
 short time before the hole was discovered.

And so the default install was not vulnerable to remote attacks.  Like
any other OS, you must update when updates are available.

 the kernel hole (basically
 the same ptrace race the linux kernel had previous to 2.2.19) was only
 locally exploitable so that `doesn't count' since its not remote.

Exactly.  The claim is that there is no REMOTE exploit.
 
  If anyone who reads the posts I made looks at them with an objective
  outlook, they will see that my message is clearly stated.
 
 no its not you change your position every time a falicy is pointed
 out.  

What?  What?  I'm sorry, say that again.  What fallacies are you talking
about?  My position is, and always has been, that 'apt-get install'
should not start the service, and should not put startup links in
/etc/rc?.d.
 
 and you keep pointing at OpenBSD as an example of a distribution that
 doesn't start any services, if you had ever actually installed an
 OpenBSD box you would see that is not true.  

You have a short memory don't you Ethan?  The last time I mentioned
OpenBSD on this list, you jumped all over me like you have this time.
Do you have something against OpenBSD?  Was your experience with
OpenBSD 2.6 that bad?  What, did you ask some silly question on an
OpenBSD mailing list, and get flamed so bad you're still burning?
I happen to be using OpenBSD to write this email.  Next to me is my
OpenBSD server, and when I send this message, it will go through
my OpenBSD firewall.  Are you offended by the number of times I just
wrote OpenBSD?  I never claimed OpenBSD doesn't start ANY services.


 as for debian services are only started if you install them, a very
 logical assumption.

Not really.  Someone just posted an example of where he installed
apache, but only needed it for a very short while.  It is logical
to assume that if a package is installed, it is for a reason.  It
is not logical to assume that there is a need to start it immediately,
and every time the machine is booted.

 criticising debian's choices in regards to what
 services are priority: standard could be a valid argument.

I'll leave that to you.

[EMAIL PROTECTED] 






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 02:03:23AM -0500, Nathan E Norman wrote:
 
 Oh, grow up.  I did not attack you, I questioned the wisdom of
 comparing running services on a computer to the politically loaded
 question of guns.
 
You are beginning to sound like a troll. - Nathan E Norman

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread CaT

On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
 On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
  On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
   
   Oh, I guess anyone can say something like "Four years without a remote
   hole in the default install!" on the internet, where anyone is free to
  
  that quote is pure marketing.  
 
 Marketing?  OpenBSD has about as much of an advertising dept as does
 Debian.  None.

You don't need a marketing department to practice the 'art' of marketing.

  they don't count the recent ftpd remote
  root hole in that `four years' because they stopped activating ftpd
  in the default install of OpenBSD 2.7, which was released only a very
  short time before the hole was discovered.
 
 And so the default install was not vulnerable to remote attacks.  Like

Debian's default install is not vulnerable to attacks either. Your point?

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread CaT

On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
 On Sun, Jul 22, 2001 at 12:54:49PM +1000, CaT wrote:
  
  You know. You're right. We should make it as difficult as possible
  to install software. Right down to removing makefiles from source
  repositories and rot13ing the source code because the harder it is
  to install a piece of software, the more secure a box is.
 
 No, I'm simply saying not to start services immediately.  I mean really,

That wasn't what you were saying before. You were saying that the
ease of install you get with apt-get is bad. This is a rather different
issue.

 who in their right mind starts a service without looking at the config
 files?  How hard is it to add the links from /etc/rc?.d to /etc/init.d
 (isn't there script to do this anyway)?

Some packages already practice safety-first. You need to remove an
echo and an exit from the init.d once you're good and ready. This
just has to become more widespread.

Then again, most of the time I install a service (90%) I want it
to start running immediately. apache, ftp etc I compile by hand.

  And then the computer you just spent a few grand on will be about
  as useful as a toaster without heating elements.
 
 That's better than them getting sued for a hell of a lot more than they
 paid for their machine because someone launched an attack from their
 machine, and they can't prove they didn't do it.

No machine is 100% secure, except those machines that do not exist.
Anyone who thinks their box is 100% secure has rocks in their heads,
regardless what OS they are running.

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.

I could give a rats @$$ about what is Debian's base system.  Those aren't
installed with apt-get install anyway.  I could give two $#1+$ about
whether or not an OS is secure out of the box.  This is not a question
about OSes, it's a question about installing packages that install 
services.

Please don't try to steer me off course, and then say I keep changing
my position.  It's simply not polite, and rather silly.

[EMAIL PROTECTED] 

On Sun, Jul 22, 2001 at 06:05:18PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
  On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
   On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:

Oh, I guess anyone can say something like "Four years without a remote
hole in the default install!" on the internet, where anyone is free to
   
   that quote is pure marketing.  
  
  Marketing?  OpenBSD has about as much of an advertising dept as does
  Debian.  None.
 
 You don't need a marketing department to practice the 'art' of marketing.
 
   they don't count the recent ftpd remote
   root hole in that `four years' because they stopped activating ftpd
   in the default install of OpenBSD 2.7, which was released only a very
   short time before the hole was discovered.
  
  And so the default install was not vulnerable to remote attacks.  Like
 
 Debian's default install is not vulnerable to attacks either. Your point?
 
 -- 
 CaT ([EMAIL PROTECTED])  *** Jenna has joined the channel.
   cat speaking of mental giants..
   Jenna me, a giant, bullshit
   Jenna And i'm not mental
   - An IRC session, 20/12/2000
 
 






Re: red worm amusement

2001-07-22 Thread CaT

On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.

Then stick to that.

 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.
 
 Please don't try to steer me off course, and then say I keep changing
 my position.  It's simply not polite, and rather silly.

No one is steering you off course. You're doing just that. You mention
that OpenBSD has been secure out-of-the-box for 4yrs and then when
ppl aren't impressed you chuck a hissy fit.

*shrug*

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.
 
 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.

oh so you're trying to slough your own ignorance and incompetence onto
debian because you installed a zillion services and didn't know what
they did thus opening lots of `security holes'.

yeah whatever.

what part of `don't install the service if you don't need it/don't
know how to configure it' don't you understand?  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement

2001-07-22 Thread CaT

On Sun, Jul 22, 2001 at 01:38:23AM -0700, Magus Ba'al wrote:
 "No machine is 100% secure, except those machines that do not
 exist. Anyone who thinks their box is 100% secure has rocks in their
 heads, regardless what OS they are running."
 
 Don't mean to sound like an annoyance, but I have a 100% secure
 computer. It's currently disassembled, with the parts stored in
 different containers, and no OS on the hard drive. Crack that!

*grabs HD and installs it into another pc* ;)

 Sorry, just a poor stab at humor. While I've always been proud that the
 debian list has pretty much been better than any other list at keeping
 flame wars to a minimum, today is an exception. At times this latest
 thread has become well, my cock is bigger, so I'm more right than

it's starting to feel that way.

 you!. Yes, maybe daemons should ask to be started during startup, or
 prompt to be configured like exim. But who's to say that a new user
 won't choose an option that leads them to be vulnerable. When I first

well. that'll be a conscious choice by the user instead of an automated
one I guess.

 started I *know* I made some big mistakes. Maybe Debian should have some

mistakes are what we learn from the best. unfortunately they tend to
have the nastiest of side effects at times (but I guess that's why they
are such great teachers)

 firewall rules that are run to block vulnerable services when they are
 installed and then tell you how to unblock them. Maybe a billion
 different ways it could be, but it's not. I must commend the Debian team
 for maintaining the best distro, IMNSHO. I thought the Debian community

aye. we're dumping redhat/slackware boxes for debian. one of the primary
reasons is the ease with which you can keep the box up to date and secure.

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
  For the last time: I am saying that apt-get install should not immediately
  start a service, and it should not install the startup links in /etc/rc?.d.
 
 Then stick to that.

Please, quote me on where I have contradicted that.

 No one is steering you off course. You're doing just that. You mention
 that OpenBSD has been secure out-of-the-box for 4yrs and then when
 ppl aren't impressed you chuck a hissy fit.
 

I mentioned that OpenBSD has a policy of not starting services by
default.  Ethan Benson went off on how OpenBSD is rubbish.  As
an OpenBSD user, I felt I should point out that he was the one
full of rubbish.  I really don't care whether people think it's
a good idea or not.  I just wish they'd discuss the issue I'm talking
about.  I mean really, Ethan claimed I never installed OpenBSD.  How
could he have ever known whether or not that is true?  Someone called 
ME a troll!?!?!?!?! 






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 12:44:19AM -0800, Ethan Benson wrote:
 what part of `don't install the service if you don't need it/don't
 know how to configure it' don't you understand?  
 
And when, during the installation, or regular use of Debian, is that
message ever displayed to the user?

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  Please, quote me on where I have contradicted that.
 
 Right below.
 
Nothing is contradicting that.

 
 If you only wanted to talk about apt-get you should've stuck to it.
 
Then I'm to ignore all other questions and ideas, as well as personal
comments aimed at me as an individual?

 anyways. i'm bowing out.
 
Since it seems that suggesting that maybe something in Debian is
not perfect, one will be personally ridiculed, and ridiculed further
for replying to those comments, I too am bowing out.

Although I never got any reason why they are started by default, 
other than if a service is installed, it is assumed that the admin
wants it running.  To me, the tiny bit of time saved by the admin
is not worth the potential danger to new users.

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:

  I mentioned that OpenBSD has a policy of not starting services by
  default.  Ethan Benson went off on how OpenBSD is rubbish.  As

no i said the claim that OpenBSD starts no services was rubbish. NOT
that openbsd was rubbish.

  an OpenBSD user, I felt I should point out that he was the one
  full of rubbish.  I really don't care whether people think it's

you're the one who is full of it Jacob.

 If you only wanted to talk about apt-get you should've stuck to it.

yup.

  a good idea or not.  I just wish they'd discuss the issue I'm talking
  about.  I mean really, Ethan claimed I never installed OpenBSD.  How
  could he have ever known whether or not that is true?  Someone called 
  ME a troll!?!?!?!?! 

because you (Jacob) made it quite clear you don't know anything about
OpenBSD by making claims about it which are not true at all.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement

2001-07-22 Thread Jacob Meuser

Alright, I said I was bowing out, but I will reply to this last email.
In my first post, I may not have been completely clear.  I said that
OpenBSD doesn't start services that are insecure.  Now, we all know
that no service is totally secure, so that statement is somewhat of
an oxymoron.  However, no one on any OpenBSD mailing list is telling 
people to turn off the services that are started by default, while 
on this list, everyone is always saying to turn off inetd and
whatever else they are not using.  My point is, why should someone
have to go through the trouble of turning them off?  Why are they
started in the first place, if the advice is to immediately shut them
off?  If a person needs that service then they can turn it on, correct?
This extends to packages that are added to the base system.  I don't
think it's right to assume that one wants to start the service 
immediately.  The argument that you shouldn't install a service if
you don't know what you're doing just doesn't make sense.  If you
never install the package, then how are you going to know anything 
about it?  How are you going to customize a configuration file,
if you have no file to modify?

CaT's reply that packages are starting to be made with provisions to
exit the init script before the service is started, is I guess really
the answer I was looking for.  Is that a new policy?  If it is, I
think it's a good one.

So as not to waste any more innocent bystanders' bandwidth/disk space,
if anyone wishes to further discuss the questions I raised above,
or try to flame me, please send your email to:

[EMAIL PROTECTED]

On Sun, Jul 22, 2001 at 01:57:24AM -0800, Ethan Benson wrote:
 On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
 
   I mentioned that OpenBSD has a policy of not starting services by
   default.  Ethan Benson went off on how OpenBSD is rubbish.  As
 
 no i said the claim that OpenBSD starts no services was rubbish. NOT
 that openbsd was rubbish.
 
   an OpenBSD user, I felt I should point out that he was the one
   full of rubbish.  I really don't care whether people think it's
 
 you're the one who is full of it Jacob.
 
  If you only wanted to talk about apt-get you should've stuck to it.
 
 yup.
 
   a good idea or not.  I just wish they'd discuss the issue I'm talking
   about.  I mean really, Ethan claimed I never installed OpenBSD.  How

   could he have ever known whether or not that is true?  Someone called 
   ME a troll!?!?!?!?! 
 
 because you (Jacob) made it quite clear you don't know anything about
 OpenBSD by making claims about it which are not true at all.
 
 -- 
 Ethan Benson
 http://www.alaska.net/~erbenson/







Re: apt-get install apache (was red worm amusement)

2001-07-22 Thread chandler

I wasn't going to jump in on this thread/flamewar, but since I have been 
bouncing on D in the mailer a lot more than normal the last couple days, I 
feel like one more post won't hurt... so here's two cents worth.

First, I want to encourage list posters in the future to reconsider voicing 
their opinions about non-Debian distributions and Microsoft on this list. I 
think it is possible to discuss sound security without bringing up a *BSD or 
slagging Microsoft. The initial question of "What are these strange GETs in 
my Apache logs" has a simple answer. Asked and answered-- the further 
relevance to Debian is dubious.

Buried in the mess of emails was at least one good comment about how Apache 
is installed on Debian, and it's this topic that I want to comment on.

Having just installed apache on a laptop so I could do some development work 
when off-network, I was surprised (for some reason) to find the service not 
only started up immediately, but also restarted after reboot. I don't know 
why I was surprised, except that it had been a while since I installed a 
service of any type using a package. Maybe I was surprised because almost 
nothing else I've ever done on Debian has been quite that easy. ;)

Similarly, after a recent apt-get dist-upgrade (intended to grab security 
updates only, so should I remove the non security.debian.org URLs from 
/apt/sources?) on my firewall box, I somehow managed to get all of X windows 
installed and a couple of services I didn't want installed AND started AND 
added to /etc/rc*.d. Thankfully X windows still requires startx to get 
going, but the services (junkbuster and wwwoffle) were just there. And while 
reboots on that machine are limited to power outages, it's still extra work 
to administer that stuff into the 'off' position.

To me the lack of warnings or configurability during an apt-get install for a 
service is a questionable practice. It would be nice if the apache install 
had at least asked "Do you want to start this service immediately?" and "Do 
you want to start this service on reboot?" Then I would have been informed 
of the status of the service during install.

Similar questions during dist-upgrade would have informed me that those 
packages (looking harmless enough in the long list of "you are about to 
install"s) actually were services, and would have at least allowed me to keep 
them from starting, if not installing.

-michael
[EMAIL PROTECTED]


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




--no-run option (was: Re: red worm amusement)

2001-07-22 Thread Bernhard R. Link

On Sun, 22 Jul 2001, Steven Barker wrote:

 I think that there should be a way to install Debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.

Why should anyone want to install a server without letting it run?


The standard-config is normally sane, and when you do not think so, place
another config-file there before installing it. ( If you are that paranoid
you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile ,
but also check the whole package before installing it).


 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

Not adding rc.d links is really ridiculous. If you have a computer that
just boots after installing without the chance to change links, then you
should pull out the network cable anyway.

 This would have to be both a policy change and a technical change in apt
 and/or dpkg.  I think it would be a good compromise between security and the
 simplicity of apt-get install foo.

I do not see a necessity for it. Though if you want to supply patches to
carry a --no-run in dpkg via some environment variable to the script and
a patch to dh_xxx to check this, go ahead, but there are more important and
sensible things to do.

Yours faithfully,
  Bernhard R. Link






Re: red worm amusement

2001-07-22 Thread Bernhard R. Link

On Sun, 22 Jul 2001, Jacob Meuser wrote:

 What I would like is for packages to not start a service immediately
 upon installation.

Though I do not understand this, I do not want to argue again, see my
other post...

 I don't want the installation of packages to
 put links in /etc/rc?.d.

Why? Just remove them after installing. No one forces you to reboot just
after installation. And installing a package without wanting to run it
is only a security flaw.


 Apache by default listens on port 80.  Apache is now listening for
 incoming internet connections on port 80.  Links have been installed
 in /etc/rc?.d, so that this machine will be listening for connections
 on port 80 every time this machine is booted.
 Because you are running a service, it is VERY important that you
 read and follow the advice at http://www.debian.org/security/


This is only ridiculous.

The car analogy fits here very well.

Don't get me wrong, I'm not against telling the user if he does
something dangerous. But coffee is hot, and a server lowers security.
Why not also give 5 pages of warnings when configuring a network
connection (which is the real security problem) and make the user
type "Yes, I want to crash my computer" before installing, so that he
really knows what can happen?



Yours faithfully,
  Bernhard R. Link






Re: red worm amusement

2001-07-22 Thread Rainer Weikusat

Jacob Meuser [EMAIL PROTECTED] writes:
 Still not the point.  I'm talking about services being enabled, either 
 by default, or by apt-get.

[...]

 ftpd is not enabled by default.

So imagine someone looking for an ftp server, and, as it happens to be
the case, finds one, say, via locate, in /usr/libexec, which already
has a line corresponding to it in /etc/inetd.conf, though commented
out...

 There are many ways to locally compromise any Unix-like OS,
 therefore it has a rather low priority.

This sounds a bit illogical to me. If there are 'many ways', shouldn't
it rather be 'high priority', especially, as this renders per-daemon
uids basically useless?

 And who's going to teach them?  Certainly not an OS that makes it as
 easy as 'apt-get install apache'!

OSs don't teach people anything, documentation does. Which won't get
read anyway or at least be ignored.

 Maybe you don't get it.  A system that is compromised poses a danger
 to EVERYONE ON THE INTERNET.

So what? Try a cable-cutter.

-- 
stone me






Re: --no-run option (was: Re: red worm amusement)

2001-07-22 Thread Rob VanFleet

Exactly.  It is more of a special case to *not* want a server to start
at boot rather than the other way around.  To those who think that
apt-get install apache is too easy, then why is apt-get remove apache
too hard?

-Rob

On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
 On Sun, 22 Jul 2001, Steven Barker wrote:
 
  I think that there should be a way to install Debian server packages
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.
 
 Why should anyone want to install a server without letting it run?
 
 
 The standard-config is normally sane, and when you do not think so, place
 another config-file there before installing it. ( If you are that paranoic
 you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile ,
 but also check the whole package before installing it).
 
 
  would download, install and configure apache, but not run it.  When the
  sysadmin was satisfied with the configuration files, etc, then update-rc.d
  and such could be run by hand (or by another call to apt-get/dpkg with
  another flag).
 
 Not adding rc.d links is really ridiculous. If you have a computer that
 just boots after installing without the chance to change links, then you
 should pull out the network cable anyway.
 
  This would have to be both a policy change and a technical change in apt
  and/or dpkg.  I think it would be a good compromise between security and the
  simplicity of apt-get install foo.
 
 I do not see a necessity for it. Though if you want to supply patches to
 carry a --no-run in dpkg via some environment variable to the script and
 a patch to dh_xxx to check this, go ahead, but there are more important and
 sensible things to do.
 
 Yours faithfully,
   Bernhard R. Link
 
 






Re: apt-get install apache (was red worm amusement)

2001-07-22 Thread michael

On Sunday 22 July 2001 11:17 am, Rob VanFleet wrote:
 If you're upgrading for
 security and bug fixes, you use upgrade.

 apt-get remove junkbuster wwwoffle --purge
 Not so hard to me.

 Have you ever bothered to lower your message priority in debconf?
 dpkg-reconfigure debconf.  Choose 'low'.

 Learn about the tools before you start to criticize them.

Thanks for the tips and your patience, I certainly have some learning to 
do.






Re: red worm amusement

2001-07-22 Thread Hubert Chan


 Bernhard == Bernhard R Link [EMAIL PROTECTED] writes:

Bernhard On public streets or public places, you are not
Bernhard allowed. Otherwise you are allowed without licence.

True.  And I think that most of us won't care if people have insecure
boxes, if those boxes aren't on the Internet.

Bernhard (And even an licence does not avoid accidents and deaths, it
Bernhard only may reduce them)

True again.  Just as knowing about security or hiring a
security-conscious admin only reduces the chance of getting cracked.

 If we had the same sort of standards for computer use, though, we
 wouldn't have as much of a security problem as we do have.

Bernhard Sure?

Yes.  Because at the minimum, it would inform people about the
importance of paying attention to security.  (Mind you, the standards
that I'm talking about for driving only reflect my North American
experiences.  Germany may be (and I have heard it is) different.)

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.






Re: apt-get install apache (was red worm amusement)

2001-07-22 Thread Kenneth Pronovici

  If you're upgrading for
  security and bug fixes, you use upgrade.

In michael's defense, take this entry from the apt-get manpage:

   dist-upgrade
  dist-upgrade, in addition to performing the function
  of upgrade, also intelligently handles changing
  dependencies with new versions of packages;
  apt-get has a smart conflict resolution system,
  and it will attempt to upgrade the most important
  packages at the expense of less important ones if
  necessary.  The /etc/apt/sources.list file contains
  a list of locations from which to retrieve desired
  package files.

I agree we all need to know the tools we use, and I'll be the first 
to admit that I have learning to do too, just like michael.  However,
the manpage is where I start... and when I read this, it sure seemed 
like a good idea to use dist-upgrade rather than upgrade.  Maybe I 
should have dug deeper to be sure, but...

KEN

-- 
Kenneth J. Pronovici [EMAIL PROTECTED]
Personal Homepage: http://www.skyjammer.com/~pronovic/
I have zero tolerance for zero-tolerance policies.






Re: red worm amusement

2001-07-22 Thread Colin R. R. Johnson

On Sun, 22 Jul 2001, Steven Barker wrote:


 On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

 snip

  No, I'm simply saying not to start services immediately.

 snip

 Well, I'm going to wade into this growing flamewar to point out what I think
 is a sound idea.  The trouble with the current system is that installed
 daemons automatically start running with a default configuration.  This is
 not always bad, but does not allow a paranoid sysadmin to protect themselves
 (short of ugly workarounds like taking down the network interface until the
 server is shut off).

 I think that there should be a way to install Debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.


I think this is a great idea. Also, if dpkg / apt showed what servers were
being set up to run after the initial install, it could be saved to a file.

This would also assist if there was a break-in and a new server running:
you could check against your original list.

 I'm sure there are many ways this could work.  Perhaps:

 root@foobar:/etc# apt-get install --no-run apache

 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

One option here would be a simple [y/n] question whether or not to run the
new service automatically as part of the package install.

--snip--

Colin.
--
Colin Johnson  [EMAIL PROTECTED]
Remember: Everything you see on screen is but ones and zeroes.
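One way to do what Colin suggests, as an added example that is not code from the thread or from dpkg: snapshot the S* start links in the sysv-style /etc/rc?.d directories discussed above, save the list right after an install, and diff a later snapshot against it to spot services that have been enabled (or repointed) since. The directory tree, the service names and the /usr/local/sbin/httpd-wrapper target in demo() are constructed placeholders.

```python
"""Snapshot the services enabled at boot and diff against a saved baseline."""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Runlevels whose start links matter on a sysvinit Debian of this era.
DEFAULT_RUNLEVELS = ("2", "3", "4", "5")


def snapshot_boot_services(etc: Path, runlevels=DEFAULT_RUNLEVELS) -> Dict[str, str]:
    """Map 'rcN.d/SNNname' to its link target for every start (S*) link.

    Only symlinks are expected there; a regular file dropped into rc2.d is
    recorded with a marker target so that it stands out in the diff.
    """
    found: Dict[str, str] = {}
    for rl in runlevels:
        rcdir = etc / f"rc{rl}.d"
        if not rcdir.is_dir():
            continue
        for entry in sorted(rcdir.iterdir()):
            if not entry.name.startswith("S"):
                continue  # K* links are stop links, not services that get started
            target = os.readlink(entry) if entry.is_symlink() else "<not a symlink>"
            found[f"rc{rl}.d/{entry.name}"] = target
    return found


def save_baseline(snapshot: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def diff_boot_services(baseline: Dict[str, str],
                       current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report start links that appeared, vanished, or now point elsewhere."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "retargeted": sorted(k for k in current
                             if k in baseline and baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Run the check against a constructed /etc tree in a temporary directory.

    The tree, the service names and the wrapper path are made up for the
    example; nothing here touches the real /etc.
    """
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "init.d").mkdir()
        (etc / "rc2.d").mkdir()
        for name in ("exim", "apache"):
            (etc / "init.d" / name).write_text("#!/bin/sh\n")
        os.symlink("../init.d/exim", etc / "rc2.d" / "S20exim")
        os.symlink("../init.d/apache", etc / "rc2.d" / "S91apache")

        # Right after the install: record what is enabled at boot.
        baseline_file = etc / "boot-services.json"
        save_baseline(snapshot_boot_services(etc), baseline_file)

        # Later: a package install added a start link, and the apache link
        # was repointed at something other than its init script.
        (etc / "init.d" / "wwwoffle").write_text("#!/bin/sh\n")
        os.symlink("../init.d/wwwoffle", etc / "rc2.d" / "S20wwwoffle")
        os.remove(etc / "rc2.d" / "S91apache")
        os.symlink("/usr/local/sbin/httpd-wrapper", etc / "rc2.d" / "S91apache")

        return diff_boot_services(load_baseline(baseline_file),
                                  snapshot_boot_services(etc))


if __name__ == "__main__":
    for kind, links in demo().items():
        print(f"{kind}: {', '.join(links) or '(none)'}")
```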






Apache + ModSSL

2001-07-22 Thread A . Didit Mifanto

Dear Debian Security:

I have a problem configuring apache + mod_ssl on Debian. 
I have already installed apache and mod-ssl from the Debian site (potato), and in the apache 
error log, I got:

[Mon Jul 23 11:07:10 2001] [notice] Apache/1.3.9 (Unix) Debian/GNU mod_ssl/2.4.10 
OpenSSL/0.9.4 PHP/4.0.3pl1 configured --
resuming normal operations

My question is how to configure httpd.conf so I can access my sites via 
https://www.mysite.com.
Is there any help or documentation on the Debian sites that explains this configuration?


Thanks


Didit









Re: apt-get install apache (was red worm amusement)

2001-07-22 Thread Rob VanFleet

On Sun, Jul 22, 2001 at 07:28:31PM -0500, Kenneth Pronovici wrote:
   If you're upgrading for
   security and bug fixes, you use upgrade.
 
 In michael's defense, take this entry from the apt-get manpage:
 
dist-upgrade
    dist-upgrade, in addition to performing the function
    of upgrade, also intelligently handles changing
    dependencies with new versions of packages;
    ^^^^^^^^^^^^
Yes, but when you're upgrading your existing packages, and the
dependencies have changed to such a degree to require *new* packages,
that almost always implies a major change, such as a stable -> testing
transition, not a security fix for a package in stable (which is what
security.debian.org is for).  Upgrade does exactly as it implies, it
upgrades your existing packages, and under no circumstances installs
anything new, avoiding the whole "I tried to upgrade to some security
fixes and ended up with XFree86 and KDE" issues.

-Rob

   apt-get  has  a smart conflict resolution system,
   and it will attempt to upgrade the  most  important
   packages  at  the expense of less important ones if
   necessary.  The /etc/apt/sources.list file contains
   a  list of locations from which to retrieve desired
   package files.
 
 I agree we all need to know the tools we use, and I'll be the first 
 to admit that I have learning to do too, just like michael.  However,
 the manpage is where I start... and when I read this, it sure seemed 
 like a good idea to use dist-upgrade rather than upgrade.  Maybe I 
 should have dug deeper to be sure, but...
 
 KEN
 
 -- 
 Kenneth J. Pronovici [EMAIL PROTECTED]
 Personal Homepage: http://www.skyjammer.com/~pronovic/
 I have zero tolerance for zero-tolerance policies.
 
 






Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sat, Jul 21, 2001 at 08:21:09PM -0700, Nicole Zimmerman wrote:
 
   last i used OpenBSD (2.6) it started portmap and identd by default at
   the very least, maybe fingerd too i don't remember for sure.
  
  The difference is, those were not exploitable. 
 
 And they are on debian?

It seems everyone on this list YELLS at people who leave rpc.statd
running.  I don't know whether it's exploitable or not, I know
enough to turn it off because I don't use it.  I am not talking about
people who know what they are doing.  I am talking about new users
who have no practical knowledge of the system.  I'm talking about 
protecting them from being immediately vulnerable.  If people are
running services, they should know how to start and stop them, right?

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sat, Jul 21, 2001 at 10:34:56PM -0500, Dana J. Laude wrote:
 On Sat, Jul 21, 2001 at 06:27:00PM -0700  Jacob Meuser wrote:
 
 IMHO, no distribution is secure out of the box.  Hell,
 even OpenBSD has had major blunders in their latest
 release.  Security is, after all... an ongoing issue
 that needs to be dealt with *all* the time.
 
I couldn't agree more.  I never said OpenBSD was more secure than
Debian.  I merely pointed out that I think their policy of not starting
services (perhaps I should qualify that as services that are added
to the default base system) is a good policy.

The only reason I suggested that is because, IIRC, this thread started
with someone bashing M$ because they say it's easy to administer their
products.  I have heard a lot of advocacy for Debian based on ease 
of use.  That's the problem, it's too easy to put yourself in a bad
situation.

[EMAIL PROTECTED]

PS We don't give guns to children, do we?



Re: red worm amusement

2001-07-22 Thread SDiZ Cheng
Microsoft Windows is not really bad, if you know how to admin it.
However, Microsoft gives this on its web site:

http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTZAK.asp
Oh my god... Zero Administration?

Luckily, Debian asks its administrators to check for security updates
periodically.



Re: red worm amusement

2001-07-22 Thread Rob Hudson
 On 20010721.2117, Jacob Meuser said ...

 On Sat, Jul 21, 2001 at 08:21:09PM -0700, Nicole Zimmerman wrote:
  
last i used OpenBSD (2.6) it started portmap and identd by default at
the very least, maybe fingerd too i don't remember for sure.
   
   The difference is, those were not exploitable. 
  
  And they are on debian?
 
 It seems everyone on this list YELLS at people who leave rpc.statd
 running.  I don't know whether it's exploitable or not, I know
 enough to turn it off because I don't use it.  I am not talking about
 people who know what they are doing.  I am talking about new users
 who have no practical knowledge of the system.  I'm talking about 
 protecting them from being immediately vulnerable.  If people are
 running services, they should know how to start and stop them, right?

I'm with you on this one.  I ran 'apt-get install apache' because I
wanted to run it once to configure Samba via Swat.  It irked me that
it started apache right away and set it up to start each time I
rebooted.  Not what I wanted, and I can see your point.  I would much
rather be running a system that depended on me to check the config
before a service started, vulnerability or not.

-Rob





Re: red worm amusement

2001-07-22 Thread Rob VanFleet
On Sat, Jul 21, 2001 at 07:52:02PM -0700, Jacob Meuser wrote:
 And who's going to teach them?  Certainly not an OS that makes it as
 easy as 'apt-get install apache' !

Well, your solution of making it more obfuscated and difficult will
cause even more of a problem.  Many new users will simply say "This is
annoying, I'll install PWS on my Windows box instead."

Now which is more of a 'danger'?

-Rob



Re: red worm amusement

2001-07-22 Thread Nathan E Norman
On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
 PS We don't give guns to children, do we?

What the hell does this have to do with running services on a freaking
computer connected to the Internet?  You are beginning to sound like a
troll.

HINT: It's difficult to kill someone with a computer without regard to
whether the computer operator is a child.  Obfuscating the issue with
inane comparisons to loaded political issues generally means you can't
argue your original position effectively.

Besides, I was a great shot as a child.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: red worm amusement

2001-07-22 Thread Martin Bieder
On Sat, Jul 21, 2001 at 06:27:00PM -0700, Jacob Meuser wrote:
 On Sat, Jul 21, 2001 at 04:32:32PM -0800, Ethan Benson wrote:

 
 Not really what I was getting at.  I was saying this is TOO EASY.
 I'm saying that Debian doesn't do a good enough job of warning
 people about doing these things.  I'm thinking about first time
 users who are not behind a firewall.  I'm thinking about myself two 
 years ago, running apache, mysql, exim, telnetd, portmap, and
 who knows what else, all while directly connected to the internet.
 Sure, I had some idea that running servers could be dangerous, but
 as Debian touts itself as secure, I figured it would tell me if
 I were doing something dangerous.

WARNING: You have started this car! You are about to drive this car.
That means, you will be moving, which means that accidents could be
harmful for you. Do you really want to proceed?

 [Yes]   [No][Abort]



Do you want something like that?

SCNR

Greeting from Unna/Ger
Martin
 



Re: red worm amusement

2001-07-22 Thread Martin Bieder
On Sat, Jul 21, 2001 at 04:39:48PM -0800, Ethan Benson wrote:
 
 fool me once, shame on you, fool me twice shame on me.

Fool me twice?
Our hospital is building a network and needs special software. The
only software we found useful runs under Win. We would have installed
linux, but we are nearly *forced* to use Win.
We are forced to use Win2000 (and not cheaper used licences of NT4) and
office2000 (and not cheaper used licences of office97), because support
for NT and office97 ends in 2002.
I don't want to talk about how M$ interprets support, but these are
facts that impress the people who have to decide.

We are all wearing black...

Greeting from Unna/Ger
Martin



iptables logging

2001-07-22 Thread Jeff Coppock
   What does syslog recognize as iptables log messages?  I tried
   putting iptable.* in syslog.conf, but I'm not seeing messages.
   
   thanks,
   jc
   
-- 

Jeff CoppockNortel Networks
Systems Engineerhttp://nortelnetworks.com
Major Accts.Santa Clara, CA



Re: iptables logging

2001-07-22 Thread Saku Ytti
On Sat, Jul 21, 2001 at 10:59:08PM -0700, Jeff Coppock wrote:

IIRC it uses the kernel facility by default and a configurable log level (via
--log-level). But I'd suggest looking into the ULOG target in
patch-o-matic[1].

 What does syslog recognize as iptables log messages?  I tried
 putting iptable.* in syslog.conf, but I'm not seeing messages.
 
 thanks,
 jc

 -- 
 
 Jeff Coppock  Nortel Networks
 Systems Engineer  http://nortelnetworks.com
 Major Accts.  Santa Clara, CA

Tell the Shasta guys to code a faster Linux client, and hey, while you are at
it make it apt-getable <g>

[1] http://netfilter.samba.org/iptables-1.2.2.tar.bz2

-- 
++ytti



Re: iptables logging

2001-07-22 Thread Matthias Richter
Jeff Coppock wrote on Sat Jul 21, 2001 at 10:59:08PM:
What does syslog recognize as iptables log messages?  I tried
putting iptable.* in syslog.conf, but I'm not seeing messages.

You need to tell iptables which packets should be logged. For example:

iptables -N log # This chain logs and hands the packet over to delete
iptables -N delete # This chain rejects anything

iptables -A INPUT RULE -j log # Rule to be logged (RULE stands for your match)
iptables -A INPUT RULE -j delete # Rule not to be logged

iptables -A log -j LOG --log-prefix "Rejected: " # be verbose in syslog
iptables -A log -j delete # hand the packet over to delete

iptables -A delete -j REJECT # gracefully reject the packet

It would be bad to have iptables log everything by default -- man DoS

Matthias
-- 
Matthias Richter --+- stud. soz.  inf. -+-- http://www.uni-leipzig.de
--GPG Public Key: http://www.matthias-richter.de/gpg.ascii--

· Projekt Deutscher Wortschatz: URL:http://wortschatz.uni-leipzig.de




Re: red worm amusement

2001-07-22 Thread Hubert Chan

 Martin == Martin Bieder [EMAIL PROTECTED] writes:

Martin WARNING: You have started this car! You are about to drive this
Martin car.  That means, you will be moving, which means that accidents
Martin could be harmful for you. Do you really want to proceed?

Martin  [Yes] [No] [Abort]

Umm.  Bad analogy here.  You have to be *tested* before you can drive a
car.  It is not _legal_ to drive without a license.

If we had the same sort of standards for computer use, though, we wouldn't
have as much of a security problem as we do have.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.



Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
 
 Oh, I guess anyone can say something like Four years without a remote
 hole in the default install! on the internet, where anyone is free to

that quote is pure marketing.  they don't count the recent ftpd remote
root hole in that `four years' because they stopped activating ftpd
in the default install of OpenBSD 2.7, which was released only a very
short time before the hole was discovered.  the kernel hole (basically
the same ptrace race the linux kernel had previous to 2.2.19) was only
locally exploitable so that `doesn't count' since it's not remote.

 prove them wrong, and get away with it?  Assuming it is rubbish, as
 you say.

try reading bugtraq.  

 If anyone who reads the posts I made looks at them with an objective
 outlook, they will see that my message is clearly stated.

no it's not, you change your position every time a fallacy is pointed
out.  

 Starting services by default is a bad idea.

and you keep pointing at OpenBSD as an example of a distribution that
doesn't start any services, if you had ever actually installed an
OpenBSD box you would see that is not true.  

as for debian services are only started if you install them, a very
logical assumption.  criticising debian's choices in regards to what
services are priority: standard could be a valid argument.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: iptables logging

2001-07-22 Thread Saku Ytti
On Sun, Jul 22, 2001 at 08:18:34AM +0200, Matthias Richter wrote:
 
 You need to tell iptables which packets should be logged. For example:
 
 iptables -N log # This chain logs and hands the packet over to delete
 iptables -N delete # This chain rejects anything
 
 iptables -A INPUT RULE -j log # Rule to be logged (RULE stands for your match)
 iptables -A INPUT RULE -j delete # Rule not to be logged
 
 iptables -A log -j LOG --log-prefix "Rejected: " # be verbose in syslog
 iptables -A log -j delete # hand the packet over to delete
 
 iptables -A delete -j REJECT # gracefully reject the packet
 
 It would be bad to have iptables log everything by default -- man DoS

No, not really: you can use the limit module and define the maximum rate
at which you choose to LOG matching entries. 

-- 
++ytti
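The two posts above (Matthias's log chain with its "Rejected: " prefix, and Saku's points that the LOG target goes through the kernel facility and that a limit match keeps it from flooding syslog), as an added example that is not code from the thread: a parser that picks the LOG-target lines out of a syslog stream, splits the KEY=VALUE packet fields, and counts rejected packets per source so that a source which would have swamped the log is visible. The syslog lines are constructed, and the prefix must match whatever you gave --log-prefix.

```python
"""Pick netfilter LOG-target messages out of syslog and summarise them."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines (not captured from a real host). The LOG
# target writes through the kernel log facility, so syslog shows "kernel:"
# followed by the --log-prefix text and the packet header as KEY=VALUE
# tokens; flag-only tokens such as DF or SYN carry no "=".
SAMPLE_SYSLOG = """\
Jul 22 08:18:34 fw kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 22 08:18:35 fw kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 22 08:18:36 fw kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=UDP SPT=1024 DPT=111
Jul 22 08:18:37 fw sshd[123]: Accepted publickey for admin from 192.0.2.2 port 50000 ssh2
Jul 22 08:18:38 fw kernel: eth0: link up
"""

# A classic syslog line from the kernel: timestamp, host, "kernel:", message.
KERNEL_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+kernel:\s+(?P<msg>.*)$"
)


@dataclass
class LogRecord:
    ts: str
    host: str
    fields: Dict[str, str]  # KEY=VALUE tokens: IN, OUT, SRC, DST, PROTO, DPT, ...
    flags: List[str]        # bare tokens: DF, SYN, ACK, ...


def parse_log_line(line: str, prefix: str = "Rejected: ") -> Optional[LogRecord]:
    """Return a LogRecord for a LOG-target line carrying `prefix`, else None."""
    m = KERNEL_LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None                      # not a kernel message at all
    msg = m.group("msg")
    if not msg.startswith(prefix):
        return None                      # kernel message, but not from this rule
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in msg[len(prefix):].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.append(key)
    if "SRC" not in fields or "DST" not in fields:
        return None                      # prefix matched but no packet header
    return LogRecord(m.group("ts"), m.group("host"), fields, flags)


def parse_syslog(text: str, prefix: str = "Rejected: ") -> List[LogRecord]:
    records = []
    for line in text.splitlines():
        rec = parse_log_line(line, prefix)
        if rec is not None:
            records.append(rec)
    return records


def summarise(records: List[LogRecord]) -> Counter:
    """Count logged packets per (source address, protocol, destination port)."""
    counts: Counter = Counter()
    for rec in records:
        f = rec.fields
        counts[(f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts


def noisy_sources(records: List[LogRecord], threshold: int) -> List[str]:
    """Sources with at least `threshold` logged packets: the ones a
    '-m limit' match on the log chain exists to keep out of syslog."""
    per_src = Counter(rec.fields["SRC"] for rec in records)
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    for key, n in summarise(recs).most_common():
        print(f"{n:4d}  {key[0]:>16}  {key[1]}/{key[2]}")
    print("noisy:", noisy_sources(recs, 2))
```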



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 12:34:50AM -0500, Nathan E Norman wrote:
 On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
  PS We don't give guns to children, do we?
 
 What the hell does this have to do with running services on a freaking
 computer connected to the Internet?  You are beginning to sound like a
 troll.

You don't give a gun to a child because it is likely they will hurt
themselves or others because they don't know what it does.

Similarly, running a service without knowing what it does can hurt
the operator, and leave their box open to attacks being launched
from their box, thereby hurting others.

I think it is quite fitting.
 
 HINT: It's difficult to kill someone with a computer without regard to
 whether the computer operator is a child.  Obfuscating the issue with
 inane comparisons to loaded political issues generally means you can't
 argue your original position effectively.
 
Well, it's kind of hard to argue a point when people start steering
the discussion in bizarre directions.  I thought maybe I had to
put it in simpler terms.  Apparently that was not a good idea, as now 
that has borne yet another pointless post.  

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means, you will be moving, which means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?

or:

WARNING: Coffee is served HOT! [0]

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

[0] for those who don't remember there was a case some years ago where
a woman sued McDonalds after she spilled a cup of their coffee in her
lap and as a result was burned, her argument was that she didn't know
coffee was hot.

This is why to this day McDonalds' coffee cups have a warning printed
all around them saying: WARNING COFFEE IS HOT!!  -- at least in the
lawsuit happy US.




Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sat, Jul 21, 2001 at 11:39:36PM -0700, Jacob Meuser wrote:
 I think it is quite fitting.

I think a 21st century variant of Godwin's law is developing.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread Steven Barker
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

snip

 No, I'm simply saying not to start services immediately.

snip

Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea.  The trouble with the current system is that installed
daemons automatically start running with a default configuration.  This is
not always bad, but does not allow a paranoid sysadmin to protect themselves
(short of ugly workarounds like taking down the network interface until the
server is shut off).

I think that there should be a way to install Debian server packages
without having the installation scripts start the server.  This need not be
default, but it should be possible.

I'm sure there are many ways this could work.  Perhaps:

[EMAIL PROTECTED]:/etc# apt-get install --no-run apache

would download, install and configure apache, but not run it.  When the
sysadmin was satisfied with the configuration files, etc, then update-rc.d
and such could be run by hand (or by another call to apt-get/dpkg with
another flag).

This would have to be both a policy change and a technical change in apt
and/or dpkg.  I think it would be a good compromise between security and the
simplicity of apt-get install foo.

-- 
Steven Barker  [EMAIL PROTECTED]
  Perhaps, after all, America never has been discovered.  I myself would
  say that it had merely been detected.
-- Oscar Wilde
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means you will be moving, which means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?
 
 SCNR
 
Well, someone has decided to attack me for using an analogy, so I will
refrain from saying how this doesn't go with what I'm saying.

What I would like is for packages to not start a service immediately
upon installation.  I don't want the installation of packages to
put links in /etc/rc?.d.  If not that, then something like:

- WARNING --

Apache by default listens on port 80.  Apache is now listening for
incoming internet connections on port 80.  Links have been installed
in /etc/rc?.d, so that this machine will be listening for connections
on port 80 every time this machine is booted.
Because you are running a service, it is VERY important that you
read and follow the advice at http://www.debian.org/security/



[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Mike Fedyk
On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:
 On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
 
 snip
 
  No, I'm simply saying not to start services immediately.
 
 snip
...
 
 I think that there should be a way to install a debian server package
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.
 
 I'm sure there are many ways this could work.  Perhaps:
 
 [EMAIL PROTECTED]:/etc# apt-get install --no-run apache
 
 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).
 
 This would have to be both a policy change and a technical change in apt
 and/or dpkg.  I think it would be a good compromise between security and the
 simplicity of apt-get install foo.
 

But that doesn't change the default.  If you do something like this,
you should add an option apt-get --run install foo

Personally, I think there should either be a /etc/do-not-start/package dir
that packages' init scripts check for non-existence before starting, or a
commented entry in the config file that the init script checks for
non-existence before starting...

Mike



Re: red worm amusement

2001-07-22 Thread Nathan E Norman
On Sun, Jul 22, 2001 at 12:01:55AM -0700, Jacob Meuser wrote:
 Well, someone has decided to attack me for using an analogy, so I will
 refrain from saying how this doesn't go with what I'm saying.

Oh, grow up.  I did not attack you, I questioned the wisdom of
comparing running services on a computer to the politically loaded
question of guns.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: red worm amusement

2001-07-22 Thread Steven Barker
On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
 On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:

  I think that there should be a way to install a debian server package
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.

 But that doesn't change the default.  If you do something like this,
 you should add an option apt-get --run install foo

Yes, that would make sense.  Both --run and --no-run could be available as
options with the default behavior determined by apt/dpkg configuration.  As
for what the default for apt/dpkg's config should be, that's for us to flame
each other over... ;-)

 Personally, I think there should either be a /etc/do-not-start/package dir
 that packages' init scripts check for non-existence before starting, or a
 commented entry in the config file that the init script checks for
 non-existence before starting...

Well, now we're getting into heavy policy stuff.  I think it would be hard
enough to get all the daemon postinst scripts to work in run and no-run mode.

-- 
Steven Barker  [EMAIL PROTECTED]
  There's so much to say but your eyes keep interrupting me.
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
 On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
  
  Oh, I guess anyone can say something like Four years without a remote
  hole in the default install! on the internet, where anyone is free to
 
 that quote is pure marketing.  

Marketing?  OpenBSD has about as much of an advertising dept as does
Debian.  None.

 they don't count the recent ftpd remote
 root hole in that `four years' because they stopped activating ftpd
 in the default install of OpenBSD 2.7, which was released only a very
 short time before the hole was discovered.

And so the default install was not vulnerable to remote attacks.  Like
any other OS, you must update when updates are available.

 the kernel hole (basically
 the same ptrace race the linux kernel had previous to 2.2.19) was only
 locally exploitable so that `doesn't count' since its not remote.

Exactly.  The claim is that there is no REMOTE exploit.
 
  If anyone who reads the posts I made looks at them with an objective
  outlook, they will see that my message is clearly stated.
 
 no it's not, you change your position every time a fallacy is pointed
 out.

What?  What?  I'm sorry, say that again.  What fallacies are you talking
about?  My position is, and always has been, that 'apt-get install'
should not start the service, and should not put startup links in
/etc/rc?.d.
 
 and you keep pointing at OpenBSD as an example of a distribution that
 doesn't start any services, if you had ever actually installed an
 OpenBSD box you would see that is not true.  

You have a short memory don't you Ethan?  The last time I mentioned
OpenBSD on this list, you jumped all over me like you have this time.
Do you have something against OpenBSD?  Was your experience with
OpenBSD 2.6 that bad?  What, did you ask some silly question on an
OpenBSD mailing list, and get flamed so bad you're still burning?
I happen to be using OpenBSD to write this email.  Next to me is my
OpenBSD server, and when I send this message, it will go through
my OpenBSD firewall.  Are you offended by the number of times I just
wrote OpenBSD?  I never claimed OpenBSD doesn't start ANY services.


 as for debian services are only started if you install them, a very
 logical assumption.

Not really.  Someone just posted an example of where he installed
apache, but only needed it for a very short while.  It is logical
to assume that if a package is installed, it is for a reason.  It
is not logical to assume that there is a need to start it immediately,
and every time the machine is booted.

 criticising debian's choices in regards to what
 services are priority: standard could be a valid argument.

I'll leave that to you.

[EMAIL PROTECTED] 



Re: red worm amusement

2001-07-22 Thread Hubert Chan

 Jacob == Jacob Meuser [EMAIL PROTECTED] writes:

Jacob What I would like is for packages to not start a service
Jacob immediately upon installation.  I don't want the installation of
Jacob packages to put put links in /etc/rc?.d.  IF not that, then
Jacob something like:

[cut]

I'm not sure that would be an effective warning, and it may even be
confusing to people, as it does not indicate that there is a potential
security risk, but just tells them to read the security pages.

Maybe something more like (disclaimer: it's late and I'm tired, so I
can't write a proper warning, but hopefully this should be enough to get
the idea across):

WARNING:
Apache has been started.  Web servers in general potentially open up a
large security hole.  By running Apache, you may be vulnerable to [[list
the relevant types of attacks]].  If you are not sure about what you are
doing, please stop Apache at the first available moment by running
/etc/init.d/apache stop and by removing the relevant links in
/etc/rc?.d, and please read http://www.debian.org/security/.  When you
are confident that you know what you're doing then you may re-enable
Apache.

Having said that, I'll toss in my vote for not starting the services
immediately on installation.  At least give the admin a chance to
configure it.

Or something like exim, where you configure it in the installation
process, before it gets started.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 02:03:23AM -0500, Nathan E Norman wrote:
 
 Oh, grow up.  I did not attack you, I questioned the wisdom of
 comparing running services on a computer to the politically loaded
 question of guns.
 
You are beginning to sound like a troll. - Nathan E Norman

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
 On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
  On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
   
   Oh, I guess anyone can say something like Four years without a remote
   hole in the default install! on the internet, where anyone is free to
  
  that quote is pure marketing.  
 
 Marketing?  OpenBSD has about as much of an advertising dept as does
 Debian.  None.

You don't need a marketing department to practice the 'art' of marketing.

  they don't count the recent ftpd remote
  root hole in that `four years' because they stopped activating ftpd
  in the default install of OpenBSD 2.7, which was released only a very
  short time before the hole was discovered.
 
 And so the default install was not vulnerable to remote attacks.  Like

Debian's default install is not vulnerable to attacks either. Your point?

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



Re: red worm amusement

2001-07-22 Thread CaT
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
 On Sun, Jul 22, 2001 at 12:54:49PM +1000, CaT wrote:
  
  You know. You're right. We should make it as difficult as possible
  to install software. Right down to removing makefiles from source
  repositories and rot13ing the source code because the harder it is
  to install a piece of software, the more secure a box is.
 
 No, I'm simply saying not to start services immediately.  I mean really,

That wasn't what you were saying before. You were saying that the
ease of install you get with apt-get is bad. This is a rather different
issue.

 who in their right mind starts a service without looking at the config
 files?  How hard is it to add the links from /etc/rc?.d to /etc/init.d
 (isn't there a script to do this anyway)?

Some packages already practice safety-first. You need to remove an
echo and an exit from the init.d once you're good and ready. This
just has to become more widespread.

Then again, most of the time I install a service (90%) I want it
to start running immediately. apache, ftp etc I compile by hand.

  And then the computer you just spent a few grand on will be about
  as useful as a toaster without heating elements.
 
 That's better than them getting sued for a hell of a lot more than they
 paid for their machine because someone launched an attack from their
 machine, and they can't prove they didn't do it.

No machine is 100% secure, except those machines that do not exist.
Anyone who thinks their box is 100% secure has rocks in their heads,
regardless what OS they are running.

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000
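The two opt-outs proposed earlier in this thread, Mike Fedyk's /etc/do-not-start/package flag directory and the "remove an echo and an exit from the init.d" pattern CaT mentions above, written up as one init-script guard. This is an added example, not code from the thread or from any Debian package; the package name foo, the CONF and DO_NOT_START_DIR variables, the /etc/foo.conf path and the #DEBIAN_UNCONFIGURED marker line are all assumptions.

```shell
#!/bin/sh
# Added example (hypothetical package "foo"): an init-script guard that
# honours two admin opt-outs before a daemon is started.
#
#  1. Flag file $DO_NOT_START_DIR/<package>: the admin touches
#     /etc/do-not-start/foo and the daemon stays down across installs,
#     upgrades and reboots until the file is removed.
#  2. Marker line shipped in the default config file: the daemon refuses
#     to start until the admin has reviewed the file and deleted the line.
#     This is the "echo and exit" guard moved out of the init script and
#     into the config file the admin has to read anyway.

PKG="foo"
CONF="${CONF:-/etc/foo.conf}"                          # assumed path
DO_NOT_START_DIR="${DO_NOT_START_DIR:-/etc/do-not-start}"
MARKER='^#DEBIAN_UNCONFIGURED'                         # assumed marker

# should_start PKG CONF
# Returns 0 when the daemon may be started, 1 when an opt-out is in force.
# The reason is written to stderr so the admin can see why nothing started.
should_start() {
    pkg="$1"
    conf="$2"
    if [ -e "$DO_NOT_START_DIR/$pkg" ]; then
        echo "$pkg: not starting, $DO_NOT_START_DIR/$pkg exists" >&2
        return 1
    fi
    if [ -r "$conf" ] && grep -q "$MARKER" "$conf"; then
        echo "$pkg: not starting, $conf still carries the unconfigured marker" >&2
        return 1
    fi
    return 0
}

# do_start PKG CONF
# Stand-in for the real start-stop-daemon call: prints what would happen
# and passes through should_start's verdict as its exit status.
do_start() {
    if should_start "$1" "$2"; then
        echo "Starting $1 with $2"
        return 0
    fi
    return 1
}

case "${1:-}" in
    start) do_start "$PKG" "$CONF" ;;
    stop)  echo "Stopping $PKG" ;;
    *)     ;;   # restart/reload omitted in this example
esac
```

Run as `sh foo.init start`; with the flag file present or the marker still in the config, the script reports the reason on stderr and exits non-zero instead of starting anything.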



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 01:32:00AM -0600, Hubert Chan wrote:
 
 I'm not sure that would be an effective warning, and it may even be
 confusing to people, as it does not indicate that there is a potential
 security risk, but just tells them to read the security pages.
 
Hmmm, silly me referenced http://www.debian.org/security/ before I looked
at it.  I assumed there would at least be some links to more security
information, as the first thing it says is Debian takes security very
seriously.  Then it goes on to talk about reactive security, not
proactive security.  

 Or something like exim, where you configure it in the installation
 process, before it gets started.
 
At least it lets you set it up for local service only.  

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.

I could give a rats @$$ about what is Debian's base system.  Those aren't
installed with apt-get install anyway.  I could give two $#1+$ about
whether or not an OS is secure out of the box.  This is not a question
about OSes, it's a question about installing packages that install 
services.

Please don't try to steer me off course, and then say I keep changing
my position.  It's simply not polite, and rather silly.

[EMAIL PROTECTED] 

On Sun, Jul 22, 2001 at 06:05:18PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
  On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
   On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:

Oh, I guess anyone can say something like Four years without a remote
hole in the default install! on the internet, where anyone is free to
   
   that quote is pure marketing.  
  
  Marketing?  OpenBSD has about as much of an advertising dept as does
  Debian.  None.
 
 You don't need a marketing department to practice the 'art' of marketing.
 
   they don't count the recent ftpd remote
   root hole in that `four years' because they stopped activating ftpd
   in the default install of OpenBSD 2.7, which was released only a very
   short time before the hole was discovered.
  
  And so the default install was not vulnerable to remote attacks.  Like
 
 Debian's default install is not vulnerable to attacks either. Your point?
 
 -- 
 CaT ([EMAIL PROTECTED])   *** Jenna has joined the channel.
   cat speaking of mental giants..
   Jenna me, a giant, bullshit
   Jenna And i'm not mental
   - An IRC session, 20/12/2000
 
 



Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.

Then stick to that.

 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.
 
 Please don't try to steer me off course, and then say I keep changing
 my position.  It's simply not polite, and rather silly.

No one is steering you off course. You're doing just that. You mention
that OpenBSD has been secure out-of-the-box for 4yrs and then when
ppl aren't impressed you chuck a hissy fit.

*shrug*

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



RE: red worm amusement

2001-07-22 Thread Magus Ba'al
-Original Message-
From: CaT [mailto:[EMAIL PROTECTED] 
Sent: Sunday, July 22, 2001 1:11 AM
To: Jacob Meuser
Cc: debian-security@lists.debian.org
Subject: Re: red worm amusement


<quote>No machine is 100% secure, except those machines that do not
exist. Anyone who thinks their box is 100% secure has rocks in their
heads, regardless what OS they are running.</quote>

Don't mean to sound like an annoyance, but I have a 100% secure
computer. It's currently disassembled, with the parts stored in
different containers, and no OS on the hard drive. Crack that!

Sorry, just a poor stab at humor. While I've always been proud that the
debian list has pretty much been better than any other list at keeping
flame wars to a minimum, today is an exception. At times this latest
thread has become, well, "my cock is bigger, so I'm more right than
you!". Yes, maybe daemons should ask to be started during startup, or
prompt to be configured like exim. But who's to say that a new user
won't choose an option that leads them to be vulnerable. When I first
started I *know* I made some big mistakes. Maybe Debian should have some
firewall rules that are run to block vulnerable services when they are
installed and then tell you how to unblock them. Maybe a billion
different ways it could be, but it's not. I must commend the Debian team
for maintaining the best distro, IMNSHO. I thought the Debian community
was better than the others due to the fact that we work together to come
up with ideas, not thinking 'My Way(tm)' is the only good option. So far
all the points brought up have been valid and very arguable. The problem
is that it's turning into a 'your idea sucks' pissing match. The best
idea is to gather all the ideas and pick the best way to do things.
Maybe the way it's currently done was the best of the ideas at the time.
Trying to get any package maintainers to redo their packages at the snap
of a finger is ridiculous. Maybe we should try putting our heads
together and find the best solution to securely
installing/configuring/starting daemons, and then present that to the
Debian team? Maybe someone has a better idea than I do on how to get
stuff changed. The point is to work together!

All flames are welcome if you are so inclined. But please email me
directly, and me only. Do not reply, CC/BCC the list directly if you
really need to get some aggression out. Thanks!



Steven Beverly


I am the Illustrious Postmaster and Grand Poobah of Electronic
Transmissions -Mary Jo Pehl, MST3K

He who fights with monsters should look to it that he himself does not
become a monster...when you gaze long into the abyss the abyss also
gazes into you. -Friedrich Nietzsche






Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
  that quote is pure marketing.  
 
 Marketing?  OpenBSD has about as much of an advertising dept as does
 Debian.  None.

that quote is still marketing, it's backed up by excuses and lawyerly
nitpicking, not real fact.

 And so the default install was not vulnerable to remote attacks.  Like
 any other OS, you must update when updates are available.

wrong.  default install of all versions of OpenBSD prior to 2.7 WERE
vulnerable because they turned on ftpd by default in the default
install.  the only reason they maintain that absurd `4 years without a
root hole' is because they narrowly obsoleted 2.6 with 2.7 before that
hole was discovered.  like i said: lawyerly nitpicking.

 Exactly.  The claim is that there is no REMOTE exploit.

and local exploits don't matter? exactly the response i expect from a
marketing person.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.
 
 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.

oh so you're trying to slough your own ignorance and incompetence onto
debian because you installed a zillion services and didn't know what
they did thus opening lots of `security holes'.

yeah whatever.

what part of `don't install the service if you don't need it/don't
know how to configure it' don't you understand?  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 01:38:23AM -0700, Magus Ba'al wrote:
 <quote>No machine is 100% secure, except those machines that do not
 exist. Anyone who thinks their box is 100% secure has rocks in their
 heads, regardless what OS they are running.</quote>
 
 Don't mean to sound like an annoyance, but I have a 100% secure
 computer. It's currently disassembled, with the parts stored in
 different containers, and no OS on the hard drive. Crack that!

*grabs HD and installs it into another pc* ;)

 Sorry, just a poor stab at humor. While I've always been proud that the
 debian list has pretty much been better than any other list at keeping
 flame wars to a minimum, today is an exception. At times this latest
 thread has become well, my cock is bigger, so I'm more right than

it's starting to feel that way.

 you!. Yes, maybe daemons should ask to be started during startup, or
 prompt to be configured like exim. But who's to say that a new user
 won't choose an option that leads them to be vulnerable. When I first

well. that'll be a conscious choice by the user instead of an automated
one I guess.

 started I *know* I made some big mistakes. Maybe Debian should have some

mistakes are what we learn from the best. unfortunately they tend to
have the nastiest of side effects at times (but I guess that's why they
are such great teachers)

 firewall rules that are run to block vulnerable services when they are
 installed and then tell you how to unblock them. Maybe a billion
 different ways it could be, but it's not. I must commend the Debian team
 for maintaining the best distro, IMNSHO. I thought the Debian community

aye. we're dumping redhat/slackware boxes for debian. one of the primary
reasons is the ease with which you can keep the box up to date and secure.

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
  For the last time: I am saying that apt-get install should not immediately
  start a service, and it should not install the startup links in /etc/rc?.d.
 
 Then stick to that.

Please, quote me on where I have contradicted that.

 No one is steering you off course. You're doing just that. You mention
 that OpenBSD has been secure out-of-the-box for 4yrs and then when
 ppl aren't impressed you chuck a hissy fit.
 

I mentioned that OpenBSD has a policy of not starting services by
default.  Ethan Benson went off on how OpenBSD is rubbish.  As
an OpenBSD user, I felt I should point out that he was the one
full of rubbish.  I really don't care whether people think it's
a good idea or not.  I just wish they'd discuss the issue I'm talking
about.  I mean really, Ethan claimed I never installed OpenBSD.  How
could he have ever known whether or not that is true?  Someone called 
ME a troll!?!?!?!?! 



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 12:44:19AM -0800, Ethan Benson wrote:
 what part of `don't install the service if you don't need it/don't
 know how to configure it' don't you understand?  
 
And when, during the installation, or regular use of Debian, is that
message ever displayed to the user?

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
 On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
  On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
   For the last time: I am saying that apt-get install should not immediately
   start a service, and it should not install the startup links in /etc/rc?.d.
  
  Then stick to that.
 
 Please, quote me on where I have contradicted that.

Right below.

  No one is steering you off course. You're doing just that. You mention
  that OpenBSD has been secure out-of-the-box for 4yrs and then when
  ppl aren't impressed you chuck a hissy fit.
 
 I mentioned that OpenBSD has a policy of not starting services by
 default.  Ethan Benson went off on how OpenBSD is rubbish.  As
 an OpenBSD user, I felt I should point out that he was the one
 full of rubbish.  I really don't care whether people think it's

If you only wanted to talk about apt-get you should've stuck to it.

 a good idea or not.  I just wish they'd discuss the issue I'm talking
 about.  I mean really, Ethan claimed I never installed OpenBSD.  How
 could he have ever known whether or not that is true?  Someone called 
 ME a troll!?!?!?!?! 

don't care. remember, this is meant to be about apt-get only?

anyways. i'm bowing out.

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  Please, quote me on where I have contradicted that.
 
 Right below.
 
Nothing is contradicting that.

 
 If you only wanted to talk about apt-get you should've stuck to it.
 
Then I'm to ignore all other questions and ideas, as well as personal
comments aimed at me as an individual?

 anyways. i'm bowing out.
 
Since it seems that suggesting that maybe something in Debian is
not perfect, one will be personally ridiculed, and ridiculed further
for replying to those comments, I too am bowing out.

Although I never got any reason why they are started by default, 
other than if a service is installed, it is assumed that the admin
wants it running.  To me, the tiny bit of time saved by the admin
is not worth the potential danger to new users.

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:

  I mentioned that OpenBSD has a policy of not starting services by
  default.  Ethan Benson went off on how OpenBSD is rubbish.  As

no i said the claim that OpenBSD starts no services was rubbish. NOT
that openbsd was rubbish.

  an OpenBSD user, I felt I should point out that he was the one
  full of rubbish.  I really don't care whether people think it's

you're the one who is full of it Jacob.

 If you only wanted to talk about apt-get you should've stuck to it.

yup.

  a good idea or not.  I just wish they'd discuss the issue I'm talking
  about.  I mean really, Ethan claimed I never installed OpenBSD.  How
  could he have ever known whether or not that is true?  Someone called 
  ME a troll!?!?!?!?! 

because you (Jacob) made it quite clear you don't know anything about
OpenBSD by making claims about it which are not true at all.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread Jacob Meuser
Alright, I said I was bowing out, but I will reply to this last email.
In my first post, I may not have been completely clear.  I said that
OpenBSD doesn't start services that are insecure.  Now, we all know
that no service is totally secure, so that statement is somewhat of
an oxymoron.  However, no one on any OpenBSD mailing list is telling
people to turn off the services that are started by default, while
on this list, everyone is always saying to turn off inetd and
whatever else they are not using.  My point is, why should someone
have to go through the trouble of turning them off?  Why are they
started in the first place, if the advice is to immediately shut them
off?  If a person needs that service then they can turn it on, correct?
This extends to packages that are added to the base system.  I don't
think it's right to assume that one wants to start the service
immediately.  The argument that you shouldn't install a service if
you don't know what you're doing just doesn't make sense.  If you
never install the package, then how are you going to know anything
about it?  How are you going to customize a configuration file,
if you have no file to modify?

CaT's reply that packages are starting to be made with provisions to
exit the init script before the service is started, is I guess really
the answer I was looking for.  Is that a new policy?  If it is, I
think it's a good one.

So as not to waste any more innocent bystanders' bandwidth/disk space,
if anyone wishes to further discuss the questions I raised above,
or try to flame me, please send your email to:

[EMAIL PROTECTED]

On Sun, Jul 22, 2001 at 01:57:24AM -0800, Ethan Benson wrote:
 On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
 
   I mentioned that OpenBSD has a policy of not starting services by
   default.  Ethan Benson went off on how OpenBSD is rubbish.  As
 
 no i said the claim that OpenBSD starts no services was rubbish. NOT
 that openbsd was rubbish.
 
   an OpenBSD user, I felt I should point out that he was the one
   full of rubbish.  I really don't care whether people think it's
 
 you're the one who is full of it Jacob.
 
  If you only wanted to talk about apt-get you should've stuck to it.
 
 yup.
 
   a good idea or not.  I just wish they'd discuss the issue I'm talking
   about.  I mean really, Ethan claimed I never installed OpenBSD.  How
   could he have ever known whether or not that is true?  Someone called
   ME a troll!?!?!?!?!
 
 because you (Jacob) made it quite clear you don't know anything about
 OpenBSD by making claims about it which are not true at all.
 
 -- 
 Ethan Benson
 http://www.alaska.net/~erbenson/




Re: apt-get install apache (was red worm amusement)

2001-07-22 Thread chandler
I wasn't going to jump in on this thread/flamewar, but since I have been 
bouncing on D in the mailer a lot more than normal the last couple days, I 
feel like one more post won't hurt... so here's two cents worth.

First, I want to encourage list posters in the future to reconsider voicing
their opinions about non-Debian distributions and Microsoft on this list. I
think it is possible to discuss sound security without bringing up a *BSD or
slagging Microsoft. The initial question of "What are these strange GETs in
my Apache logs" has a simple answer. Asked and answered-- the further
relevance to Debian is dubious.

Buried in the mess of emails was at least one good comment about how Apache 
is installed on Debian, and it's this topic that I want to comment on.

Having just installed apache on a laptop so I could do some development work 
when off-network, I was surprised (for some reason) to find the service not 
only started up immediately, but also restarted after reboot. I don't know 
why I was surprised, except that it had been a while since I installed a 
service of any type using a package. Maybe I was surprised because almost 
nothing else I've ever done on Debian has been quite that easy. ;)

Similarly, after a recent apt-get dist-upgrade (intended to grab security 
updates only, so should I remove the non security.debian.org URLs from 
/apt/sources?) on my firewall box, I somehow managed to get all of X windows 
installed and a couple of services I didn't want installed AND started AND 
added to /etc/rc*.d. Thankfully X windows still requires startx to get 
going, but the services (junkbuster and wwwoffle) were just there. And while 
reboots on that machine are limited to power outages, it's still extra work 
to administer that stuff into the 'off' position.

To me the lack of warnings or configurability during an apt-get install for a 
service is a questionable practice. It would be nice if the apache install 
had at least asked "Do you want to start this service immediately?" and "Do 
you want to start this service on reboot?". Then I would have been informed 
of the status of the service during install.

Similar questions during dist-upgrade would have informed me that those 
packages (looking harmless enough in the long list of "you are about to 
install"s) actually were services, and would have at least allowed me to keep 
them from starting, if not installing.

-michael
[EMAIL PROTECTED]



--no-run option (was: Re: red worm amusement)

2001-07-22 Thread Bernhard R. Link
On Sun, 22 Jul 2001, Steven Barker wrote:

 I think that there should be a way to install a debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.

Why should anyone want to install a server without letting it run?


The standard-config is normally sane, and when you do not think so, place
another config-file there before installing it. (If you are that paranoid 
you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile, 
but also check the whole package before installing it.)


 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configureation files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

Not adding rc.d links is really ridiculous. If you have a computer that 
just boots after installing without the chance to change links, then you 
should pull out the network cable either way.

 This would have to be both a policy change and a technical change in apt
 and/or dpkg.  I think it would be a good compromise between security and the
 simplicity of apt-get install foo.

I do not see a necessity for it. Though if you want to supply patches to 
carry a --no-run in dpkg via some environment variable to the script, and 
a patch to dh_xxx to check this, go ahead, but there are important and 
sensible things to do.

Respectfully,
  Bernhard R. Link



Re: red worm amusement

2001-07-22 Thread Bernhard R. Link
On Sun, 22 Jul 2001, Jacob Meuser wrote:

 What I would like is for packages to not start a service immediately
 upon installation.

Though I do not understand this, I do not want to argue again, see my
other post...

 I don't want the installation of packages to
 put put links in /etc/rc?.d.

Why? Just remove them after installing. No one forces you to reboot just 
after installation. And installing a package without wanting to run it 
is only a security flaw.


 Apache by default listens on port 80.  Apache is now listening for
 incoming internet connections on port 80.  Links have been installed
 in /etc/rc?.d, so that this machine will be listening for connections
 on port 80 everytime this machine is booted.
 Because you are running a service, it is VERY important that you
 read and follow the advice at http://www.debian.org/security/


This is simply ridiculous.

The car analogy fits here very well.

Don't get me wrong, I'm not against telling the user if he does 
something dangerous. But coffee is hot, and a server lowers security. 
Why not also give 5 pages of warnings when configuring a network 
connection (which is the real security problem) and make the user 
type "Yes, I want to crash my computer" before installing, so that he 
really knows what can happen?



Respectfully,
  Bernhard R. Link



Re: red worm amusement

2001-07-22 Thread Rainer Weikusat
Jacob Meuser [EMAIL PROTECTED] writes:
 Still not the point.  I'm talking about services being enabled, either 
 by default, or by apt-get.

[...]

 ftpd is not enabled by default.

So imagine someone looking for an ftp server and, as happens to be 
the case, finding one, say via locate, in /usr/libexec, which already 
has a line corresponding to it in /etc/inetd.conf, though commented 
out...

 There are many ways to locally compromise any Unix-like OS,
 therefore it has a rather low priority.

This sounds a bit illogical to me. If there are 'many ways', shouldn't
it rather be 'high priority', especially, as this renders per-daemon
uids basically useless?

 And who's going to teach them?  Certainly not an OS that makes it as
 easy as 'apt-get install apache'!

OSs don't teach people anything, documentation does. Which won't get
read anyway or at least be ignored.

 Maybe you don't get it.  A system that is compromised poses a danger
 to EVERYONE ON THE INTERNET.

So what? Try a cable-cutter.

-- 
stone me



Re: red worm amusement

2001-07-22 Thread Jörgen V .
I am new to Debian and this is my first post to the debian-security 
mailing list. Having read this thread, I really am not seeing anybody pointing 
out that it is the sysadmin who makes the machine secure; it's not an OS 
that makes a machine secure, it's the admin behind it.

I use a broad range of OSes, including OpenBSD. Claiming bluntly that 
OpenBSD is secure by default is like dancing with the devil, because it 
isn't; every *NIX distro is by default leaky/insecure, YOU have to make it 
secure. When it comes to Microsoft products you can patch and upgrade all 
you want, it isn't gonna help you make a secure system; you have to realize 
that bugs and holes are something that comes by default with Microsoft. On 
*NIX you can make a difference.


Jörgen V.
--
http://security.veendam.org
http://www.securitydatabase.net





Re: apt-get install apache (was red worm amusement)

2001-07-22 Thread Rob VanFleet
On Sun, Jul 22, 2001 at 07:59:47AM -0500, chandler wrote:
 Similarly, after a recent apt-get dist-upgrade (intended to grab security 
 updates only, 

Then why did you dist-upgrade?  I think it's pretty self-explanatory
that if you're upgrading from one distribution to another (like from
stable to testing) you use dist-upgrade.  If you're upgrading for
security and bug fixes, you use upgrade.

 so should I remove the non security.debian.org URLs from 
 /apt/sources?)

No, just don't use dist-upgrade and make sure all of your sources are
pointing to the correct distribution of Debian you are tracking.

 on my firewall box, I somehow managed to get all of X windows 
 installed and a copule of services I didn't want installed AND started AND 
 added to /etc/rc*.d. Thankfully X windows still requires startx to get 
 going, but the services (junkbuster and wwwoffle) were just there. And while 
 reboots on that machine are limited to power outages, it's still extra work 
 to administer that stuff into the 'off' position.

apt-get remove junkbuster wwwoffle --purge
Not so hard to me.

 To me the lack of warnings or configurability during an apt-get install for a 
 service is a questionable practice. 

Have you ever bothered to lower your message priority in debconf?
dpkg-reconfigure debconf.  Choose 'low'.

Learn about the tools before you start to criticize them.

-Rob



Re: --no-run option (was: Re: red worm amusement)

2001-07-22 Thread Rob VanFleet
Exactly.  It is more of a special case to *not* want a server to start
at boot rather than the other way around.  To those who think that
apt-get install apache is too easy, then why is apt-get remove apache
too hard?

-Rob

On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
 On Sun, 22 Jul 2001, Steven Barker wrote:
 
  I think that there should be a way to install a debian server packages
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.
 
 Why should anyone want to install a server without letting it run?
 
 
 The standard-config is normally sane, and when you do not think so, place
 another config-file there before installing it. ( If you are that paranoic
 you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile ,
 but also check the whole package before installing it).
 
 
  would download, install and configure apache, but not run it.  When the
  sysadmin was satisfied with the configureation files, etc, then update-rc.d
  and such could be run by hand (or by another call to apt-get/dpkg with
  another flag).
 
 Not adding rc.d links is really ridiculous. If you have a computer that 
 just boots after installing without the chance to change links, then you 
 should pull out the network cable either way.
 
  This would have to be both a policy change and a technical change in apt
  and/or dpkg.  I think it would be a good compromise between security and the
  simplicity of apt-get install foo.
 
 I do not see a necessity for it. Though if you want to supply patches to 
 carry a --no-run in dpkg via some environment variable to the script, and 
 a patch to dh_xxx to check this, go ahead, but there are important and 
 sensible things to do.
 
 Respectfully,
   Bernhard R. Link
 
 



Re: --no-run option (was: Re: red worm amusement)

2001-07-22 Thread Steven Barker
On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
 On Sun, 22 Jul 2001, Steven Barker wrote:
 
  I think that there should be a way to install a debian server packages
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.
 
 Why should anyone want to install a server without letting it run?

Security, customizability, flexibility.

 The standard-config is normally sane, and when you do not think so, place
 another config-file there before installing it.

You are right, and I don't think that running with a default configuration
would often be a problem.  But an option to prevent
servers (or perhaps all daemons, networked or not) from running on install
would let anyone who does not want the default configuration the chance to
change settings before starting it up.

Another problem with the current system is that disabled (as in, not running
and removed from /etc/rc?.d) daemons restart themselves when they are
upgraded.  Often they are in packages that are so fundamental that they
cannot realistically be removed (e.g. inetd).  The same mechanism in apt/dpkg
that allows non-run installations could also permit non-run upgrades
(perhaps even automatically detected).

I'm not planning on hacking this into dpkg, but perhaps it will be a future
project.  I'm always interested in other opinions as well.

-- 
Steven Barker  [EMAIL PROTECTED]
  I will make no bargains with terrorist hardware.
  -- Peter da Silva
I have a new PGP key!  It's ID is EBD5936B.
 Get it at http://www.students.uiuc.edu~/scbarker/pubkey.asc
PGP Key Fingerprint: 272A 3EC8 52CE F22B F745  775E 5292 F743 EBD5 936B



Re: apt-get install apache (was red worm amusement)

2001-07-22 Thread michael
On Sunday 22 July 2001 11:17 am, Rob VanFleet wrote:
 If you're upgrading for
 security and bug fixes, you use upgrade.

 apt-get remove junkbuster wwwoffle --purge
 Not so hard to me.

 Have you ever bothered to lower your message priority in debconf?
 dpkg-reconfigure debconf.  Choose 'low'.

 Learn about the tools before you start to criticize them.

Thanks for the tips and your patience, I certainly have some learning to 
do.



Re: red worm amusement

2001-07-22 Thread Hubert Chan

 Bernhard == Bernhard R Link [EMAIL PROTECTED] writes:

Bernhard On public streets or public places, you are not
Bernhard allowed. Otherwise you are allowed without licence.

True.  And I think that most of us won't care if people have insecure
boxes, if those boxes aren't on the Internet.

Bernhard (And even a licence does not avoid accidents and deaths, it
Bernhard only may reduce them)

True again.  Just as knowing about security or hiring a
security-conscious admin only reduces the chance of getting cracked.

 If we had the same sort of standards for computer use, though, we
 wouldn't have as much of a security problem as we do have.

Bernhard Sure?

Yes.  Because at the minimum, it would inform people about the
importance of paying attention to security.  (Mind you, the standards
that I'm talking about for driving only reflect my North American
experiences.  Germany may be (and I have heard it is) different.)

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.



Re: red worm amusement

2001-07-22 Thread Colin R. R. Johnson
On Sun, 22 Jul 2001, Steven Barker wrote:


 On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

 snip

  No, I'm simply saying not to start services immediately.

 snip

 Well, I'm going to wade into this growing flamewar to point out what I think
 is a sound idea.  The trouble with the current system is that installed
 daemons automatically start running with a default configuration.  This is
 not always bad, but does not allow a paranoid sysadmin to protect themselves
 (short of ugly workarounds like taking down the network interface until the
 server is shut off).

 I think that there should be a way to install a debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.


I think this is a great idea. Also, if dpkg / apt showed what servers were
being set up to run after the initial install, it could be saved to a file.

This would also assist if there was a break-in and a new server running:
you could check against your original list.

 I'm sure there are many ways this could work.  Perhaps:

 [EMAIL PROTECTED]:/etc# apt-get install --no-run apache

 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configureation files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

One option here would be a simple [y/n] question whether or not to run the
new service automatically as part of the package install.

--snip--

Colin.
--
Colin Johnson  [EMAIL PROTECTED]
Remember: Everything you see on screen is but ones and zeroes.
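Colin's suggestion above (save the list of services set up to start at boot, then check later for anything new) as an added shell example; this is not code from the thread or from dpkg/apt. It assumes System V style start links named S<nn><service> under /etc/rc?.d, as discussed in the thread, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from dpkg/apt: keep a baseline of the
# services enabled at boot (S* links under /etc/rc?.d) and report anything
# that has appeared since, e.g. a daemon a package install or upgrade enabled.
# Assumes System V style link names such as S20apache; demo data is constructed.

# Read rc link names on stdin, keep only start links (Snn...), strip the
# sequence prefix, and emit unique service names sorted for comm(1).
rc_services() {
    sed -n 's/^S[0-9][0-9]//p' | sort -u
}

# List the services enabled at boot in the given rc directories,
# e.g. enabled_at_boot /etc/rc2.d /etc/rc3.d
enabled_at_boot() {
    for dir in "$@"; do
        for link in "$dir"/S[0-9][0-9]*; do
            # the literal pattern is left behind when nothing matches; skip it
            [ -e "$link" ] && basename "$link"
        done
    done | rc_services
}

# Print services present in the current snapshot ($2) but absent from the
# baseline ($1); both files must have been produced by rc_services.
new_services() {
    comm -13 "$1" "$2"
}

# Constructed demo: a baseline taken right after the initial install, and
# the links found on a later inspection. Real use: save enabled_at_boot
# output to a file at install time and run new_services against it later.
demo() {
    base=$(mktemp) || return 1
    cur=$(mktemp) || return 1
    printf 'S20ssh\nS20exim\nK20apache\n' | rc_services > "$base"
    printf 'S20ssh\nS20exim\nS91apache\nS20wwwoffle\nS20ssh\n' | rc_services > "$cur"
    new_services "$base" "$cur"
    rm -f "$base" "$cur"
}

demo    # prints apache and wwwoffle, one per line
```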