Re: NFS, password transparency, and security
On Tue, Apr 09, 2002 at 12:37:27PM +0200, Wichert Akkerman wrote:
> Previously Alan Shutko wrote:
> > An AFS-based setup is used at many places to great effect, especially
> > on untrusted nets, but I don't know how bad setup is. I suspect it's
> > evil.
>
> There is also SFS which works very nicely indeed.

After doing some reading about it, the only thing that turns me off to SFS
is that you still have to run the usual NFS services for it to work. A large
part of the reason I am seeking alternatives is that those services are so
often vulnerable.

Rob

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: fswcert
On Tue, Apr 09, 2002 at 08:01:14AM +0200, Lupe Christoph wrote:
> Here is an example:
>
> conn %default
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         left=%defaultroute
>         leftsubnet=192.168.2.0/24
>         leftid=C=DE, ST=Bavaria, O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH, OU=Lupe's Home Office, CN=antalya.lupe-christoph.de/[EMAIL PROTECTED]
>
> The ID is in the certificate. Extract it like:
>
> openssl x509 -in certificate.pem -noout -text | sed -n -e 's/.*Subject: //p'

You can save yourself this step: use a leftcert pointing to your
certificate, and you don't need the leftid. Reduces redundancy, and avoids
having that huge long line in your config file!

Andrew
Denied ports 1339, 2049 and 2702
We use a Debian (sid, 2.4.18 custom, libc6 2.2.5) box with iptables (1.2.6a)
and Obsid's rc.firewall.iptables.dual (1.2b2)
http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current
as a firewall between a private net and the Internet. Every day we get a lot
of DENIED PORT messages:

[...]
Apr 9 17:05:57 lee kernel: DENIED PORT:IN=eth0 OUT=ppp0 SRC=private IP DST=Internet IP LEN=48 TOS=0x08 PREC=0x00 TTL=125 ID=40301 DF PROTO=TCP SPT=2702 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
[...]
Apr 9 17:26:53 lee kernel: DENIED PORT:IN=eth0 OUT=ppp0 SRC=private IP DST=Internet IP LEN=48 TOS=0x08 PREC=0x00 TTL=125 ID=10893 DF PROTO=TCP SPT=1339 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
[..]
Apr 9 17:35:10 lee kernel: DENIED PORT:IN=eth0 OUT=ppp0 SRC=private IP DST=Internet IP LEN=48 TOS=0x08 PREC=0x00 TTL=127 ID=25376 DF PROTO=TCP SPT=2049 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
[...]

These ports are denied by the script, but I do not understand what it means.
If some private net user's browser tries to connect to some Internet www
server (DPT=80) it has to use one of the dynamic and/or private ports (49152
through 65535) as a source port, hasn't it?

As http://www.iana.org/assignments/port-numbers reads, port 1339 is used by
kjtsiteserver, 2049 by Network File System - Sun Microsystems, and 2702 by
SMS XFER. But our private net does not use Network File System - Sun
Microsystems (we use SAMBA instead). I did not manage to find any useful
information on what kjtsiteserver and SMS XFER are, but as far as I can
understand none of our private net boxes use such software either.

Can anybody, please, explain to me, point me to a source of information, or
give a hint (any information would be gratefully appreciated) how to
understand these messages.

Thank you,
Mikhail.
Re: Denied ports 1339, 2049 and 2702
On Tue, Apr 09, 2002 at 07:20:18PM +0600, Mikhail Romanenko wrote:
<snip>
> These ports are denied by the script, but I do not understand what it
> means. If some private net user's browser tries to connect to some
> Internet www server (DPT=80) it has to use one of the dynamic and/or
> private ports (49152 through 65535) as a source port, hasn't it?

My understanding of it is that the ports IANA lists are for servers. When a
client is connecting to a server, it can use any port it wants. I.e. those
blocked requests were probably web browsers trying to access the web server
on that machine.

HTH,
Gareth
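Gareth's explanation, as an added example that is not part of the thread: a small POSIX shell triage script for netfilter log lines like the ones Mikhail posted. It pulls the key=value fields out of a line and tells an ordinary outbound client connection (a SYN arriving on the inside interface, high source port, well-known destination port) apart from an inbound connection attempt at a service port. The sample lines are constructed for the example from the three in the post, with the redacted addresses replaced by 192.168.1.10 and 203.0.113.5 plus one invented inbound line; the interface names and the DENIED PORT prefix are Mikhail's. The classification encodes the point of the reply: a source port says nothing about the service, so a rule that drops on --sport 2049 or --sport 1339 will hit browsers whose operating system happened to pick those numbers (the three source ports here all fall in the 1025 to 5000 range that Windows clients of that time drew their ephemeral ports from, and TTL 125/127 is a Windows default of 128 a hop or two away). Service ports belong in --dport matches, with established connections passed by a state match.

```shell
#!/bin/sh
# Added example, not from the debian-security thread: triage of netfilter
# "DENIED PORT" log lines. Reads key=value fields from a kernel log line and
# says whether the dropped packet looks like an ordinary outbound client
# connection or an inbound connection attempt to a service port.
set -eu

# Constructed sample lines, modelled on the three Mikhail posted. The archive
# redacted the addresses; 192.168.1.10 and 203.0.113.5 are stand-ins. The
# fourth line (an inbound SYN to 2049 on ppp0) is invented for contrast.
SAMPLE_LOG='Apr  9 17:05:57 lee kernel: DENIED PORT:IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 TOS=0x08 PREC=0x00 TTL=125 ID=40301 DF PROTO=TCP SPT=2702 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  9 17:26:53 lee kernel: DENIED PORT:IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 TOS=0x08 PREC=0x00 TTL=125 ID=10893 DF PROTO=TCP SPT=1339 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  9 17:35:10 lee kernel: DENIED PORT:IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 TOS=0x08 PREC=0x00 TTL=127 ID=25376 DF PROTO=TCP SPT=2049 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  9 18:02:11 lee kernel: DENIED PORT:IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=4711 PROTO=TCP SPT=3402 DPT=2049 WINDOW=1024 RES=0x00 SYN URGP=0'

INSIDE_IF=eth0   # interface facing the private net, as in the post

# nf_field KEY LINE: value of KEY=value in a netfilter log line ("" if absent).
# The log prefix is glued to the first field ("PORT:IN=eth0"), so an optional
# "something:" before the key is allowed.
nf_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^\([^=]*:\)*$1=//p" | head -n 1
}

# nf_flag FLAG LINE: true if the bare TCP flag token (SYN, ACK, ...) is present.
nf_flag() {
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx "$1"
}

# classify_denied LINE: prints one of
#   outbound-client  SYN from the inside to a service port, from a high source
#                    port: a normal client connection; a rule matching on
#                    --sport (e.g. "2049 is NFS") is what dropped it
#   inbound-service  SYN arriving on an outside interface
#   other            anything else (non-TCP, non-SYN, odd port pattern)
classify_denied() {
    line=$1
    if [ "$(nf_field PROTO "$line")" != TCP ]; then echo other; return; fi
    if ! nf_flag SYN "$line" || nf_flag ACK "$line"; then echo other; return; fi
    in_if=$(nf_field IN "$line")
    spt=$(nf_field SPT "$line")
    dpt=$(nf_field DPT "$line")
    if [ "$in_if" = "$INSIDE_IF" ] && [ "$spt" -ge 1024 ] && [ "$dpt" -lt 1024 ]; then
        echo outbound-client
    elif [ "$in_if" != "$INSIDE_IF" ]; then
        echo inbound-service
    else
        echo other
    fi
}

# summarize < LOG: one "class count" line per class, sorted by class.
summarize() {
    while IFS= read -r l; do
        if [ -n "$l" ]; then classify_denied "$l"; fi
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Stand-alone run: classify each sample line, then the totals.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
    printf '%-16s SPT=%-5s DPT=%s\n' "$(classify_denied "$l")" \
        "$(nf_field SPT "$l")" "$(nf_field DPT "$l")"
done
printf '%s\n' "$SAMPLE_LOG" | summarize
```

Run as is it prints one classification per sample line and the totals; piping a real kernel log through `summarize` shows how much of the DENIED PORT noise is plain outbound client traffic before deciding which rule in rc.firewall.iptables.dual to loosen.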
Re: NFS, password transparency, and security
On Tue, Apr 09, 2002 at 06:51:38AM -0500, Rob VanFleet wrote:
> After doing some reading about it, the only thing that turns me off to
> SFS is that you still have to run the usual NFS services for it to work.
> A large part of the reason I am seeking alternatives is that those
> services are so often vulnerable.

You run those services locally on each machine only. You don't make them
available to other hosts.

Luca

--
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D
Re: fswcert
On Tuesday, 2002-04-09 at 08:50:18 -0400, Andrew Pimlott wrote:
> On Tue, Apr 09, 2002 at 08:01:14AM +0200, Lupe Christoph wrote:
> > Here is an example:
> >
> > conn %default
> >         authby=rsasig
> >         leftrsasigkey=%cert
> >         rightrsasigkey=%cert
> >         left=%defaultroute
> >         leftsubnet=192.168.2.0/24
> >         leftid=C=DE, ST=Bavaria, O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH, OU=Lupe's Home Office, CN=antalya.lupe-christoph.de/[EMAIL PROTECTED]
> >
> > The ID is in the certificate. Extract it like:
> >
> > openssl x509 -in certificate.pem -noout -text | sed -n -e 's/.*Subject: //p'
>
> You can save yourself this step: use a leftcert pointing to your
> certificate, and you don't need the leftid. Reduces redundancy, and
> avoids having that huge long line in your config file!

Hmm. It would be nice if the manpage for ipsec.conf had been patched to
mention this...

Thanks!
Lupe

--
| [EMAIL PROTECTED]                   | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
Re: fswcert
On Tue, Apr 09, 2002 at 06:57:18PM +0200, Lupe Christoph wrote:
> On Tuesday, 2002-04-09 at 08:50:18 -0400, Andrew Pimlott wrote:
> > You can save yourself this step: use a leftcert pointing to your
> > certificate, and you don't need the leftid. Reduces redundancy, and
> > avoids having that huge long line in your config file!
>
> Hmm. It would be nice if the manpage for ipsec.conf had been patched to
> mention this...

ipsec.conf(5) doesn't mention certificates at all, since they're not a part
of standard freeswan, and the x509 project doesn't supply a patched man
page. I gather that integrating x509 into standard freeswan is not on
anyone's short-term agenda, alas.

But if you read /usr/share/doc/freeswan/README.x509.gz, in section 4.6 it
says

    If no rightid or leftid entry is present then the subject
    distinguished name contained in the certificate is taken as the ID.

I missed this the first time through, but someone on the mailing list
mentioned it.

Andrew
qpopper LAG...
Hallo Debian security folks,

Here's my problem: the qpopper daemon (2.53-7) seems to get some lag when
there's a lot of, or medium, Internet traffic. It's a rather strange problem
because it seems like either qpopper or the user's MUA (mail client) times
out. The POP3 fetch sessions just time out and hang up.

Of course, as I said, this does not always happen but only when there's
some Internet traffic, on either the local or the external net nodes.

Anyone experienced some qpopper timeout-related problems? Maybe it's
related to network lag or similar causes, but anyway I won't exclude that
there's some buffer problem in the qpopper daemon; is that possible?
Version 2.53-7 seems quite stable anyway.

Hope there's someone out there who has experienced the same
qpopper-related issues!

Thanks for any help, folks.

Have a nice time,
- Ivo

--
»« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
Ivo Marino                       [EMAIL PROTECTED]
UN*X Developer, running Debian GNU/Linux
irc.OpenProjects.net #debian     http://eimbox.org/~eim
http://eimbox.org
»« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
Re: NFS, password transparency, and security
On Tue, Apr 09, 2002 at 07:23:28AM -0700, Luca Filipozzi wrote:
> On Tue, Apr 09, 2002 at 06:51:38AM -0500, Rob VanFleet wrote:
> > After doing some reading about it, the only thing that turns me off to
> > SFS is that you still have to run the usual NFS services for it to
> > work. A large part of the reason I am seeking alternatives is that
> > those services are so often vulnerable.
>
> You run those services locally on each machine only. You don't make them
> available to other hosts.

Sorry if I'm being completely dense here, but aren't the ports still open,
even if they are only serving localhost?

Rob
Unidentified subject!
unsubscribe
Re: NFS, password transparency, and security
On Tue, Apr 09, 2002 at 04:02:34PM -0500, Rob VanFleet wrote:
> On Tue, Apr 09, 2002 at 07:23:28AM -0700, Luca Filipozzi wrote:
> > You run those services locally on each machine only. You don't make
> > them available to other hosts.
>
> Sorry if I'm being completely dense here, but aren't the ports still
> open, even if they are only serving localhost?

The point is that it's made accessible only from localhost, whether this is
by using a firewall to block connections from anyone else, by using
tcpwrappers, or because it only binds to the lo interface. If someone has an
exploit, rather than being able to exploit it remotely, they have to be
running the exploit from the local machine.

Gareth
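The localhost-only arrangement Gareth describes, as an added example not from the thread (the thread has no code for it): a POSIX shell script that first reads `netstat -tuln` style output and reports the portmap/nfsd listeners that are bound to every address rather than 127.0.0.1, and then emits the netfilter rules that accept those ports on lo and drop them on every other interface. That is the firewall option of the three, and the one that still works when a daemon cannot be told which address to bind to. The netstat sample is constructed; the ports are the standard 111 (portmap) and 2049 (nfsd), and mountd's port, which portmap assigns at start-up, is a parameter with a made-up default of 32767. The rules go through an IPT variable that defaults to echo, so the script only prints them; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: find RPC/NFS services that are reachable
# from the network rather than only from localhost, and emit the netfilter
# rules that confine them to lo.
set -eu

# Constructed "netstat -tuln" output: portmap and nfsd listening on the
# wildcard address (reachable from other hosts), sshd likewise, and a mountd
# on a hypothetical port 32767 already bound to loopback only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32767         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
udp        0      0 127.0.0.1:32767         0.0.0.0:*'

# Ports the local NFS stack that SFS still relies on listens at. mountd gets
# its port from portmap when it starts, so it is a parameter (made-up default).
MOUNTD_PORT=${MOUNTD_PORT:-32767}
RPC_PORTS="111 2049 $MOUNTD_PORT"

# exposed_rpc_listeners < netstat-output
# Prints "proto port" for each RPC/NFS listener not bound to a loopback
# address. The port is taken from the last ":nnn" of the local address so
# that IPv6 forms such as ":::111" are handled too.
exposed_rpc_listeners() {
    awk -v ports="$RPC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            i = match($4, /:[0-9]+$/)
            if (i == 0) next
            addr = substr($4, 1, i - 1); port = substr($4, i + 1)
            if ((port in want) && addr != "127.0.0.1" && addr != "::1") print $1, port
        }'
}

# rpc_localhost_only_rules: accept the RPC ports on lo, drop them on every
# other interface. Dry run by default (IPT=echo); IPT=iptables applies them.
IPT=${IPT:-echo}
rpc_localhost_only_rules() {
    for port in $RPC_PORTS; do
        for proto in tcp udp; do
            $IPT -A INPUT -i lo -p "$proto" --dport "$port" -j ACCEPT
            $IPT -A INPUT -p "$proto" --dport "$port" -j DROP
        done
    done
}

# Stand-alone run: report exposed listeners from the sample, then the rules.
echo "RPC/NFS listeners reachable from the network:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_rpc_listeners
echo
echo "Rules to confine them to lo (dry run unless IPT=iptables):"
rpc_localhost_only_rules
```

With the rules in place the local SFS daemons still reach nfsd over lo, while anything arriving on eth0 for 111, 2049 or the mountd port is dropped, so an exploit for those services has to run on the box itself, which is Gareth's point. On a real host replace the sample with `netstat -tuln | exposed_rpc_listeners` and set MOUNTD_PORT from `rpcinfo -p`.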
log the original source ipaddress
Dear all,

I have a webserver (running on a local net with RFC 1918 addresses) behind a
firewall (using rinetd for redirecting). Apache's log shows all accesses as
coming from the firewall's internal interface instead of the original source
address. Any idea how I can log the original source IP address of anyone who
accesses my webserver even though I use redirecting?

thx,
N. A. Hilal
Re: log the original source ipaddress
I'm not familiar with rinetd, but if you use netfilter to do DNAT the source
address will be maintained. Just make sure internal boxes hit the webserver
directly, on the internal IP, rather than through the external one, so they
don't get confused by packets coming back directly from the web server.

Something like this should work:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 80 \
    -j DNAT --to-destination $WEBSERVER:80
/sbin/iptables -A FORWARD -p tcp -d $WEBSERVER --destination-port 80 -j ACCEPT

xn

On Wed, Apr 10, 2002 at 11:01:25AM +0700, N. A. Hilal wrote:
> Dear all,
>
> I have a webserver (running on a local net with RFC 1918 addresses)
> behind a firewall (using rinetd for redirecting). Apache's log shows all
> accesses as coming from the firewall's internal interface instead of the
> original source address. Any idea how I can log the original source IP
> address of anyone who accesses my webserver even though I use
> redirecting?
>
> thx,
> N. A. Hilal
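xn's two rules, extended as an added example that is not from the thread: a POSIX shell script that emits the full netfilter rule set for forwarding port 80 to a web server on an RFC 1918 address. DNAT rewrites only the destination, so Apache sees the real client address, which is what Hilal is missing with rinetd (a user-space proxy that necessarily connects to the server from its own address). Added on top of the two posted lines are a state match so only the forwarded connection and its replies are accepted, and explicit handling of the hairpin case xn warns about: an internal client connecting to the external address. Left alone, the server would answer that client directly and bypass the firewall, so the script source-NATs such connections to the firewall's LAN address; the price is that exactly those requests are logged with the firewall's address (the rinetd symptom again), which is why pointing internal clients at the internal address, as xn says, is the cleaner fix. The topology is assumed for the example (eth0 external, eth1 internal, firewall 203.0.113.10 and 192.168.10.1, LAN 192.168.10.0/24, web server 192.168.10.80 on the same segment as the clients). Rules are emitted through an IPT variable that defaults to echo, so the script prints them instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: port-forward 80/tcp to an internal web
# server with DNAT so Apache logs the real client address, with the hairpin
# case for internal clients handled explicitly. Prints the rules unless
# IPT=iptables is set (and the script runs as root).
set -eu

# Assumed topology for the example (not from the post).
EXT_IF=${EXT_IF:-eth0}                 # Internet-facing interface
INT_IF=${INT_IF:-eth1}                 # LAN interface
EXTIP=${EXTIP:-203.0.113.10}           # firewall, Internet side
INTIP=${INTIP:-192.168.10.1}           # firewall, LAN side
LAN=${LAN:-192.168.10.0/24}
WEBSERVER=${WEBSERVER:-192.168.10.80}  # same segment as the LAN clients

IPT=${IPT:-echo}

# Replies of any connection the firewall already accepted, both directions.
forward_base_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# External clients -> WEBSERVER. DNAT changes only the destination, so the
# client's source address survives to the web server and its logs.
forward_http_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXTIP" --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEBSERVER" --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Internal clients that use the external address (hairpin). The DNAT alone
# would make the server reply straight to the client on the same segment,
# bypassing the firewall's NAT table; SNAT to INTIP pulls the reply back
# through the firewall. These requests are then logged with INTIP as the
# source, which is the very symptom rinetd produces for all clients.
hairpin_http_rules() {
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -p tcp -d "$EXTIP" --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN" -p tcp -d "$WEBSERVER" --dport 80 \
        -j SNAT --to-source "$INTIP"
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -p tcp -s "$LAN" -d "$WEBSERVER" --dport 80 \
        -m state --state NEW -j ACCEPT
}

all_rules() {
    forward_base_rules
    forward_http_rules
    hairpin_http_rules
}

all_rules
```

Drop `hairpin_http_rules` entirely if internal clients are pointed at 192.168.10.80 directly (split DNS or a hosts entry), which is xn's advice; then every line in Apache's log carries a real client address.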
Re: fswcert
On Fri, Apr 05, 2002 at 12:13:41PM +0200, Victor Vuillard wrote:
> the fswcert tool, which is used to extract private key from certificate
> was before in freeswan package. I was not able to find it in 1.95
> version of freeswan. Anyone knows why it has been removed ???

Because it's no longer needed. The Debian freeswan packages can use certs
directly. Some stuff in /usr/share/doc/freeswan will help you figure out how
to use them.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: fswcert
On Tuesday, 2002-04-09 at 00:03:20 -0400, Noah L. Meyerhans wrote:
> On Fri, Apr 05, 2002 at 12:13:41PM +0200, Victor Vuillard wrote:
> > the fswcert tool, which is used to extract private key from
> > certificate was before in freeswan package. I was not able to find it
> > in 1.95 version of freeswan. Anyone knows why it has been removed ???
>
> Because it's no longer needed. The Debian freeswan packages can use
> certs directly. Some stuff in /usr/share/doc/freeswan will help you
> figure out how to use them.

Here is an example:

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftsubnet=192.168.2.0/24
        leftid=C=DE, ST=Bavaria, O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH, OU=Lupe's Home Office, CN=antalya.lupe-christoph.de/[EMAIL PROTECTED]

The ID is in the certificate. Extract it like:

openssl x509 -in certificate.pem -noout -text | sed -n -e 's/.*Subject: //p'

Mail me directly if you need help setting this up.

HTH,
Lupe Christoph

--
| [EMAIL PROTECTED]                   | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
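Lupe's extraction command and Andrew's leftcert advice earlier on the page, as an added example not from the thread: a POSIX shell script that generates a throwaway certificate with the subject from Lupe's stanza (minus the e-mail field, which the archive has redacted), pulls the subject DN out with `openssl x509 -subject -nameopt oneline` into the `C=DE, ST=Bavaria, ...` form freeswan uses for leftid, renders the conn stanza both with leftid spelled out and with leftcert only, and checks a leftid someone typed into ipsec.conf against the certificate it is supposed to name. The temporary file paths, the 2048-bit throwaway key and the quoting of leftid (the value contains spaces and commas) are choices made for the example; nothing here is freeswan's or OpenSSL's own code.

```shell
#!/bin/sh
# Added example, not from the thread: get a certificate's subject DN in the
# form freeswan wants for leftid, build the conn stanza both ways (leftid
# spelled out / leftcert only) and check an existing leftid against the
# certificate it is meant to identify. Needs the openssl command.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT=$WORK/antalya.pem
KEY=$WORK/antalya.key

# Subject from Lupe's example without the e-mail field (redacted in the
# archive). Everything is generated locally; no real key material is used.
SUBJ="/C=DE/ST=Bavaria/O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH/OU=Lupe's Home Office/CN=antalya.lupe-christoph.de"

# Throwaway self-signed certificate (1 day) with the subject above.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$KEY" -out "$CERT" -subj "$SUBJ" >/dev/null 2>&1
}

# cert_subject_dn CERT: "C=DE, ST=Bavaria, ..." in certificate order.
# -nameopt oneline prints "C = DE, ST = Bavaria, ..."; the sed trims the
# "subject=" prefix (with or without a trailing space, depending on the
# OpenSSL version) and the spaces around '='.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt oneline \
        | sed -e 's/^subject= *//' -e 's/ = /=/g'
}

# normalize_dn DN: strip spaces around ',' and '=' so that cosmetic
# differences in how a DN was typed do not count as a mismatch.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/ *, */,/g' -e 's/ *= */=/g'
}

# leftid_matches_cert LEFTID CERT: true if LEFTID names CERT's subject.
leftid_matches_cert() {
    [ "$(normalize_dn "$1")" = "$(normalize_dn "$(cert_subject_dn "$2")")" ]
}

# Stanza as in the thread, with the ID spelled out (quoted: it has spaces).
conn_with_leftid() {
    printf 'conn %%default\n\tauthby=rsasig\n\tleftrsasigkey=%%cert\n\trightrsasigkey=%%cert\n'
    printf '\tleft=%%defaultroute\n\tleftsubnet=192.168.2.0/24\n\tleftid="%s"\n' "$(cert_subject_dn "$1")"
}

# Same stanza with leftcert only: the subject DN is read from the cert.
conn_with_leftcert() {
    printf 'conn %%default\n\tauthby=rsasig\n\tleftrsasigkey=%%cert\n\trightrsasigkey=%%cert\n'
    printf '\tleft=%%defaultroute\n\tleftsubnet=192.168.2.0/24\n\tleftcert=%s\n' "$1"
}

# Stand-alone run: both stanzas for the throwaway certificate, then a check
# of a deliberately wrong leftid against it.
if command -v openssl >/dev/null 2>&1; then
    make_test_cert
    conn_with_leftid "$CERT"
    echo
    conn_with_leftcert "$CERT"
    echo
    if leftid_matches_cert "C=DE, CN=somebody.example.org" "$CERT"; then
        echo "leftid matches certificate"
    else
        echo "leftid does NOT match certificate subject: $(cert_subject_dn "$CERT")"
    fi
fi
```

Lupe's `-text | sed` pipeline yields the same string; `-subject` just asks for it directly. The mismatch check is worth running before blaming the peer: an ID that differs from the certificate's subject in a single attribute fails authentication as surely as a wrong key does.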
Re: NFS, password transparency, and security
Previously Alan Shutko wrote:
> An AFS-based setup is used at many places to great effect, especially on
> untrusted nets, but I don't know how bad setup is. I suspect it's evil.

There is also SFS which works very nicely indeed.

Wichert.

--
  _________________________________________________________________
 /[EMAIL PROTECTED]         This space intentionally left occupied \
| [EMAIL PROTECTED]                    http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |