Re: iptables not logging or dhcp-client lying?
Olaf Meeuwissen [EMAIL PROTECTED] writes:

> Gabor Kovacs [EMAIL PROTECTED] writes:
>
> > Olaf Meeuwissen wrote:
> >
> > > Basically, I'd like to keep the setup as closed as possible so I make a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let the DHCPDISCOVER broadcast out (and a reply back in eventually, taking this one step at a time ;-). At least, that's what I thought I should do, but I noticed that packets are not logged!
> >
> > I think (but not sure) DHCP client is using (so called) raw sockets which are below the layer where iptables is in the kernel. That's why iptables is unable to see the packets.
>
> Looks like you are right. I set all built-in chains to LOG and a DROP policy (no other rules) and my interface configures fine. Once it is up there's an incessant stream of logged packets (mainly win-DoS hosts letting everyone know who and where they are by shouting all over the subnet and, occasionally, beyond).
>
> Oh well, I guess I can forget about making and plugging holes for the DHCPDISCOVER (and probably DHCPREQUEST) requests and their replies. That makes my job easier, but I guess the docs then need a fix ;-)

I gotta set myself straight here. The DHCPDISCOVER does not need a hole to make it past the packet filtering layer, but the DHCPREQUEST does. And from experience, it seems that dhclient starts requesting without going through the /etc/dhclient-script. Bummer, 'cause that means you don't get the chance to open up a hole for the request and close it once your lease has been renewed. Oh well, I guess I have to leave a hole open permanently for the requests to and replies from the dhcp-server-identifier ...

--
Olaf Meeuwissen                    Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: php error?!
On Wed, Apr 10, 2002 you wrote:

> Could someone tell me why I still get these messages in apache?
>
>     Premature end of script headers: /usr/lib/cgi-bin/php4
>
> Is there something wrong with php in debian package?

Maybe there is something wrong with the config of apache. Have you added the directives AddHandler or SetHandler to your host sections?
Re: NFS, password transparency, and security
On Sun, Apr 07, 2002 at 09:02:56PM -0500, Rob VanFleet wrote:

You have three issues:

Shared Authentication... Kerberos or LDAP

File Sharing
Looked at GFS? Could also use NFS I guess. Sigh. Look at autofs

Security! NFS and LDAP by default do stuff in plain text... over an open network this plain sucks... Set up Freeswan on all the nodes. If you have control of or access to any DNS you can set them all up to use opportunistic encryption.

Once this is in place, and the list of nodes (ie keys that are trusted) is made, then I'd be very happy to have single signon and NFS automounted home directories... even on disparate nodes across the internet. But only once they are all VPN'd.

--
Paul
Re[2]: php error?!
It was a problem with suexec; in Debian it uses the default /var/www. I've corrected it by compiling the source with my args.

Regards
Michal Novotny

On 11 April 2002 9:14:36, Dmitry Rojkov [EMAIL PROTECTED] writes:

> On Wed, Apr 10, 2002 you wrote:
>
> > Could someone tell me why I still get these messages in apache?
> >
> >     Premature end of script headers: /usr/lib/cgi-bin/php4
> >
> > Is there something wrong with php in debian package?
>
> Maybe there is something wrong with the config of apache. Have you added the directives AddHandler or SetHandler to your host sections?
Big ICMP with don't Fragment bit
Hi all,

has anybody an idea how to create an ICMP packet with size of 1500 and don't fragment bit set? Or how to filter such packets generally with IPChains?

I've the problem that a machine cancels the external connection some times. No entries in syslog or anywhere else. In my intrusion detection I see some machines sending such packets before the machine cancels the connection to the external net.

Thorsten
cups security
Good morning everybody, well at least morning over here in Cali. For everybody else, good afternoon, good evening and good night.

I just installed cups and I was wondering if it's possible to have cups run properly without having port 631 open. I don't like having ports open, especially since this computer will be the only one printing to this printer. I looked at some of the doc on http://www.cups.org and didn't see anything. Any ideas?

Also, when I installed cups it said something about me needing to do a . . .

    route add -net 224.0.0.0 netmask 240.0.0.0 dev interface

What's up with that? I didn't see anything in the doc about that either.

You know, a howto would be nice right about now. Anyway, thanks in advance for your insight.

Oh, and if any of you use pine, I won't hold it against you. :)

--
http://www.torrin.net
I hate pine. It's the worst E-mail client ever. Give me mutt any day. http://www.mutt.org
Re: cups security
Said Torrin on Thu, Apr 11, 2002 at 09:56:51AM -0500:

> I just installed cups and I was wondering if it's possible to have cups run properly without having port 631 open. I don't like having ports open, especially since this computer will be the only one printing to this printer. I looked at some of the doc on http://www.cups.org and didn't see anything. Any ideas?

In general, I would recommend a firewall, and in this specific case, I would stick with that suggestion :-) If you don't feel like getting into the internals, I would recommend firestarter as a great app for graphical firewall configuration.

--
[!] Justin R. Miller [EMAIL PROTECTED]
PGP 0xC9C40C31 -=- http://codesorcery.net
http://news.independent.co.uk/world/asia_china/story.jsp?story=281067
Re: cups security
On Thu, Apr 11, 2002 at 09:56:51AM -0500, Torrin wrote:

> Good morning everybody, well at least morning over here in Cali. For everybody else, good afternoon, good evening and good night.

:)) Hi, pal.

> Also, when I installed cups it said something about me needing to do a . . .
>
>     route add -net 224.0.0.0 netmask 240.0.0.0 dev interface
>
> What's up with that? I didn't see anything in the doc about that either.

The route line is going to add an entry in the kernel's routing table. This entry would make the kernel think it is running on a host which is in the network 0xE?.???.???.??? where 0xE? is in hexadecimal and the ? can match any number of the addressing IP. Moreover, the kernel is going to redirect all packets received by it to the network interface "interface".

Sorry if I'm not of much help, but I am using LPRng and can't really help you with cups. Generally, if you want to use the server on your host only, you should set up a firewall.

Until someone helps you,

--
Pav
Re: cups security
On Thu, 11-04-2002 at 16:56, Torrin wrote:

> Good morning everybody, well at least morning over here in Cali. For everybody else, good afternoon, good evening and good night.
>
> I just installed cups and I was wondering if it's possible to have cups run properly without having port 631 open. I don't like having ports open, especially since this computer will be the only one printing to this printer. I looked at some of the doc on http://www.cups.org and didn't see anything. Any ideas?

Why don't you cut access to that port via tcp wrappers? At least in my Woody, cups is in inetd.conf:

    #:OTHER: Other services
    printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd

(actually I'm not sure whether this corresponds to cups or to lpr) so you could add

    printer: ALL BUT LOCAL

[or something like that] to /etc/hosts.deny

Regards

> Also, when I installed cups it said something about me needing to do a . . .
>
>     route add -net 224.0.0.0 netmask 240.0.0.0 dev interface
>
> What's up with that? I didn't see anything in the doc about that either.

I never did that and it's working ok for me :)

> You know, a howto would be nice right about now. Anyway, thanks in advance for your insight.
>
> Oh, and if any of you use pine, I won't hold it against you. :)

--
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]
PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
Re: cups security
Luis Gómez Miralles [EMAIL PROTECTED] writes:

> On Thu, 11-04-2002 at 16:56, Torrin wrote:
>
> > Good morning everybody, well at least morning over here in Cali. For everybody else, good afternoon, good evening and good night.
> >
> > I just installed cups and I was wondering if it's possible to have cups run properly without having port 631 open. I don't like having ports open, especially since this computer will be the only one printing to this printer. I looked at some of the doc on http://www.cups.org and didn't see anything. Any ideas?
>
> Why don't you cut access to that port via tcp wrappers? At least in my Woody, cups is in inetd.conf:
>
>     #:OTHER: Other services
>     printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd
>
> (actually I'm not sure whether this corresponds to cups or to lpr)

It corresponds to the cups server that accepts lpd jobs on port 515, which is an optional part of cups. The primary part of cups is a daemon that accepts IPP jobs (and serves html documentation) on port 631.

> so you could add
>
>     printer: ALL BUT LOCAL
>
> [or something like that] to /etc/hosts.deny

If you are not accepting lpd print jobs from other hosts, there is no reason I am aware of to run cups-lpd.

Securing cups itself is done through the /etc/cups/cupsd.conf file. In particular, something like the following will limit access of the printers and documentation to localhost:

    <Location />
    Order Deny,Allow
    Deny From All
    Allow From 127.0.0.1
    </Location>

The cupsd.conf file has lots of goodies that are not turned on by default, including things like SSL/TLS certificates and crypto, restricting of the daemon binding, and lots of other hooks. The manuals are available at http://localhost:631/ or at cups.org.

> >     route add -net 224.0.0.0 netmask 240.0.0.0 dev interface
> >
> > What's up with that? I didn't see anything in the doc about that either.

Google for the term ``multicast'' and you'll find the answer. It has (to the best of my knowledge) nothing to do with CUPS.

--
/* Dale Southard Jr.  [EMAIL PROTECTED]  925-422-1463, fax 422-9429 */
/* Computer Scientist, Accelerated Strategic Computing Initiative     */
/* L-073, Lawrence Livermore National Lab, Livermore CA 94551         */
/* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving     */
Re: cups security
>>>>> "Luis" == Luis Gómez Miralles [EMAIL PROTECTED] writes:

Luis> Why don't you cut access to that port via tcp wrappers? At least
Luis> in my Woody, cups is in inetd.conf:
Luis>
Luis>     #:OTHER: Other services
Luis>     printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd
Luis>
Luis> (actually i'm not sure whether this corresponds to cups or to lpr)

That would be CUPS's lpr compatibility daemon. If you don't have other hosts needing to use your computer to print, you can just drop it completely.

--
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: cups security summary
OK, in summary.

1. I should set it to listen only on the local interface by setting

       Listen 127.0.0.1:631

   in the cupsd.conf file.

2. I should firewall off the port. This part is already done, I just don't like to have ports open.

So from what people have said, I guess there isn't a way to run cups and close the port. Is the open port essential to its operation, like open port 22 is essential to the operation of ssh?

--
http://www.torrin.net
I hate pine. Give me mutt any day. http://www.mutt.org
Re: ipfwadm and ssh forwarding
Steve,

I think you may be happier (i.e. spend less time working on this) if you can drum up a copy of redir or transproxy for your Cobalt Cube. Both of these are stable tools that I used quite heavily before the Linux kernel incorporated a true DNAT (2.4) or port-forwarding (hacked into 2.2).

HTH,
tony

On 10 Apr 2002, Steve Johnson wrote:

> I have an old cobalt cube on my network running a custom 2.0.34 kernel, that I'm finding is going to be really hard to upgrade. It's not running debian, but everything else in here is :) so I'm only asking here because I've read the docs and tried everywhere else for help.
>
> Anyway, it has the ipfwadm (note: ipmasqadm is not on it) tool for handling masqing and filtering. It's currently set up to masq everything from inside to outside, and nothing else. I have a server inside running backups, pulling data from web servers remotely; that is working great. However, I need to be able to ssh into that machine from the outside. There's only one real (external) ip that's attached to the cube. Can I, using ipfwadm, set it up to route any ssh requests to that machine on that ip to the internal backup server? I've tried everything, I'm just not that familiar with firewalling. If it's possible can someone send me a sample script with the appropriate rules to forward those packets?
>
> Thanks in advance for your help.
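Since Steve asked for a sample script and Tony points at the true DNAT of 2.4 kernels, here is an added example (not Tony's, Steve's or any project's code) of the iptables rules that do what ipfwadm on the 2.0 kernel cannot: forward ssh arriving on the single external address to an internal backup server. The interface name eth0, the internal address 192.168.1.10 and the source networks are hypothetical; the function only prints the commands so they can be reviewed, and the optional source list keeps the forwarded port from being reachable from the whole internet.

```shell
#!/bin/sh
# Added example, not code from the thread: 2.4-kernel DNAT port forwarding
# for ssh, written as a generator so the rules can be reviewed before they
# are applied (pipe the output into sh as root).
# Hypothetical values: external interface eth0, internal server
# 192.168.1.10, and a list of source addresses/networks allowed to use it.

forward_ssh_rules() {
    ext_if="$1"; target="$2"; shift 2
    # no source list given: open to anyone (works, but not recommended)
    [ $# -gt 0 ] || set -- 0.0.0.0/0
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # nothing crosses the box unless a rule below allows it
    echo "iptables -P FORWARD DROP"
    # rewrite the destination of incoming ssh from each permitted source
    for src in "$@"; do
        echo "iptables -t nat -A PREROUTING -i $ext_if -s $src -p tcp --dport 22 -j DNAT --to-destination $target:22"
    done
    # inside hosts may go out (the masquerading Steve already has), and
    # replies to anything already tracked may come back in
    echo "iptables -A FORWARD -o $ext_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # only the DNATed ssh connections may start a new flow from outside;
    # packets from sources that were not rewritten never match -d $target
    echo "iptables -A FORWARD -i $ext_if -p tcp -d $target --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
}

# usage: forward_ssh_rules eth0 192.168.1.10 203.0.113.0/24 | sh   (as root)
```

The FORWARD policy is DROP, so the port forward is the only way in; every other inbound packet that is not a reply to something tracked by conntrack is discarded before it reaches the internal network.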
Re: cups security summary
>>>>> "Dale" == Dale Southard [EMAIL PROTECTED] writes:

Dale> If you've done step 1, step 2 is redundant protection. There
Dale> shouldn't be anything listening on 631 anyplace except loopback.

Right, but step 2 has no negative effects (other than some extra time needed to learn how to set up the firewall), and ensures that no one can connect to port 631 even if you accidentally misconfigure something, or something overwrites your configuration.

IMHO, pretty much every box should have its own firewall installed. It prevents various bad things from happening (trojans, misconfigured daemons) and is an extra layer of protection just in case. You can set it up to deny all packets except for
- packets which are part of a connection that you established (e.g. HTTP replies)
- whatever ports you want open to the public

--
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
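The host firewall Hubert describes (deny everything except established traffic and the ports you choose) and the permanent DHCP renewal hole Olaf ended up needing in the iptables/dhclient thread fit in one ruleset, so here is an added example covering both; it is not code from either poster. The interface eth0, the DHCP server identifier 192.0.2.1 and ssh as the only public port are hypothetical values. gen_rules only prints the commands for review; apply_rules runs them and needs root on a 2.4 kernel with the state match.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal log-and-drop host
# firewall with an explicit hole for DHCP lease renewal.
# Hypothetical values: interface eth0, DHCP server identifier 192.0.2.1,
# public TCP ports given as the remaining arguments.

gen_rules() {
    iface="$1"; dhcp_server="$2"; shift 2
    # flush, then drop everything that is not explicitly allowed
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # loopback stays open (a cupsd bound to 127.0.0.1:631 still needs it)
    echo "iptables -A INPUT  -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # replies to connections this host started (e.g. HTTP answers)
    echo "iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # this host may open TCP connections and ask DNS questions
    echo "iptables -A OUTPUT -o $iface -p tcp -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # DHCP renewal: DHCPREQUEST leaves from UDP 68 to the server's port 67
    # and is answered the other way round. The initial DHCPDISCOVER never
    # reaches these rules (dhclient sends it through a raw socket below
    # netfilter), so only the unicast renewal traffic needs a hole, and only
    # towards the server identifier, not the whole subnet.
    echo "iptables -A OUTPUT -o $iface -p udp --sport 68 --dport 67 -d $dhcp_server -j ACCEPT"
    echo "iptables -A INPUT  -i $iface -p udp --sport 67 --dport 68 -s $dhcp_server -j ACCEPT"
    # whatever ports you want open to the public
    for port in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # log a sample of what the policy is about to drop; the limit keeps the
    # chatty broadcasts Olaf saw from flooding syslog
    echo "iptables -A INPUT  -m limit --limit 5/minute -j LOG --log-prefix 'fw-drop-in: '"
    echo "iptables -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix 'fw-drop-out: '"
}

apply_rules() {
    gen_rules "$@" | sh
}

# review first:   gen_rules eth0 192.0.2.1 22
# then, as root:  apply_rules eth0 192.0.2.1 22
```

The DHCP reply rule is kept explicit rather than left to the ESTABLISHED match on purpose: a renewal that comes after conntrack has forgotten the earlier exchange would otherwise be dropped, which shows up as a host that silently loses its lease.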
Re: Big ICMP with don't Fragment bit
Thorsten Kruschel [EMAIL PROTECTED] writes:

> has anybody an idea how to create an ICMP packet with size of 1500 and don't fragment bit set? Or how to filter such packets generally with IPChains?
>
> I've the problem that a machine cancels the external connection some times. No entries in syslog or anywhere else. In my intrusion detection I see some machines sending such packets before the machine cancels the connection to the external net.

If it's causing you problems, such as breaking the PMTU discovery (the typical one - what machines are giving you problems?), you shouldn't be filtering ICMP echo-requests. In ipchains, that's the best you can do - open yourself up to pings. In iptables, you can use the length module to filter by length within the ICMP protocol:

| zsh, potato 2:52PM piglet % iptables -m length -h | tail
[snip]
|
| length v1.2.5 options:
| [!] --length length[:length]    Match packet length against value or range

~Tim
--
http://spodzone.org.uk/
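To make Tim's pointer concrete from the defender's side, here is an added example (not Tim's or the list's code) that uses the iptables length match to log a rate-limited sample of oversized echo-requests, keeps the ICMP types that path MTU discovery relies on open so the filter itself cannot cause the stalls Thorsten sees, and then summarises the resulting kernel LOG lines per source. The interface eth0, the 1500-byte threshold and the SAMPLE_LOG lines are constructed; the length match counts the whole IP packet, header included, and a set DF bit appears in LOG output as the bare word DF.

```shell
#!/bin/sh
# Added example, not code from the thread: length-based ICMP filtering plus
# a summary of the LOG lines it produces.
# Hypothetical values: external interface eth0, threshold 1500 bytes.
# icmp_rules prints the commands; pipe into sh as root to apply.

icmp_rules() {
    iface="$1"; threshold="${2:-1500}"; action="${3:-ACCEPT}"
    # keep path MTU discovery working: "fragmentation needed" must get through
    echo "iptables -A INPUT -i $iface -p icmp --icmp-type fragmentation-needed -j ACCEPT"
    echo "iptables -A INPUT -i $iface -p icmp --icmp-type time-exceeded -j ACCEPT"
    # echo-requests at or above the threshold: log a rate-limited sample so
    # they can be correlated with the connection drops, then ACCEPT or DROP
    echo "iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -m length --length $threshold: -m limit --limit 3/minute -j LOG --log-prefix 'big-icmp: '"
    echo "iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -m length --length $threshold: -j $action"
    # ordinary pings stay answered
    echo "iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT"
}

# Constructed kernel LOG lines of the kind the rule above produces (real
# ones arrive through klogd/syslog). Addresses are documentation ranges.
SAMPLE_LOG='Apr 11 14:52:01 piglet kernel: big-icmp: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr 11 14:52:09 piglet kernel: big-icmp: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Apr 11 14:53:40 piglet kernel: big-icmp: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=99 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Apr 11 14:54:02 piglet kernel: fw-drop-in: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=100 DF PROTO=TCP SPT=4444 DPT=22'

# Count oversized echo-requests that had DF set, per source address, from
# the log on stdin. Output lines look like "2 198.51.100.7", busiest first.
count_big_icmp() {
    grep 'big-icmp:' | grep ' DF ' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# usage: printf '%s\n' "$SAMPLE_LOG" | count_big_icmp
```

With the default ACCEPT action the rules only observe; once the log shows which hosts send the packets and whether the drops line up with them, the action can be switched to DROP for that threshold without touching the PMTU-related types above it.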
Re: cups security
>>>>> "Torrin" == Torrin [EMAIL PROTECTED] writes:

Torrin> I just installed cups and I was wondering if it's possible to
Torrin> have cups run properly without having port 631 open. I don't
Torrin> like having ports open, especially since this computer will be
Torrin> the only one printing to this printer. I looked at some of the
Torrin> doc on http://www.cups.org and didn't see anything. Any ideas?

You can set CUPS to listen only on the loopback interface. Edit /etc/cups/cupsd.conf, and replace the line

    Port 631

with

    Listen 127.0.0.1:631

Also, if you're paranoid, set up a firewall too. Even if you don't have any extra ports open right now, a firewall can save you if you accidentally misconfigure something (or if a trojan gets installed).

--
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: cups security
On Thu, Apr 11, 2002 at 09:56:51AM -0500, Torrin wrote:

> Good morning everybody, well at least morning over here in Cali. For everybody else, good afternoon, good evening and good night.
>
> I just installed cups and I was wondering if it's possible to have cups run properly without having port 631 open. I don't like having ports open, especially since this computer will be the only one printing to this printer. I looked at some of the doc on http://www.cups.org and didn't see anything. Any ideas?

631 is the ipp port. It's needed for admin and remote printing; you can enable it only for localhost (127.0.0.1) by adding

    Listen 127.0.0.1:631

in /etc/cups/cupsd.conf (there are many security options like allow/deny networks/hosts in this config file, but in your case, listening only on localhost will be the good choice).

> Also, when I installed cups it said something about me needing to do a . . .
>
>     route add -net 224.0.0.0 netmask 240.0.0.0 dev interface
>
> What's up with that? I didn't see anything in the doc about that either.

That's for the slp protocol (www.openslp.org); if you don't need it (I think it's not useful in your case), don't add the route line and don't install slpd.

> You know, a howto would be nice right about now. Anyway, thanks in advance for your insight.

Howto:

    apt-get install cupsys cupsys-bsd

customize /etc/cups/cupsd.conf for security, it's easy to understand I think.

Go to http://localhost:631/ and configure your printer

    echo test | lpr

... it works (theoretically...)

> Oh, and if any of you use pine, I won't hold it against you. :)

Mutt

--
Easter-eggs                                  GNU/Linux specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
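The replies converge on three steps: bind cupsd to loopback with Listen 127.0.0.1:631 (Hubert, Emmanuel), restrict every resource with Dale's Location block, and stop running cups-lpd from inetd when no other host sends lpd jobs. The following added example (not the list's or the CUPS project's code) applies them to copies of the files and verifies the result, so it can be reviewed before anything under /etc is touched and re-run after a package upgrade that might have reinstalled a "Port 631" line. It assumes a Debian woody-style layout (a cupsd.conf with a Port or Listen line, an inetd.conf printer line for cups-lpd); all paths are parameters, and make_samples writes constructed stand-ins for a dry run. Switching Browsing off is an addition beyond the thread: CUPS 1.1 printer announcements use their own UDP socket, which a Listen directive does not affect.

```shell
#!/bin/sh
# Added example, not from the thread or the CUPS project: apply and verify
# the three cupsd hardening steps on the files given as arguments.

# 1. bind cupsd to loopback only: drop every Port/Listen/Browsing directive,
#    then add a single Listen 127.0.0.1:631 and turn browse packets off
bind_loopback() {
    conf="$1"
    grep -v -E '^[[:space:]]*(Port|Listen|Browsing)[[:space:]]' "$conf" > "$conf.new" || true
    printf 'Listen 127.0.0.1:631\nBrowsing Off\n' >> "$conf.new"
    mv "$conf.new" "$conf"
}

# 2. restrict printers and documentation to localhost (Dale's block),
#    unless a Location / block is already present
restrict_localhost() {
    conf="$1"
    if ! grep -q '^<Location />' "$conf"; then
        printf '<Location />\nOrder Deny,Allow\nDeny From All\nAllow From 127.0.0.1\n</Location>\n' >> "$conf"
    fi
}

# 3. cups-lpd (port 515) only matters when other hosts send lpd jobs here;
#    comment it out of inetd.conf instead of merely wrapping it in hosts.deny
disable_cups_lpd() {
    inetd="$1"
    sed 's|^\([[:space:]]*printer[[:space:]].*cups-lpd.*\)$|#\1|' "$inetd" > "$inetd.new"
    mv "$inetd.new" "$inetd"
}

# Succeeds only if cupsd binds loopback alone, the Location block is present
# and no active cups-lpd entry remains.
check_hardened() {
    conf="$1"; inetd="$2"
    grep -q '^Listen 127\.0\.0\.1:631$' "$conf" || return 1
    [ "$(grep -c '^Listen ' "$conf")" -eq 1 ] || return 1
    if grep -q '^[[:space:]]*Port[[:space:]]' "$conf"; then return 1; fi
    grep -q '^<Location />' "$conf" || return 1
    if grep -q '^[[:space:]]*printer[[:space:]].*cups-lpd' "$inetd"; then return 1; fi
    return 0
}

harden() {
    bind_loopback "$1"
    restrict_localhost "$1"
    disable_cups_lpd "$2"
    check_hardened "$1" "$2"
}

# Constructed sample files standing in for /etc/cups/cupsd.conf and
# /etc/inetd.conf, written into the directory given as $1.
make_samples() {
    printf 'ServerName piglet\nPort 631\nBrowsing On\n' > "$1/cupsd.conf"
    printf '#:OTHER: Other services\nprinter stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd\n' > "$1/inetd.conf"
}

# dry run:  d=$(mktemp -d); make_samples "$d"; harden "$d/cupsd.conf" "$d/inetd.conf" && echo hardened
```

After a real run, restart cupsd and inetd and confirm with netstat that 631 is bound to 127.0.0.1 only and 515 is gone; the firewall rule for 631 then becomes the second layer Hubert describes rather than the only one.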
Re: cups security
Luis Gómez Miralles [EMAIL PROTECTED] writes:

> Why don't you cut access to that port via tcp wrappers? At least in my Woody, cups is in inetd.conf:
>
>     #:OTHER: Other services
>     printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd
>
> (actually i'm not sure whether this corresponds to cups or to lpr)

That would be CUPS's lpr compatibility daemon. If you don't have other hosts needing to use your computer to print, you can just drop it completely.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: cups security summary
OK, in summary.

1. I should set it to listen only on the local interface by setting Listen 127.0.0.1:631 in the cupsd.conf file.
2. I should firewall off the port. This part is already done, I just don't like to have ports open.

So from what people have said, I guess there isn't a way to run cups and close the port. Is the open port essential to its operation, like open port 22 is essential to the operation of ssh?

-- 
http://www.torrin.net
I hate pine. Give me mutt any day. http://www.mutt.org
Re: cups security (fwd)
Oops, forgot to send this to the list.

-- Forwarded message --
Date: Thu, 11 Apr 2002 19:09:22 -0500 (CDT)
From: Torrin [EMAIL PROTECTED]
To: Emmanuel Lacour [EMAIL PROTECTED]
Subject: Re: cups security

Hmmm . . . you forgot,

    apt-get install cupsys-driver-gimpprint
    gunzip driver.gz
    cp driver /usr/share/cups/model

I guess that is only if the proper driver isn't included with cups. Also, I used lpadmin to configure the printer. I didn't even realize there was a web server listening on 631. Doh!! Oh, but it does ask for username and password. I suppose that's secure enough.

On Thu, 11 Apr 2002, Emmanuel Lacour wrote:
> Howto:
>
>     apt-get install cupsys cupsys-bsd
>
> customize /etc/cups/cupsd.conf for security, it's easy to understand I think.
>
> Go to http://localhost:631/ and configure your printer
>
>     echo test | lpr
>
> ... it works (theoretically...)

-- 
http://www.torrin.net
Give me mutt any day. http://www.mutt.org
Re: cups security summary
Torrin [EMAIL PROTECTED] writes:

> OK, in summary.
>
> 1. I should set it to listen only on the local interface by setting Listen 127.0.0.1:631 in the cupsd.conf file.
> 2. I should firewall off the port. This part is already done, I just don't like to have ports open.
>
> So from what people have said, I guess there isn't a way to run cups and close the port.

Step 1 causes cups to bind only to the loopback interface. After making the change, restart the cupsd and nmap scan your loopback (localhost) and public interfaces -- you shouldn't see 631 open on anything but the loopback.

If you've done step 1, step 2 is redundant protection. There shouldn't be anything listening on 631 anyplace except loopback.

> Is the open port essential to its operation, like open port 22 is essential to the operation of ssh?

In any unix printing architecture, there has to be a way to get the client's data to the host's print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why lp/lpr is usually SUID or SGID). In cups, the print data is transferred to the server via http protocol. This means the client program doesn't need any special privileges, but does require that the server be listening on a port somewhere. Which is ultimately a better idea from a security perspective is a matter of opinion and situation.

-- 
/* Dale Southard Jr. [EMAIL PROTECTED] 925-422-1463, fax 422-9429 */
/* Computer Scientist, Accelerated Strategic Computing Initiative */
/* L-073, Lawrence Livermore National Lab, Livermore CA 94551 */
/* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */
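Dale's verification step (restart cupsd, then confirm 631 is open on nothing but loopback) can also be done from the host's own socket table rather than with an nmap scan. The script below is an added example, not something from the thread: it reads netstat -ltn or ss -ltn style output on stdin and reports any LISTEN socket on the given port whose local address is not loopback. It assumes the local address is the fourth whitespace-separated column, as in both tools' output; the sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the list thread: check the local socket table
# for listeners on a port that are bound to anything other than loopback.
# Assumption: input is netstat -ltn or ss -ltn style output, with the local
# address ("addr:port") in column 4 and LISTEN in column 1 (ss) or last (netstat).

# non_loopback_listeners PORT < socket-table-output
#   Prints the local address of every LISTEN socket on PORT that is not
#   bound to 127.0.0.0/8, ::1 or localhost.
#   Exit status 0 = loopback-only, 1 = port reachable on another address.
non_loopback_listeners() {
    awk -v port="$1" '
        $NF == "LISTEN" || $1 == "LISTEN" {
            laddr = $4
            n = split(laddr, parts, ":")
            if (parts[n] != port) next                  # some other port
            # everything before the final ":port" is the bound address
            host = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "localhost") next
            print "port " port " is open on " laddr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample socket tables (not captured from a real host):
# before the cupsd.conf change, and after switching to Listen 127.0.0.1:631.
before='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'
after='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

for label in before after; do
    eval "table=\$$label"
    if printf '%s\n' "$table" | non_loopback_listeners 631; then
        echo "$label: 631 is loopback-only"
    else
        echo "$label: 631 is reachable from other hosts"
    fi
done
```

On a live system, pipe the real table in (netstat -ltn | non_loopback_listeners 631) after restarting cupsd; port 22 and other services are ignored, so the check stays focused on the one port being locked down. An IPv6 wildcard listener (:::631) is reported as exposed, which a loopback-only nmap scan of 127.0.0.1 would not reveal.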
Re: NFS, password transparency, and security
On Wed, Apr 10, 2002 at 12:21:13AM +0100, Gareth Bowker wrote:
> On Tue, Apr 09, 2002 at 04:02:34PM -0500, Rob VanFleet wrote:
> > On Tue, Apr 09, 2002 at 07:23:28AM -0700, Luca Filipozzi wrote:
> > > You run those services locally on each machine only. You don't make them available to other hosts.
> >
> > Sorry if I'm being completely dense here, but aren't the ports still open, even if they are only serving localhost?
>
> The point is that it's made accessible only from localhost. Whether this is by using a firewall to block connections from anyone else, using tcpwrappers or that it only binds to the lo interface.

This last case (binding to lo): how would I go about doing that?

Thanks,
Rob
Re: ipfwadm and ssh forwarding
Steve,

I think you may be happier (i.e. spend less time working on this) if you can drum up a copy of redir or transproxy for your Cobalt Cube. Both of these are stable tools that I used quite heavily before the Linux kernel incorporated a true DNAT (2.4) or port-forwarding (hacked into 2.2).

HTH,
tony

On 10 Apr 2002, Steve Johnson wrote:
> i have an old cobalt cube on my network running a custom 2.0.34 kernel, that i'm finding is going to be really hard to upgrade, it's not running debian, but everything else in here is :) so i'm only asking here because i've read the docs and tried everywhere else for help.
>
> anyway, it has ipfwadm (note: ipmasqadm is not on it) tool for handling masqing and filtering, it's currently set up to masq everything from inside to outside, and nothing else. i have a server inside running backups, pulling data from web servers remotely, that is working great, however, i need to be able to ssh into that machine from the outside, there's only one real (external) ip that's attached to the cube, can i, using ipfwadm, set it up to route any ssh requests to that machine on that ip to the internal backup server? i've tried everything, i'm just not that familiar with firewalling, if it's possible can someone send me a sample script with the appropriate rules to forward those packets?
>
> thanks in advance for your help.