unsubscribe

2002-05-24 Thread steve
unsubscribe



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: [d-security] script for security update notification

2002-05-24 Thread Matt Zimmerman
On Fri, May 24, 2002 at 03:54:48PM +0200, Christian Hammers wrote:

> On Fri, May 24, 2002 at 09:41:46AM -0400, Nathan Valentine wrote:
> > 1) Check the Debian security announcement list.
> > 2) Compare new announcements to the local package database.
> > 3) If vulnerable packages installed, send an 'I need updated' email to
> > an address defined by the SysAdmin.
> Another nice approach would be to archive all changelog entries (maybe the
> installer could extract them for you), scan them for tag=security or
> severity=high and build a database of "unwanted" packages that can be
> compared with "dpkg -l" by the admins. This way you could attach the
> relevant changelog entry to your "I need an update" mail.

See the 'harden' packages for similar work (without the changelog bits).

> Even nicer would be an extension to "apt-cache show" that shows all
> changelog entries after the installed version. It could then be used as a
> source for your program too, but needs more work, as the changelogs would
> have to be distributed alongside the package descriptions.

If there were any way to retrieve package changelogs without downloading the
source package or all binary packages, apt-listchanges would already do
this.

I wrote a program to extract changelogs from source packages and place them
in a relational database, and a CGI program to fetch changelogs for an
arbitrary range of versions, but it would have to be run automatically from
katie or such to be useful, and I got no response to inquiries about that.

-- 
 - mdz





Re: script for security update notification

2002-05-24 Thread Teun Vink
On Fri, 24 May 2002, Matt Zimmerman wrote:

> On Fri, May 24, 2002 at 09:41:46AM -0400, Nathan Valentine wrote:
> 
> > I'm thinking of writing a script but I am hoping that someone else has
> > beaten me to the punch. Perhaps someone has seen something that will do
> > this:
> > 
> > 1) Check the Debian security announcement list.
> > 2) Compare new announcements to the local package database.
> > 3) If vulnerable packages installed, send an 'I need updated' email to
> > an address defined by the SysAdmin.
> > 
> > Anyone ever seen such a beast? I've searched the archives of this list
> > and not found any reference to anything along these lines. 
> 
> If an announcement has been made, then there is a fixed package available,
> and (assuming you have the relevant sources.list entry) it will be
> automatically made available to apt, and all you need is a tool like
> apt-show-versions (or even apt-get) to automatically retrieve a list of
> packages for which updates exist.
> 
> 

This can be simply done with the following statement:

apt-get -qq update && apt-get -dqq upgrade && apt-get -sqq upgrade

(assuming your machine is 24/7 connected to the internet and you have
security.debian.org in your /etc/apt/sources.list)

This will update your packages list, and then simulate an
upgrade. Schedule it using a cron job, and you will only receive mail if
new packages are available. I use this to maintain a network of about 50
Debian servers (potato and woody).


Hope this helps,


Teun

-- 
Teun Vink - [EMAIL PROTECTED] - icq: 15001247 - http://teun.moonblade.net
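An added example, not code from the thread or from any Debian tool: a Python version of the cron check described above. It parses the "Inst" lines that a simulated upgrade prints, so cron mails you only when something is pending, and the mail names the packages and which of them come from the security archive. The "Inst" line shape is what `apt-get -s upgrade` prints; the sample output, the `--sample` flag and the function names are this example's own.

```python
"""Cron-friendly wrapper around "apt-get update && apt-get -s upgrade".

Added example for the thread above; not part of apt or of any package.
"""
import re
import socket
import subprocess
import sys

# One line per package that a simulated upgrade would install:
#   Inst <package> [<installed version>] (<candidate version> <origin ...>)
INST_RE = re.compile(r"^Inst (\S+) \[([^\]]+)\] \((\S+) (.*)\)")

# Constructed sample of "apt-get -s upgrade" output (placeholder package
# names and versions, not captured from a real host).
SAMPLE = """Reading package lists...
Building dependency tree...
Inst libexample1 [1.0-1] (1.0-2 Debian-Security:3.0/stable)
Inst example-tool [2.3-4] (2.3-5 Debian:3.0/stable)
Conf libexample1 (1.0-2 Debian-Security:3.0/stable)
Conf example-tool (2.3-5 Debian:3.0/stable)
"""


def pending_upgrades(simulation_output):
    """Return [(package, installed, candidate, origin)] for every Inst line."""
    found = []
    for line in simulation_output.splitlines():
        m = INST_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return found


def security_only(upgrades):
    """Keep the upgrades whose origin names the security archive."""
    return [u for u in upgrades if "security" in u[3].lower()]


def report(upgrades, host):
    """Human-readable report, or "" when nothing is pending (so cron stays quiet)."""
    if not upgrades:
        return ""
    lines = ["%d package(s) with updates available on %s:" % (len(upgrades), host)]
    for pkg, old, new, origin in upgrades:
        lines.append("  %s: %s -> %s (%s)" % (pkg, old, new, origin))
    return "\n".join(lines)


def run_simulation():
    """Refresh the package lists and simulate an upgrade (needs root and apt)."""
    subprocess.run(["apt-get", "-qq", "update"], check=True)
    done = subprocess.run(["apt-get", "-sqq", "upgrade"], check=True,
                          capture_output=True, text=True)
    return done.stdout


def main():
    sim = SAMPLE if "--sample" in sys.argv else run_simulation()
    out = report(pending_upgrades(sim), socket.gethostname())
    if out:
        print(out)  # anything printed here is what cron mails you


if __name__ == "__main__":
    main()
```

Run it from cron as `security-check.py`, or with `--sample` to see the report format offline; a mail only arrives when the report is non-empty.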






Re: script for security update notification

2002-05-24 Thread Matt Zimmerman
On Fri, May 24, 2002 at 09:41:46AM -0400, Nathan Valentine wrote:

> I'm thinking of writing a script but I am hoping that someone else has
> beaten me to the punch. Perhaps someone has seen something that will do
> this:
> 
> 1) Check the Debian security announcement list.
> 2) Compare new announcements to the local package database.
> 3) If vulnerable packages installed, send an 'I need updated' email to
> an address defined by the SysAdmin.
> 
> Anyone ever seen such a beast? I've searched the archives of this list
> and not found any reference to anything along these lines. 

If an announcement has been made, then there is a fixed package available,
and (assuming you have the relevant sources.list entry) it will be
automatically made available to apt, and all you need is a tool like
apt-show-versions (or even apt-get) to automatically retrieve a list of
packages for which updates exist.

-- 
 - mdz





Re: script for security update notification

2002-05-24 Thread Javier Fernández-Sanguino Peña
On Fri, May 24, 2002 at 09:41:46AM -0400, Nathan Valentine wrote:
> 
> I'm thinking of writing a script but I am hoping that someone else has
> beaten me to the punch. Perhaps someone has seen something that will do
> this:
> 
> 1) Check the Debian security announcement list.
> 2) Compare new announcements to the local package database.
> 3) If vulnerable packages installed, send an 'I need updated' email to
> an address defined by the SysAdmin.
> 
Nice thing. Already done, though (see below)

> Anyone ever seen such a beast? I've searched the archives of this list
> and not found any reference to anything along these lines. 

Simple one: Tiger does this (Debian's, of course; it has been
patched/fixed to do this sort of stuff).

Ok. Now brace yourself for a *long* explanation.

Even if it's only slightly documented in the README.Debian file
(and in the manpage too), the Tiger in Debian has been enhanced to provide
quite a bit more functionality than the Tiger provided by TAMU (or even TARA, a
Tiger version distributed by ARSC).
One of these enhancements is the 'deb_checkadvisories' script. This
script takes a list of DSAs and checks them against the installed package base
to see if any of your packages is vulnerable according to a DSA. This is
a slightly different approach from the more general one taken by Tiger's
'check_signatures' script, which checks MD5sums of known vulnerable programs.

Since currently we do not ship this info (i.e. MD5sums of known
vulnerable versions) I tried the DSA approach, which works fine. However,
both the DSA approach and the MD5sum approach have a problem: the signatures
have to be updated regularly.
I do this when making new versions of the Tiger package, but I do
not make a new version every time a DSA is shipped. A nice addition, which
I have not had time to add, would be to do this proactively, that is,
download the DSAs from the web, make the list and then check. The DSAs are
currently updated from my local CVS checkout of the WML sources used to
build security.debian.org (the webserver, that is).

If anyone wants to contribute a program to parse the published
DSAs, either received through e-mail or available on security.debian.org,
and generate the file used by 'deb_checkadvisories' to confirm
vulnerabilities, that would be quite nice (hint, hint).

This check is run through the standard program configuration once
installed (see /etc/tiger/cronrc):
# Check for Debian security measures every day at 1 am
#
1 * *   deb_checkmd5sums deb_nopackfiles deb_checkadvisories
#


*However*, there is one more check that you might want to add.
It has not yet been added to the standard cron scripts. That
check is 'check_patches'. This script works the following way:

1.- runs apt-get update
2.- checks if there are new packages available

*IF* you are running a 'stable' system and add the
security.debian.org apt source line to your /etc/apt/sources.list, this script
will be able to tell you if there are new packages that you need to
install. Since the only packages changing in this setup are security
updates, you have just what you wanted.

Of course this will not work if you are running woody/testing or
sid/unstable, since the new packages are probably much more than security
updates currently (maybe not that many in the woody case, since we are
"frozen" :)

You can add this script to the checks done by the cron job (in the
above configuration file) and it should work properly to warn you of this.

Hope this helps. I will try to take the time and add this same
information to the "Debian Security Manual" as soon as possible.

Regards

Javi





Re: How create 2 server mod-ssl certificates

2002-05-24 Thread Michael Schmidlin
On Tue, 07 May 2002 17:25:01 +0200, Manuel Segura <[EMAIL PROTECTED]> wrote:

Hi,
> Hello,
> I am creating some server mod-ssl certificates using the script 
> mod-ssl-makecert.
> 
I used to do it with openssl. For example
bash:~$ openssl genrsa -des3 -rand /dev/random -out www.domain.tld.key 1024
generates your key,
bash:~$ openssl req -new -key www.domain.tld.key -out www.domain.tld.csr
creates a request for a certificate,
bash:~$ openssl x509 -req -days 30 -in www.domain.tld.csr \
    -signkey www.domain.tld.key -out www.domain.tld.crt
creates a self-signed certificate valid for thirty days.

With ApacheSSL it is slightly different than with mod_ssl, but man openssl is a
good choice. I hope I could help you along.

just try, Michael

Coincidences are spiritual puns.
-- G.K. Chesterton






Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Reagan Blundell
On Fri, May 24, 2002 at 02:23:38PM +0200, Kjetil Kjernsmo wrote:
> 
> OK. This is what nmap says, launched from my workstation:
[snip]
> 137/tcp    filtered    netbios-ns
> 138/tcp    filtered    netbios-dgm
> 139/tcp    filtered    netbios-ssn
[snip]
> 6346/tcp   filtered    gnutella

"filtered" means there's no reply coming back
on those ports - most likely your ISP is blocking
those ports.

The fact they don't show up when you do a
local scan confirms this.  These services
aren't running on your machine.






Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:

> On 24 May 2002, Tim Haynes wrote:
> 
> >Unfortunately, the only way to examine all the files on the disk/s is to
> >reboot the box off clean r/o media (read: rescue CD), mount them r/o,
> >and examine them by hand.
> 
> Yeah, I guess so.

In the absence of this, keeping an eye on what the box is doing is a close
second. 

> >> 53/tcp     open        domain
> >
> >OK, what version of what are you running for this?
> 
> According to Nessus:
> "The remote bind version is : 9.2.0"
> But I guess this need not be accessible from the outside. I'm not running
> a name server myself (though I plan to some time...)

Well if you do, I'll recommend bind 9.2.x for the job unless there's a
better version out there by that time ;)

Last count of remote exploits: bind-8.x, lots. bind-9.x, none.

> >> 80/tcp     open        http
> >> 110/tcp    open        pop-3
> >> 111/tcp    open        sunrpc
> >
> >Portmapper (111) is an absolute liability - I flatly refuse to run it on
> >any public-facing box, and it must *never* be externally visible.
> 
> *tears rolling* I would like to mount the three partitions where I keep
> my web pages over NFS, but my server and I will be on different networks.
> But OK I installed harden-servers.

You might be better off with `rsync -e ssh' and passphraseless keys,
depending on exactly how immediate you want change notifications to
propagate.

You should definitely consider the relationship between your servers in the
firewall design - at the very least I'd say portmap+nfs is permitted *IFF*
you firewall down to the two machines. But preferably, don't do it at all.

> >> 137/tcp    filtered    netbios-ns
> >> 138/tcp    filtered    netbios-dgm
> >> 139/tcp    filtered    netbios-ssn
> >
> >You're running samba then?
> 
> No, it was installed in tasksel IIRC, I thought I removed it, but
> apparently not. I removed samba, but they didn't disappear, something
> more I have to do?

If you were running samba out of xinetd, you'll probably want to disable
the relevant services in /etc/xinetd.conf (and reload xinetd).

> >> 6346/tcp   filtered    gnutella
> >
> >Hang around, it's "filtered"? That means it never replied to nmap but
> >there were other ports that did - the mixture of responses means nmap
> >"knows" this port is dropping responses.
> 
> It does? 

Yes. 

> >I think you have an anomaly, myself.
> 
> OK.

You might want to check for a firewall between your workstation and the
server in question dropping port 6346 specifically - in fact, if you really
want to be sure, run tcpdump on the server while you nmap it for
-p6345-6347 (a range crossing the port in question) and see if port 6346 is
scanned at all - if not, it's an outgoing firewall getting in your way :)

> >> Uh, don't think so. I installed snort, but didn't take the time to
> >> play with it. I thought that would do the job too... Can I get the
> >> required information from the snort install...?
> >
> >Nope, snort is for dynamic logs of dodgy packets going by. 
> 
> I see. 

... you can log the results into mysql and run _Acid_ against it, too. That
generates pretty-picture html overviews and stuff.

> >> What could be wrong about e.g.:
> >>ForwardX11 yes
> >
> >Erm, that's a little bit weird. 
> >
> > | StrictModes yes
> > | X11Forwarding yes
> > | X11DisplayOffset 10
> > | AllowTcpForwarding yes
> >
> >I think you're somehow using an old sshd_config with a proto2-enabled sshd.
> >Or a non-free ssh against openssh. Possibly.
> 
> Eh, Berend pointed out to me that I was making sshd read ssh_config...
> That could be it, but I have been messing a bit with it, so there could
> be more.

That would also explain it :8)

> >You should keep an eye the incoming/outgoing traffic, though; I thought
> >I saw a utility for analysing how many hosts/ports a box contacts over
> >time recently, which will help.
> 
> OK, I'll search.

Well if nothing else, you can use _iptraf_ in per-port summary mode :)

> >Set up snort and AIDE as a matter of urgency too
> 
> They're up. AIDE looked easy to configure, apt seemed to do that. 

Choose what hashes you maintain for which directory very carefully. I have
separate settings for:

=/boot$ Binlib
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
/usr/games Binlib
# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib
# Log files
/var/log$ StaticDir
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
/var/log/setuid.changes(.[0-9])?(.gz)? Databases
/var/log Logs
!/var/log/snort
# Devices
!/dev/pts
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run

if it helps :)

> >and dns dangling around all over the place, nor will you be aware what's
> >going off if you don't start firewalling things properly and keep a

Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Kjetil Kjernsmo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24 May 2002, Tim Haynes wrote:

>Unfortunately, the only way to examine all the files on the disk/s is to
>reboot the box off clean r/o media (read: rescue CD), mount them r/o, and
>examine them by hand.

Yeah, I guess so.

>You're highly unlikely to find something with trojanned binaries and/or a
>kernel module sitting there intercepting syscalls saying "we're not
>listening on port " and "oh look, an exec() call to ps, use ps.fake
>instead" - all 3 of which are possible these days.

Hehe.

>Nah, when you're root if the option completely isn't understood then you've
>got problems. (I mention this only because it was the first thing that gave
>a cracked box away to me.)

Good! :-)

>> OK. This is what nmap says, launched from my workstation:
>> Port       State       Service
>> 22/tcp     open        ssh
>> 25/tcp     open        smtp
>
>These are generally safe - especially in Testing.

Good.

>> 53/tcp     open        domain
>
>OK, what version of what are you running for this?

According to Nessus:
"The remote bind version is : 9.2.0"
But I guess this need not be accessible from the outside. I'm not running
a name server myself (though I plan to some time...)

>> 80/tcp     open        http
>> 110/tcp    open        pop-3
>> 111/tcp    open        sunrpc
>
>Portmapper (111) is an absolute liability - I flatly refuse to run it on
>any public-facing box, and it must *never* be externally visible.

*tears rolling* I would like to mount the three partitions where I keep my
web pages over NFS, but my server and I will be on different networks. But
OK I installed harden-servers.

>> 137/tcp    filtered    netbios-ns
>> 138/tcp    filtered    netbios-dgm
>> 139/tcp    filtered    netbios-ssn
>
>You're running samba then?

No, it was installed in tasksel IIRC, I thought I removed it, but
apparently not. I removed samba, but they didn't disappear, something more
I have to do?

>> 6346/tcp   filtered    gnutella
>
>Hang around, it's "filtered"? That means it never replied to nmap but there
>were other ports that did - the mixture of responses means nmap "knows"
>this port is dropping responses.

It does? 

>I think you have an anomaly, myself.

OK.

>> So, the suspicious gnutella port isn't in the latter. I don't know what
>> kdm is doing there, BTW. I unselected X and desktop in the initial
>> tasksel. There seems to have been installed some X stuff nevertheless,
>> but neither KDE nor kdm has ever been installed on this box.
>
>Ah, good you said that. It's not "kdm" necessarily, it's because it's the
>first port to which a non-privileged app may bind, >=1024. (See why the
>next one is 1025...)

I see. I also got a private response from Berend De Schouwer who explained
this. 

>I'd not worry about that lot myself. Unless I've missed something, it's not
>obviously different from the nmap results, is it?

Not that I can tell.

>> >Next, if you've got a socket listener or 6346 (IIRC, the most frequently
>> >used gnutella port), try telnetting into it and see what banner, if any,
>> >it presents.
>> 
>> Nope, nothing... 
>> pooh:~# telnet 217.77.32.186 6346
>> Trying 217.77.32.186...
>> telnet: Unable to connect to remote host: Connection refused
>> to be sure. 
>
>That's promising. 

Good.

>And it didn't turn up in netstat, just when you used a
>particular box to do the nmap?

Right.

>Does the port come and go over time at all?

Doesn't seem like it.

>> Yeah, I've done that several times. chkrootkit was described in "Securing
>> Debian", so I installed it before moving it, but only ran it just after I
>> saw the gnutella port. Nothing detected.
>
>OK. It's not a complete guarantee as it uses potentially-tainted tools, but
>it pushes the odds more in your favour.

Good.

>> >Do you have an original AIDE database from immediately after it was
>> >installed?
>> 
>> Uh, don't think so. I installed snort, but didn't take the time to play
>> with it. I thought that would do the job too... Can I get the required
>> information from the snort install...?
>
>Nope, snort is for dynamic logs of dodgy packets going by. 

I see. 

>AIDE is like
>tripwire - stores a database of crypto hashes for files in the filesystem,
>so you compare the database nightly and see what's changed of interest.

Yep, I installed it just after your last e-mail. Also installed
harden-environment. 

>> What could be wrong about e.g.:
>>ForwardX11 yes
>
>Erm, that's a little bit weird. 
>
> | StrictModes yes
> | X11Forwarding yes
> | X11DisplayOffset 10
> | AllowTcpForwarding yes
>
>I think you're somehow using an old sshd_config with a proto2-enabled sshd.
>Or a non-free ssh against openssh. Possibly.

Eh, Berend pointed out to me that I was making sshd read ssh_config...
That could be it, but I have been messing a bit with it, so there could be
more. 

>Good. OK, in that case, you might want to double-check a few others as
>well:
>
> | c29daf1d9fe836053e9f4f0a67a7a94e  /usr/sbin/chkroot

Re: Generating Mail passwords

2002-05-24 Thread Tomasz Papszun
On Fri, 24 May 2002 at 15:04:50 +0200, Lars Roland Kristiansen wrote:
[...]
> I have 200 users and want some new, more secure passwords
> (not too long, though). Is there a simple way to generate
> secure passwords so I can use them with adduser

pwgen, makepasswd, apg (since Woody).

[ > 11 lines deleted ]

You could shorten your .sig. It should not exceed 4-5 lines.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.





Re: [d-security] script for security update notification

2002-05-24 Thread Christian Hammers
On Fri, May 24, 2002 at 09:41:46AM -0400, Nathan Valentine wrote:
> 1) Check the Debian security announcement list.
> 2) Compare new announcements to the local package database.
> 3) If vulnerable packages installed, send an 'I need updated' email to
> an address defined by the SysAdmin.
Another nice approach would be to archive all changelog entries (maybe the
installer could extract them for you), scan them for tag=security or 
severity=high and build a database of "unwanted" packages that can be
compared with "dpkg -l" by the admins. This way you could attach the
relevant changelog entry to your "I need an update" mail.

Even nicer would be an extension to "apt-cache show" that shows all
changelog entries after the installed version. It could then be used as a source
for your program too, but needs more work, as the changelogs would have to be
distributed alongside the package descriptions.

Just some thoughts..

bye,

-christian-





Re: Uh-oh. Cracked already. I think...

2002-05-24 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:

> Thanks for all the responses.
> 
> I realize it's pretty bold trying to put a box on the net without having
> extensive admin experience beforehand. But I think I'm learning fast, and
> I hope I'll be able to do it without placing any burden on the rest of
> the net. That is, except for you guys... :-) Your help is greatly
> appreciated!

We do our best :)

> >Well if something's got on there that you don't remember installing, can
> >I have some of what you're taking? ;)
> 
> Hehe... I was so sure it would be at least one copy of Star Wars II,
> but no... ;-) There's nothing here... I've walked through the whole disk,
> and I can't find anything of any size that I don't know what is. Whatever
> it is, it has to be rather small...

Unfortunately, the only way to examine all the files on the disk/s is to
reboot the box off clean r/o media (read: rescue CD), mount them r/o, and
examine them by hand.

You're highly unlikely to find something with trojanned binaries and/or a
kernel module sitting there intercepting syscalls saying "we're not
listening on port " and "oh look, an exec() call to ps, use ps.fake
instead" - all 3 of which are possible these days.

> >It's at this point that you should start debugging what's really
> >listening on your box from what a scanner says you are. I suggest you
> >nmap yourself to see what ports you really have open, and compare
> >against
> >netstat -plant | grep LIST
> >(here's your first potential clue: if netstat complains about `-p', it's
> >been trojanned.)
> 
> It complained about -p when I wasn't root...

Nah, when you're root if the option completely isn't understood then you've
got problems. (I mention this only because it was the first thing that gave
a cracked box away to me.)

> OK. This is what nmap says, launched from my workstation:
> Port       State     Service
> 22/tcp     open      ssh
> 25/tcp     open      smtp

These are generally safe - especially in Testing.

> 53/tcp     open      domain

OK, what version of what are you running for this?

> 80/tcp     open      http
> 110/tcp    open      pop-3
> 111/tcp    open      sunrpc

Portmapper (111) is an absolute liability - I flatly refuse to run it on
any public-facing box, and it must *never* be externally visible.

> 137/tcp    filtered  netbios-ns
> 138/tcp    filtered  netbios-dgm
> 139/tcp    filtered  netbios-ssn

You're running samba then?

> 6346/tcp   filtered  gnutella

Hang around, it's "filtered"? That means it never replied to nmap but there
were other ports that did - the mixture of responses means nmap "knows"
this port is dropping responses.

I think you have an anomaly, myself.

> So, the suspicious gnutella port isn't in the latter. I don't know what
> kdm is doing there, BTW. I unselected X and desktop in the initial
> tasksel. There seems to have been installed some X stuff nevertheless,
> but neither KDE nor kdm has ever been installed on this box.

Ah, good you said that. It's not "kdm" necessarily, it's because it's the
first port to which a non-privileged app may bind, >=1024. (See why the
next one is 1025...)

> So for netstat:
> pooh:~# netstat -plant | grep LIST
> tcp   0 0.0.0.0:1024        0.0.0.0:* LISTEN 209/rpc.statd
> tcp   0 0.0.0.0:1025        0.0.0.0:* LISTEN 236/rpc.mountd
> tcp   0 0.0.0.0:139         0.0.0.0:* LISTEN 218/inetd
> tcp   0 0.0.0.0:110         0.0.0.0:* LISTEN 218/inetd
> tcp   0 0.0.0.0:111         0.0.0.0:* LISTEN 123/portmap
> tcp   0 0.0.0.0:80          0.0.0.0:* LISTEN 6586/apache
> tcp   0 217.77.32.186:53    0.0.0.0:* LISTEN 194/named
> tcp   0 127.0.0.1:53        0.0.0.0:* LISTEN 194/named
> tcp   0 0.0.0.0:22          0.0.0.0:* LISTEN 285/sshd
> tcp   0 127.0.0.1:953       0.0.0.0:* LISTEN 201/lwresd
> tcp   0 0.0.0.0:25          0.0.0.0:* LISTEN 218/inetd
> 
> (slightly reformatted to fit better)

(reformatted better still ;)

I'd not worry about that lot myself. Unless I've missed something, it's not
obviously different from the nmap results, is it?

> >Next, if you've got a socket listener on 6346 (IIRC, the most frequently
> >used gnutella port), try telnetting into it and see what banner, if any,
> >it presents.
> 
> Nope, nothing... 
> pooh:~# telnet 217.77.32.186 6346
> Trying 217.77.32.186...
> telnet: Unable to connect to remote host: Connection refused
> to be sure. 

That's promising. And it didn't turn up in netstat, just when you used a
particular box to do the nmap?

Does the port come and go over time at all?

> >At some stage you should probably run _chkrootkit_ on the blighter, too.
> 
> Yeah, I've done that several times. chkrootkit was described in "Securing
> Debian", so I installed it before moving it, but only ran it just after I
> saw the gnutella port. Nothing detected.

OK. It's not a complete guarantee as it uses potentially-tainted tools, but
it pushes the odds more in your favour.

script for security update notification

2002-05-24 Thread Nathan Valentine

I'm thinking of writing a script but I am hoping that someone else has
beaten me to the punch. Perhaps someone has seen something that will do
this:

1) Check the Debian security announcement list.
2) Compare new announcements to the local package database.
3) If vulnerable packages installed, send an 'I need updated' email to
an address defined by the SysAdmin.

Anyone ever seen such a beast? I've searched the archives of this list
and not found any reference to anything along these lines. 

-- 
---
Nathan Valentine - [EMAIL PROTECTED]
Jabber: NRVesKY AIM: NRVesKY ICQ: 39023424



Re: Uh-oh. Cracked already. I think...

2002-05-24 Thread Reagan Blundell

On Fri, May 24, 2002 at 02:23:38PM +0200, Kjetil Kjernsmo wrote:
> 
> OK. This is what nmap says, launched from my workstation:
[snip]
> 137/tcp    filtered  netbios-ns
> 138/tcp    filtered  netbios-dgm
> 139/tcp    filtered  netbios-ssn
[snip]
> 6346/tcp   filtered  gnutella

"filtered" means there's no reply coming back 
on those ports - most likely your ISP is blocking
those ports.

The fact they don't show up when you do a
local scan confirms this.  These services
aren't running on your machine.





Re: Generating Mail passwords

2002-05-24 Thread Alain Tesio
On Fri, 24 May 2002 15:04:50 +0200 (MET DST)
Lars Roland Kristiansen <[EMAIL PROTECTED]> wrote:

> 
> Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a Debian
> mail server. I have 200 users and want some new, more secure passwords
> (not too long though). Is there a simple way to generate
> secure passwords so I can use them with adduser?

See pwgen

Alain




Re: Generating Mail passwords

2002-05-24 Thread Mark Janssen
On Fri, 2002-05-24 at 15:04, Lars Roland Kristiansen wrote:
> Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a Debian
> mail server. I have 200 users and want some new, more secure passwords
> (not too long though). Is there a simple way to generate
> secure passwords so I can use them with adduser?

pwgen or one of the other password generation tools with the right
options. :)

apt-cache show pwgen

Description: Automatic Password generation
 pwgen generates random, meaningless but pronounceable passwords. Depending
 on how the program was installed, these words contain either only
 lowercase letters, or upper and lower case mixed, or digits thrown
 in. Uppercase letters and digits are placed in a way that eases
 remembering their position when memorizing only the word.

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl



Generating Mail passwords

2002-05-24 Thread Lars Roland Kristiansen
Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a Debian
mail server. I have 200 users and want some new, more secure passwords
(not too long though). Is there a simple way to generate
secure passwords so I can use them with adduser?

Thanks


___
Mvh./Yours sincerely

Lars 


Lars Roland Kristiansen |   (__) 
Stu. Sci. Math/Computer science |   (oo) 
Copenhagen University - | /--\/ < MUH MUHHH 
Institute for Mathematical Sciences |/ |||   
Url: www.math.ku.dk |   *  /\---/\ 
Email: [EMAIL PROTECTED]|  ~~   ~~   


   "Politics is for the moment, equations are forever"
- Albert Einstein





Re: Uh-oh. Cracked already. I think...

2002-05-24 Thread Tim Haynes

Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:

> On 24 May 2002, Tim Haynes wrote:
> 
> >Unfortunately, the only way to examine all the files on the disk/s is to
> >reboot the box off clean r/o media (read: rescue CD), mount them r/o,
> >and examine them by hand.
> 
> Yeah, I guess so.

In the absence of this, keeping an eye on what the box is doing is a close
second. 

> >> 53/tcp     open      domain
> >
> >OK, what version of what are you running for this?
> 
> According to Nessus:
> "The remote bind version is : 9.2.0"
> But I guess this need not be accessible from the outside. I'm not running
> a name server myself (though I plan to some time...)

Well if you do, I'll recommend bind 9.2.x for the job unless there's a
better version out there by that time ;)

Last count of remote exploits: bind-8.x, lots. bind-9.x, none.

> >> 80/tcp     open      http
> >> 110/tcp    open      pop-3
> >> 111/tcp    open      sunrpc
> >
> >Portmapper (111) is an absolute liability - I flatly refuse to run it on
> >any public-facing box, and it must *never* be externally visible.
> 
> *tears rolling* I would like to mount the three partitions where I keep
> my web pages over NFS, but my server and I will be on different networks.
> But OK I installed harden-servers.

You might be better off with `rsync -e ssh' and passphraseless keys,
depending on exactly how immediately you want change notifications to
propagate.

You should definitely consider the relationship between your servers in the
firewall design - at the very least I'd say portmap+nfs is permitted *IFF*
you firewall down to the two machines. But preferably, don't do it at all.

> >> 137/tcp    filtered  netbios-ns
> >> 138/tcp    filtered  netbios-dgm
> >> 139/tcp    filtered  netbios-ssn
> >
> >You're running samba then?
> 
> No, it was installed in tasksel IIRC, I thought I removed it, but
> apparently not. I removed samba, but they didn't disappear, something
> more I have to do?

If you were running samba out of xinetd, you'll probably want to disable
the relevant services in /etc/xinetd.conf (and reload xinetd).

> >> 6346/tcp   filtered  gnutella
> >
> >Hang around, it's "filtered"? That means it never replied to nmap but
> >there were other ports that did - the mixture of responses means nmap
> >"knows" this port is dropping responses.
> 
> It does? 

Yes. 

> >I think you have an anomaly, myself.
> 
> OK.

You might want to check for a firewall between your workstation and the
server in question dropping port 6346 specifically - in fact, if you really
want to be sure, run tcpdump on the server while you nmap it for
-p6345-6347 (a range crossing the port in question) and see if port 6346 is
scanned at all - if not, it's an outgoing firewall getting in your way :)

> >> Uh, don't think so. I installed snort, but didn't take the time to
> >> play with it. I thought that would do the job too... Can I get the
> >> required information from the snort install...?
> >
> >Nope, snort is for dynamic logs of dodgy packets going by. 
> 
> I see. 

... you can log the results into mysql and run _Acid_ against it, too. That
generates pretty-picture html overviews and stuff.

> >> What could be wrong about e.g.:
> >>ForwardX11 yes
> >
> >Erm, that's a little bit weird. 
> >
> > | StrictModes yes
> > | X11Forwarding yes
> > | X11DisplayOffset 10
> > | AllowTcpForwarding yes
> >
> >I think you're somehow using an old sshd_config with a proto2-enabled sshd.
> >Or a non-free ssh against openssh. Possibly.
> 
> Eh, Berend pointed out to me that I was making sshd read ssh_config...
> That could be it, but I have been messing a bit with it, so there could
> be more.

That would also explain it :8)

> >You should keep an eye the incoming/outgoing traffic, though; I thought
> >I saw a utility for analysing how many hosts/ports a box contacts over
> >time recently, which will help.
> 
> OK, I'll search.

Well if nothing else, you can use _iptraf_ in per-port summary mode :)

> >Set up snort and AIDE as a matter of urgency too
> 
> They're up. AIDE looked easy to configure, apt seemed to do that. 

Choose what hashes you maintain for which directory very carefully. I have
separate settings for:

=/boot$ Binlib
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
/usr/games Binlib
# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib
# Log files
/var/log$ StaticDir
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
/var/log/setuid.changes(.[0-9])?(.gz)? Databases
/var/log Logs
!/var/log/snort
# Devices
!/dev/pts
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run

if it helps :)

> >and dns dangling around all over the place, nor will you be aware what's
> >going off if you don't start firewalling things properly and keep a
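The aide.conf fragment above decides which attributes are kept for which directory. As an added example (mine, not AIDE's code and not from any post here), a miniature of that idea in Python: the most specific prefix rule wins, "!" entries are excluded, and each group lists the attributes recorded, so a log file is checked only for ownership and permissions while a binary is also checked by content hash. The tree, the groups, the rules and the choice of sha256 are this example's own.

```python
"""AIDE-style integrity baseline, as an added example (not from the thread and
not AIDE's own code). It mimics the rule idea of the aide.conf fragment above:
the most specific prefix rule wins, excluded entries act like "!/var/log/snort",
and each group names which attributes are recorded, so a log file is checked
for ownership and permissions only while a binary is also checked by content
hash. The tree, groups and hash choice (sha256) are this example's own."""
import hashlib
import os
import stat
import tempfile

# Attributes recorded per group (loosely modelled on AIDE's Binlib/Logs idea).
GROUPS = {
    "Binlib": ("mode", "uid", "gid", "size", "sha256"),
    "Logs": ("mode", "uid", "gid"),  # contents change legitimately every day
}
# (path prefix, group); None means excluded, like "!/var/log/snort".
RULES = [("/bin", "Binlib"), ("/var/log", "Logs"), ("/var/log/snort", None)]


def classify(path: str) -> str:
    """Group for a path under the longest matching prefix, or None."""
    best = None
    for prefix, group in RULES:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, group)
    return best[1] if best else None


def _attributes(full: str, wanted: tuple) -> dict:
    st = os.lstat(full)
    attrs = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if "sha256" in wanted:
        with open(full, "rb") as fh:
            attrs["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    return {k: attrs[k] for k in wanted}


def snapshot(root: str) -> dict:
    """Database: path (relative to root, with leading '/') -> attributes."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            group = classify(rel)
            if group is not None:
                db[rel] = _attributes(full, GROUPS[group])
    return db


def compare(old: dict, new: dict) -> dict:
    """The nightly report: added, removed and changed (with the attributes)."""
    changed = [(p, [k for k in old[p] if old[p][k] != new[p].get(k)])
               for p in sorted(old.keys() & new.keys()) if old[p] != new[p]]
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()), "changed": changed}


def _write(root: str, rel: str, data: str, mode: int = 0o644) -> None:
    full = os.path.join(root, rel.lstrip("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo() -> dict:
    """Constructed tree: take a baseline, then apply a night's worth of changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "/bin/ls", "binary v1", 0o755)
        _write(root, "/var/log/syslog", "May 24 boot\n", 0o640)
        _write(root, "/var/log/snort/alert", "noise\n")
        baseline = snapshot(root)
        _write(root, "/bin/ls", "binary v2", 0o755)  # same size, new content
        _write(root, "/var/log/syslog", "May 24 boot\nMay 25 more\n", 0o666)  # grew, now world-writable
        _write(root, "/var/log/snort/alert.1", "more noise\n")  # excluded tree
        _write(root, "/bin/extra", "new binary", 0o755)  # appeared since baseline
        return compare(baseline, snapshot(root))
```

The report flags the binary by hash even though its size is unchanged, flags the log only for its mode (its growth is not tracked), and ignores the excluded snort directory.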

Re: Uh-oh. Cracked already. I think...

2002-05-24 Thread Kjetil Kjernsmo

Dear Tim, dear all,

Thanks for all the responses.

I realize it's pretty bold trying to put a box on the net without having
extensive admin experience beforehand. But I think I'm learning fast, and
I hope I'll be able to do it without placing any burden on the rest of the
net. That is, except for you guys... :-) Your help is greatly appreciated!

On 23 May 2002, Tim Haynes wrote:

>Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:
>
>> To address this first: It is the gnutella server that causes alarm, so is
>> there anything I could have done that would install gnutella but escape
>> my attention? I certainly never did apt-get install gnutella (I tried
>> apt-get remove gnutella yesterday, with no effect). Is it likely that if
>> I don't know how it got there, has been installed by a cracker? I've
>> tried to telnet 217.77.32.186 6346 but get no connection.
>
>Well if something's got on there that you don't remember installing, can I
>have some of what you're taking? ;)

Hehe... I was so sure it would be at least one copy of Star Wars II,
but no... ;-) There's nothing here... I've walked through the whole disk,
and I can't find anything of any size that I don't know what is. Whatever
it is, it has to be rather small... 

>It's at this point that you should start debugging what's really listening
>on your box from what a scanner says you are. I suggest you nmap yourself
>to see what ports you really have open, and compare against
>netstat -plant | grep LIST
>(here's your first potential clue: if netstat complains about `-p', it's
>been trojanned.)

It complained about -p when I wasn't root...

OK. This is what nmap says, launched from my workstation:
Port       State     Service
22/tcp     open      ssh
25/tcp     open      smtp
53/tcp     open      domain
80/tcp     open      http
110/tcp    open      pop-3
111/tcp    open      sunrpc
137/tcp    filtered  netbios-ns
138/tcp    filtered  netbios-dgm
139/tcp    filtered  netbios-ssn
1024/tcp   open      kdm
1025/tcp   open      listen
6346/tcp   filtered  gnutella

Whereas this is nmap from the machine itself:
[EMAIL PROTECTED]:~$ nmap pooh

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning:  You are not root -- using TCP pingscan rather than ICMP
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State     Service
22/tcp     open      ssh
25/tcp     open      smtp
53/tcp     open      domain
80/tcp     open      http
110/tcp    open      pop-3
111/tcp    open      sunrpc
139/tcp    open      netbios-ssn
1024/tcp   open      kdm
1025/tcp   open      listen

So, the suspicious gnutella port isn't in the latter. I don't know what
kdm is doing there, BTW. I unselected X and desktop in the initial
tasksel. There seems to have been installed some X stuff nevertheless, but
neither KDE nor kdm has ever been installed on this box. 

So for netstat:
pooh:~# netstat -plant | grep LIST
tcp  0  0 0.0.0.0:1024        0.0.0.0:* LISTEN 209/rpc.statd
tcp  0  0 0.0.0.0:1025        0.0.0.0:* LISTEN 236/rpc.mountd
tcp  0  0 0.0.0.0:139         0.0.0.0:* LISTEN 218/inetd
tcp  0  0 0.0.0.0:110         0.0.0.0:* LISTEN 218/inetd
tcp  0  0 0.0.0.0:111         0.0.0.0:* LISTEN 123/portmap
tcp  0  0 0.0.0.0:80          0.0.0.0:* LISTEN 6586/apache
tcp  0  0 217.77.32.186:53    0.0.0.0:* LISTEN 194/named
tcp  0  0 127.0.0.1:53        0.0.0.0:* LISTEN 194/named
tcp  0  0 0.0.0.0:22          0.0.0.0:* LISTEN 285/sshd
tcp  0  0 127.0.0.1:953       0.0.0.0:* LISTEN 201/lwresd
tcp  0  0 0.0.0.0:25          0.0.0.0:* LISTEN 218/inetd

(slightly reformatted to fit better)

>Next, if you've got a socket listener on 6346 (IIRC, the most frequently
>used gnutella port), try telnetting into it and see what banner, if any, it
>presents.

Nope, nothing... 
pooh:~# telnet 217.77.32.186 6346
Trying 217.77.32.186...
telnet: Unable to connect to remote host: Connection refused
to be sure. 

>At some stage you should probably run _chkrootkit_ on the blighter, too.

Yeah, I've done that several times. chkrootkit was described in "Securing
Debian", so I installed it before moving it, but only ran it just after I
saw the gnutella port. Nothing detected. 

>Do you have an original AIDE database from immediately after it was
>installed?

Uh, don't think so. I installed snort, but didn't take the time to play
with it. I thought that would do the job too... Can I get the required
information from the snort install...? 

>> I tried to set the suggested PermitRootLogin for ssh to no,
>> but ssh gave me some message that I thought meant it didn't recognize it.
>
>That's 
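Tim's suggestion above, to compare what a scanner reports with `netstat -plant`, and Reagan's reading of "filtered", worked through as an added example that is not part of any post in this thread: the two listings are the ones posted for pooh, re-spaced, and the buckets and the interpretation attached to each are this example's own.

```python
"""Reconcile an external nmap scan with the box's own `netstat -plant`, as
suggested in the thread. Added example, not from any post: the two listings
are the ones posted for pooh, re-spaced; the classification is this example's."""
import re

# External scan as posted (nmap from the workstation), re-spaced.
NMAP_EXTERNAL = """\
Port       State     Service
22/tcp     open      ssh
25/tcp     open      smtp
53/tcp     open      domain
80/tcp     open      http
110/tcp    open      pop-3
111/tcp    open      sunrpc
137/tcp    filtered  netbios-ns
138/tcp    filtered  netbios-dgm
139/tcp    filtered  netbios-ssn
1024/tcp   open      kdm
1025/tcp   open      listen
6346/tcp   filtered  gnutella
"""

# `netstat -plant | grep LIST` on the box itself, as posted.
NETSTAT_LISTEN = """\
tcp  0  0 0.0.0.0:1024        0.0.0.0:* LISTEN 209/rpc.statd
tcp  0  0 0.0.0.0:1025        0.0.0.0:* LISTEN 236/rpc.mountd
tcp  0  0 0.0.0.0:139         0.0.0.0:* LISTEN 218/inetd
tcp  0  0 0.0.0.0:110         0.0.0.0:* LISTEN 218/inetd
tcp  0  0 0.0.0.0:111         0.0.0.0:* LISTEN 123/portmap
tcp  0  0 0.0.0.0:80          0.0.0.0:* LISTEN 6586/apache
tcp  0  0 217.77.32.186:53    0.0.0.0:* LISTEN 194/named
tcp  0  0 127.0.0.1:53        0.0.0.0:* LISTEN 194/named
tcp  0  0 0.0.0.0:22          0.0.0.0:* LISTEN 285/sshd
tcp  0  0 127.0.0.1:953       0.0.0.0:* LISTEN 201/lwresd
tcp  0  0 0.0.0.0:25          0.0.0.0:* LISTEN 218/inetd
"""

NMAP_RE = re.compile(r"^(\d+)/tcp\s+(open|filtered|closed)\s+(\S+)", re.M)
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)", re.M)


def parse_nmap(text: str) -> dict:
    """TCP port -> (state, service name) from nmap's port table."""
    return {int(p): (state, svc) for p, state, svc in NMAP_RE.findall(text)}


def parse_netstat(text: str) -> dict:
    """TCP port -> list of (bound address, PID/program) for LISTEN sockets."""
    listeners = {}
    for addr, port, prog in NETSTAT_RE.findall(text):
        listeners.setdefault(int(port), []).append((addr, prog))
    return listeners


def _loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def reconcile(scan: dict, listeners: dict) -> dict:
    """Put every port seen by either side into exactly one bucket."""
    out = {"accounted": [], "unexplained_open": [], "filtered_no_listener": [],
           "filtered_with_listener": [], "not_reachable": [], "local_only": []}
    for port in sorted(set(scan) | set(listeners)):
        # Listeners an outside scanner could reach (not bound to loopback).
        reachable = [prog for addr, prog in listeners.get(port, []) if not _loopback(addr)]
        state = scan.get(port, ("unseen", ""))[0]
        if state == "open" and reachable:
            # Scanner and netstat agree: a known daemon answers.
            out["accounted"].append((port, reachable[0]))
        elif state == "open":
            # Something answers that the box's own tools do not show: the
            # trojanned-netstat case, to be checked from clean read-only media.
            out["unexplained_open"].append(port)
        elif state == "filtered" and reachable:
            # The daemon runs, but a firewall in the path drops the probes.
            out["filtered_with_listener"].append((port, reachable[0]))
        elif state == "filtered":
            # No reply and nothing local: a filter upstream, not a service here.
            out["filtered_no_listener"].append(port)
        elif reachable:
            # Listens on all interfaces but the scan never saw it.
            out["not_reachable"].append((port, reachable[0]))
        elif port in listeners:
            # Bound to loopback only: invisible from outside by design.
            out["local_only"].append((port, listeners[port][0][1]))
    return out
```

On the posted data the gnutella port lands with 137 and 138 in the "filtered, no listener" bucket, 139 shows as running but blocked in transit, and lwresd on 953 is loopback-only.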

Re: Uh-oh. Cracked already. I think...

2002-05-24 Thread Kjetil Kjernsmo


On 24 May 2002, Tim Haynes wrote:

>Unfortunately, the only way to examine all the files on the disk/s is to
>reboot the box off clean r/o media (read: rescue CD), mount them r/o, and
>examine them by hand.

Yeah, I guess so.

>You're highly unlikely to find something with trojanned binaries and/or a
>kernel module sitting there intercepting syscalls saying "we're not
>listening on port " and "oh look, an exec() call to ps, use ps.fake
>instead" - all 3 of which are possible these days.

Hehe.

>Nah, when you're root if the option completely isn't understood then you've
>got problems. (I mention this only because it was the first thing that gave
>a cracked box away to me.)

Good! :-)

>> OK. This is what nmap says, launched from my workstation:
>> Port       State     Service
>> 22/tcp     open      ssh
>> 25/tcp     open      smtp
>
>These are generally safe - especially in Testing.

Good.

>> 53/tcp     open      domain
>
>OK, what version of what are you running for this?

According to Nessus:
"The remote bind version is : 9.2.0"
But I guess this need not be accessible from the outside. I'm not running
a name server myself (though I plan to some time...)

>> 80/tcp     open      http
>> 110/tcp    open      pop-3
>> 111/tcp    open      sunrpc
>
>Portmapper (111) is an absolute liability - I flatly refuse to run it on
>any public-facing box, and it must *never* be externally visible.

*tears rolling* I would like to mount the three partitions where I keep my
web pages over NFS, but my server and I will be on different networks. But
OK I installed harden-servers.

>> 137/tcp    filtered  netbios-ns
>> 138/tcp    filtered  netbios-dgm
>> 139/tcp    filtered  netbios-ssn
>
>You're running samba then?

No, it was installed in tasksel IIRC, I thought I removed it, but
apparently not. I removed samba, but they didn't disappear, something more
I have to do?

>> 6346/tcp   filtered  gnutella
>
>Hang around, it's "filtered"? That means it never replied to nmap but there
>were other ports that did - the mixture of responses means nmap "knows"
>this port is dropping responses.

It does? 

>I think you have an anomaly, myself.

OK.

>> So, the suspicious gnutella port isn't in the latter. I don't know what
>> kdm is doing there, BTW. I unselected X and desktop in the initial
>> tasksel. There seems to have been installed some X stuff nevertheless,
>> but neither KDE nor kdm has ever been installed on this box.
>
>Ah, good you said that. It's not "kdm" necessarily, it's because it's the
>first port to which a non-privileged app may bind, >=1024. (See why the
>next one is 1025...)

I see. I also got a private response from Berend De Schouwer who explained
this. 

>I'd not worry about that lot myself. Unless I've missed something, it's not
>obviously different from the nmap results, is it?

Not that I can tell.

>> >Next, if you've got a socket listener on 6346 (IIRC, the most frequently
>> >used gnutella port), try telnetting into it and see what banner, if any,
>> >it presents.
>> 
>> Nope, nothing... 
>> pooh:~# telnet 217.77.32.186 6346
>> Trying 217.77.32.186...
>> telnet: Unable to connect to remote host: Connection refused
>> to be sure. 
>
>That's promising. 

Good.

>And it didn't turn up in netstat, just when you used a
>particular box to do the nmap?

Right.

>Does the port come and go over time at all?

Doesn't seem like it.

>> Yeah, I've done that several times. chkrootkit was described in "Securing
>> Debian", so I installed it before moving it, but only ran it just after I
>> saw the gnutella port. Nothing detected.
>
>OK. It's not a complete guarantee as it uses potentially-tainted tools, but
>it pushes the odds more in your favour.

Good.

>> >Do you have an original AIDE database from immediately after it was
>> >installed?
>> 
>> Uh, don't think so. I installed snort, but didn't take the time to play
>> with it. I thought that would do the job too... Can I get the required
>> information from the snort install...?
>
>Nope, snort is for dynamic logs of dodgy packets going by. 

I see. 

>AIDE is like
>tripwire - stores a database of crypto hashes for files in the filesystem,
>so you compare the database nightly and see what's changed of interest.

Yep, I installed it just after your last e-mail. Also installed
harden-environment. 

>> What could be wrong about e.g.:
>>ForwardX11 yes
>
>Erm, that's a little bit weird. 
>
> | StrictModes yes
> | X11Forwarding yes
> | X11DisplayOffset 10
> | AllowTcpForwarding yes
>
>I think you're somehow using an old sshd_config with a proto2-enabled sshd.
>Or a non-free ssh against openssh. Possibly.

Eh, Berend pointed out to me that I was making sshd read ssh_config...
That could be it, but I have been messing a bit with it, so there could be
more. 

>Good. OK, in that case, you might want to double-check a few others as
>well:
>
> | c29daf1d9fe836053e9f4f0a67a7a94e  /usr/sbin/chkroo


Re: Emails being sent from my network

2002-05-24 Thread Karl Breitner

Langdon Green wrote:

> Hi guys, I am having a bit of trouble with some dodgy emails getting
> sent to my friend... they are strange, not just normal spam, the emails
> have information that is from my company web site (hosted off site).
> Anyway, the header of the emails has this line: Received: from Wzk
> ([MYIP]) by out.somewhere.net Does this indicate a computer on my
> network has been hacked, and is emailing this? I am running a debian
> router with an ipchains firewall, on a small masqueraded home network,
> with a debian file server running samba. I have had a look on the
> router for anything suspicious, but there are just too many things it
> could be. I am in the process of making a new router that will have
> IDS installed (I know I know, but I was in a rush :) Any Ideas? Langdon

Without having the opportunity to look at a complete message with full
headers, I can't say for sure. It spells virus to me if you have something
attached to the message as well. If someone on the inside of your network
is using MS products and doesn't have functional, updated virus protection,
then it's very likely they will catch e-mail viruses.

The security guy at our place put it:
"Not having an updated virus protection on a Windoze box today is like
trying to cure human flu by eating popcorn."

Regards
/Karl






Emails being sent from my network

2002-05-24 Thread Langdon Green

Hi guys,

I am having a bit of trouble with some dodgy emails getting sent to my
friend... they are strange, not just normal spam, the emails have
information that is from my company web site (hosted off site).

Anyway, the header of the emails has this line:

Received: from Wzk ([MYIP]) by out.somewhere.net

Does this indicate a computer on my network has been hacked, and is
emailing this? I am running a debian router with an ipchains firewall, on
a small masqueraded home network, with a debian file server running samba.

I have had a look on the router for anything suspicious, but there are
just too many things it could be. I am in the process of making a new
router that will have IDS installed (I know I know, but I was in a rush :)

Any Ideas?

Langdon


Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Tim Haynes

Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:

> Thanks for all the responses.
> 
> I realize it's pretty bold trying put a box on the net without having
> extensive admin experience beforehand. But I think I'm learning fast, and
> I hope I'll be able to do it without placing any burden on the rest of
> the net. That is, except for you guys... :-) Your help is greatly
> appreciated!

We do our best :)

> >Well if something's got on there that you don't remember installing, can
> >I have some of what you're taking? ;)
> 
> Hehe... I was so sure it would be at least one copy of Star Wars II,
> but no... ;-) There's nothing here... I've walked through the whole disk,
> and I can't find anything of any size that I don't know what is. Whatever
> it is, it has to be rather small...

Unfortunately, the only way to examine all the files on the disk/s is to
reboot the box off clean r/o media (read: rescue CD), mount them r/o, and
examine them by hand.

You're highly unlikely to find something with trojanned binaries and/or a
kernel module sitting there intercepting syscalls saying "we're not
listening on port " and "oh look, an exec() call to ps, use ps.fake
instead" - all 3 of which are possible these days.

> >It's at this point that you should start debugging what's really
> >listening on your box from what a scanner says you are. I suggest you
> >nmap yourself to see what ports you really have open, and compare
> >against
> >netstat -plant | grep LIST
> >(here's your first potential clue: if netstat complains about `-p', it's
> >been trojanned.)
> 
> It complained about -p when I wasn't root...

Nah, when you're root if the option completely isn't understood then you've
got problems. (I mention this only because it was the first thing that gave
a cracked box away to me.)

> OK. This is what nmap says, launched from my workstation:
> Port   State   Service
> 22/tcp openssh
> 25/tcp opensmtp

These are generally safe - especially in Testing.

> 53/tcp opendomain

OK, what version of what are you running for this?

> 80/tcp openhttp
> 110/tcpopenpop-3
> 111/tcpopensunrpc

Portmapper (111) is an absolute liability - I flatly refuse to run it on
any public-facing box, and it must *never* be externally visible.

> 137/tcpfilterednetbios-ns
> 138/tcpfilterednetbios-dgm
> 139/tcpfilterednetbios-ssn

You're running samba then?

> 6346/tcp   filteredgnutella

Hang around, it's "filtered"? That means it never replied to nmap but there
were other ports that did - the mixture of responses means nmap "knows"
this port is dropping responses.

I think you have an anomaly, myself.

> So, the suspicious gnutella port isn't in the latter. I don't know what
> kdm is doing there, BTW. I unselected X and desktop in the initial
> tasksel. There seems to have been installed some X stuff nevertheless,
> but neither KDE nor kdm has ever been installed on this box.

Ah, good you said that. It's not "kdm" necessarily, it's because it's the
first port to which a non-privileged app may bind, >=1024. (See why the
next one is 1025...)

> So for netstat:
> pooh:~# netstat -plant | grep LIST
> tcp   0 0.0.0.0:10240.0.0.0:* LISTEN 209/rpc.statd
> tcp   0 0.0.0.0:10250.0.0.0:* LISTEN 236/rpc.mountd
> tcp   0 0.0.0.0:139 0.0.0.0:* LISTEN 218/inetd
> tcp   0 0.0.0.0:110 0.0.0.0:* LISTEN 218/inetd
> tcp   0 0.0.0.0:111 0.0.0.0:* LISTEN 123/portmap
> tcp   0 0.0.0.0:80  0.0.0.0:* LISTEN 6586/apache
> tcp   0 217.77.32.186:530.0.0.0:* LISTEN 194/named
> tcp   0 127.0.0.1:530.0.0.0:* LISTEN 194/named
> tcp   0 0.0.0.0:22  0.0.0.0:* LISTEN 285/sshd
> tcp   0 127.0.0.1:953   0.0.0.0:* LISTEN 201/lwresd
> tcp   0 0.0.0.0:25  0.0.0.0:* LISTEN 218/inetd
> 
> (slightly reformatted to fit better)

(reformatted better still ;)

I'd not worry about that lot myself. Unless I've missed something, it's not
obviously different from the nmap results, is it?

> >Next, if you've got a socket listener or 6346 (IIRC, the most frequently
> >used gnutella port), try telnetting into it and see what banner, if any,
> >it presents.
> 
> Nope, nothing... 
> pooh:~# telnet 217.77.32.186 6346
> Trying 217.77.32.186...
> telnet: Unable to connect to remote host: Connection refused
> to be sure. 

That's promising. And it didn't turn up in netstat, just when you used a
particular box to do the nmap?

Does the port come and go over time at all?

> >At some stage you should probably run _chkrootkit_ on the blighter, too.
> 
> Yeah, I've done that several times. chkrootkit was described in "Securing
> Debian", so I installed it before moving it, but only ran it just after I
> saw the gnutella port. Nothing detected.

OK. It's not a complete guarantee as it uses potentially-tainted tools, but
it pu

script for security update notification

2002-05-24 Thread Nathan Valentine


I'm thinking of writing a script but I am hoping that someone else has
beaten me to the punch. Perhaps someone has seen something that will do
this:

1) Check the Debian security announcement list.
2) Compare new announcements to the local package database.
3) If vulnerable packages installed, send an 'I need updated' email to
an address defined by the SysAdmin.

Anyone ever seen such a beast? I've searched the archives of this list
and not found any reference to anything along these lines. 

-- 
---
Nathan Valentine - [EMAIL PROTECTED]
Jabber: NRVesKY AIM: NRVesKY ICQ: 39023424
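Since nobody in the thread posts the script itself, here is an added example of the three steps above (it is not Nathan's script and not a Debian tool). It parses a security announcement for the package name and fixed version, compares that with what dpkg reports as installed, and builds the mail body for the sysadmin. The advisory text and the dpkg-query output are constructed sample data, and the version comparison re-implements dpkg's ordering (epoch, upstream, revision, with '~' sorting before everything) so that "1:2.3.4-4 is older than 1:2.3.4-5" is decided the way apt would decide it.

```python
"""Added example: match a security announcement against dpkg's package list
and report installed packages older than the fixed version."""
import re

# Constructed sample advisory in the DSA style; package and versions are
# illustrative only, not a real advisory.
SAMPLE_DSA = """\
Package        : examplepkg
Vulnerability  : remote buffer overflow
For the stable distribution (woody) this problem has been fixed in
version 1:2.3.4-5.
"""

# Constructed sample of: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE_DPKG = """\
examplepkg 1:2.3.4-4
libfoo 0.9-1
"""

def _order(c):
    """dpkg's character weighting: '~' sorts before everything (even the end
    of the string), digits count as 0, letters before other characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): alternate
    non-digit runs (character by character) and digit runs (numerically)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":   # leading zeros are insignificant
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():   # longer digit run wins
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version ordering."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0

def parse_advisory(text):
    """Pull 'Package' and the 'fixed in version X' out of an announcement."""
    pkg = re.search(r"^Package\s*:\s*(\S+)", text, re.M)
    fixed = re.search(r"fixed in\s+version\s+(\S+)", text)
    if not (pkg and fixed):
        raise ValueError("advisory lacks a Package line or a fixed version")
    return pkg.group(1), fixed.group(1).rstrip(".")

def parse_installed(text):
    """'package version' lines from dpkg-query -> {package: version}."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def vulnerable_installed(advisory_text, dpkg_text):
    """[(package, installed, fixed)] for installed packages older than the fix."""
    pkg, fixed = parse_advisory(advisory_text)
    installed = parse_installed(dpkg_text)
    if pkg in installed and compare_versions(installed[pkg], fixed) < 0:
        return [(pkg, installed[pkg], fixed)]
    return []

def notification(hostname, findings):
    """Body of the 'I need updating' mail; pipe it to sendmail or use smtplib."""
    lines = [f"Security update needed on {hostname}:"]
    for pkg, have, want in findings:
        lines.append(f"  {pkg}: installed {have}, fixed in {want}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(notification("pooh", vulnerable_installed(SAMPLE_DSA, SAMPLE_DPKG)))
```

On a real box the two inputs come from the announcement mail (or the list archive) and from `dpkg-query -W -f='${Package} ${Version}\n'`; an advisory that names several packages, or different fixed versions per distribution, needs the parsing widened, but the version comparison is the part worth getting right, since a naive string compare would call 1.10 older than 1.9.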





Re: Generating Mail passwords

2002-05-24 Thread Alain Tesio

On Fri, 24 May 2002 15:04:50 +0200 (MET DST)
Lars Roland Kristiansen <[EMAIL PROTECTED]> wrote:

> 
> Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a Debian
> mail server. I have 200 users and want some new, more secure passwords
> (not too long though). Is there a simple way to generate
> secure passwords so I can use them with adduser?

See pwgen

Alain






Re: Generating Mail passwords

2002-05-24 Thread Mark Janssen

On Fri, 2002-05-24 at 15:04, Lars Roland Kristiansen wrote:
> Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a Debian
> mail server. I have 200 users and want some new, more secure passwords
> (not too long though). Is there a simple way to generate
> secure passwords so I can use them with adduser?

pwgen or one of the other password generation tools with the right
options. :)

apt-cache show pwgen

Description: Automatic Password generation
 pwgen generates random, meaningless but pronounceable passwords.
Depending
 on how the program was installed, these words contain either only
 lowercase letters, or upper and lower case mixed, or digits thrown
 in. Uppercase letters and digits are placed in a way that eases
 remembering their position when memorizing only the word.

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
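As an added example (it is not pwgen and not from any of the posts above), here is what generating 200 passwords by hand looks like when the length is chosen by entropy rather than by feel, and the result is emitted in the `user:password` form that `chpasswd` reads on stdin, which is the batch counterpart of creating the accounts with `adduser --disabled-password`. The assumption that the passwords will be handed to users on paper is why the look-alike characters are dropped from the alphabet.

```python
"""Added example: entropy-sized random passwords for a batch of mail users."""
import math
import secrets
import string

# Assumption: passwords are read from paper or dictated, so drop the
# characters that are easy to confuse (0/O, 1/l/I).
AMBIGUOUS = set("0O1lI")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in AMBIGUOUS)

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing resistance of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

def length_for_bits(bits, alphabet_size=len(ALPHABET)):
    """Shortest length that reaches the requested entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def generate_password(bits=48):
    """Uniform choice from ALPHABET using the secrets module, not random,
    whose generator is not meant for anything an attacker may guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length_for_bits(bits)))

def chpasswd_batch(usernames, bits=48):
    """One 'user:password' line per user: the input format of chpasswd."""
    return [f"{user}:{generate_password(bits)}" for user in usernames]

if __name__ == "__main__":
    for line in chpasswd_batch(["alice", "bob"]):
        print(line)
```

With the 57-character alphabet, 48 bits needs 9 characters, which is short enough to type and long enough that a POP3 password cannot be brute-forced over the network in any useful time. Feed the output to `chpasswd` once and delete the file afterwards; the plaintext list is the weakest point of the whole procedure.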





Generating Mail passwords

2002-05-24 Thread Lars Roland Kristiansen

Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a Debian
mail server. I have 200 users and want some new, more secure passwords
(not too long though). Is there a simple way to generate
secure passwords so I can use them with adduser?

Thanks


___
Mvh./Yours sincerely

Lars 


Lars Roland Kristiansen |   (__) 
Stu. Sci. Math/Computer science |   (oo) 
Copenhagen University - | /--\/ < MUH MUHHH 
Institute for Mathematical Sciences |/ |||   
Url: www.math.ku.dk |   *  /\---/\ 
Email: [EMAIL PROTECTED]|  ~~   ~~   


   "Politics is for the moment, equations are forever"
- Albert Einstein







Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Kjetil Kjernsmo

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dear Tim, dear all,

Thanks for all the responses.

I realize it's pretty bold trying to put a box on the net without having
extensive admin experience beforehand. But I think I'm learning fast, and
I hope I'll be able to do it without placing any burden on the rest of the
net. That is, except for you guys... :-) Your help is greatly appreciated!

On 23 May 2002, Tim Haynes wrote:

>Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:
>
>> To address this first: It is the gnutella server that causes alarm, so is
>> there anything I could have done that would install gnutella but escape
>> my attention? I certainly never did apt-get install gnutella (I tried
>> apt-get remove gnutella yesterday, with no effect). Is it likely that if
>> I don't know how it got there, has been installed by a cracker? I've
>> tried to telnet 217.77.32.186 6346 but get no connection.
>
>Well if something's got on there that you don't remember installing, can I
>have some of what you're taking? ;)

Hehe... I was so sure it would be at least one copy of Star Wars II,
but no... ;-) There's nothing here... I've walked through the whole disk,
and I can't find anything of any size that I don't know what is. Whatever
it is, it has to be rather small... 

>It's at this point that you should start debugging what's really listening
>on your box from what a scanner says you are. I suggest you nmap yourself
>to see what ports you really have open, and compare against
>netstat -plant | grep LIST
>(here's your first potential clue: if netstat complains about `-p', it's
>been trojanned.)

It complained about -p when I wasn't root...

OK. This is what nmap says, launched from my workstation:
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen
6346/tcp   filtered    gnutella

Whereas this is nmap from the machine itself:
kjetil@pooh:~$ nmap pooh

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning:  You are not root -- using TCP pingscan rather than ICMP
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen

So, the suspicious gnutella port isn't in the latter. I don't know what
kdm is doing there, BTW. I unselected X and desktop in the initial
tasksel. There seems to have been installed some X stuff nevertheless, but
neither KDE nor kdm has ever been installed on this box. 

So for netstat:
pooh:~# netstat -plant | grep LIST
tcp        0      0 0.0.0.0:1024       0.0.0.0:*   LISTEN 209/rpc.statd
tcp        0      0 0.0.0.0:1025       0.0.0.0:*   LISTEN 236/rpc.mountd
tcp        0      0 0.0.0.0:139        0.0.0.0:*   LISTEN 218/inetd
tcp        0      0 0.0.0.0:110        0.0.0.0:*   LISTEN 218/inetd
tcp        0      0 0.0.0.0:111        0.0.0.0:*   LISTEN 123/portmap
tcp        0      0 0.0.0.0:80         0.0.0.0:*   LISTEN 6586/apache
tcp        0      0 217.77.32.186:53   0.0.0.0:*   LISTEN 194/named
tcp        0      0 127.0.0.1:53       0.0.0.0:*   LISTEN 194/named
tcp        0      0 0.0.0.0:22         0.0.0.0:*   LISTEN 285/sshd
tcp        0      0 127.0.0.1:953      0.0.0.0:*   LISTEN 201/lwresd
tcp        0      0 0.0.0.0:25         0.0.0.0:*   LISTEN 218/inetd

(slightly reformatted to fit better)

>Next, if you've got a socket listener on 6346 (IIRC, the most frequently
>used gnutella port), try telnetting into it and see what banner, if any, it
>presents.

Nope, nothing... 
pooh:~# telnet 217.77.32.186 6346
Trying 217.77.32.186...
telnet: Unable to connect to remote host: Connection refused
to be sure. 

>At some stage you should probably run _chkrootkit_ on the blighter, too.

Yeah, I've done that several times. chkrootkit was described in "Securing
Debian", so I installed it before moving it, but only ran it just after I
saw the gnutella port. Nothing detected. 

>Do you have an original AIDE database from immediately after it was
>installed?

Uh, don't think so. I installed snort, but didn't take the time to play
with it. I thought that would do the job too... Can I get the required
information from the snort install...? 

>> I tried to set the suggested PermitRootLogin for ssh to no,
> but ssh gave me some message that I thought meant it didn't recognize it.
>
>That's weird. 

Re: Emails being sent from my network

2002-05-24 Thread Karl Breitner


Langdon Green skrev:

>   Hi guys, I am having a bit of trouble with some dodgy emails getting
> sent to my friend...they are strange, not just normal spam, the emails
> have information that is from my company web site (hosted off
> site) Anyway, the header of the emails has this line: Received: from
> Wzk ([MYIP]) by out.somewhere.net Does this indicate a computer on my
> network has been hacked, and is emailing this? I am running a debian
> router with an ipchains firewall, on a small masqueraded home network,
> with a debian file server running samba. I have had a look on the
> router for anything suspicious, but there is just too many things it
> could be.  I am in the process of making a new router that will have
> IDS installed (I know I know, but I was in a rush:) Any
> Ideas? Langdon

Without having the opportunity to look at a complete message with full
headers, I can't say for sure. It spells virus to me if you have something
attached to the message as well. If someone on the inside of your network
is using MS products and doesn't have functional virus protection, updated
of course, then it's very likely they will catch email viruses.

The security guy at our place put it:
"Not having updated virus protection on a Windoze box today is like
trying to cure human flu by eating popcorn."

Regards
/Karl







Emails being sent from my network

2002-05-24 Thread Langdon Green



  
Hi guys,

I am having a bit of trouble with some dodgy emails getting sent to my
friend... they are strange, not just normal spam; the emails have
information that is from my company web site (hosted off site).

Anyway, the header of the emails has this line:

Received: from Wzk ([MYIP]) by out.somewhere.net

Does this indicate a computer on my network has been hacked, and is
emailing this? I am running a debian router with an ipchains firewall, on a
small masqueraded home network, with a debian file server running samba.

I have had a look on the router for anything suspicious, but there are
just too many things it could be. I am in the process of making a new
router that will have IDS installed (I know I know, but I was in a rush:)

Any Ideas?

Langdon


Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Steve Meyer
There is a good chance if you have been rooted, that the attacker installed 
a rootkit to cover his tracks.  I saw a good rootkit detecter on  
http://freshmeat.net/ .  Just do a search for it on there.




From: Tim Haynes <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Kjetil Kjernsmo <[EMAIL PROTECTED]>
CC: debian-security@lists.debian.org
Subject: Re: Uh-oh. Cracked allready. I think...
Date: 23 May 2002 17:11:26 +0100

Kjetil Kjernsmo <[EMAIL PROTECTED]> writes:

> To address this first: It is the gnutella server that causes alarm, so is
> there anything I could have done that would install gnutella but escape
> my attention? I certainly never did apt-get install gnutella (I tried
> apt-get remove gnutella yesterday, with no effect). Is it likely that if
> I don't know how it got there, has been installed by a cracker? I've
> tried to telnet 217.77.32.186 6346 but get no connection.

Well if something's got on there that you don't remember installing, can I
have some of what you're taking? ;)

It's at this point that you should start debugging what's really listening
on your box from what a scanner says you are. I suggest you nmap yourself
to see what ports you really have open, and compare against
netstat -plant | grep LIST
(here's your first potential clue: if netstat complains about `-p', it's
been trojanned.)

Next, if you've got a socket listener on 6346 (IIRC, the most frequently
used gnutella port), try telnetting into it and see what banner, if any, it
presents.

At some stage you should probably run _chkrootkit_ on the blighter, too.

Do you have an original AIDE database from immediately after it was
installed?

> I tried to set the suggested PermitRootLogin for ssh to no,
> but ssh gave me some message that I thought meant it didn't recognize it.


That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and
see if you get any syntax errors there.

Here's another idea:

 | zsh/scr, potato  5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
 | /usr/sbin/sshd
 | 0c1ef2fb11aa02a3b6af95157038e71b  ssh_1%3a3.0.2p1-9_i386.deb
 | a68ece0b46d2f42b655d0bf6434c317a  /usr/sbin/sshd

> I compiled in IPtables in the kernel, but I haven't read up
> on how to use it. I have also installed some of the harden packages.

> Last night, I thought my system was running quite well, though I had
> noticed gnutella running. I figured it was time to run nessus, so I did.
> It seems to report many holes, some holes that I guess would be
> exploitable. I put the report on  http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >

Bear in mind two things:

a) Debian apply patches in stable as/when required, we don't follow
   upstream version#s regardlessly

b) testing is a strange halfway-house between stable and unstable; you can
   expect a security fix to make it into Unstable pretty soon (as it tracks
   upstream versions) but it'll be at least a fortnight after that it hits
   Testing.

That said, you probably want to check the Changelog(.Debian.gz) for ssh -
I'd be surprised if the patches required hadn't made it down into Testing.

> If it has been cracked, what should I do? I could run up to my hosts and
> have them turn it off, I guess. But then what? I have really no clue what
> happened, and while I could turn off some more services, it seems like
> the biggest security problems are with ssh and smtp, that is, OpenSSH and
> Exim, so would a clean reinstall help a lot?

First assess whether you really have been breached; if you have, you *must*
