Re: ssh authentication configuration?
Hi Joshua,

There should be no problem with using PasswordAuthentication with SSH since the passwords are _NOT_ sent in the clear. Rather, the clear text password is sent over the encrypted channel. From the SSH(1) man page:

    The password is sent to the remote host for checking; however, since all
    communications are encrypted, the password cannot be seen by someone
    listening on the network.

Patrick

On Wed, May 29, 2002 at 09:58:00AM +1000, Joshua Goodall wrote:
> Stephen,
>
> On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> [snip]
> > i've always disabled clear text passwords(PasswordAuthentication no), and
> > turn on pam auth (PAMAuthenticationViaKbdInt yes). That's always
> [snip]
>
> I'll assume you're using openssh version 3.x that's in the debian/testing distribution.
>
> The password will still be sent in the clear; there is a difference in the way the server handles it (that is, it palms off to PAM the responsibility of letting you in) and a difference in the way the client negotiates (iirc it's nonfunctional if the client doesn't request keyboard-interactive negotiation).

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: ipchains rules for dmz??
> I'm looking for something like this:

How about installing shorewall? (www.shorewall.net) The best iptables script I have ever seen.
Re: ipchains rules for dmz??
Did you look at shorewall? (apt-cache show shorewall if not)

This script is fantastic, and when you know exactly what you want, configuring it is a matter of minutes... Install it, read the quick-start guide, which is basically:

1) define your zones in the zones file. You would define dmz, lan, net, and shorewall will define a fw zone which is your firewall itself
2) associate computers to your zones (hosts file), or interfaces (interfaces file)
3) define the default INPUT, OUTPUT and FORWARD for the 3 zones in the policy file
4) add exceptions to the policy in the rules file..

That's all ;) shorewall really is fantastic ;)))

good luck
sam

----- Original Message -----
From: Rishi L Khan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 29, 2002 4:49 PM
Subject: ipchains rules for dmz??

> Does anyone have a set of ipchains rules for a DMZ that doesn't have routable IPs and an internal network that doesn't have routable IPs? I looked on the IPCHAINS HOWTO page, but they don't have a script for this. I haven't seen anything with google either. I'm looking for something like this:
>
>     Internet (bad) --- firewall --- dmz (192.168.9.*)
>                            ^
>                            |
>                            +-- internal LAN (good) (10.177.9.*)
>
> I would like:
>
>     bad  -> good = nothing but NATed established traffic
>     bad  -> dmz  = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to DNS, ssh to web box
>     dmz  -> good = nothing but NATed traffic
>     dmz  -> bad  = NATed traffic (allow all for now)
>     good -> bad  = NATed traffic (allow all for now)
>     good -> dmz  = same as bad -> dmz.
>
> All of the scripts I've seen have DMZ as routable. The biggest problem I have is good -> dmz because they're both private IP ranges. I thought I could just pass them with something like:
>
>     ipchains -N good-dmz
>     ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz
>     ipchains -A good-dmz -j ACCEPT
>
> (this terminology is from the IPCHAINS HOWTO)
>
> Any suggestions? Any help?
>
> -rishi
>
> ___
> Linux Users Group at UD mailing list
> Subscription Management: https://www.lug.udel.edu/cgi-bin/mailman/listinfo/linux
> Archives : http://www.lug.udel.edu/pipermail/linux/
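As an added illustration of those four steps (these are not Sam's files and not the Shorewall project's shipped examples), here is what the configuration for Rishi's three-legged layout could look like. The interface names and the three DMZ host addresses are assumptions; the two private networks come from the question. The column layout is that of the Shorewall 1.3-era files, so compare with the commented templates in /etc/shorewall before copying.

```text
# /etc/shorewall/zones       (step 1; the "fw" zone for the firewall itself is implicit)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet ("bad")
loc     Local     internal LAN, 10.177.9.0/24 ("good")
dmz     DMZ       192.168.9.0/24

# /etc/shorewall/interfaces  (step 2; interface names are assumptions)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy      (step 3; first matching line wins, so the
#                             catch-all lines go last)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq        (both inside networks are masqueraded going out)
#INTERFACE   SUBNET
eth0         10.177.9.0/24
eth0         192.168.9.0/24

# /etc/shorewall/rules       (step 4; DMZ host addresses are assumptions)
# net -> dmz: the DMZ is not routable, so DNAT rewrites the firewall's
# external address to the DMZ host before filtering.
#ACTION   SOURCE   DEST              PROTO   DEST PORT
DNAT      net      dmz:192.168.9.2   tcp     80
DNAT      net      dmz:192.168.9.2   tcp     22
DNAT      net      dmz:192.168.9.3   tcp     25
DNAT      net      dmz:192.168.9.4   udp     53
DNAT      net      dmz:192.168.9.4   tcp     53
# loc -> dmz: both private, but the firewall simply routes between its two
# inside legs; no NAT is involved, only the same service list.
ACCEPT    loc      dmz:192.168.9.2   tcp     80
ACCEPT    loc      dmz:192.168.9.2   tcp     22
ACCEPT    loc      dmz:192.168.9.3   tcp     25
ACCEPT    loc      dmz:192.168.9.4   udp     53
ACCEPT    loc      dmz:192.168.9.4   tcp     53
```

Nothing is written for dmz -> loc or net -> loc: netfilter's connection tracking lets the replies to the connections above through on its own, and everything else falls to the REJECT/DROP policies. That is the practical difference from the ipchains version of the same policy, where every reply direction has to be opened by hand.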
Re: ipchains rules for dmz??
> How about installing shorewall? (www.shorewall.net) The best iptables script I have ever seen.

It's not only the best iptables script you've ever seen, but it's also a nice high-level configuration tool for everything concerning firewalling.. Traffic Shaping, IPSec...

Sam
Re: ssh authentication configuration?
On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> Hello, i'm confused on a couple variables in the sshd_config file, i have a client that's using that 'other os' and has an ssh client that he likes.
[PAMAuthenticationViaKbdInt doesn't work]

Is the 'other os' client using sshv1 perhaps (v1 doesn't support challenge/response as far as I know)

-- 
 - mdz
the case of a stolen notebook
Hello,

We are running a Debian (potato) box with Samba as PDC for user authentication and file server for W2k LAN clients. Recently one of our notebooks was stolen. As I can identify all the users who have ever logged in via that notebook, and may have their samba password stored on the machine, I revoked all these passwords.

Can any of you think of any other steps I should take to minimise the risk of some black-hat abusing the information stored by W2k against our server/network?

Regards,
Rauno
-- 
The whole world is about three drinks behind. -- Humphrey Bogart
Re: ipchains rules for dmz??
I looked into shorewall. It doesn't support ipchains, but seawall does. Would you suggest updating to iptables or using seawall? Do you think that Linux 2.4.x is stable yet? If so, which version?

I believe that ipchains can do the job and that linux 2.2.20 is stable. I don't have experience in 2.4.x kernels yet, but am willing to look into it if people think that it's as stable as 2.2.20. Are there any security issues with the current version of ipchains that are addressed with iptables (I don't mean iptables features like stateful packet filtering -- I mean security vulnerabilities)

-rishi

On Wed, 29 May 2002, Sami Dalouche wrote:
> > How about installing shorewall? (www.shorewall.net) The best iptables script I have ever seen.
>
> It's not only the best iptables script you've ever seen, but it's also a nice high-level configuration tool for everything concerning firewalling.. Traffic Shaping, IPSec...
>
> Sam
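Since Rishi wants to stay on 2.2 and ipchains, here is what "ipchains can do the job" works out to for the layout in his question. This is an added example, not code posted in the thread. It also covers the two things his draft leaves out: with a non-routable DMZ the Internet-facing services need the 2.2 kernel's port forwarder (ipmasqadm portfw), because ipchains itself cannot rewrite destination addresses; and, ipchains being stateless, the reply direction between LAN and DMZ has to be opened explicitly (the stateful netfilter the others recommend removes that chore). Interface names, the firewall's routable address and the three DMZ host addresses are assumptions; the script only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete ipchains rule set for
# the three-legged layout in Rishi's question (2.2 kernel, ipchains and
# ipmasqadm). Interface names, the firewall's routable address and the three
# DMZ host addresses are ASSUMPTIONS; the two private networks are from the
# question. By default the script only prints the commands so they can be
# reviewed; run it as root with APPLY=1 to load them.

APPLY=${APPLY:-0}
EXT_IF=${EXT_IF:-eth0}          # assumed: interface toward the Internet ("bad")
LAN_IF=${LAN_IF:-eth1}          # assumed: interface toward the LAN ("good")
DMZ_IF=${DMZ_IF:-eth2}          # assumed: interface toward the DMZ
EXT_IP=${EXT_IP:-203.0.113.1}   # assumed: the firewall's routable address
LAN_NET=10.177.9.0/24           # from the question
DMZ_NET=192.168.9.0/24          # from the question
WEB=192.168.9.2                 # assumed DMZ hosts
MAIL=192.168.9.3
DNS=192.168.9.4

# Execute the command when APPLY=1, otherwise print it.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$@"; fi
}

# Everything the DMZ offers, as "host proto port" lines: the one place to edit.
dmz_services() {
    echo "$WEB tcp 80"
    echo "$WEB tcp 22"
    echo "$MAIL tcp 25"
    echo "$DNS udp 53"
    echo "$DNS tcp 53"
}

print_ruleset() {
    run sysctl -w net.ipv4.ip_forward=1
    run ipchains -F                      # flush every chain (input rules too)
    run ipchains -X                      # and drop old user-defined chains
    run ipchains -P forward DENY         # forward nothing that is not listed
    run ipchains -N good-dmz
    run ipchains -N dmz-good

    # good -> bad and dmz -> bad: masquerade behind EXT_IP ("allow all for
    # now"). In the forward chain -i names the OUTGOING interface. Replies are
    # demasqueraded after the input chain and skip the forward chain, so
    # bad -> good is reply-only without any further rule.
    run ipchains -A forward -s $LAN_NET -i $EXT_IF -j MASQ
    run ipchains -A forward -s $DMZ_NET -i $EXT_IF -j MASQ

    # good -> dmz: both ranges being private does not matter to the firewall;
    # it simply routes between its two inside legs, so no NAT, just ACCEPTs.
    run ipchains -A forward -s $LAN_NET -i $DMZ_IF -j good-dmz
    run ipchains -A forward -s $DMZ_NET -i $LAN_IF -j dmz-good
    dmz_services | while read host proto port; do
        run ipchains -A good-dmz -p $proto -s $LAN_NET -d $host $port -j ACCEPT
        # ipchains is stateless, so the reply direction is opened by hand:
        # "! -y" passes TCP packets that are not SYNs, i.e. replies only, and
        # refuses new connections from the DMZ into the LAN. UDP replies can
        # only be pinned by source address and port.
        if [ "$proto" = tcp ]; then
            run ipchains -A dmz-good -p tcp ! -y -s $host $port -d $LAN_NET -j ACCEPT
        else
            run ipchains -A dmz-good -p udp -s $host $port -d $LAN_NET -j ACCEPT
        fi
    done

    # bad -> dmz: the DMZ is not routable and ipchains cannot rewrite
    # addresses; the 2.2 kernel's port forwarding (ipmasqadm portfw) maps
    # EXT_IP:port to the DMZ host. Forwarded packets hit the input chain with
    # their ORIGINAL destination and bypass the forward chain, so the filter
    # for them is an input rule on EXT_IF (it matters once the input policy is
    # DENY, which is left to the host's own lockdown). Their replies leave
    # through the dmz -> bad MASQ rule above.
    dmz_services | while read host proto port; do
        run ipchains -A input -i $EXT_IF -p $proto -d $EXT_IP $port -j ACCEPT
        run ipmasqadm portfw -a -P $proto -L $EXT_IP $port -R $host $port
    done
}

print_ruleset
```

Run it once without APPLY to read the generated rules, then as root with APPLY=1. The good-dmz chain is the one Rishi sketched; what his sketch could not express is the matching dmz-good reply chain and the input-chain/portfw pair for the Internet-facing services.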
Re: ipchains rules for dmz??
I think you should upgrade to 2.4.x, netfilter really is clean. Even if some parts of 2.4.x are criticized (or were, like the VM..), the whole netfilter part really is beautiful.. ipchains is a bunch of hacks glued together to provide all the functionalities you need. Netfilter, on the other side, is built on top of a solid basis.

If you want to upgrade to 2.4.x, I suggest you try the latest one (2.4.18). USB support is nice, the VM problems are (partly ?) solved, and it works correctly. It also supports ext3 that you should upgrade to if you choose to upgrade, btw. I couldn't compare it to 2.2.20 however (I upgraded to 2.4.x before being able to really test the 2.2.x branch.. ;-), but people will probably tell you 2.2.20 is more stable... Personally, I haven't had any problem with 2.4, except concerning my SCSI card (which screws up with any version of linux, anyways.. Tekram DC390)

Concerning security issues, I think it's OK, but I also heard that because of the DMCA, changelogs and some security issues are censored, so. could anyone confirm ?

Sam
Seawall firewall (was Re: ipchains rules for dmz??)
On Wed, May 29, 2002 at 12:30:32PM -0400, Rishi L Khan remarked:
> I looked into shorewall. It doesn't support ipchains, but seawall does. Would you suggest updating to iptables or using seawall?

I am also curious to know if anyone has played with seawall and can comment on whether it comes recommended as shorewall is? Comments?

Cheers,
Raymond
Configuration problems with pam_smb, mod_auth_pam
I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble. I keep getting a 500 internal server error when I go to login to a secured area. In my error.log, it says:

    [Wed May 29 09:55:05 2002] [crit] [client xxx.xxx.xxx.xxx] configuration error: couldn't check user. No user file?: /admin

I don't know if this means that it can't contact the domain controller, or...? My .htaccess looks like this:

    AuthType Basic
    AuthName "PUSD Website Admin"
    require valid-user

If I require a valid user, does it mean a user valid for the NT domain, or the Debian box? This is the way the .htaccess file was in the example I followed. My /etc/pam.d/httpd file looks like this:

    auth     required   pam_smb_auth.so debug
    account  required   pam_pwdb.so debug md5

Finally, my /etc/pam_smb.conf file looks like this:

    PUSD
    endeavor
    Endeavor

PUSD is the domain, and endeavor is the PDC. I can successfully ping the host endeavor from the Debian box. Where have I gone wrong? At this point, I am having a hard time troubleshooting. Can anyone point me in the proper direction?

Thanks,
Tom Dominico
Technology Coordinator
Parlier Unified School District
(559) 646-2731
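An added fragment (not from Tom's post and not the modules' shipped examples) showing what else has to be in place for mod_auth_pam to be the module that answers the Basic challenge. AuthType Basic only names the HTTP scheme, i.e. the browser sends a username and password; which module checks that pair depends on the auth modules loaded and enabled. Apache 1.3's core logs exactly the "couldn't check user. No user file?" line above, with a 500, when every loaded auth module declines the request: mod_auth declines when no AuthUserFile is set, and mod_auth_pam declines unless it is loaded and AuthPAM_Enabled is on. The module path, module name and the protected directory are assumptions for a Debian Apache 1.3 install; check the LoadModule line against the package's own .info file.

```text
# httpd.conf: load the module (path and module name as I recall the Debian
# package installs them; assumption) and let .htaccess carry auth directives
LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so
<Directory /var/www/admin>
    AllowOverride AuthConfig
</Directory>

# .htaccess in the protected directory: AuthPAM_Enabled makes mod_auth_pam
# claim the request; with FallThrough off a PAM failure is final instead of
# being handed to the next auth module
AuthType Basic
AuthName "PUSD Website Admin"
AuthPAM_Enabled on
AuthPAM_FallThrough off
require valid-user

# /etc/pam.d/httpd ("httpd" is the service name mod_auth_pam asks PAM for):
# the auth step goes to the PDC through pam_smb_auth; the account step is a
# LOCAL lookup with pam_pwdb, so a domain user with no entry in /etc/passwd
# on the Debian box would still be refused there (worth checking against the
# debug output before blaming the domain controller)
auth     required   pam_smb_auth.so debug
account  required   pam_pwdb.so
```

With this in place "require valid-user" means any user the PAM stack accepts, i.e. the domain account, subject to the account line. Run with "debug" on once and watch the auth log alongside error.log: a connection problem with endeavor shows up there, not as the "No user file?" message.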
Re: Configuration problems with pam_smb, mod_auth_pam
On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote:
> I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble.
[...]
> AuthType Basic
> AuthName PUSD Website Admin
> require valid-user

i have no idea how to make apache authenticate against a windows pdc, but i believe AuthType Basic can only be used to authenticate against a local password file, usually generated using htpasswd. see http://httpd.apache.org/docs/howto/auth.html

xn
Re: Configuration problems with pam_smb, mod_auth_pam
You're going to need to use the NTLM auth mod for apache .. http://modntlm.sourceforge.net/

At 11:47 AM 29/05/2002 -0700, Christian G. Warden wrote:
> On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote:
> > I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble.
> [...]
> > AuthType Basic
> > AuthName PUSD Website Admin
> > require valid-user
>
> i have no idea how to make apache authenticate against a windows pdc, but i believe AuthType Basic can only be used to authenticate against a local password file, usually generated using htpasswd. see http://httpd.apache.org/docs/howto/auth.html
>
> xn
Re: the case of a stolen notebook
On Wednesday 29 May 2002 11:16 am, Rauno Linnamäe wrote:
> Hello,
>
> We are running a Debian (potato) box with Samba as PDC for user authentication and file server for W2k LAN clients. Recently one of our notebooks was stolen. As I can identify all the users who have ever logged in via that notebook, and may have their samba password stored on the machine, I revoked all these passwords.
>
> Can any of you think of any other steps I should take to minimise the risk of some black-hat abusing the information stored by W2k against our server/network?

This is no way to think if you're a security geek, but if you want to make yourself feel better the person who stole your notebook is a mere thief and is incapable of using any information other than credit/financial information that can lead again to more theft.

On the other hand, purge the users' logins, make a significant change to the username convention since he/she knows what you currently use and can use this to his/her advantage for later brute force attacks. He also knows your internal address space information (ie your internal ip addresses are now 'public'), of course that is a significant network change if you're dealing with several thousand hosts.

> Regards,
> Rauno

-- 
---
Orlando Padilla [EMAIL PROTECTED]
I only drink to make other people interesting
www.g0thead.com/xbud.asc
---
Re: the case of a stolen notebook
On Wednesday 29 May 2002 04:38 pm, Rauno Linnamäe wrote:
> On Wed, May 29, 2002 at 03:37:50AM -0500, xbud wrote:
> > On Wednesday 29 May 2002 11:16 am, Rauno Linnamäe wrote:
> > > Hello,
> > >
> > > We are running a Debian (potato) box with Samba as PDC for user authentication and file server for W2k LAN clients. Recently one of our notebooks was stolen. As I can identify all the users who have ever logged in via that notebook, and may have their samba password stored on the machine, I revoked all these passwords.
> > >
> > > Can any of you think of any other steps I should take to minimise the risk of some black-hat abusing the information stored by W2k against our server/network?
> >
> > This is no way to think if you're a security geek, but if you want to make yourself feel better the person who stole your notebook is a mere thief and is incapable of using any information other than credit/financial information that can lead again to more theft.
>
> I am quite aware of that. In fact, I was rather thinking about the consecutive owner/purchaser of the stolen hardware who might have some knowledge about computer security.
>
> > On the other hand, purge the users' logins, make a significant change to the username convention since he/she knows what you currently use and can use this to his/her advantage for later brute force attacks.
>
> The username can also often be guessed from e-mail addresses. Besides, I do employ a strong password policy, and several IDS-s, thus brute-forcing would not be of primary concern.

Brute force attacks can be evasive under some circumstances; a patient one may try one password per day for several months in an automated fashion. (what are the odds eh?)

IDS's? If you have any ssl enabled webservers allowing users to check email remotely or login through say 'mindterm' to an internal machine etc... Will the ids catch that too? (you willing to monitor after decryption has occurred at the OS side?)

> > He also knows your internal address space information (ie your internal ip addresses are now 'public'), of course that is a significant network change if you're dealing with several thousand hosts.
>
> All internal addresses are in the 192.168.x.x address space, thus this is not highly sensitive information, is it?

This depends on you, evidently you're paranoid or you wouldn't be posting here :), why give out any information regarding your network when it's unnecessary? But I agree under these circumstances not highly sensitive.

---
Orlando Padilla [EMAIL PROTECTED]
I only drink to make other people interesting
www.g0thead.com/xbud.asc
---

> Many thanks,
> Rauno
Re: ssh authentication configuration? = better use OTP method
libpam-opie seems to be working great here.

On Wed, May 29, 2002 at 10:58:50AM +0700, Jean Christophe ANDRÉ wrote:
> Hello Joshua and all,
>
> Joshua Goodall wrote :
> > Personally I recommend neither and tell everyone to prefer keys and one-time passwords, but that's another story :)
>
> Any hint for the best OTP method on Debian? libpam-opie??
RE: Configuration problems with pam_smb, mod_auth_pam
Do you happen to know if debs are available? I don't see any using apt-cache search. Thanks.

-----Original Message-----
From: Stephen Hassard [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 12:19 PM
To: Tom Dominico
Cc: [EMAIL PROTECTED]
Subject: Re: Configuration problems with pam_smb, mod_auth_pam

> You're going to need to use the NTLM auth mod for apache .. http://modntlm.sourceforge.net/
>
> At 11:47 AM 29/05/2002 -0700, Christian G. Warden wrote:
> > On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote:
> > > I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble.
> > [...]
> > > AuthType Basic
> > > AuthName PUSD Website Admin
> > > require valid-user
> >
> > i have no idea how to make apache authenticate against a windows pdc, but i believe AuthType Basic can only be used to authenticate against a local password file, usually generated using htpasswd. see http://httpd.apache.org/docs/howto/auth.html
> >
> > xn
Re: ssh authentication configuration?
On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> Hello, i'm confused on a couple variables in the sshd_config file, i have a client that's using that 'other os' and has an ssh client that he likes. however, he wanted me to secure the server as much as possible, i've always disabled clear text passwords(PasswordAuthentication no), and turn on pam auth (PAMAuthenticationViaKbdInt yes). That's always worked fine for me as i'm using debian linux, and i don't actually know why i do it other than in the conf file debian adds a comment above telling me to do so, so i do. Well, my clients ssh client app doesn't seem to be able to handle pam auth, so when i disable clear text passes

Both PasswordAuthentication and PAMAuthenticationViaKbdInt go through PAM [0]. The difference is that PasswordAuthentication obtains a password and hands that to the auth modules, whereas PAMAuthenticationViaKbdInt allows modules to interact with the user so that they can display their own prompts and collect responses.

Note that both send passwords (or other data) as *tunneled* cleartext - in other words, the string itself is sent, but it's sent over the encrypted channel.

> it won't let him in, even though i can get in with his account from my ssh client. i guess what i'm asking is, How much of a security risk is using regular auth versus Pam?.

Unless you've modified your PAM configuration to use some challenge-response authentication mechanism, and barring any relevant undiscovered bugs in OpenSSH or PAM, there's no difference in the risks posed by using SSH password-authentication and SSH keyboard-interactive authentication, nor reason to turn off PasswordAuthentication but leave PAMAuthenticationViaKbdInt on.

[0] in the Debian configuration - if configured at build time without PAM, PasswordAuthentication will use another mechanism to check passwords.

-- 
William Aoki  [EMAIL PROTECTED]              /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  - key change        \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734  prev. expired        X
                                              / \
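The one case where the two options really do behave differently is the one William carves out: a PAM stack with a challenge-response module. The following is an added illustration, not part of William's message and not Debian's shipped files; it pairs the OpenSSH 3.x option names used in this thread (later releases renamed them) with libpam-opie, the one-time-password module asked about elsewhere in the thread. The PAM file layout is an assumption.

```text
# /etc/ssh/sshd_config (OpenSSH 3.x option names, as in this thread)
PasswordAuthentication      no    # the client sends one string; sshd can feed it to
                                  # a PAM password prompt but cannot show the user a
                                  # challenge first, so an OTP module is unusable here
PAMAuthenticationViaKbdInt  yes   # PAM's own prompts, e.g. OPIE's "otp-md5 <seq> <seed>"
                                  # challenge, are relayed to the client and the
                                  # response handed back to the module
PubkeyAuthentication        yes   # keys remain the preferred method

# /etc/pam.d/ssh (assumed layout): one-time passwords only, with no fallback
# to the reusable Unix password. A client that cannot do keyboard-interactive
# (the "other os" client in the thread) then has no way in except a key.
auth     required   pam_opie.so
account  required   pam_unix.so
```

With a plain pam_unix stack the same two sshd options are interchangeable, which is William's point; the configuration above is where turning PasswordAuthentication off stops being cosmetic.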
Re: ssh authentication configuration? = better use OTP method
Hello Joshua and all,

Joshua Goodall wrote :
> Personally I recommend neither and tell everyone to prefer keys and one-time passwords, but that's another story :)

Any hint for the best OTP method on Debian? libpam-opie??

Cheers, J.C.
-- 
Jean Christophe ANDRÉ [EMAIL PROTECTED] http://www.vn.refer.org/
Regional technical coordinator (computer systems and networks)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108 Fax: +84 4 8247383 Mobile: +84 91 3248747
Re: ssh authentication configuration?
Hi Joshua, There should be no problem with using PasswordAuthentication with SSH since the passwords are _NOT_ sent in the clear. Rather, the clear text password is sent over the encrypted channel. From the SSH(1) man page: The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. Patrick On Wed, May 29, 2002 at 09:58:00AM +1000, Joshua Goodall wrote: Stephen, On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote: [snip] i've always disabled clear text passwords(PasswordAuthentication no), and turn on pam auth (PAMAuthenticationViaKbdInt yes). That's always [snip] I'll assume you're using openssh version 3.x that's in the debian/testing distribution. The password will still be sent in the clear; there is a difference in the way the server handles it (that is, it palms off to PAM the responsibility of letting you in) and a difference in the way the client negotiates (iirc it's nonfunctional if the client doesn't request keyboard-interactive negotiation). -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
ipchains rules for dmz??
Does anyone have a set of ipchains rules for a DMZ that doesn't have routable IPs and an internal network that doesn't have routable IPs? I looked on the IPCHAINS HOWTO page, but they don't have a script for this. I haven't seen anything with google either. I'm looking for something like this: Internet (bad) --- firewall --- dmz (192.168.9.*) ^ | +-- internal LAN (good) (10.177.9.*) I would like: bad -- good = nothing but NATed established traffic bad -- dmz = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to DNS), ssh to web box dmz -- good = nothing but NATed traffic dmz -- bad = NATed traffic (allow all for now) good -- bad = NATed traffic (allow all for now) good -- dmz = same as bad -- dmz. All of the scripts I've seen have DMZ as routeable. The biggest problem I have is that good -- dmz because they're both private IP ranges. I thought I could just pass them with something like: ipchains -N good-dmz ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz ipchains -A good-dmz -j ACCECPT (this terminology is from the IPCHAINS HOWTO) Any suggestions? Any help? -rishi ___ Linux Users Group at UD mailing list Subscription Management: https://www.lug.udel.edu/cgi-bin/mailman/listinfo/linux Archives : http://www.lug.udel.edu/pipermail/linux/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: ipchains rules for dmz??
I'm looking for something like this: Howabout installing shorewall? (www.shorewall.net) the best iptables script i have ever seen. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ipchains rules for dmz??
Did you look at shorewall ? (apt-cache show shorewall if not) This script is fantastic, and when you know exactly what you want, configuring it is a matter of minutes... Install it, read the quick-start guide, which is basically : 1) define your zones in the zones files. you would define dmz, lan, net, and shorewall will define a fw zone which is your firewall itself 2) associate computers to your zones (hosts file), or interfaces (interfaces file) 3) define the default INPUT, OUTPUT and FORWARD for the 3 zones in the policy file 4) add exceptions to the policy in the rules file.. that's all ;) shorewall really is fantastic ;))) good luck sam - Original Message - From: Rishi L Khan [EMAIL PROTECTED] To: debian-security@lists.debian.org Sent: Wednesday, May 29, 2002 4:49 PM Subject: ipchains rules for dmz?? Does anyone have a set of ipchains rules for a DMZ that doesn't have routable IPs and an internal network that doesn't have routable IPs? I looked on the IPCHAINS HOWTO page, but they don't have a script for this. I haven't seen anything with google either. I'm looking for something like this: Internet (bad) --- firewall --- dmz (192.168.9.*) ^ | +-- internal LAN (good) (10.177.9.*) I would like: bad -- good = nothing but NATed established traffic bad -- dmz = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to DNS), ssh to web box dmz -- good = nothing but NATed traffic dmz -- bad = NATed traffic (allow all for now) good -- bad = NATed traffic (allow all for now) good -- dmz = same as bad -- dmz. All of the scripts I've seen have DMZ as routeable. The biggest problem I have is that good -- dmz because they're both private IP ranges. I thought I could just pass them with something like: ipchains -N good-dmz ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz ipchains -A good-dmz -j ACCECPT (this terminology is from the IPCHAINS HOWTO) Any suggestions? Any help? 
-rishi ___ Linux Users Group at UD mailing list Subscription Management: https://www.lug.udel.edu/cgi-bin/mailman/listinfo/linux Archives : http://www.lug.udel.edu/pipermail/linux/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ipchains rules for dmz??
Howabout installing shorewall? (www.shorewall.net) the best iptables script i have ever seen. It's not only the best iptables script you've ever seen, but it's also a nice high-level configuration tool for everything concerning firewalling.. Traffic Shaping, IPSec... Sam -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh authentication configuration?
On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote: Hello, i'm confused on a couple variables in the sshd_config file, i have a client that's using that 'other os' and has an ssh client that he likes. [PAMAuthenticationViaKbdInt doesn't work] Is the 'other os' client using sshv1 perhaps (v1 doesn't support challenge/response as far as I know) -- - mdz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
the case of a stolen notebook
Hello, We are running a Debian (potato) box with Samba as PDC for user authentication and file server for W2k LAN clients. Recently one of our notebooks was stolen. As I can identify all the users who have ever logged in via that notebook, and may have their samba password stored on the machine, I revoked all these passwords. Can any of you think of any other steps I should take to minimise the risk of some black-hat abusing the information stored by W2k against our server/network? Regards, Rauno -- The whole world is about three drinks behind. -- Humphrey Bogart pgpQWURC4FcLT.pgp Description: PGP signature
Re: ipchains rules for dmz??
I looked into shorewall. It doesn't support ipchains, but seawall does. Would you suggest updating to iptables or using seawall? Do you think that Linux 2.4.x is stable yet? If so, which version? I believe that ipchains can do the job and that linux 2.2.20 is stable. I don't have experience in 2.4.x kernels yet, but am willing to look into it if people think that it's as stable as 2.2.20. Are there any security issues with the currentversion of ipchains that is addressed with iptables (I don't mean iptables features like stateful packet filtering -- I mean security vulnerabilities) -rishi On Wed, 29 May 2002, Sami Dalouche wrote: Howabout installing shorewall? (www.shorewall.net) the best iptables script i have ever seen. It's not only the best iptables script you've ever seen, but it's also a nice high-level configuration tool for everything concerning firewalling.. Traffic Shaping, IPSec... Sam -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ipchains rules for dmz??
I think you should upgrade to 2.4.x, netfilter really is clean. Even if some parts of 2.4.x are critisized (or were, like the VM..), the whole netfilter part really is beautiful.. ipchains is a bunch of hacks glued together to provide all the functionnalities you need. Netfilter, on the other side, is built on top of a solid basis. If you want to upgrade to 2.4.x, I suggest you to try the latest one (2.4.18). USB support is nice, the VM problems are (partly ?) solved, and it works correctly. It also supports ext3 that you should upgrade to if you choose to upgrade, btw. I couldn't compare it to 2.2.20 however (I upgraded to 2.4.x before being able to really test the 2.2.x branch.. ;-), but people will probably tell you 2.2.20 is more stable... Personally, I haven't had any problem with 2.4, except concerning my SCSI card (which screws up with any version of linux, anyways.. Tekram DC390) Concerning security issues, I think it's OK, but I also heard that because of the DMCA, changelogs and some security issues are censored, so. could anyone confirm ? Sam -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Seawall firewall (was Re: ipchains rules for dmz??)
On Wed, May 29, 2002 at 12:30:32PM -0400, Rishi L Khan remarked: I looked into shorewall. It doesn't support ipchains, but seawall does. Would you suggest updating to iptables or using seawall? I am also curious to know if anyone has played with seawall and can comment on whether it comes recommended as shorewall is? Comments? Cheers, Raymond pgpE8TpPr6j3c.pgp Description: PGP signature
Configuration problems with pam_smb, mod_auth_pam
I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble. I keep getting a 500 internal server error when I go to login to a secured area. In my error.log, it says: [Wed May 29 09:55:05 2002] [crit] [client xxx.xxx.xxx.xxx] configuration error: couldn't check user. No user file?: /admin I don't know if this means that it can't contact the domain controller, or...? My .htaccess looks like this: AuthType Basic AuthName PUSD Website Admin require valid-user If I require a valid user, does it mean a user vaild for the NT domain, or the Debian box? This is the way the .htaccess file was in the example I followed. My /etc/pam.d/httpd file looks like this: authrequiredpam_smb_auth.so debug account requiredpam_pwdb.so debug md5 Finally, my /etc/pam_smb.conf file looks like this: PUSD endeavor Endeavor PUSD is the domain, and endeavor is the PDC. I can successfully ping the host endeavor from the Debian box. Where have I gone wrong? At this point, I am having a hard time troubleshooting. Can anyone point me in the proper direction? Thanks, Tom Dominico Technology Coordinator Parlier Unified School District (559) 646-2731 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Configuration problems with pam_smb, mod_auth_pam
On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote: I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble. [...] AuthType Basic AuthName PUSD Website Admin require valid-user i have no idea how to make apache authenticate against a windows pdc, but i believe AuthType Basic can only be used to authenticate against a local password file, usually generated using htpasswd. see http://httpd.apache.org/docs/howto/auth.html xn -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Configuration problems with pam_smb, mod_auth_pam
You're going to need to use the NTLM auth mod for apache ..
http://modntlm.sourceforge.net/

At 11:47 AM 29/05/2002 -0700, Christian G. Warden wrote:
> On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote:
> > I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble.
> [...]
> > AuthType Basic
> > AuthName PUSD Website Admin
> > require valid-user
>
> i have no idea how to make apache authenticate against a windows pdc, but i believe AuthType Basic can only be used to authenticate against a local password file, usually generated using htpasswd. see http://httpd.apache.org/docs/howto/auth.html
>
> xn
Re: ipchains rules for dmz??
On Wednesday 29 May 2002 11:30 am, Rishi L Khan wrote:
> I looked into shorewall. It doesn't support ipchains, but seawall does. Would you suggest updating to iptables or using seawall? Do you think that Linux 2.4.x is stable yet? If so, which version?

The kernel overall I believe is considered stable, I've been using 2.4.18 for some time now and have had no major problems with it. .17 gave me usb horror but was fixed in 18. The only bug I'd watch for would be the NAT bug found by cartel-securite.fr using a patch to nmap which reveals internal ip information. According to their advisory 2.4.4 - 2.4.19pre6 are vulnerable.

> I believe that ipchains can do the job and that linux 2.2.20 is stable. I don't have experience in 2.4.x kernels yet, but am willing to look into it if people think that it's as stable as 2.2.20. Are there any security issues with the current version of ipchains that is addressed with iptables (I don't mean iptables features like stateful packet filtering -- I mean security vulnerabilities)

I've stuck with ipchains myself, but for no significant reason other than being lazy =).

> -rishi
>
> On Wed, 29 May 2002, Sami Dalouche wrote:
> > > How about installing shorewall? (www.shorewall.net) the best iptables script i have ever seen.
> >
> > It's not only the best iptables script you've ever seen, but it's also a nice high-level configuration tool for everything concerning firewalling.. Traffic Shaping, IPSec...
> >
> > Sam

-- 
---
Orlando Padilla [EMAIL PROTECTED]
I only drink to make other people interesting
www.g0thead.com/xbud.asc
---
Re: the case of a stolen notebook
On Wednesday 29 May 2002 11:16 am, Rauno Linnamäe wrote:
> Hello,
>
> We are running a Debian (potato) box with Samba as PDC for user authentication and file server for W2k LAN clients. Recently one of our notebooks was stolen. As I can identify all the users who have ever logged in via that notebook, and may have their samba password stored on the machine, I revoked all these passwords. Can any of you think of any other steps I should take to minimise the risk of some black-hat abusing the information stored by W2k against our server/network?

This is no way to think if you're a security geek, but if you want to make yourself feel better the person who stole your notebook is a mere thief and is incapable of using any information other than credit/financial information that can lead again to more theft.

On the other hand, purge the users' logins, make a significant change to the username convention since he/she knows what you currently use and can use this to his/her advantage for later brute force attacks. He also knows your internal address space information (ie your internal ip addresses are now 'public'), of course that is a significant network change if you're dealing with several thousand hosts.

> Regards,
> Rauno

-- 
---
Orlando Padilla [EMAIL PROTECTED]
I only drink to make other people interesting
www.g0thead.com/xbud.asc
---
Re: the case of a stolen notebook
On Wed, May 29, 2002 at 03:37:50AM -0500, xbud wrote:
> On Wednesday 29 May 2002 11:16 am, Rauno Linnamäe wrote:
> > Hello,
> >
> > We are running a Debian (potato) box with Samba as PDC for user authentication and file server for W2k LAN clients. Recently one of our notebooks was stolen. As I can identify all the users who have ever logged in via that notebook, and may have their samba password stored on the machine, I revoked all these passwords. Can any of you think of any other steps I should take to minimise the risk of some black-hat abusing the information stored by W2k against our server/network?
>
> This is no way to think if you're a security geek, but if you want to make yourself feel better the person who stole your notebook is a mere thief and is incapable of using any information other than credit/financial information that can lead again to more theft.

I am quite aware of that. In fact, I was rather thinking about the consecutive owner/purchaser of the stolen hardware who might have some knowledge about computer security.

> On the other hand, purge the users' logins, make a significant change to the username convention since he/she knows what you currently use and can use this to his/her advantage for later brute force attacks.

The username can also often be guessed from e-mail addresses. Besides, I do employ a strong password policy, and several IDSs, thus brute-forcing would not be of primary concern.

> He also knows your internal address space information (ie your internal ip addresses are now 'public'), of course that is a significant network change if you're dealing with several thousand hosts.

All internal addresses are in the 192.168.x.x address space, thus this is not highly sensitive information, is it?

> ---
> Orlando Padilla [EMAIL PROTECTED]
> I only drink to make other people interesting
> www.g0thead.com/xbud.asc
> ---

Many thanks,
Rauno
Re: the case of a stolen notebook
On Wednesday 29 May 2002 04:38 pm, Rauno Linnamäe wrote:
> On Wed, May 29, 2002 at 03:37:50AM -0500, xbud wrote:
> > On Wednesday 29 May 2002 11:16 am, Rauno Linnamäe wrote:
> > > Hello,
> > >
> > > We are running a Debian (potato) box with Samba as PDC for user authentication and file server for W2k LAN clients. Recently one of our notebooks was stolen. As I can identify all the users who have ever logged in via that notebook, and may have their samba password stored on the machine, I revoked all these passwords. Can any of you think of any other steps I should take to minimise the risk of some black-hat abusing the information stored by W2k against our server/network?
> >
> > This is no way to think if you're a security geek, but if you want to make yourself feel better the person who stole your notebook is a mere thief and is incapable of using any information other than credit/financial information that can lead again to more theft.
>
> I am quite aware of that. In fact, I was rather thinking about the consecutive owner/purchaser of the stolen hardware who might have some knowledge about computer security.
>
> > On the other hand, purge the users' logins, make a significant change to the username convention since he/she knows what you currently use and can use this to his/her advantage for later brute force attacks.
>
> The username can also often be guessed from e-mail addresses. Besides, I do employ a strong password policy, and several IDSs, thus brute-forcing would not be of primary concern.

Brute force attacks can be evasive under some circumstances, a patient one may try one password per day for several months in an automated fashion. ( what are the odds eh?)

IDS's ? If you have any ssl enabled webservers allowing users to check email remotely or login through say 'mindterm' to an internal machine etc... Will the ids catch that too ? ( you willing to monitor after decryption has occurred at the OS side ? )

> > He also knows your internal address space information (ie your internal ip addresses are now 'public'), of course that is a significant network change if you're dealing with several thousand hosts.
>
> All internal addresses are in the 192.168.x.x address space, thus this is not highly sensitive information, is it?

This depends on you, evidently you're paranoid or you wouldn't be posting here :), why give out any information regarding your network when it's unnecessary ? But I agree under these circumstances not highly sensitive.

> > ---
> > Orlando Padilla [EMAIL PROTECTED]
> > I only drink to make other people interesting
> > www.g0thead.com/xbud.asc
> > ---
>
> Many thanks,
> Rauno
Re: ssh authentication configuration? = better use OTP method
libpam-opie seems to be working great here.

On Wed, May 29, 2002 at 10:58:50AM +0700, Jean Christophe ANDRÉ wrote:
> Hello Joshua and all,
>
> Joshua Goodall wrote :
> > Personally I recommend neither and tell everyone to prefer keys and one-time passwords, but that's another story :)
>
> Any hint for the best OTP method on Debian? libpam-opie??
RE: Configuration problems with pam_smb, mod_auth_pam
Do you happen to know if debs are available? I don't see any using apt-cache search. Thanks.

-----Original Message-----
From: Stephen Hassard [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 29, 2002 12:19 PM
To: Tom Dominico
Cc: debian-security@lists.debian.org
Subject: Re: Configuration problems with pam_smb, mod_auth_pam

You're going to need to use the NTLM auth mod for apache ..
http://modntlm.sourceforge.net/

At 11:47 AM 29/05/2002 -0700, Christian G. Warden wrote:
> On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote:
> > I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble.
> [...]
> > AuthType Basic
> > AuthName PUSD Website Admin
> > require valid-user
>
> i have no idea how to make apache authenticate against a windows pdc, but i believe AuthType Basic can only be used to authenticate against a local password file, usually generated using htpasswd. see http://httpd.apache.org/docs/howto/auth.html
>
> xn
Re: ssh authentication configuration?
On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> Hello, i'm confused on a couple variables in the sshd_config file, i have a client that's using that 'other os' and has an ssh client that he likes. however, he wanted me to secure the server as much as possible, i've always disabled clear text passwords (PasswordAuthentication no), and turn on pam auth (PAMAuthenticationViaKbdInt yes). That's always worked fine for me as i'm using debian linux, and i don't actually know why i do it other than in the conf file debian adds a comment above telling me to do so, so i do. Well, my client's ssh client app doesn't seem to be able to handle pam auth, so when i disable clear text passes

Both PasswordAuthentication and PAMAuthenticationViaKbdInt go through PAM [0]. The difference is that PasswordAuthentication obtains a password and hands that to the auth modules, whereas PAMAuthenticationViaKbdInt allows modules to interact with the user so that they can display their own prompts and collect responses. Note that both send passwords (or other data) as *tunneled* cleartext - in other words, the string itself is sent, but it's sent over the encrypted channel.

> it won't let him in, even though i can get in with his account from my ssh client. i guess what i'm asking is, How much of a security risk is using regular auth versus Pam?

Unless you've modified your PAM configuration to use some challenge-response authentication mechanism, and barring any relevant undiscovered bugs in OpenSSH or PAM, there's no difference in the risks posed by using SSH password-authentication and SSH keyboard-interactive authentication, nor reason to turn off PasswordAuthentication but leave PAMAuthenticationViaKbdInt on.

[0] in the Debian configuration - if configured at build time without PAM, PasswordAuthentication will use another mechanism to check passwords.

-- 
William Aoki  [EMAIL PROTECTED]                  /\   ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  - key change         \ /   No HTML in mail or news!
99AF A093 29AE 0AE1 9734  prev. expired         X
                                               / \
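As an added example (not code from any of the posts above), the check William's explanation implies: a small Python audit that reads an sshd_config and the PAM "auth" stack and reports when PasswordAuthentication is off but keyboard-interactive still just collects the same reusable password, or when an OTP module such as pam_opie (the libpam-opie suggestion in the OTP thread) is present but keyboard-interactive is off so it cannot show its challenge. The file contents are constructed, and the module list and the defaults assumed for missing keywords are assumptions.

```python
# Added example: audit sshd_config + pam.d 'auth' lines for the combinations the thread discusses.
import re

# Constructed sshd_config excerpt: the combination the original poster used.
SSHD_CONFIG = "PasswordAuthentication no\nPAMAuthenticationViaKbdInt yes\n"
# Constructed PAM stacks: a reusable password vs. an OPIE one-time password.
PAM_SSH_PLAIN = "auth required pam_unix.so\naccount required pam_unix.so\n"
PAM_SSH_OTP = "auth required pam_opie.so\naccount required pam_unix.so\n"
# Modules that issue a per-login challenge (assumed list; pam_opie is the one from the thread).
CHALLENGE_RESPONSE_MODULES = {"pam_opie.so", "pam_skey.so"}

def parse_sshd_config(text):
    """Keyword (lower-cased) -> value; sshd honours the first occurrence of a keyword."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def pam_auth_modules(text):
    """Module file names on the 'auth' lines of a pam.d service file (type control module args)."""
    mods = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lower() == "auth":
            mods.append(fields[2].rsplit("/", 1)[-1])
    return mods

def audit(sshd_text, pam_text):
    """Return finding tags; an empty list means the settings and PAM stack are coherent."""
    opts = parse_sshd_config(sshd_text)
    pw = opts.get("passwordauthentication", "yes")      # assumed default
    kbd = opts.get("pamauthenticationviakbdint", "no")  # assumed default
    otp = any(m in CHALLENGE_RESPONSE_MODULES for m in pam_auth_modules(pam_text))
    findings = []
    if pw == "no" and kbd == "yes" and not otp:
        findings.append("kbdint-no-gain")          # same tunnelled password, only the prompt differs
    if otp and kbd != "yes":
        findings.append("otp-needs-kbdint")        # OTP module cannot display its challenge
    if not otp and (pw == "yes" or kbd == "yes"):
        findings.append("reusable-password-only")  # thread's advice: prefer keys or one-time passwords
    return findings
```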