[SECURITY] [DSA 179-1] New gnome-gv packages fix buffer overflow
--------------------------------------------------------------------------
Debian Security Advisory DSA 179-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
October 18th, 2002                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : gnome-gv
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-0838
BugTraq ID     : 5808

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer for X11. The same code is present in gnome-gv. This problem is triggered by scanning the PostScript file and can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker is able to cause arbitrary code to be run with the privileges of the victim.

This problem has been fixed in version 1.1.96-3.1 for the current stable distribution (woody), in version 0.82-2.1 for the old stable distribution (potato) and in version 1.99.7-9 for the unstable distribution (sid).

We recommend that you upgrade your gnome-gv package.

  wget url
    will fetch the file for you
  dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

  apt-get update
    will update the internal database
  apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Re: ABfrag/ac1db1tch3z Kernel Exploit ?
On Thursday 17 October 2002 05:03 am, Orlando wrote:
> Not sure if this is real. He's using a hushmail account to post to the
> lists, which is somewhat suspicious. He claims to have attached the binary
> but no one seems to have a copy of it. Some co-workers and other people
> have asked for a copy of it without success. I wouldn't be too surprised
> if this is another PHC attempt for more attention.

Ok, I stand corrected: silvio, the moderator of the unix-virii list on segfault.net, seems to have a copy of that binary.

-x

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: port 16001 and 111
Jussi Ekholm wrote:
> The same answer as a luser and as a root. What should I deduct from this?
> It's just so weird as I'm not running NFS, NIS or any other thingie that
> should use this port...

You said "what would try to connect to my system's port [...] 111 from within my own system". I would answer: something that is configured to do so? You may not look at what binds this port, since you don't run portmap, but instead at what is configured to try NIS, NFS, ... access! Did you tune your /etc/nsswitch.conf to try NIS? Or something else...

Regards,
J.C.
Re: Automatic Debian security updates, an Implementation
I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a Debian system secure and updated?

On Friday 18 October 2002 06:58 am, Fruhwirth Clemens wrote:
> Hi!
>
> http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron
> based daily security update with signature checking using a modified
> version of ajt's apt-check-sigs.
>
> Feedback is appreciated. CC please, /me not on list.
>
> Regards, Clemens
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote:
> I don't understand the need for this. Can someone explain why 'apt-get
> update apt-get dist-upgrade' is not sufficient to keep a debian system
> secure and updated?

It'll get to you when you have 200+ Debian systems spread across the internet in different cities, timezones and administrative domains :)

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote:
> Can someone explain why 'apt-get update apt-get dist-upgrade' is not
> sufficient to keep a debian system secure and updated?

Because a hacked mirror could contain malicious packages. When you check signatures before upgrading, you detect such intrusions.

Of course, if the hacker managed to modify files on the master server, proper signatures would automatically get generated, and apt-check-sigs would have no chance to detect these modifications. Still, checking signatures provides one more line of defense.

Jan
Re: Automatic Debian security updates, an Implementation
On Fri, 18 Oct 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote:
> I don't understand the need for this. Can someone explain why 'apt-get
> update apt-get dist-upgrade' is not sufficient to keep a debian system
> secure and updated?

As pointed out several times in the past, Debian has not fully implemented package signing (the last I knew... someone throw a rock at me if I am wrong). So blindly updating and upgrading might be insecure if someone could spoof the Debian update server (upstream).

Regards,
--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

XP Source Code:
#include <win2k.h>
#include <extra_pretty_things_with_bugs.h>
#include <more_bugs.h>
#include <require_system_activation.h>
#include <phone_home_every_so_often.h>
#include <remote_admin_abilities_for_MS.h>
#include <more_restrictive_EULA.h>
#include <sell_your_soul_to_MS_EULA.h>
//os_ver=Windows 2000
os_ver=Windows XP
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 09:33, Mark Janssen wrote:
> On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote:
> > I don't understand the need for this. Can someone explain why 'apt-get
> > update apt-get dist-upgrade' is not sufficient to keep a debian system
> > secure and updated?
>
> It'll get to you when you have 200+ debian systems spread across the
> internet in different cities, timezones and administrative domains :)

Hi,

You can try the cron-apt package[1] and apt-check-sigs[2] to do it! Now I've twelve servers running Debian GNU/Linux and I'm using one apt-proxy[3] and aptwatcher (like cron-apt).

[1] = http://packages.debian.org/cron-apt/
[2] = http://people.debian.org/~ajt/
[3] = http://apt-proxy.sourceforge.net/

Talking about secpack, is it non-free? I can't see in your mail (Clemens) the url or apt-line to get the source package.

Thanks,
--
Gustavo Franco -- [EMAIL PROTECTED]
GNUpg id: 0x37155778 (try: wwwkeys.eu.pgp.net)
I prefer encrypted and signed e-mail.
ssh banner
Woody

host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

How can I disable the message?

przemol
Re: grsecurity patch (woody kernel 2.4.18)
On Thu, 2002-10-17 at 01:53, WebMaster wrote:
> hello,
> can i safely apply the grsecurity patch?

Yes, removing the EXTRAVERSION line in the patch (woody).

> if this patch makes servers more secure just by applying it (without acl),
> why isn't it applied by default?

It can be too aggressive to set by default. One hardened flavor for sarge with the grsecurity patch can be good. Any feedback from the d-boot guys?

Thanks,
--
Gustavo Franco -- [EMAIL PROTECTED]
GNUpg id: 0x37155778 (try: wwwkeys.eu.pgp.net)
I prefer encrypted and signed e-mail.
Re: ssh banner
On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
> Woody
>
> host:/home/przemol> telnet 192.168.x.y ssh
> Trying 192.168.x.y...
> Connected to 192.168.x.y.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

Edit sshd_config, find the line with something like

  Banner /etc/issue.net

and set

  # Banner /etc/issue.net

killall -9 sshd

done

Regards

> How can I disable the message?
>
> przemol

--
Aleksander Iwanski
[EMAIL PROTECTED]
tel. +48 58 5575824
mobile: +48 502273537
Re: ssh banner
> Woody
>
> host:/home/przemol> telnet 192.168.x.y ssh
> Trying 192.168.x.y...
> Connected to 192.168.x.y.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message?

This banner is needed information for a ssh client connecting to your server, therefore you had better not disable it.

Greetings,
Ivo van Dongen
Re: Automatic Debian security updates, an Implementation
From Jan Niehusmann on Friday, 18 October, 2002:
> On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote:
> > Can someone explain why 'apt-get update apt-get dist-upgrade' is not
> > sufficient to keep a debian system secure and updated?
>
> Of course, if the hacker managed to modify files on the master server,
> proper signatures would automatically get generated, and apt-check-sigs
> had no chance to detect these modifications. Still, checking signatures
> provides one more line of defense.

I've been thinking up a new, more secure way of doing apt. (Actually, it's a modification of the current system.) It kind of has two levels: one trusting apt's integrity, and the second would be a very paranoid system, which requires more hardware knowledge (smartcard-like businesses) than I currently possess.

If people are interested enough in it, I might throw together something more formal.

-Joseph

--
[EMAIL PROTECTED]
"Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser." --jonadab, in a slashdot.org comment.
Re: ssh banner
On Fri, 2002-10-18 at 14:58, [EMAIL PROTECTED] wrote:
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message?

You can limit it somewhat (by editing source), but the protocol needs the version string, so you can't change it without breaking compatibility.

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: ssh banner
On Fri, 18 Oct 2002 [EMAIL PROTECTED] wrote:
> Woody
>
> host:/home/przemol> telnet 192.168.x.y ssh
> Trying 192.168.x.y...
> Connected to 192.168.x.y.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message?

edit /etc/ssh/sshd_config and put a comment mark (#) at the beginning of the line that says

  Banner /etc/issue.net

or something like that.

hth,
tobias r.

--
NOC Hamster - Security Guy - Owner of one, root of many
Tobias Rosenstock - [EMAIL PROTECTED] - [EMAIL PROTECTED] - [EMAIL PROTECTED]
Wieske's Crew KG - http://irz42.net - http://www.crew-kg.de
Humboldtstr. 51 - Lessingstr. 2 - 22083 Hamburg - Germany
Re: ssh banner
On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
> Woody
>
> host:/home/przemol> telnet 192.168.x.y ssh
> Trying 192.168.x.y...
> Connected to 192.168.x.y.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message?

you can't without modifying the source. AFAIK, this message is used by the ssh client to know if it is a ssh server

--
Tab
Re: ssh banner
On Fri, Oct 18, 2002 at 03:23:42PM +0200, Aleksander Iwanski wrote:
> On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
> > Woody
> >
> > host:/home/przemol> telnet 192.168.x.y ssh
> > Trying 192.168.x.y...
> > Connected to 192.168.x.y.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> Edit sshd_config, find the line with something like
>   Banner /etc/issue.net
> and set
>   # Banner /etc/issue.net
> killall -9 sshd

przemek:~# grep -i banner /etc/ssh/sshd_config
#Banner /etc/issue.net

przemol
Re: ssh banner
This won't do the trick. AFAIK it will only display /etc/issue.net content before the password prompt, but won't change/hide the version of the sshd when telnet'ing localhost || ip on port 22.

-xavier

> Edit sshd_config, find the line with something like
>   Banner /etc/issue.net
> and set
>   # Banner /etc/issue.net
> killall -9 sshd
> done

--
Xavier Santolaria [EMAIL PROTECTED]
Alldas.org IT-Security Information Network http://xs.alldas.org
perl -we '$|=1;print 1;@a=qw(\ | / -);while(){for($i=0;$i<@a;$i++) {print\b$a[$i];select undef,undef,undef,.1}}print\n'
Re: ssh banner
On Fri, Oct 18, 2002 at 03:23:18PM +0200, vdongen wrote:
> > Woody
> >
> > host:/home/przemol> telnet 192.168.x.y ssh
> > Trying 192.168.x.y...
> > Connected to 192.168.x.y.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
> >
> > How can I disable the message?
>
> This banner is needed information for a ssh client connecting to your
> server, therefore you had better not disable it.

Well, I agree, e.g. SSH-2.0. But the rest? It allows one to easily recognise what system the server is.

przemol
Re: ssh banner
Hi,

On Fri, 18 Oct 2002, vdongen wrote:
> > Woody
> >
> > host:/home/przemol> telnet 192.168.x.y ssh
> > Trying 192.168.x.y...
> > Connected to 192.168.x.y.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
> >
> > How can I disable the message?
>
> This banner is needed information for a ssh client connecting to your
> server, therefore you had better not disable it.

oops, of course you're right.. I didn't pay attention to the line saying "telnet" etc., I just kicked out my standard "how do I remove this annoying banner" reply that our customers get when they don't wanna see it.

my fault..

tobias r.

--
Tobias Rosenstock - Wieske's Crew KG - http://irz42.net
Re: ssh banner
On Fri, 18 Oct 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
> host:/home/przemol> telnet 192.168.x.y ssh
> Trying 192.168.x.y...
> Connected to 192.168.x.y.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message?

If you attempt to disable this message your ssh clients will not work. See the SSH rfc in /usr/doc/ssh. You will find that both client and server exchange Version information as part of the connection establishment/handshake. You can, however, recompile and get rid of the "Debian 1:3.4p1-1" part...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
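The version exchange Phil refers to is the SSH identification line. As an added illustration (not code from any poster or from OpenSSH), this Python parser splits the banner shown in the thread into the fields a peer actually reads, following the layout later standardised in RFC 4253 ("SSH-protoversion-softwareversion SP comments"); the "Debian 1:3.4p1-1" part is the optional comment, which is what a rebuild can drop without affecting clients.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identification line layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is printable US-ASCII without whitespace or '-';
# the comment (after one space) is optional and free-form.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comment>[\x20-\x7e]*))?$"
)


@dataclass(frozen=True)
class SshIdent:
    protoversion: str
    softwareversion: str
    comment: Optional[str]

    def speaks_ssh2(self) -> bool:
        # "1.99" is how a server advertises support for both protocol 1 and 2
        # (RFC 4253, section 5.1); the netcat output later in the thread shows it.
        return self.protoversion in ("2.0", "1.99")

    def minimal_banner(self) -> str:
        # Everything a peer needs; the distribution comment is simply dropped.
        return f"SSH-{self.protoversion}-{self.softwareversion}"


def parse_ssh_ident(raw: bytes) -> SshIdent:
    """Parse one identification line as read from the socket."""
    if len(raw) > 255:
        raise ValueError("identification line longer than 255 bytes")
    try:
        text = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError as exc:
        raise ValueError("identification line is not US-ASCII") from exc
    m = _IDENT_RE.match(text)
    if m is None:
        raise ValueError(f"not an SSH identification line: {text!r}")
    return SshIdent(m["proto"], m["software"], m["comment"])


def comment_only_differs(a: bytes, b: bytes) -> bool:
    """True if two banners agree on everything a peer uses (protocol and software)."""
    return parse_ssh_ident(a).minimal_banner() == parse_ssh_ident(b).minimal_banner()


if __name__ == "__main__":
    # The banner from the thread, and the same server after dropping the comment.
    full = b"SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1\r\n"
    bare = b"SSH-2.0-OpenSSH_3.4p1\r\n"
    print(parse_ssh_ident(full))
    print(comment_only_differs(full, bare))   # True: peers see no difference
```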
Re: ssh banner
On Fri, Oct 18, 2002 at 03:30:01PM +0200, Tobias Rosenstock wrote:
> On Fri, 18 Oct 2002 [EMAIL PROTECTED] wrote:
> > Woody
> >
> > host:/home/przemol> telnet 192.168.x.y ssh
> > Trying 192.168.x.y...
> > Connected to 192.168.x.y.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
> >
> > How can I disable the message?
>
> edit /etc/ssh/sshd_config and put a comment mark (#) at the beginning of
> the line that says
>   Banner /etc/issue.net
> or something like that.

It is set (commented) by default.

przemol
Re: ssh banner
You can still have a look there:

  http://groups.google.com/groups?selm=cy9se16re.fsf%40zeus.theos.com&output=gplain

for an answer, but it would be better not to touch it. If you can restrict the access to port 22 to a few IPs, do it and block the rest. It will save you some sleepless nights if you're _that_ worried about showing off your sshd version.

cheers,
-xavier

On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
> Woody
>
> host:/home/przemol> telnet 192.168.x.y ssh
> Trying 192.168.x.y...
> Connected to 192.168.x.y.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message?
>
> przemol

--
Xavier Santolaria [EMAIL PROTECTED]
Re: ssh banner
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> Edit sshd_config, find the line with something like
>   Banner /etc/issue.net
> and set
>   # Banner /etc/issue.net
> killall -9 sshd
> done
> Regards

afaik /etc/issue.net is intended for telnet and not for ssh. furthermore:

  $ netcat 0 22
  SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-4
  $ cat /etc/issue.net
  Debian GNU/%s testing/unstable %h

sshd does not use /etc/issue.net by default:

  $ grep Banner /etc/ssh/sshd_config
  #Banner /etc/issue.net

Greetings,
Ivo van Dongen
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote:
> If people are interested enough in it, I might throw together something
> more formal.

IMHO there is no lack of interesting ideas - what we really need are implementations. apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could also improve security significantly. Together, I'd say they'd suffice to make the Debian mirrors extremely tamper-proof.

But apt-check-sigs is lacking nice integration into existing tools, and debsigs doesn't really work, because packages are not signed, which is IMHO caused by inappropriate helper tools at packaging time.

So implementing these tools, and then changing policy to make package signatures mandatory, seems to be the most feasible approach. Writing new proposals for advanced security schemes doesn't help and may even delay implementation of working mechanisms.

Jan
Re: ssh banner
Hello,

> You can, however, recompile and get rid of the "Debian 1:3.4p1-1" part...

Why isn't it done by default?

FreeBSD started this to get rid of users complaining about the old OpenSSH in the base system, and to indicate that their OpenSSH is not the 2.3.0 but a security-patched one. FreeBSD has another modification, VersionAddendum, so users who don't want that stupid string can just add "VersionAddendum" to their sshd_config.

--[ Free Software ISOs - http://www.fsn.hu/?f=download ]--
Attila Nagy                          e-mail: [EMAIL PROTECTED]
Free Software Network (FSN.HU)       phone @work: +361 210 1415 (194)
                                     cell.: +3630 306 6758
Re: ssh banner
* [EMAIL PROTECTED] [EMAIL PROTECTED]:
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message?

You don't want to disable it.
Re: ssh banner
issue(5) might help some of you about pre-login banner and daemon(s) banner version.

-xavier

On Fri, Oct 18, 2002 at 03:30:01PM +0200, Tobias Rosenstock wrote:
> edit /etc/ssh/sshd_config and put a comment mark (#) at the beginning of
> the line that says
>   Banner /etc/issue.net
> or something like that.

--
Xavier Santolaria [EMAIL PROTECTED]
Re: ssh banner
On Fri, Oct 18, 2002 at 03:50:12PM +0200, [EMAIL PROTECTED] wrote:
> > You can, however, recompile and get rid of the "Debian 1:3.4p1-1" part...
>
> Why isn't it done by default?

9-12 months down the road (or whenever the next exploit in OpenSSH is found), Debian will likely backport the fix into the current version rather than upgrading entirely. I assume the Debian part of the banner is to help us defend ourselves against local security folks doing SSH scans and freaking out whenever they see any version less than 3.secure -- we point them to the DSA, show that the fix is in the Changelogs, etc. In a perfect world, those folks would have already read the above supporting material and they wouldn't bug us at all.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
> IMHO there is no lack of interesting ideas - what we really need are
> implementations.

Ja. I just have to find the time. :)

> apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could
> also improve security significantly. Together, I'd say they'd suffice to
> make the debian mirrors extremely tamper-proof. But apt-check-sigs is
> lacking nice integration into existing tools, and debsigs doesn't really
> work, because packages are not signed, which is IMHO caused by
> inappropriate helper tools at packaging time.

Hrm. I guess I'll have to check into those.

> So implementing these tools, and then changing policy to make package
> signatures mandatory, seems to be the most feasible approach.

Making package sigs mandatory is the critical bit, IMHO.

-Joseph

--
[EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
Why can't apt-get be modified to check the md5sum of a package against an official Debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs.

On Friday 18 October 2002 09:55 am, Jan Niehusmann wrote:
> On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote:
> > If people are interested enough in it, I might throw together something
> > more formal.
>
> IMHO there is no lack of interesting ideas - what we really need are
> implementations. apt-check-sigs is a nice proof-of-concept, and the
> debsigs stuff could also improve security significantly. Together, I'd
> say they'd suffice to make the debian mirrors extremely tamper-proof.
>
> But apt-check-sigs is lacking nice integration into existing tools, and
> debsigs doesn't really work, because packages are not signed, which is
> IMHO caused by inappropriate helper tools at packaging time.
>
> So implementing these tools, and then changing policy to make package
> signatures mandatory, seems to be the most feasible approach. Writing new
> proposals for advanced security schemes doesn't help and may even delay
> implementation of working mechanisms.
>
> Jan
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 10:48:16AM -0400, R. Bradley Tilley wrote:
> Why can't apt-get be modified to check the md5sum of a package against an
> official debian md5sum list before downloading and installing debs? This
> seems much simpler and easier than signing debs.

It does. The problem is, how to get an official Debian md5sum list? This is, basically, what apt-check-sigs does. It checks the validity of the Packages files (which contain the md5sums of the individual packages) with a gpg signature.

Jan
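The chain Jan describes (a gpg signature over the archive index, hashes in the index over the packages) as an added Python example, not apt-check-sigs' own code: the gpg verification of Release.gpg is assumed to have already passed and is not shown; the Release file, the Packages stanza and the package bytes are constructed, and only the gnome-gv filename and version come from this page's advisory.

```python
import hashlib
from typing import Dict, List, Tuple

# Trust chain this example walks (the gpg step is assumed done beforehand):
#   Release.gpg --signs--> Release --hashes--> Packages --hashes--> .deb

# Constructed stand-in for a .deb: a real one is an ar archive, but only the
# bytes matter for the hash chain.
SAMPLE_DEB = b"hello world"          # md5 5eb63bbbe01eeed093cb22bb8f5acdc3

# Constructed Packages index. Field names and the gnome-gv filename match the
# real archive layout; Size and MD5sum describe SAMPLE_DEB, not the real .deb.
SAMPLE_PACKAGES = """\
Package: gnome-gv
Version: 1.1.96-3.1
Architecture: i386
Filename: pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_i386.deb
Size: 11
MD5sum: 5eb63bbbe01eeed093cb22bb8f5acdc3
Description: PostScript and PDF viewer for GNOME
 Continuation lines are indented and skipped by the parser below.
"""

# Constructed Release file, built the way the archive would build it: it lists
# the digest and size of every index it covers. This is the file the signature
# in Release.gpg is made over.
SAMPLE_RELEASE = (
    "Origin: Debian\nLabel: Debian-Security\nSuite: stable\n"
    "MD5Sum:\n %s %d main/binary-i386/Packages\n"
    % (hashlib.md5(SAMPLE_PACKAGES.encode()).hexdigest(), len(SAMPLE_PACKAGES.encode()))
)


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Split a Packages file into stanzas: blank-line separated 'Field: value' blocks."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
        elif line[0] in " \t":
            continue                      # continuation of the previous field
        else:
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def release_digests(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {index path: (md5 hex, size)} from the MD5Sum section of a Release file."""
    digests: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            md5hex, size, path = line.split()
            digests[path] = (md5hex.lower(), int(size))
        else:
            in_section = False
    return digests


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> str:
    """Check a downloaded Packages file against the (signature-verified) Release."""
    expected = release_digests(release_text).get(index_path)
    if expected is None:
        return "index not listed in Release"
    if len(index_bytes) != expected[1]:
        return "index size mismatch"
    if hashlib.md5(index_bytes).hexdigest() != expected[0]:
        return "index checksum mismatch"
    return "ok"


def verify_package(index_text: str, filename: str, data: bytes) -> str:
    """Check a downloaded .deb against its Packages stanza: 'ok' or the reason to reject."""
    by_name = {s.get("Filename"): s for s in parse_packages(index_text)}
    entry = by_name.get(filename)
    if entry is None:
        return "package not in index"
    if len(data) != int(entry["Size"]):
        return "size mismatch"
    if hashlib.md5(data).hexdigest() != entry["MD5sum"].lower():
        return "checksum mismatch"
    return "ok"


if __name__ == "__main__":
    index_path = "main/binary-i386/Packages"
    deb_name = "pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_i386.deb"
    print(verify_index(SAMPLE_RELEASE, index_path, SAMPLE_PACKAGES.encode()))   # ok
    print(verify_package(SAMPLE_PACKAGES, deb_name, SAMPLE_DEB))                # ok
    # A hacked mirror serving altered bytes of the same size is caught by the hash.
    print(verify_package(SAMPLE_PACKAGES, deb_name, b"hello w0rld"))            # checksum mismatch
```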
Re: ssh banner
On Fri, 18 Oct 2002 at 03:50:12PM +0200, [EMAIL PROTECTED] wrote:
> Why isn't it done by default?

You would have to ask the maintainer...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
Re: log_analysis configuration
On Tue, Oct 15, 2002 at 02:37:19PM -0700, Anne Carasik wrote:
> Hi Mathias,
>
> Thanks, that's helpful if I'm working on ONE machine. The problem is I
> can't get this working for our loghost which gets all the files. All I
> get is this:
>
>   Other hosts syslogging to us:
>     290374 host1.example.edu
>     283974 host2.example.edu
>     289307 host3.example.edu
>
> And so on.. no matter what I put in the config file :(
>
> -Anne

Sorry, I think I didn't make myself clear about the commandline. You need to tell log_analysis which rule to use. For example, if I want the log files iptables.0, iptables.1, ... to be analysed, I type

  log_analysis -a iptables

Mathias

> Mathias Palm grabbed a keyboard and typed...
> > On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > > Hi Mathias,
> >
> > Hi Anne,
> >
> > I send this one to the list again, I hope this is ok.
> >
> > > Actually, it is a good start. The developer sent me a tutorial, and
> > > I'm going to help him work on it for the clueless folks like me :)
> > >
> > > > config_version 0.38
> >
> > Good, we're using the same version (I'm not surprised since Debian
> > hasn't upgraded this yet).
> >
> > > > add arr log_type_list= iptables
> > > > add arr log_type_list= iptables
> > >
> > > Ok, what is "add arr log_type_list" and why do you have this twice?
> >
> > This is just a name for a new type of log-files where all the
> > definitions to follow apply. I am sure the doubling is by accident. As I
> > said, I got a config somewhere else and rewrote it according to my
> > needs.
> >
> > > > add arr iptables_filenames= iptables
> > >
> > > Ok, so that's the filename you're reading from, right?
> >
> > It is the root of the logfiles the log_type iptables applies to. This
> > rule actually reads iptables.0 ... or iptables.1.gz (when called with
> > argument -a).
> >
> > You need to read about perl regular expressions (man perlre or heaps of
> > other sources about regular expressions) to understand the following and
> > write your own configs. I am no expert in regexps and am sure you could
> > write better ones. Regexps being a powerful tool, it is worthwhile to
> > learn about them, so you won't waste your time.
> > > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> >
> > Translated this means (the brackets are just groupings):
> >   - ^ Match the beginning of the line
> >   - ?: some switch, I can't remember why I put it there
> >   - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> >   - + match at least one time
> >   - \s match a whitespace (space, tab or similar)
> >   - \d{1,2} match one or two digits
> >   - \: match a ":" (":" is a special character and needs to be escaped)
> > hence it matches a string like "Oct  9 17:34:27" at the beginning of the
> > line.
> >
> > > Ok, quick question: What does +\s +\d do? I take it +d is an integer
> > > and +s is a string?
> >
> > see the above
> >
> > > > set var iptables_date_format=%b %e
> > >
> > > Not sure what %b and %e give you.
> >
> > read man strftime. I am not sure what it really does.
> >
> > > > logtype: iptables
> > > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > >
> > > I take *'s work like they do in the shell?
> >
> > The . matches any character and the * matches the preceding character 0
> > or more times. I am not sure if the preceding character is the dot or
> > the character replacing the dot.
> >
> > > > use_sprintf
> > > > format: %-3s packet from %-15s to %-15s , $3, $1, $2
> > >
> > > I have simple format: sections like:
> > >   format: STMP from $1 to $2
> > > What does use_sprintf buy you?
> >
> > I actually don't know, I guess sprintf sounded just familiar (knowing C
> > quite well), so I didn't search for anything else
> >
> > > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > >
> > > Do the periods (.) give you anything if they aren't escaped with a \?
> >
> > see before.
> >
> > Alright, hope this answers some of your questions. Good luck and thanks
> > for writing the tutorial. I'd be interested in it and would be glad if
> > you could notify me where to find it.
> >
> > Mathias
>
> --
> Anne Carasik, System Administrator
> gator at cacr dot caltech dot edu
> Center for Advanced Computing Research
Re: ssh banner
issue(5) might help some of you about pre-login banner and daemon(s) banner version. Banner gets displayed _after_ successful login, but ssh handshake needs some information about server ssh version.

There was a big flame about the 3.4p1 Debian 1:3.4p1-1 part of message. It can _not_ be masqueraded by config file, but you have 2 ways to get rid of this message:
First: rewriting it on the source code and recompile sshd
Second: get a hex-editor and put X's over the unwanted information. Be sure that you aren't writing over necessary fields, or truncating the file by deleting some chars. Tripwire or software like that will cry.

Daniel Vasarhelyi

-- Daniel asd Vasarhelyi PGP key available at http://asd.musichello.com/gpg-pub.key and public keyservers Key fingerprint = EA00 AF4D A83C 1122 0967 DDF5 27BC 390F 181F 9954
Re: port 16001 and 111
Jussi Ekholm [EMAIL PROTECTED] writes: Olaf Dietsche olaf.dietsche#[EMAIL PROTECTED] wrote: Jussi Ekholm [EMAIL PROTECTED] writes: So, what would try to connect to my system's port 16001 and 111 from within my own system? Should I be concerned? Should I expect the worst? Any insight on this issue would calm me down...

Port 111 is used by portmap. If you don't use RPC services, you can stop it. I don't use it on my desktop machine. Try rpcinfo -p to see, whether there's anything running on your computer.

Well, at least knowingly I don't use any RPC services. :-) And this is what 'rpcinfo -p' gives me:
rpcinfo: can't contact portmapper: RPC: Remote system error \
- Connection refused
(I split it in two lines) The same answer as a luser and as a root. What should I deduct from this? It's just so weird as I'm not running NFS, NIS or any other thingie that should use this port...

This means portmap isn't running. Connection refused means nothing listens on port 111. So, whatever is trying to contact port 111, there's no reason to be concerned. This could be valid requests from programs trying to contact NIS before DNS, however. Look at /etc/nsswitch.conf, whether NIS is mentioned.

Regards, Olaf.
[OT] secure, minimal Debian installation for linux-based thin clients?
This is unrelated to any security patches / exploits, hence off-topic. I'm posting here mostly because it seems like the right crowd for this sort of problem. If this offends you, let me know and I'll find a different venue in the future.

OK. We're a large network running lots (~100) thin clients, and expecting to run more of them in the future. Currently, these are NeoWare Eon's (mobile x86 cpu) running Linux (an old scaled-down RedHat), with an NFS-mounted root fs. They run almost nothing locally: currently an X server, sshd, and possibly some music forwarding daemon in the future, so users can listen to tunes on their thin clients using software on the server (we don't give users access to the local software).

Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need. This isn't fatal, since the filesystem is NFS-mounted, but it's not clean, either.

Is there a Debian-derived minimal distribution? Or should we just install the base Debian system, add X via tasksel, and add/remove remaining items with dselect or apt-get? There is obviously more than one solution here, so I'm looking for recommendations. We care about security; we don't want to run any services we don't need, etc. Reliability is key, so your uncle's friend's brother's alpha software might not be for us. Any other comments (relevant to Debian on thin clients / X terminals) welcome.

-chris
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote: Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need.

Towards the end of the Debian installation process, when you're asked whether you want to run tasksel or dselect, you can choose dselect and exit it before installing any packages. If you do that, you're left with a really minimal install. You might be able to base your work on this.

noah

-- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
OK, thanks. BTW, how does that differ from running tasksel and not selecting any tasks? Or is that even possible?

-chris

Noah L. Meyerhans [EMAIL PROTECTED] writes: On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote: Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need. Towards the end of the Debian installation process, when you're asked whether you want to run tasksel or dselect, you can choose dselect and exit it before installing any packages. If you do that, you're left with a really minimal install. You might be able to base your work on this. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
* Chris Majewski [EMAIL PROTECTED] [021018 22:43]: RedHat), with an NFS-mounted root fs. They run almost nothing locally: currently an X server, sshd, and possibly some music forwarding daemon in the future, so users can listen to tunes on their thin clients using software on the server (we don't give users access to the local software). Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need. This isn't fatal, since the filesystem is NFS-mounted, but it's not clean, either.

I do not know what you all need. When setting up only as Xterminal I just copied the needed files from the sparc .deb in some dir of the x86-Server. (And compiled some kernel on some sparc-machine, as the clients only had 5mb). Only some libs, init and the xserver. (Not even a shell). If you need ssh, you may need some more libs, but selecting exactly the files you need makes it also a little more secure. As running ssh means regular updates, I would just suggest some script unpacking the whole .debs (Maybe even directly using ar and tar) and putting the configuration files in place. (Though thinking again about ssh and such things as the sshd-user this might perhaps not be the best solution)

Respectfully, Bernhard R. Link

-- The man who trades freedom for security does not deserve nor will he ever receive either. (Benjamin Franklin)
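Bernhard's "unpack the whole .debs, maybe even directly using ar and tar" is easy to script because a .deb is an ar archive with three members (debian-binary, control.tar.gz and data.tar.gz). The Python below is an added example for this archive, not code from any poster or from dpkg: it builds a constructed .deb in memory, reads it back with a minimal ar parser, and keeps only the paths you select (the "exactly the files you need" approach). The package name and file paths are made up; real dpkg-deb output prefixes data paths with "./", which the reader normalizes. It only handles gzip-compressed members, which is all dpkg produced at the time; later dpkg versions also write .xz and .zst members.

```python
import io
import tarfile
from typing import Dict, Iterable, List, Tuple

AR_MAGIC = b"!<arch>\n"
AR_FMAG = b"`\n"


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one ar member header (60 bytes) plus data, padded to an even length."""
    assert len(name) <= 16
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10)).encode("ascii") + AR_FMAG
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _targz(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(control: str, data_files: Dict[str, bytes]) -> bytes:
    """Constructed .deb (hypothetical package); same member layout dpkg-deb uses."""
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _targz({"control": control.encode()}))
            + _ar_member("data.tar.gz", _targz(data_files)))


def ar_members(blob: bytes) -> List[Tuple[str, bytes]]:
    """Walk an ar archive and return (name, data) for every member."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != AR_FMAG:
            raise ValueError(f"bad member header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members.append((name, data))
        pos += 60 + size + (size % 2)                           # members are even-aligned
    return members


def _untar(blob: bytes) -> Dict[str, bytes]:
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                name = m.name[2:] if m.name.startswith("./") else m.name
                out[name] = tar.extractfile(m).read()
    return out


def deb_contents(blob: bytes) -> Tuple[Dict[str, str], Dict[str, bytes]]:
    """Return (control fields, {path: bytes}) without dpkg."""
    members = dict(ar_members(blob))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a format 2.0 .deb")
    control = _untar(members["control.tar.gz"])["control"].decode()
    fields = {}
    for line in control.splitlines():
        if line and line[0] not in " \t" and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, _untar(members["data.tar.gz"])


def select_files(data: Dict[str, bytes], prefixes: Iterable[str]) -> Dict[str, bytes]:
    """Keep only the paths a thin client actually needs (libs, the X server, ...)."""
    return {p: c for p, c in data.items() if any(p.startswith(pre) for pre in prefixes)}


if __name__ == "__main__":
    deb = build_deb("Package: xserver-demo\nVersion: 0.1\nArchitecture: i386\n",
                    {"usr/bin/X": b"#!/bin/sh\n", "lib/libfoo.so": b"ELF", "usr/share/doc/README": b"doc"})
    fields, data = deb_contents(deb)
    print(fields["Package"], sorted(select_files(data, ("usr/bin/", "lib/"))))
```

The control fields come from the control.tar.gz member, so the same parser can also tell you which packages (and versions) you copied onto the NFS root, which matters once sshd is involved and you need to re-extract after a DSA.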
Re: -changes/PTS -style notification
On Wed, Oct 16, 2002 at 05:07:06PM -0500, Nathan A. Ferch wrote: is there a means to receive email notifications of security-related packages in the same format as the -changes mailing lists or the emails that the PTS sends out? or is this not possible due to the way that the security archive is managed?

PTS mails are per-source-package, so that isn't possible unless it's only a few specific packages you're interested in. -changes ... well, there's [EMAIL PROTECTED] which receives notices of stable uploads, but I don't recall offhand whether security uploads are always pushed into the main proposed-updates archive quickly enough for this to be what you want. Maybe somebody could confirm or deny.

-- Colin Watson [[EMAIL PROTECTED]]
Re: port 16001 and 111
Jussi Ekholm wrote: The same answer as a luser and as a root. What should I deduct from this? It's just so weird as I'm not running NFS, NIS or any other thingie that should use this port...

You said what would try to connect to my system's port [...] 111 from within my own system. I would answer something that is configured to do so? You may not look what binds this port since you don't run portmap but instead what is configured to try NIS, NFS, ... access! Did you tune your /etc/nsswitch.conf to try NIS? Or something else...

Regards, J.C.
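Both Olaf and J.C. point at /etc/nsswitch.conf as the place where a NIS source would explain lookups aimed at port 111 on a box that runs no RPC service. The following is an added check for this archive, not code from either poster: it parses a constructed nsswitch.conf and reports which databases list nis, nisplus or nis+ as a source, ignoring comments and [action] specifications such as [NOTFOUND=return].

```python
import re
from typing import Dict, List

# Constructed sample; not the poster's file.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat nis
group:          compat
shadow:         compat
hosts:          files nis [NOTFOUND=return] dns
networks:       files
protocols:      db files
services:       db files
netgroup:       nis
"""

NIS_SOURCES = {"nis", "nisplus", "nis+"}
_ACTION_SPEC = re.compile(r"\[[^\]]*\]")   # e.g. [NOTFOUND=return] or [!UNAVAIL=return]


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, hosts, ...) to its ordered list of sources."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        databases[name.strip()] = _ACTION_SPEC.sub(" ", rest).split()
    return databases


def nis_databases(text: str) -> Dict[str, List[str]]:
    """Databases whose lookups can reach NIS, with their full source order."""
    return {name: sources for name, sources in parse_nsswitch(text).items()
            if NIS_SOURCES & set(sources)}


if __name__ == "__main__":
    for name, sources in nis_databases(SAMPLE_NSSWITCH).items():
        print(f"{name}: {' '.join(sources)}")
```

One caveat the check does not cover: "compat" for passwd, group or shadow also consults NIS when /etc/passwd (or group/shadow) contains +/- entries, so a database that lists only compat is not proof that NIS is unused.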
Re: ABfrag/ac1db1tch3z Kernel Exploit ?
On Thursday 17 October 2002 05:03 am, Orlando wrote: Not sure if this is real. He's using a hushmail account to post to the lists which is somewhat suspicious. He claims to have attached the binary but no one seems to have a copy of it. Some co-workers and other people have asked for a copy of it without success. I wouldn't be too surprised if this is another PHC attempt for more attention.

Ok I stand corrected, silvio the moderator of unix-virii list on segfault.net seems to have a copy of that binary.

-x
Automatic Debian security updates, an Implementation
Hi! http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron based daily security update with signature checking using a modified version of ajt's apt-check-sigs. Feedback is appreciated. CC please, /me not on list.

Regards, Clemens
Re: Automatic Debian security updates, an Implementation
I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? On Friday 18 October 2002 06:58 am, Fruhwirth Clemens wrote: Hi! http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron based daily security update with signature checking using a modified version of ajt's apt-check-sigs. Feedback is appreciated. CC please, /me not on list. Regards, Clemens
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? It'll get to you when you have 200+ debian systems spread across the internet in different cities, timezones and administrative domains :) -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? Because a hacked mirror could contain malicious packages. When you check signatures before upgrading, you detect such intrusions. Of course, if the hacker managed to modify files on the master server, proper signatures would automatically get generated, and apt-check-sigs had no chance to detect these modifications. Still, checking signatures provides one more line of defense. Jan
Re: Automatic Debian security updates, an Implementation
On Fri, 18 Oct 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? As pointed out several times in the past Debian has not fully implemented package signing (the last I knew...someone throw a rock at me if I am wrong). So blindly updating and upgrading might be insecure if someone could spoof the Debian update server (upstream). Regards, -- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import XP Source Code: #include win2k.h #include extra_pretty_things_with_bugs.h #include more_bugs.h #include require_system_activation.h #include phone_home_every_so_often.h #include remote_admin_abilities_for_MS.h #include more_restrictive_EULA.h #include sell_your_soul_to_MS_EULA.h //os_ver=Windows 2000 os_ver=Windows XP
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 09:33, Mark Janssen wrote: On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: I don't understand the need for this. Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? It'll get to you when you have 200+ debian systems spread across the internet in different cities, timezones and administrative domains :)

Hi, You can try cron-apt package[1] and apt-check-sigs[2] to do it! Now I've twelve servers running Debian GNU/Linux and I'm using one apt-proxy[3] and aptwatcher(like cron-apt).
[1] = http://packages.debian.org/cron-apt/
[2] = http://people.debian.org/~ajt/
[3] = http://apt-proxy.sourceforge.net/

Talking about secpack, is it non-free? I can't see in your mail(Clemens) the url or apt-line to get the source package.

Thanks, -- Gustavo Franco -- [EMAIL PROTECTED] GNUpg id: 0x37155778 (try: wwwkeys.eu.pgp.net) I prefer encrypted and signed e-mail.
ssh banner
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

How can I disable the message ?

przemol
Re: grsecurity patch (woody kernel 2.4.18)
On Thu, 2002-10-17 at 01:53, WebMaster wrote: hello, can I safely apply the grsecurity patch?

Yes, removing the EXTRAVERSION line in the patch(woody).

if this patch make servers more secure just by apply it (without acl), why isn't it applied by default?

It can be much aggressive to set by default. One harden flavor to sarge with grsecurity patch can be good. Any feedback of d-boot guys?

Thanks, -- Gustavo Franco -- [EMAIL PROTECTED] GNUpg id: 0x37155778 (try: wwwkeys.eu.pgp.net) I prefer encrypted and signed e-mail.
Re: ssh banner
On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

Edit sshd_config find the line with something like Banner /etc/issue.net and set # Banner /etc/issue.net
killall -9 sshd
done

Regards

How can I disable the message ? przemol

-- Aleksander Iwański [EMAIL PROTECTED] tel. +48 58 5575824 mobile: +48 502273537
Re: ssh banner
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

This banner is needed information for a ssh client connecting to your server, therefore you better not disable it.

Greetings, Ivo van Dongen
Re: Automatic Debian security updates, an Implementation
From Jan Niehusmann on Friday, 18 October, 2002: On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: Can someone explain why 'apt-get update apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? Of course, if the hacker managed to modify files on the master server, proper signatures would automatically get generated, and apt-check-sigs had no chance to detect these modifications. Still, checking signatures provides one more line of defense. I've been thinking up a new, more secure way of doing apt. (Actually, it's a modification of the current system.) It kind of has two levels, one trusting apt's integrity, and the second would be a very paranoid system, which requires more hardware knowledge (smartcard-like businesses) than I currently possess. If people are interested enough in it, I might throw together something more formal. -Joseph -- [EMAIL PROTECTED] Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser. --jonadab, in a slashdot.org comment.
Re: ssh banner
On Fri, 2002-10-18 at 14:58, [EMAIL PROTECTED] wrote: SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1 How can I disable the message ? You can limit it somewhat (by editing source), but the protocol needs the version string, so you can't change it without breaking compatibility. -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: ssh banner
On Fri, 18 Oct 2002 [EMAIL PROTECTED] wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

edit /etc/ssh/sshd_config and put a comment mark (#) at the beginning of the line that says Banner /etc/issue.net or something like that.

hth, tobias r.

-- NOC Hamster - Security Guy - Owner of one, root of many Tobias Rosenstock - [EMAIL PROTECTED] - [EMAIL PROTECTED] - [EMAIL PROTECTED] Wieske's Crew KG - http://irz42.net - http://www.crew-kg.de Humboldtstr. 51 - Lessingstr. 2 - 22083 Hamburg - Germany
Re: ssh banner
On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

you can't without modifying the source. AFAIK, this message is used by client ssh to know if it is a ssh server

-- Tab
Re: ssh banner
On Fri, Oct 18, 2002 at 03:23:18PM +0200, vdongen wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

This banner is needed information for a ssh client connecting to your server, therefore you better not disable it.

Well, I agree e.g. SSH-2.0. But the rest ? It allows one to easily recognise what system the server is.

przemol
Re: ssh banner
On Fri, 18 Oct 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

If you attempt to disable this message your ssh clients will not work. See the SSH rfc in /usr/doc/ssh. You will find that both client and server exchange Version information as part of the connection establishment/handshake. You can, however, recompile and get rid of the Debian 1:3.4p1-1 part...

-- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/
Re: ssh banner
On Fri, Oct 18, 2002 at 03:30:01PM +0200, Tobias Rosenstock wrote: On Fri, 18 Oct 2002 [EMAIL PROTECTED] wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

edit /etc/ssh/sshd_config and put a comment mark (#) at the beginning of the line that says Banner /etc/issue.net or something like that.

It is set (commented) by default.

przemol
Re: ssh banner
On Fri, Oct 18, 2002 at 03:23:42PM +0200, Aleksander Iwanski wrote: On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

Edit sshd_config find the line with something like Banner /etc/issue.net and set # Banner /etc/issue.net killall -9 sshd

przemek:~# grep -i banner /etc/ssh/sshd_config
#Banner /etc/issue.net

przemol
Re: ssh banner
On Fri, 18 Oct 2002 at 03:23:42PM +0200, Aleksander Iwanski wrote: Edit sshd_config find the line with something like Banner /etc/issue.net

That will not get rid of the version identification string.

-- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/
Re: ssh banner
You can still have a look there: http://groups.google.com/groups?selm=cy9se16re.fsf%40zeus.theos.com&output=gplain for an answer, but would be better to not touch it. If you can restrict the access to port 22 for a few ip's, do it and block the rest. Will save you some sleepless nights if you're _that_ worried about showing off your sshd version.

cheers, -xavier

On Fri, Oct 18, 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ? przemol

-- Xavier Santolaria [EMAIL PROTECTED] Alldas.org IT-Security Information Network http://xs.alldas.org perl -we '$|=1;print 1;@a=qw(\ | / -);while(){for($i=0;$i@a;$i++) {print\b$a[$i];select undef,undef,undef,.1}}print\n'
Re: ssh banner
Hi, On Fri, 18 Oct 2002, vdongen wrote:
Woody host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

This banner is needed information for a ssh client connecting to your server, therefore you better not disable it.

oops, of course you're right.. I didn't pay attention to the line saying telnet etc., I just kicked out my standard how do I remove this annoying banner reply that our customers get when they don't wanna see it. my fault..

tobias r.

-- NOC Hamster - Security Guy - Owner of one, root of many Tobias Rosenstock - [EMAIL PROTECTED] - [EMAIL PROTECTED] - [EMAIL PROTECTED] Wieske's Crew KG - http://irz42.net - http://www.crew-kg.de Humboldtstr. 51 - Lessingstr. 2 - 22083 Hamburg - Germany
Re: ssh banner
This won't do the trick, AFAIK it will only display /etc/issue.net content before the password prompt, but won't change/hide the version of the sshd when telnet'ing localhost || ip on port 22.

-xavier

Edit sshd_config find the line with something like Banner /etc/issue.net and set # Banner /etc/issue.net killall -9 sshd done

-- Xavier Santolaria [EMAIL PROTECTED] Alldas.org IT-Security Information Network http://xs.alldas.org
Re: ssh banner
On Fri, Oct 18, 2002 at 09:42:14AM -0400, Phillip Hofmeister wrote: On Fri, 18 Oct 2002 at 02:58:44PM +0200, [EMAIL PROTECTED] wrote:
host:/home/przemol> telnet 192.168.x.y ssh
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
How can I disable the message ?

If you attempt to disable this message your ssh clients will not work. See the SSH rfc in /usr/doc/ssh. You will find that both client and server exchange Version information as part of the connection establishment/handshake.

If version information of ssh protocol - that's ok. But I don't believe that string -OpenSSH_3.4p1 Debian 1:3.4p1-1 is required as part of protocol ;-)

You can, however, recompile and get rid of the Debian 1:3.4p1-1 part...

Why isn't it done by default ?

przemol
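The thread keeps circling one question: which part of "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1" does the protocol actually need? The identification string has a fixed layout, SSH-protoversion-softwareversion SP comments CR LF (RFC 4253 section 4.2, the later standardisation of the draft Phil refers to): protoversion and softwareversion are mandatory and may not contain spaces, and everything after the first space is an optional comments field, which is where the Debian package version lives. The parser below is an added example for this archive, not OpenSSH code; the sample strings are the thread's own banner, Ivo's 1.99 variant and a constructed one without comments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: the thread's banner, Ivo's 1.99 variant, one without a comment.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1\r\n",
    b"SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-4\r\n",
    b"SSH-2.0-OpenSSH_3.4p1\r\n",
]

# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion are mandatory and contain no spaces;
# everything after the first space is the optional comments field.
_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n$"
)
MAX_ID_LEN = 255  # bytes including CR LF, per RFC 4253


@dataclass
class SshIdentification:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    def speaks_v2(self) -> bool:
        # "1.99" is the legacy way of advertising both 1.x and 2.0 support
        return self.protoversion in ("2.0", "1.99")

    def mandatory_part(self) -> str:
        """What a client needs for version negotiation; drops the comments field."""
        return f"SSH-{self.protoversion}-{self.softwareversion}"


def parse_identification(line: bytes) -> SshIdentification:
    """Parse one server identification line as received on the wire."""
    if len(line) > MAX_ID_LEN:
        raise ValueError("identification string longer than 255 bytes")
    m = _ID_RE.match(line.decode("ascii"))
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdentification(m["proto"], m["software"], m["comments"])


def parse_all(lines: List[bytes]) -> List[SshIdentification]:
    return [parse_identification(line) for line in lines]


if __name__ == "__main__":
    for ident in parse_all(SAMPLE_BANNERS):
        print(f"required: {ident.mandatory_part():<24} comments: {ident.comments!r}")
```

Run against the three samples it shows that stripping "Debian 1:3.4p1-1" leaves a valid string while stripping "OpenSSH_3.4p1" does not, which is exactly why the Banner directive (a post-connection text blob) cannot touch it. Later OpenSSH releases added a VersionAddendum sshd_config option that controls this comments field, the same knob Attila mentions FreeBSD having at the time.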
Re: ssh banner
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

Edit sshd_config find the line with something like Banner /etc/issue.net and set # Banner /etc/issue.net killall -9 sshd done Regards

afaik /etc/issue.net is intended for telnet and not for ssh. furthermore:
$ netcat 0 22
SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-4
$ cat /etc/issue.net
Debian GNU/%s testing/unstable %h

sshd does not use /etc/issue.net by default:
$ grep Banner /etc/ssh/sshd_config
#Banner /etc/issue.net

Greetings, Ivo van Dongen
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: If people are interested enough in it, I might throw together something more formal.

IMHO there is no lack of interesting ideas - what we really need are implementations. apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could also improve security significantly. Together, I'd say they'd suffice to make the debian mirrors extremely tamper-proof. But apt-check-sigs is lacking nice integration into existing tools, and debsigs doesn't really work, because packages are not signed, which is IMHO caused by inappropriate helper tools at packaging time. So implementing these tools, and then changing policy to make package signatures mandatory, seems to be the most feasible approach. Writing new proposals for advanced security schemes doesn't help and may even delay implementation of working mechanisms.

Jan
Re: ssh banner
* Aleksander Iwanski [EMAIL PROTECTED]: Edit sshd_config find the line with something like Banner /etc/issue.net That's not the banner he's talking about. killall -9 sshd There are better ways to stop the ssh daemon.
Re: ssh banner
* [EMAIL PROTECTED] [EMAIL PROTECTED]: SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1 How can I disable the message ? You don't want to disable it.
Re: ssh banner
Hello, You can, however, recompile and get rid of the Debian 1:3.4p1-1 part... Why isn't it done by default ?

FreeBSD started this to get rid of users complaining about the old OpenSSH in the base system and to indicate that their OpenSSH is not the 2.3.0, but a security patched one. FreeBSD has another modification, VersionAddendum, so users who don't want that stupid string can just add VersionAddendum to their sshd_config.

--[ Free Software ISOs - http://www.fsn.hu/?f=download ]-- Attila Nagy e-mail: [EMAIL PROTECTED] Free Software Network (FSN.HU) phone @work: +361 210 1415 (194) cell.: +3630 306 6758
Re: ssh banner
issue(5) might help some of you about pre-login banner and daemon(s) banner version.

-xavier

On Fri, Oct 18, 2002 at 03:30:01PM +0200, Tobias Rosenstock wrote: edit /etc/ssh/sshd_config and put a comment mark (#) at the beginning of the line that says Banner /etc/issue.net or something like that.

-- Xavier Santolaria [EMAIL PROTECTED] Alldas.org IT-Security Information Network http://xs.alldas.org
Re: ssh banner
On Fri, Oct 18, 2002 at 03:50:12PM +0200, [EMAIL PROTECTED] wrote: You can; however, recompile and get rid of the Debian 1:3.4p1-1 part... Why isn't it done by default ? 9-12 months down the road (or whenever the next exploit in OpenSSH is found), Debian will likely backport the fix into the current version rather than upgrading entirely. I assume the Debian part of the banner is to help us defend ourselves against local security folks doing SSH scans and freaking out whenever they see any version less than 3.secure -- we point them to the DSA, show that the fix is in the Changelogs, etc. In a perfect world, those folks would have already read the above supporting material and they wouldn't bug us at all. -- Mike Renfro / RD Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
IMHO there is no lack of interesting ideas - what we really need are implementations. Ja. I just have to find the time. :) apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could also improve security significantly. Together, I'd say they'd suffice to make the debian mirrors extremely tamper-proof. But apt-check-sigs is lacking nice integration into existing tools, and debsigs doesn't really work, because packages are not signed, which is IMHO caused by inappropriate helper tools at packaging time. Hrm. I guess I'll have to check into those. So implementing these tools, and then changing policy to make package signatures mandatory, seems to be the most feasible approach. Making package sigs mandatory is the critical bit, IMHO. -Joseph -- [EMAIL PROTECTED] Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser. --jonadab, in a slashdot.org comment.
Re: Automatic Debian security updates, an Implementation
Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs. On Friday 18 October 2002 09:55 am, Jan Niehusmann wrote: On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: If people are interested enough in it, I might throw together something more formal. IMHO there is no lack of interesting ideas - what we really need are implementations. apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could also improve security significantly. Together, I'd say they'd suffice to make the debian mirrors extremely tamper-proof. But apt-check-sigs is lacking nice integration into existing tools, and debsigs doesn't really work, because packages are not signed, which is IMHO caused by inappropriate helper tools at packaging time. So implementing these tools, and then changing policy to make package signatures mandatory, seems to be the most feasible approach. Writing new proposals for advanced security schemes doesn't help and may even delay implementation of working mechanismns. Jan
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 10:48:16AM -0400, R. Bradley Tilley wrote: Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs.

It does. The problem is, how to get an official debian md5sum list? This is, basically, what apt-check-sigs does. It checks the validity of the Packages files (which contain md5sums of individual packages) with a gpg signature.

Jan
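Jan's answer describes a chain of three links: a gpg signature over the Release file, the Release file listing the md5sum and size of each Packages index, and the Packages index listing the md5sum and size of each .deb. Tampering with any link breaks the one above it, and only the top link needs a key. The script below is an added example for this archive, not apt-check-sigs itself: it builds a constructed Release/Packages/.deb triple, verifies the chain, and shows which link catches each kind of tampering. The Packages and Release field names are the real archive formats of the time; the .deb is a placeholder blob and the gpg step is stood in by an HMAC over the Release text with a constructed key (labelled as such in the code) so that it runs offline. Everything else is the same hash arithmetic apt-check-sigs performs.

```python
import hashlib
import hmac
from typing import Any, Callable, Dict, List, Tuple


class VerificationError(Exception):
    """Raised when any link in Release -> Packages -> .deb fails to verify."""


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split an RFC822-style Packages file into {field: value} stanzas."""
    stanzas: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
        elif line[0] not in " \t":          # continuation lines (Description) not needed here
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_release_md5sums(release: str) -> Dict[str, Tuple[str, int]]:
    """Return {index path: (md5 hex, size)} from the 'MD5Sum:' block of a Release file."""
    out: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in release.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            in_block = False
    return out


def verify_package(release: str, release_sig: bytes, verify_sig: Callable[[bytes, bytes], bool],
                   packages_path: str, packages: str, deb_filename: str, deb: bytes) -> Dict[str, str]:
    # Link 1: the signature over Release (gpg in apt-check-sigs; injected here).
    if not verify_sig(release.encode(), release_sig):
        raise VerificationError("Release signature invalid")
    # Link 2: Release lists the hash and size of the Packages index.
    entry = parse_release_md5sums(release).get(packages_path)
    if entry is None:
        raise VerificationError(f"{packages_path} not listed in Release")
    pkg_bytes = packages.encode()
    if (md5hex(pkg_bytes), len(pkg_bytes)) != entry:
        raise VerificationError("Packages index does not match Release")
    # Link 3: the Packages stanza lists the hash and size of the .deb.
    stanza = next((s for s in parse_stanzas(packages) if s.get("Filename") == deb_filename), None)
    if stanza is None:
        raise VerificationError(f"{deb_filename} not listed in Packages")
    if (md5hex(deb), len(deb)) != (stanza["MD5sum"], int(stanza["Size"])):
        raise VerificationError(".deb does not match Packages index")
    return stanza


# Constructed key; stands in for the archive signing key. HMAC-SHA256 replaces the
# detached gpg signature only so the example runs without a keyring.
DEMO_KEY = b"constructed demo key, not a real archive key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), sig)


def build_demo_archive() -> Dict[str, Any]:
    """Constructed Release/Packages/.deb triple; the .deb is a placeholder blob."""
    deb = b"!<arch>\nconstructed placeholder, not a real package\n"
    filename = "pool/updates/main/g/gnome-gv/gnome-gv_1.1.96-3.1_i386.deb"
    packages = ("Package: gnome-gv\nVersion: 1.1.96-3.1\nArchitecture: i386\n"
                f"Filename: {filename}\nSize: {len(deb)}\nMD5sum: {md5hex(deb)}\n\n")
    packages_path = "main/binary-i386/Packages"
    pkg_bytes = packages.encode()
    release = ("Origin: Debian\nLabel: Debian-Security\nSuite: stable\nMD5Sum:\n"
               f" {md5hex(pkg_bytes)} {len(pkg_bytes)} {packages_path}\n")
    return {"release": release, "sig": demo_sign(release.encode()), "packages_path": packages_path,
            "packages": packages, "filename": filename, "deb": deb}


def check(archive: Dict[str, Any], **overrides: Any) -> str:
    """Run the chain with optionally tampered pieces; return 'ok' or the failing link."""
    a = {**archive, **overrides}
    try:
        verify_package(a["release"], a["sig"], demo_verify, a["packages_path"],
                       a["packages"], a["filename"], a["deb"])
        return "ok"
    except VerificationError as exc:
        return str(exc)


if __name__ == "__main__":
    a = build_demo_archive()
    print("untouched:", check(a))
    print("tampered .deb:", check(a, deb=a["deb"] + b"x"))
    print("edited Release:", check(a, release=a["release"].replace("stable", "testing")))
```

This is also why Jan's earlier caveat holds: an attacker who controls the host where Release is signed produces a perfectly valid chain, so the signature only protects against mirrors and the network, not against the master server itself.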
Re: ssh banner
On Fri, 18 Oct 2002 at 03:50:12PM +0200, [EMAIL PROTECTED] wrote: Why isn't it done by default ?

You would have to ask the maintainer...

-- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/
Re: log_analysis configuration
On Tue, Oct 15, 2002 at 02:37:19PM -0700, Anne Carasik wrote:
> Hi Mathias,
>
> Thanks, that's helpful if I'm working on ONE machine. The problem is I can't get this working for our loghost which gets all the files. All I get is this:
>
>   Other hosts syslogging to us:
>   290374 host1.example.edu
>   283974 host2.example.edu
>   289307 host3.example.edu
>
> And so on.. no matter what I put in the config file :(
>
> -Anne

Sorry, I think I didn't make myself clear about the commandline. You need to tell log_analysis which rule to use. For example, if I want the log files iptables.0, iptables.1 analysed, I type

  log_analysis -a iptables

Mathias

> Mathias Palm grabbed a keyboard and typed...
> > On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > > Hi Mathias,
> >
> > Hi Anne,
> >
> > I send this one to the list again, I hope this is ok.
> >
> > > Actually, it is a good start. The developer sent me a tutorial, and I'm going to help him work on it for the clueless folks like me :)
> > >
> > > > config_version 0.38
> > >
> > > Good, we're using the same version (I'm not surprised since Debian hasn't upgraded this yet).
> > >
> > > > add arr log_type_list= iptables
> > > > add arr log_type_list= iptables
> > >
> > > Ok, what is add arr log_type_list and why do you have this twice?
> >
> > This is just a name for a new type of log-files where all the definitions to follow apply. I am sure the doubling is by accident. As I said, I got a config somewhere else and rewrote it according to my needs.
> >
> > > > add arr iptables_filenames= iptables
> > >
> > > Ok, so that's the filename you're reading from, right?
> >
> > It is the root of the logfiles the log_type iptables applies to. This rule actually reads iptables.0 ... or iptables.1.gz (when called with argument -a)
> >
> > You need to read about perl regular expressions (man perlre or heaps of other sources about regular expressions) to understand the following and write your own configs. I am no expert in regexps and am sure you could write better ones. Regexps being a powerful tool, it is worthwhile to learn about them, so you won't waste your time.
> >
> > > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> >
> > Translated this means: the brackets are just groupings
> > - ^ Match the beginning of the line
> > - ?: some switch, I can't remember why I put it there
> > - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> > - + match at least one time
> > - \s match a whitespace (space, tab or similar)
> > - \d{1,2} match one or two digits
> > - \: match a : (: is a special character and needs to be escaped)
> > hence it matches a string like "Oct 9 17:34:27" at the beginning of the line.
> >
> > > Ok, quick question: What does +\s +\d do? I take it +d is an integer and +s is a string?
> >
> > see the above
> >
> > > > set var iptables_date_format=%b %e
> > >
> > > Not sure what %b and %e give you.
> >
> > read man strftime. I am not sure what it really does.
> >
> > > > logtype: iptables
> > > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > >
> > > I take *'s work like they do in the shell?
> >
> > The . matches any character and the * matches the preceding character 0 or more times. I am not sure if the preceding character is the dot or the character replacing the dot.
> >
> > > > use_sprintf
> > > > format: %-3s packet from %-15s to %-15s , $3, $1, $2
> > >
> > > I have simple format: sections like:
> > >
> > >   format: STMP from $1 to $2
> > >
> > > What does use_sprintf buy you?
> >
> > I actually don't know, I guess sprintf sounded just familiar (knowing C quite well), so I didn't search for anything else
> >
> > > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > >
> > > Do the periods (.) give you anything if they aren't escaped with a \?
> >
> > see before.
> >
> > Alright, hope this answers some of your questions. Good luck and thanks for writing the tutorial. I'd be interested in it and would be glad if you could notify me where to find it.
> >
> > Mathias
>
> --
> Anne Carasik, System Administrator
> gator at cacr dot caltech dot edu
> Center for Advanced Computing Research
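The date and INPUT-chain patterns Mathias walks through above, run over a constructed iptables log line. This is an added example, not code from the thread or from log_analysis; the dotted-quad IP_PAT is an assumption, since the definition of $ip_pat is not shown. It also shows why the trailing PROTO=(.*) captures more than just the protocol name, and what the tighter PROTO=(\S+) captures instead.

```python
import re

# Date pattern copied from the posted log_analysis config.  It is Perl regex
# syntax, which Python's re module accepts unchanged for these constructs.
DATE_PATTERN = re.compile(
    r"^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})"
    r"\s+\d+\:\d+\:\d+\s+"
)

# $ip_pat is a log_analysis variable whose definition is not on the page;
# this dotted-quad pattern is an assumption.
IP_PAT = r"\d{1,3}(?:\.\d{1,3}){3}"


def input_pattern(strict_proto):
    """Build the posted INPUT-chain pattern.

    strict_proto=False keeps the original PROTO=(.*), where the greedy .*
    swallows everything to the end of the line; True replaces it with
    PROTO=(\\S+) so $3 is only the protocol name.
    """
    proto = r"(\S+)" if strict_proto else r"(.*)"
    return re.compile(
        r"tungurahua kernel: CHAIN INPUT.*SRC=(" + IP_PAT + r")"
        r".*DST=(" + IP_PAT + r").*PROTO=" + proto
    )


def parse_iptables_line(line, strict_proto=False):
    """Return (date, src, dst, proto) for a matching line, else None."""
    date_m = DATE_PATTERN.match(line)
    if not date_m:
        return None
    body_m = input_pattern(strict_proto).search(line)
    if not body_m:
        return None
    src, dst, proto = body_m.groups()
    return (date_m.group(1), src, dst, proto)


def format_record(rec):
    """Same as the posted use_sprintf line: %-3s packet from %-15s to %-15s, $3, $1, $2."""
    _date, src, dst, proto = rec
    return "%-3s packet from %-15s to %-15s" % (proto, src, dst)


# Constructed sample line in the shape the posted config expects.
SAMPLE = ("Oct  9 17:34:27 tungurahua kernel: CHAIN INPUT IN=eth0 OUT= "
          "SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=1234 DPT=22")

if __name__ == "__main__":
    print(parse_iptables_line(SAMPLE))
    print(format_record(parse_iptables_line(SAMPLE, strict_proto=True)))
```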
RE: Automatic Debian security updates, an Implementation
Four words: Single point of failure. (Or is that six? Or ten? Yes, yes, that's right, twelve words. Let's try that again, shall we? ... ;)

Besides, I strongly believe that it already does this... IIRC apt-get does this to make sure that the packages weren't corrupted (or truncated) in transit.

-Ian

R. Bradley Tilley hath spoke:
> Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs.
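The check Jan and Ian describe, written out as an added example (not apt's own code): a downloaded package's size and MD5 are compared against its entry in the Packages index. The package name, path and payload are constructed, and the index is taken as already authenticated, which is exactly the step apt-check-sigs adds with a gpg signature over the Packages file.

```python
import hashlib


def parse_packages_index(text):
    """Parse a Debian Packages index into {package name: {field: value}}.

    Only simple one-line "Field: value" entries are handled, which is all
    the Size/MD5sum check below needs.
    """
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            entries[fields["Package"]] = fields
    return entries


def verify_download(index, package, data):
    """Return True only if data has the Size and MD5sum the index lists.

    This is the post-download check the thread says apt already performs:
    it catches a corrupt, truncated or swapped .deb, but it trusts the index
    completely, so the index itself still has to be authenticated.
    """
    fields = index.get(package)
    if fields is None:
        return False
    if len(data) != int(fields["Size"]):
        return False          # truncated or padded file
    return hashlib.md5(data).hexdigest() == fields["MD5sum"]


# Constructed sample: a stand-in .deb payload and a one-entry index that
# describes it (hypothetical package name and path, not a real archive entry).
DEB_DATA = b"constructed stand-in for the bytes of example-pkg_1.0-1_i386.deb\n"
INDEX_TEXT = f"""Package: example-pkg
Version: 1.0-1
Architecture: i386
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_i386.deb
Size: {len(DEB_DATA)}
MD5sum: {hashlib.md5(DEB_DATA).hexdigest()}
"""

if __name__ == "__main__":
    index = parse_packages_index(INDEX_TEXT)
    print(verify_download(index, "example-pkg", DEB_DATA))          # True
    print(verify_download(index, "example-pkg", DEB_DATA + b"!"))   # False
```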
Re: ssh banner
issue(5) might help some of you about the pre-login banner and daemon(s) banner version. Banner gets displayed _after_ successful login, but the ssh handshake needs some information about the server ssh version.

There was a big flame about the "3.4p1 Debian 1:3.4p1-1" part of the message. It can _not_ be masqueraded by config file, but you have 2 ways to get rid of this message:

First: rewrite it in the source code and recompile sshd
Second: get a hex-editor and put X's over the unwanted information. Be sure that you aren't writing over necessary fields, or truncating the file by deleting some chars. Tripwire or software like that will cry.

Daniel Vasarhelyi
--
Daniel asd Vasarhelyi
PGP key available at http://asd.musichello.com/gpg-pub.key and public keyservers
Key fingerprint = EA00 AF4D A83C 1122 0967 DDF5 27BC 390F 181F 9954
Re: port 16001 and 111
Jussi Ekholm [EMAIL PROTECTED] writes:
> Olaf Dietsche [EMAIL PROTECTED] wrote:
> > Jussi Ekholm [EMAIL PROTECTED] writes:
> > > So, what would try to connect to my system's port 16001 and 111 from within my own system? Should I be concerned? Should I expect the worst? Any insight on this issue would calm me down...
> >
> > Port 111 is used by portmap. If you don't use RPC services, you can stop it. I don't use it on my desktop machine. Try rpcinfo -p to see whether there's anything running on your computer.
>
> Well, at least knowingly I don't use any RPC services. :-) And this is what 'rpcinfo -p' gives me:
>
>   rpcinfo: can't contact portmapper: RPC: Remote system error \
>     - Connection refused
>
> (I split it in two lines) The same answer as a luser and as a root. What should I deduct from this? It's just so weird as I'm not running NFS, NIS or any other thingie that should use this port...

This means portmap isn't running. Connection refused means nothing listens on port 111. So, whatever is trying to contact port 111, there's no reason to be concerned.

This could be valid requests from programs trying to contact NIS before DNS, however. Look at /etc/nsswitch.conf, whether NIS is mentioned.

Regards, Olaf.
[OT] secure, minimal Debian installation for linux-based thin clients?
This is unrelated to any security patches / exploits, hence off-topic. I'm posting here mostly because it seems like the right crowd for this sort of problem. If this offends you, let me know and I'll find a different venue in the future.

OK. We're a large network running lots (~100) thin clients, and expecting to run more of them in the future. Currently, these are NeoWare Eon's (mobile x86 cpu) running Linux (an old scaled-down RedHat), with an NFS-mounted root fs. They run almost nothing locally: currently an X server, sshd, and possibly some music forwarding daemon in the future, so users can listen to tunes on their thin clients using software on the server (we don't give users access to the local software).

Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need. This isn't fatal, since the filesystem is NFS-mounted, but it's not clean, either.

Is there a Debian-derived minimal distribution? Or should we just install the base Debian system, add X via tasksel, and add/remove remaining items with dselect or apt-get? There is obviously more than one solution here, so I'm looking for recommendations.

We care about security; we don't want to run any services we don't need, etc. Reliability is key, so your uncle's friend's brother's alpha software might not be for us.

Any other comments (relevant to Debian on thin clients / X terminals) welcome.

-chris
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need.

Towards the end of the Debian installation process, when you're asked whether you want to run tasksel or dselect, you can choose dselect and exit it before installing any packages. If you do that, you're left with a really minimal install. You might be able to base your work on this.

noah
--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
OK, thanks. BTW, how does that differ from running tasksel and not selecting any tasks? Or is that even possible?

-chris

Noah L. Meyerhans [EMAIL PROTECTED] writes:
> On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> > Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need.
>
> Towards the end of the Debian installation process, when you're asked whether you want to run tasksel or dselect, you can choose dselect and exit it before installing any packages. If you do that, you're left with a really minimal install. You might be able to base your work on this.
>
> noah
> --
> Web: http://web.morgul.net/~frodo/
> PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
On Fri, 18 Oct 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need. This isn't fatal, since the filesystem is NFS-mounted, but it's not clean, either.
>
> Is there a Debian-derived minimal distribution? Or should we just install the base Debian system, add X via tasksel, and add/remove remaining items with dselect or apt-get?

Try doing a regular install but don't choose the option to install more packages after you install the base package. I believe this is what you are looking for...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

XP Source Code:
#include win2k.h
#include extra_pretty_things_with_bugs.h
#include more_bugs.h
#include require_system_activation.h
#include phone_home_every_so_often.h
#include remote_admin_abilities_for_MS.h
#include more_restrictive_EULA.h
#include sell_your_soul_to_MS_EULA.h
//os_ver=Windows 2000
os_ver=Windows XP
Securing Apache: vserver or chroot ?
Hi.

I have been thinking about putting apache inside a place where it cannot harm anything else on the system. We are serving web pages for several projects and we cannot control what each of them does (PHPNuke, PostNuke and friends have their big share of vulnerabilities).

I have been reading about two possibilities, among others.

* Vserver (http://www.solucorp.qc.ca/miscprj/s_context.hc)
  A patch for the kernel which provides context creation and jailing, so that processes are controlled by the kernel, and can be isolated from other contexts. Allows you to stop/start/restart the vservers, and provides a set of tools to work with them (even to create them).

* Chroot
  The linux system call to jail a subtree. Has to be created and maintained manually.

If anyone has experience with the solutions introduced above or has another kind of suggestion...

The other problem is how to prepare it: In the case of vserver, it can be done by copying the tree to a new location (/usr/vserverXX/) or just by mounting using the --bind flag on mount (allowing a dir to be mounted on to another mount point). Any experience here?

Thanks in advance!

mooch
--
Jesus Climent | Unix System Admin | Helsinki, Finland.
web: www.hispalinux.es/~data/ | pumuki.hispalinux.es
--
Please, encrypt mail sent to me: GnuPG ID: 86946D69
FP: BB64 2339 1CAA 7064 E429 7E18 66FC 1D7F 8694 6D69
--
Registered Linux user #66350
Debian 3.0 Linux 2.4.20
Shall I make us a nice cup of tea, Ma'am ? --Mrs. Mills (The others)
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
* Chris Majewski [EMAIL PROTECTED] [021018 22:43]:
> RedHat), with an NFS-mounted root fs. They run almost nothing locally: currently an X server, sshd, and possibly some music forwarding daemon in the future, so users can listen to tunes on their thin clients using software on the server (we don't give users access to the local software).
>
> Now, we're looking to upgrade the Linux on these thin clients. I like Debian, so that's one obvious choice. However, a standard Debian install (e.g. what I run on my machine) gives us much more than we need. This isn't fatal, since the filesystem is NFS-mounted, but it's not clean, either.

I do not know what you all need. When setting up only as Xterminal I just copied the needed files from the sparc .deb into some dir of the x86-Server. (And compiled some kernel on some sparc-machine, as the clients only had 5mb). Only some libs, init and the xserver. (Not even a shell). If you need ssh, you may need some more libs, but selecting exactly the files you need makes it also a little more secure.

As running ssh means regular updates, I would just suggest some script unpacking the whole .debs (Maybe even directly using ar and tar) and putting the configuration files in place. (Though thinking again about ssh and such things as the sshd-user this might perhaps not be the best solution)

Hochachtungsvoll,
Bernhard R. Link
--
The man who trades freedom for security does not deserve nor will he ever receive either. (Benjamin Franklin)