Re: help needed with firewall logging ..please

2004-02-10 Thread Michael Wood
On Mon, Feb 09, 2004 at 08:21:15PM -0800, Jeff wrote:
 suhail, 2004-Feb-09 15:15 -0800:
[snip]
  Now how do i actually find out if the packets are being dropped.
  i.e where shud I chk my system log files to see the dropped packets
  ... I mean which file is it n under which dir ..
 
 The logging done as shown above goes to syslog.  I use syslog-ng and
 filter the firewall log messages into a separate file.

Look in /var/log/messages.

-- 
Michael Wood [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
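Michael Wood's answer says where the firewall messages land; the next thing suhail will want is to pull the iptables LOG entries out of that file and see what was dropped. The script below is an added example, not code from the thread: it filters kernel LOG lines from a syslog-style file and summarizes them per source address and destination port. The four log lines are constructed samples in the format the iptables LOG target writes, and the `FW-DROP:` prefix is an assumed `--log-prefix`, not one from any of the posts.

```shell
#!/bin/sh
# Added example (not from the thread): pick iptables LOG entries out of a
# syslog-style file such as /var/log/messages and summarize dropped packets.
# The log lines below are constructed samples; "FW-DROP:" is an assumed
# --log-prefix on the LOG rule that precedes the DROP rule.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Feb 10 09:19:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4444 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 10 09:19:02 fw sshd[1234]: Accepted publickey for nick from 192.0.2.5 port 50022 ssh2
Feb 10 09:19:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4445 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 10 09:19:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=53 DPT=1025 LEN=20
EOF

# Number of log lines carrying the firewall prefix, i.e. packets the LOG rule saw.
count_drops() {
    grep -c 'kernel: FW-DROP:' "$1"
}

# Per-source summary as "SRC count", busiest source first. Every field of a
# LOG line is KEY=VALUE, so look for the SRC= token instead of assuming a
# fixed column (the MAC= field is absent on some interfaces).
drops_by_source() {
    awk '/kernel: FW-DROP:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
         }
         END { for (s in n) print s, n[s] }' "$1" | sort -k2,2nr
}

# Destination ports a given source was dropped on, one line, ascending.
ports_for_source() {
    awk -v src="SRC=$2" '/kernel: FW-DROP:/ {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == src) hit = 1
            if (hit) for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); print $i }
         }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

echo "dropped packets logged: $(count_drops "$SAMPLE_LOG")"
drops_by_source "$SAMPLE_LOG"
echo "ports probed by 203.0.113.7: $(ports_for_source "$SAMPLE_LOG" 203.0.113.7)"
```

On a real box replace `$SAMPLE_LOG` with `/var/log/messages` (or the separate file a syslog-ng filter writes), and use the same prefix you gave the LOG rule. Note that the LOG target records the packet and DROP discards it; a LOG line only proves a drop if the DROP rule is the next rule in the chain.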



Re: security.debian.org

2004-02-10 Thread Lupe Christoph
On Monday, 2004-02-09 at 20:38:37 +, Neil McGovern wrote:
 On Mon, Feb 09, 2004 at 06:17:01PM +0100, Konstantin Filtschew wrote:
  security.debian.org seems to be down

 [EMAIL PROTECTED]:~$ ping security.debian.org
 PING security.debian.org (130.89.175.33): 56 data bytes
 64 bytes from 130.89.175.33: icmp_seq=0 ttl=51 time=68.8 ms
 64 bytes from 130.89.175.33: icmp_seq=1 ttl=51 time=15.5 ms
 64 bytes from 130.89.175.33: icmp_seq=2 ttl=51 time=15.0 ms
 64 bytes from 130.89.175.33: icmp_seq=3 ttl=51 time=15.9 ms
 64 bytes from 130.89.175.33: icmp_seq=4 ttl=51 time=15.5 ms

 --- security.debian.org ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max = 15.0/26.1/68.8 ms

When I received the mail, I immediately tried to ping it. No reply. I
still have the traceroute output from that time:

traceroute to security.debian.org (194.109.137.218), 30 hops max, 38 byte packets
 1  firewally (172.17.0.7)  0.313 ms  0.265 ms  0.294 ms
 2  217.5.98.173 (217.5.98.173)  41.572 ms  14.095 ms  16.924 ms
 3  217.237.157.90 (217.237.157.90)  43.417 ms  13.360 ms  13.235 ms
 4  m-ec1.M.DE.net.DTAG.DE (62.154.27.234)  43.712 ms  41.187 ms  13.722 ms
 5  zcr2-so-5-2-0.Munich.cw.net (208.175.230.49)  43.801 ms  80.418 ms  13.694 ms
 6  zcr1-ge-4-3-0-5.Munich.cw.net (208.175.230.253)  44.627 ms  14.025 ms  13.144 ms
 7  bcr2-so-0-3-0.Amsterdam.cw.net (208.173.209.149)  44.844 ms  41.744 ms  41.494 ms
 8  zcr2-so-1-0-0.Amsterdamamt.cw.net (208.173.209.198)  45.590 ms  40.869 ms  42.402 ms
 9  zar1-ge-0-3-0.Amsterdamamt.cw.net (208.173.220.131)  46.314 ms 
zar1-ge-1-3-0.Amsterdamamt.cw.net (208.173.220.147)  325.519 ms  45.989 ms
10  kpn.Amsterdamamt.cw.net (208.173.212.154)  48.013 ms  45.763 ms  39.773 ms
11  0.so-1-3-0.xr1.d12.xs4all.net (194.109.5.101)  49.062 ms  67.547 ms  41.748 ms
12  0.so-3-0-0.cr1.d12.xs4all.net (194.109.5.58)  47.961 ms *  46.106 ms
13  * * *
14  * * *

Now the traceroute goes like this:

traceroute to security.debian.org (130.89.175.33), 30 hops max, 38 byte packets
 1  firewally (172.17.0.7)  14.812 ms  0.293 ms  0.176 ms
 2  217.5.98.173 (217.5.98.173)  14.354 ms  15.059 ms  16.953 ms
 3  217.237.157.90 (217.237.157.90)  33.209 ms  12.916 ms  13.132 ms
 4  f-ea1.F.DE.net.DTAG.DE (62.154.18.22)  47.707 ms  44.256 ms  19.434 ms
 5  208.49.136.173 (208.49.136.173)  46.733 ms  17.878 ms  21.079 ms
 6  pos12-0-2488M.cr1.FRA2.gblx.net (67.17.74.149)  38.589 ms  89.690 ms  26.491 ms
 7  pos0-0-2488M.cr1.AMS2.gblx.net (67.17.64.90)  45.999 ms  39.470 ms  39.688 ms
 8  so0-0-0-2488M.ar1.AMS1.gblx.net (67.17.65.230)  46.996 ms  38.572 ms  39.662 ms
 9  SURFnet.ge-4-2-0.ar1.AMS1.gblx.net (67.17.162.206)  40.223 ms 
GigaSurf-Amsterdam.ge-2-1-0.ar1.AMS1.gblx.net (208.49.125.50)  39.632 ms  39.552 ms
10  P11-0.CR1.Amsterdam1.surf.net (145.145.166.33)  38.971 ms  71.401 ms  39.665 ms
11  PO1-0.CR2.Amsterdam1.surf.net (145.145.160.2)  39.699 ms  39.121 ms  39.690 ms
12  PO0-0.AR5.Enschede1.surf.net (145.145.163.14)  44.969 ms  44.032 ms  44.446 ms
13  utwente-router.Customer.surf.net (145.145.4.2)  44.232 ms  44.670 ms  43.218 ms
14  slagroom.snt.utwente.nl (130.89.175.33)  45.313 ms  82.717 ms  44.476 ms

You can see that this was probably not security.d.o being down, but some
router. The packets are taking a quite different path. Maybe U Twente
switched providers?

 Also see http://www.debian.org/News/2004/20040202

That's old news. The machine has been reactivated.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |





Re: security.debian.org

2004-02-10 Thread Jean Christophe ANDRÉ
On Tuesday, 10 February 2004 at 09:19 (+0100), Lupe Christoph wrote:
  Also see http://www.debian.org/News/2004/20040202
 That's old news. The machine has been reactivated.

BTW, could somebody put back the debian-security -> . symbolic link?
-- 
J.C. ANDRÉ [EMAIL PROTECTED] http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Asia-Pacific Office (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
 Personal note: please avoid sending me PowerPoint or Word files;
 see http://www.fsf.org/philosophy/no-word-attachments.fr.html





Re: security.debian.org

2004-02-10 Thread I.R. van Dongen
Lupe Christoph wrote:

On Monday, 2004-02-09 at 20:38:37 +, Neil McGovern wrote:
 

On Mon, Feb 09, 2004 at 06:17:01PM +0100, Konstantin Filtschew wrote:
   

security.debian.org seems to be down
 

traceroute to security.debian.org (194.109.137.218), 30 hops max, 38 byte packets
1  firewally (172.17.0.7)  0.313 ms  0.265 ms  0.294 ms
2  217.5.98.173 (217.5.98.173)  41.572 ms  14.095 ms  16.924 ms
3  217.237.157.90 (217.237.157.90)  43.417 ms  13.360 ms  13.235 ms
4  m-ec1.M.DE.net.DTAG.DE (62.154.27.234)  43.712 ms  41.187 ms  13.722 ms
5  zcr2-so-5-2-0.Munich.cw.net (208.175.230.49)  43.801 ms  80.418 ms  13.694 ms
6  zcr1-ge-4-3-0-5.Munich.cw.net (208.175.230.253)  44.627 ms  14.025 ms  13.144 ms
7  bcr2-so-0-3-0.Amsterdam.cw.net (208.173.209.149)  44.844 ms  41.744 ms  41.494 ms
8  zcr2-so-1-0-0.Amsterdamamt.cw.net (208.173.209.198)  45.590 ms  40.869 ms  42.402 ms
9  zar1-ge-0-3-0.Amsterdamamt.cw.net (208.173.220.131)  46.314 ms zar1-ge-1-3-0.Amsterdamamt.cw.net (208.173.220.147)  325.519 ms  45.989 ms
10  kpn.Amsterdamamt.cw.net (208.173.212.154)  48.013 ms  45.763 ms  39.773 ms
11  0.so-1-3-0.xr1.d12.xs4all.net (194.109.5.101)  49.062 ms  67.547 ms  41.748 ms
12  0.so-3-0-0.cr1.d12.xs4all.net (194.109.5.58)  47.961 ms *  46.106 ms
13  * * *
14  * * *
 

traceroute to klecker.debian.org (194.109.137.218), 64 hops max, 44 byte 
packets

6  0.so-2-3-0.xr2.d12.xs4all.net (194.109.5.89)  18.584 ms  17.343 ms  
16.522 ms
7  0.ge-1-3-0.cr1.d12.xs4all.net (194.109.5.74)  17.500 ms  17.696 ms  
17.765 ms
8  * * *
9  * * *

klecker seems down again, security and non-us seem to be moved to the 
old location (utwente).

snip traceroute to utwente

You can see that this was probably not security.d.o being down, but some
router. The packets are taking a quite different path. Maybe U Twente
switched providers?
 

not likely :)

Gr,

Ivo



Re: Mail Delivery System

2004-02-10 Thread peter
This is an autoresponder. I'll never see your message.





How To Set Up Mail-out-only System ?

2004-02-10 Thread Nick Boyce
Sorry if this is a dumb question ...

I've just set up a secure (you know .. more than usual) Debian system, 
and want to arrange things so that it can send mail out when necessary 
(in case anything happens that it thinks I should know about) but is 
*not* constantly listening for incoming mail.

Is there a best way of doing this ?

The default Exim MTA is installed, and I've commented out the SMTP line 
from inetd.conf, but there is a /etc/init.d/exim startup script that 
comes with the Exim package, that has this :

   # Exit if exim runs from /etc/inetd.conf
   if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
       exit 0
   fi
   [...]
   case "$1" in
     start)
       echo -n "Starting MTA: "
       start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
           --exec $DAEMON -- -bd -q30m

So one way or the other, Exim gets to listen.

In exim.conf, there is 
   # This will cause it to accept mail only from the local interface
   #local_interfaces = 127.0.0.1
so I could set that option.  Would that stop Exim from binding to the 
ethernet interface ?

Should I just remove the S20exim symlink from rc?.d ?
That seems a bit of a kludge.  If this was NetBSD, I'd set something 
like exim=no in somewhere like rc.conf ... is there a Debian 
equivalent to that ?

TIA for any advice.
Nick Boyce
Bristol, UK





Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Murray J. Brown
On Tue, 2004-02-10 at 20:41, Nick Boyce wrote:
 Sorry if this is a dumb question ...
 
 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.
 
 Is there a best way of doing this ?

You might want to check out ssmtp.

...Murray





Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Rick Moen
Quoting Murray J. Brown ([EMAIL PROTECTED]):

 You might want to check out ssmtp.

Also nullmailer and smtppush.
See:  Nullmailers on http://linuxmafia.com/kb/Mail/

-- 
Cheers,             There are only 10 types of people in this world --
Rick Moen           those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]





Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Dale Amon
On Wed, Feb 11, 2004 at 01:41:13AM +, Nick Boyce wrote:
 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.

You could firewall incoming port 25 connections...

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  Have Laptop, Will Travel
--





Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Will Aoki
On Wed, Feb 11, 2004 at 01:41:13AM +, Nick Boyce wrote:
[want a send-only exim]
 The default Exim MTA is installed, and I've commented out the SMTP line 
 from inetd.conf, but there is a /etc/init.d/exim startup script that 
 comes with the Exim package, that has this :

# Exit if exim runs from /etc/inetd.conf
if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
    exit 0
fi
[...]
case "$1" in
  start)
    echo -n "Starting MTA: "
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
        --exec $DAEMON -- -bd -q30m

If you remove the '-bd', exim will run as a daemon, but it will only
send mail out (processing its queue). It won't bind tcp/25 to receive
mail.

(Exim will use a different pid file, so the init script has to be
modified for that, too. I've attached one with the necessary
modifications.)

 Should I just remove the S20exim symlink from rc?.d ?

If you don't want exim to run as a daemon at all, then you should rename
those links to K20exim. The crontab fragment in /etc/cron.d/exim will do
a queue run four times an hour.

 That seems a bit of a kludge.  If this was NetBSD, I'd set something 
 like exim=no in somewhere like rc.conf ... is there a Debian 
 equivalent to that ?

If you don't want to drive it the System V-ish way, you could probably
do something like that:

add to exim init script:

|  # the init script runs under set -e, so only source the file if it exists
|  [ -r /etc/default/exim ] && . /etc/default/exim
|  if [ "$SHOULDIRUN" = no ]; then
|    exit 0
|  fi

then create /etc/default/exim and add:

| SHOULDIRUN=no

-- 
William Aoki  KD7YAF  [EMAIL PROTECTED]  /\  ASCII Ribbon Campaign
   \ /  No HTML in mail or news!
X
   / \

#! /bin/sh
# /etc/init.d/exim
#
# Written by Miquel van Smoorenburg [EMAIL PROTECTED].
# Modified for Debian GNU/Linux by Ian Murdock [EMAIL PROTECTED].
# Modified for exim by Tim Cutts [EMAIL PROTECTED]

set -e

# Exit if exim runs from /etc/inetd.conf
if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
    exit 0
fi

DAEMON=/usr/sbin/exim
NAME=exim

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting MTA: "
    # queue-runner-only daemon: no -bd, so nothing is bound to tcp/25
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid-q30m \
        --exec $DAEMON -- -q30m
    echo "exim."
    ;;
  stop)
    echo -n "Stopping MTA: "
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
        --oknodo --retry 30 --exec $DAEMON
    echo "exim."
    ;;
  restart)
    echo -n "Restarting MTA: "
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
        --oknodo --retry 30 --exec $DAEMON
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid-q30m \
        --exec $DAEMON -- -q30m
    echo "exim."
    ;;
  reload|force-reload)
    echo "Reloading $NAME configuration files"
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
        --signal 1 --exec $DAEMON
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload}"
    exit 1
    ;;
esac

exit 0


Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Rick Moen
Quoting Dale Amon ([EMAIL PROTECTED]):

 You could firewall incoming port 25 connections...

Smarter to just edit /etc/exim/exim.conf to set local_interfaces =
127.0.0.1 in the main section, and then just HUP Exim.

See also:  http://slashdot.org/comments.pl?sid=92798&cid=7980769
           http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227981

-- 
Cheers,             There are only 10 types of people in this world --
Rick Moen           those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
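Whichever route Nick takes (Rick's local_interfaces = 127.0.0.1 plus a HUP, the no-bd queue runner, or the Postfix master.cf edit mentioned later in the thread), the check worth running afterwards is whether anything is still bound to tcp/25 on a non-loopback address. The shell function below is an added example, not code from any post: it reads `netstat -ltn` or `ss -ltn` output on stdin and classifies the port-25 listeners. The two listings it is run against here are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): after restricting the MTA to the
# loopback interface, confirm that no socket on tcp/25 is bound to a
# non-loopback address. Reads "netstat -ltn" or "ss -ltn" style output on
# stdin. The listings below are constructed samples.

BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Prints EXPOSED and exits 1 if any LISTEN socket on port 25 is bound to an
# address other than loopback; LOOPBACK-ONLY if port 25 is bound only to
# 127.0.0.1 or ::1; NOT-LISTENING if nothing is on port 25 at all.
# netstat puts the state in column 6 and ss in column 1; both put the local
# address:port in column 4. The port is the text after the last colon, which
# also handles IPv6 forms such as ":::25" and "::1:25".
smtp_exposure() {
    awk '($1 == "LISTEN" || $6 == "LISTEN") {
            addr = $4
            n = split(addr, p, ":")
            port = p[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port != "25") next
            if (host == "127.0.0.1" || host == "::1" || host == "[::1]")
                loopback++
            else
                exposed++
         }
         END {
            if (exposed > 0) { print "EXPOSED"; exit 1 }
            if (loopback > 0) { print "LOOPBACK-ONLY"; exit 0 }
            print "NOT-LISTENING"
         }'
}

# Run the classifier over one of the embedded listings.
check_sample() {
    printf '%s\n' "$1" | smtp_exposure
}

echo "before: $(check_sample "$BEFORE")"
echo "after:  $(check_sample "$AFTER")"
# On the real box:  netstat -ltn | smtp_exposure   (or: ss -ltn | smtp_exposure)
```

The non-zero exit on EXPOSED makes it usable from cron or a post-upgrade hook, which matters because a package upgrade can reinstall the stock init script and bring `-bd` back. Note that this only verifies the socket-level fixes: with Dale Amon's firewall-only approach the daemon is still bound to 0.0.0.0:25 and the check will report EXPOSED, so in that setup the filter chain is what has to be inspected instead.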





Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Nick Boyce
On Wed, 11 Feb 2004 11:53:38 +1000, Clayton Russell wrote:

On Wed, 2004-02-11 at 11:41, Nick Boyce wrote:
 Sorry if this is a dumb question ...
 
 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.

If you would like to use postfix you can comment out the 
smtp  inet  n   -   n   -   -   smtpd
line in /etc/postfix/master.cf, which stops the daemon listening on port
25, but does not affect sending mail.

Thanks Clayton - that's very useful - I was planning to look at
Postfix in due course - it seems to have the best security pedigree of
any of the popular MTAs.
[Without wanting to start anything religious here :-)]

Much obliged
Nick
-- 
"Bother," said Pooh, as he struggled with sendmail.cf, "it never
does quite what I want.  I wish Christopher Robin was here."





Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Jim Richardson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 11 Feb 2004 02:40:07 +0100,
 Nick Boyce [EMAIL PROTECTED] wrote:
 Sorry if this is a dumb question ...

 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.

 Is there a best way of doing this ?

 The default Exim MTA is installed, and I've commented out the SMTP line 
 from inetd.conf, but there is a /etc/init.d/exim startup script that 
 comes with the Exim package, that has this :

# Exit if exim runs from /etc/inetd.conf
if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
    exit 0
fi
[...]
case "$1" in
  start)
    echo -n "Starting MTA: "
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
        --exec $DAEMON -- -bd -q30m

 So one way or the other, Exim gets to listen.

 In exim.conf, there is 
# This will cause it to accept mail only from the local interface
#local_interfaces = 127.0.0.1
 so I could set that option.  Would that stop Exim from binding to the 
 ethernet interface ?

 Should I just remove the S20exim symlink from rc?.d ?
 That seems a bit of a kludge.  If this was NetBSD, I'd set something 
 like exim=no in somewhere like rc.conf ... is there a Debian 
 equivalent to that ?

 TIA for any advice.
 Nick Boyce
 Bristol, UK



Just firewall off port 25 from the network. Leave it visible internally
on the loopback, so you can still use it for a local MTA. 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAKZC5d90bcYOAWPYRAtGyAJ9i9GnQhUa9RxtPuerpGbktsZzLtQCgmOGW
KVwsJnoPAF7pfFBNWbUPG8M=
=w2SY
-END PGP SIGNATURE-

-- 
Jim Richardson http://www.eskimo.com/~warlock
We have to go forth and crush every world view that doesn't believe in
tolerance and free speech, - David Brin





Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Nick Boyce
On Wed, 11 Feb 2004 01:41:13 +, I wrote:

I've just set up a secure (you know .. more than usual) Debian system, 
and want to arrange things so that it can send mail out when necessary 
(in case anything happens that it thinks I should know about) but is 
*not* constantly listening for incoming mail.

Is there a best way of doing this ?

Thanks for all the great advice, people.

The idea of removing the -bd switch from the Exim startup line in
/etc/init.d/exim is appealing, though I guess I'd have to remember to
make that amendment every time a major upgrade occurred ... in that
context, I suppose editing exim.conf is more correct, in that
upgrades should offer me the chance to keep my customised exim.conf.

I'd rather stay with a mainstream MTA than switch to a smaller
dedicated null mailer, on the premise that mainstream MTAs will stay
better maintained - though the smaller attack surface of the dedicated
mailers is a Good Thing I suppose.

I may need timely notifications from this box (ok, it's an IDS), so I
don't want to rely on periodic cron-initiated mailer runs.

Again, many thanks for all the help.

Nick Boyce
Bristol, UK
-- 
We did a risk management review.  We concluded that there was no risk
 of any management.
 -- Hugo Mills [EMAIL PROTECTED]





Re: help needed with firewall logging ..please

2004-02-10 Thread Michael Wood
On Mon, Feb 09, 2004 at 08:21:15PM -0800, Jeff wrote:
 suhail, 2004-Feb-09 15:15 -0800:
[snip]
  Now how do i actually find out if the packets are being dropped.
  i.e where shud I chk my system log files to see the dropped packets
  ... I mean which file is it n under which dir ..
 
 The logging done as shown above goes to syslog.  I use syslog-ng and
 filter the firewall log messages into a separate file.

Look in /var/log/messages.

-- 
Michael Wood [EMAIL PROTECTED]



Re: security.debian.org

2004-02-10 Thread Lupe Christoph
On Monday, 2004-02-09 at 20:38:37 +, Neil McGovern wrote:
 On Mon, Feb 09, 2004 at 06:17:01PM +0100, Konstantin Filtschew wrote:
  security.debian.org seems to be down

 [EMAIL PROTECTED]:~$ ping security.debian.org
 PING security.debian.org (130.89.175.33): 56 data bytes
 64 bytes from 130.89.175.33: icmp_seq=0 ttl=51 time=68.8 ms
 64 bytes from 130.89.175.33: icmp_seq=1 ttl=51 time=15.5 ms
 64 bytes from 130.89.175.33: icmp_seq=2 ttl=51 time=15.0 ms
 64 bytes from 130.89.175.33: icmp_seq=3 ttl=51 time=15.9 ms
 64 bytes from 130.89.175.33: icmp_seq=4 ttl=51 time=15.5 ms

 --- security.debian.org ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max = 15.0/26.1/68.8 ms

When I received the mail, I immediately tried to ping it. No reply. I
still have the traceroute output from that time:

traceroute to security.debian.org (194.109.137.218), 30 hops max, 38 byte 
packets
 1  firewally (172.17.0.7)  0.313 ms  0.265 ms  0.294 ms
 2  217.5.98.173 (217.5.98.173)  41.572 ms  14.095 ms  16.924 ms
 3  217.237.157.90 (217.237.157.90)  43.417 ms  13.360 ms  13.235 ms
 4  m-ec1.M.DE.net.DTAG.DE (62.154.27.234)  43.712 ms  41.187 ms  13.722 ms
 5  zcr2-so-5-2-0.Munich.cw.net (208.175.230.49)  43.801 ms  80.418 ms  13.694 
ms
 6  zcr1-ge-4-3-0-5.Munich.cw.net (208.175.230.253)  44.627 ms  14.025 ms  
13.144 ms
 7  bcr2-so-0-3-0.Amsterdam.cw.net (208.173.209.149)  44.844 ms  41.744 ms  
41.494 ms
 8  zcr2-so-1-0-0.Amsterdamamt.cw.net (208.173.209.198)  45.590 ms  40.869 ms  
42.402 ms
 9  zar1-ge-0-3-0.Amsterdamamt.cw.net (208.173.220.131)  46.314 ms 
zar1-ge-1-3-0.Amsterdamamt.cw.net (208.173.220.147)  325.519 ms  45.989 ms
10  kpn.Amsterdamamt.cw.net (208.173.212.154)  48.013 ms  45.763 ms  39.773 ms
11  0.so-1-3-0.xr1.d12.xs4all.net (194.109.5.101)  49.062 ms  67.547 ms  41.748 
ms
12  0.so-3-0-0.cr1.d12.xs4all.net (194.109.5.58)  47.961 ms *  46.106 ms
13  * * *
14  * * *

Now the traceroute goes like this:

traceroute to security.debian.org (130.89.175.33), 30 hops max, 38 byte packets
 1  firewally (172.17.0.7)  14.812 ms  0.293 ms  0.176 ms
 2  217.5.98.173 (217.5.98.173)  14.354 ms  15.059 ms  16.953 ms
 3  217.237.157.90 (217.237.157.90)  33.209 ms  12.916 ms  13.132 ms
 4  f-ea1.F.DE.net.DTAG.DE (62.154.18.22)  47.707 ms  44.256 ms  19.434 ms
 5  208.49.136.173 (208.49.136.173)  46.733 ms  17.878 ms  21.079 ms
 6  pos12-0-2488M.cr1.FRA2.gblx.net (67.17.74.149)  38.589 ms  89.690 ms  
26.491 ms
 7  pos0-0-2488M.cr1.AMS2.gblx.net (67.17.64.90)  45.999 ms  39.470 ms  39.688 
ms
 8  so0-0-0-2488M.ar1.AMS1.gblx.net (67.17.65.230)  46.996 ms  38.572 ms  
39.662 ms
 9  SURFnet.ge-4-2-0.ar1.AMS1.gblx.net (67.17.162.206)  40.223 ms 
GigaSurf-Amsterdam.ge-2-1-0.ar1.AMS1.gblx.net (208.49.125.50)  39.632 ms  
39.552 ms
10  P11-0.CR1.Amsterdam1.surf.net (145.145.166.33)  38.971 ms  71.401 ms  
39.665 ms
11  PO1-0.CR2.Amsterdam1.surf.net (145.145.160.2)  39.699 ms  39.121 ms  39.690 
ms
12  PO0-0.AR5.Enschede1.surf.net (145.145.163.14)  44.969 ms  44.032 ms  44.446 
ms
13  utwente-router.Customer.surf.net (145.145.4.2)  44.232 ms  44.670 ms  
43.218 ms
14  slagroom.snt.utwente.nl (130.89.175.33)  45.313 ms  82.717 ms  44.476 ms

You can see that this was probably not security.d.o being down, but some
router. the packets are taking a quite different path. Maybe U Twente
switched providers?

 Also see http://www.debian.org/News/2004/20040202

That's old news. The machine has been reactivated.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |



Re: security.debian.org

2004-02-10 Thread Jean Christophe ANDRÉ
Le mardi 10 février 2004 à 09h19 (+0100), Lupe Christoph écrivait :
  Also see http://www.debian.org/News/2004/20040202
 That's old news. The machine has been reactivated.

BTW, could somebody put back the debian-security - . symbolic link?
-- 
J.C. プログフ ANDRÉ [EMAIL PROTECTED] http://www.vn.refer.org/
Coordonnateur technique régional / Associé technologie projet Reflets (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Adresse postale : AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tél. : +84 4 9331108   Fax : +84 4 8247383   Mobile : +84 91 3248747
⎧ Note personnelle : merci d'éviter de m'envoyer des fichiers PowerPoint   ⎫
⎩ ou Word ; voir http://www.fsf.org/philosophy/no-word-attachments.fr.html ⎭



Re: Mail Delivery System

2004-02-10 Thread peter
This is an autoresponder. I'll never see your message.



Re: security.debian.org

2004-02-10 Thread I.R. van Dongen

Lupe Christoph wrote:


On Monday, 2004-02-09 at 20:38:37 +, Neil McGovern wrote:
 


On Mon, Feb 09, 2004 at 06:17:01PM +0100, Konstantin Filtschew wrote:
   


security.debian.org seems to be down
 


traceroute to security.debian.org (194.109.137.218), 30 hops max, 38 byte 
packets
1  firewally (172.17.0.7)  0.313 ms  0.265 ms  0.294 ms
2  217.5.98.173 (217.5.98.173)  41.572 ms  14.095 ms  16.924 ms
3  217.237.157.90 (217.237.157.90)  43.417 ms  13.360 ms  13.235 ms
4  m-ec1.M.DE.net.DTAG.DE (62.154.27.234)  43.712 ms  41.187 ms  13.722 ms
5  zcr2-so-5-2-0.Munich.cw.net (208.175.230.49)  43.801 ms  80.418 ms  13.694 ms
6  zcr1-ge-4-3-0-5.Munich.cw.net (208.175.230.253)  44.627 ms  14.025 ms  
13.144 ms
7  bcr2-so-0-3-0.Amsterdam.cw.net (208.173.209.149)  44.844 ms  41.744 ms  
41.494 ms
8  zcr2-so-1-0-0.Amsterdamamt.cw.net (208.173.209.198)  45.590 ms  40.869 ms  
42.402 ms
9  zar1-ge-0-3-0.Amsterdamamt.cw.net (208.173.220.131)  46.314 ms 
zar1-ge-1-3-0.Amsterdamamt.cw.net (208.173.220.147)  325.519 ms  45.989 ms
10  kpn.Amsterdamamt.cw.net (208.173.212.154)  48.013 ms  45.763 ms  39.773 ms
11  0.so-1-3-0.xr1.d12.xs4all.net (194.109.5.101)  49.062 ms  67.547 ms  41.748 
ms
12  0.so-3-0-0.cr1.d12.xs4all.net (194.109.5.58)  47.961 ms *  46.106 ms
13  * * *
14  * * *
 

traceroute to klecker.debian.org (194.109.137.218), 64 hops max, 44 byte 
packets


6  0.so-2-3-0.xr2.d12.xs4all.net (194.109.5.89)  18.584 ms  17.343 ms  
16.522 ms
7  0.ge-1-3-0.cr1.d12.xs4all.net (194.109.5.74)  17.500 ms  17.696 ms  
17.765 ms

8  * * *
9  * * *

klecker seems down again, security and non-us seem to be moved to the 
old location (utwente).



snip traceroute to utwente


You can see that this was probably not security.d.o being down, but some
router. the packets are taking a quite different path. Maybe U Twente
switched providers?

 


not likely :)

Gr,

Ivo



How To Set Up Mail-out-only System ?

2004-02-10 Thread Nick Boyce
Sorry if this is a dumb question ...

I've just set up a secure (you know .. more than usual) Debian system, 
and want to arrange things so that it can send mail out when necessary 
(in case anything happens that it thinks I should know about) but is 
*not* constantly listening for incoming mail.

Is there a best way of doing this ?

The default Exim MTA is installed, and I've commented out the SMTP line 
from inetd.conf, but there is a /etc/init.d/exim startup script that 
comes with the Exim package, that has this :

   # Exit if exim runs from /etc/inetd.conf
   if [ -f /etc/inetd.conf ]  grep -q ^ *smtp /etc/inetd.conf; then
   exit 0
   fi
   [...]
   case $1 in
 start)
   echo -n Starting MTA: 
   start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
   --exec $DAEMON -- -bd -q30m

So one way or the other, Exim gets to listen.

In exim.conf, there is 
   # This will cause it to accept mail only from the local interface
   #local_interfaces = 127.0.0.1
so I could set that option.  Would that stop Exim from binding to the 
ethernet interface ?

Should I just remove the S20exim symlink from rc?.d ?
That seems a bit of a kludge.  If this was NetBSD, I'd set something 
like exim=no in somewhere like rc.conf ... is there a Debian 
equivalent to that ?

TIA for any advice.
Nick Boyce
Bristol, UK



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Murray J. Brown
On Tue, 2004-02-10 at 20:41, Nick Boyce wrote:
 Sorry if this is a dumb question ...
 
 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.
 
 Is there a best way of doing this ?

You might want to check out ssmtp.

...Murray



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Rick Moen
Quoting Murray J. Brown ([EMAIL PROTECTED]):

 You might want to check out ssmtp.

Also nullmailer and smtppush.
See:  Nullmailers on http://linuxmafia.com/kb/Mail/

-- 
Cheers,There are only 10 types of people in this world -- 
Rick Moen  those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Dale Amon
On Wed, Feb 11, 2004 at 01:41:13AM +, Nick Boyce wrote:
 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.

You could firewall incoming port 25 connections...

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware  software system design, security
and networking, systems programming and Admin
  Have Laptop, Will Travel
--



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Will Aoki
On Wed, Feb 11, 2004 at 01:41:13AM +, Nick Boyce wrote:
[want a send-only exim]
 The default Exim MTA is installed, and I've commented out the SMTP line 
 from inetd.conf, but there is a /etc/init.d/exim startup script that 
 comes with the Exim package, that has this :

# Exit if exim runs from /etc/inetd.conf
if [ -f /etc/inetd.conf ]  grep -q ^ *smtp /etc/inetd.conf; then
exit 0
fi
[...]
case $1 in
  start)
echo -n Starting MTA: 
start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
--exec $DAEMON -- -bd -q30m

If you remove the '-bd', exim will run as a daemon, but it will only
send mail out (processing its queue). It won't bind tcp/25 to receive
mail.

(Exim will use a different pid file, so the init script has to be
modified for that, too. I've attached one with the necessary
modifications.)

 Should I just remove the S20exim symlink from rc?.d ?

If you don't want exim to run as a daemon at all, then you should rename
those links to K20exim. The crontab fragment in /etc/cron.d/exim will do
a queue run four times an hour.

 That seems a bit of a kludge.  If this was NetBSD, I'd set something 
 like exim=no in somewhere like rc.conf ... is there a Debian 
 equivalent to that ?

If you don't want to drive it the System V-ish way, you could probably
do something like that:

add to exim init script:

|  . /etc/default/exim
|  if [ $SHOULDIRUN = no ]; then
|exit 0;
|  fi

then create /etc/default/exim and add:

| SHOULDIRUN=no

-- 
William Aoki  KD7YAF  [EMAIL PROTECTED]  /\  ASCII Ribbon Campaign
   \ /  No HTML in mail or news!
X
   / \
#! /bin/sh
# /etc/init.d/exim
#
# Written by Miquel van Smoorenburg [EMAIL PROTECTED].
# Modified for Debian GNU/Linux by Ian Murdock [EMAIL PROTECTED].
# Modified for exim by Tim Cutts [EMAIL PROTECTED]

set -e

# Exit if exim runs from /etc/inetd.conf
if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
    exit 0
fi

DAEMON=/usr/sbin/exim
NAME=exim

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting MTA: "
    # queue-runner only: no -bd, so exim never binds tcp/25
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid-q30m \
        --exec $DAEMON -- -q30m
    echo "exim."
    ;;
  stop)
    echo -n "Stopping MTA: "
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
        --oknodo --retry 30 --exec $DAEMON
    echo "exim."
    ;;
  restart)
    echo -n "Restarting MTA: "
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
        --oknodo --retry 30 --exec $DAEMON
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid-q30m \
        --exec $DAEMON -- -q30m
    echo "exim."
    ;;
  reload|force-reload)
    echo "Reloading $NAME configuration files"
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
        --signal 1 --exec $DAEMON
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload}"
    exit 1
    ;;
esac

exit 0
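A hardened form of the /etc/default/exim switch proposed above, added here as an example and not code from the post or the Debian package. The file path and the SHOULDIRUN variable name are the post's; defaulting to "yes" when the file or the variable is absent is an assumption made here so that a missing file neither silently disables the MTA nor aborts a "set -e" init script.

```sh
#!/bin/sh
# Added example (not from the thread): /etc/default/exim switch that copes
# with a missing file, an unset or empty variable, and an inherited
# environment value. Defaulting to "yes" is an assumption made here.

exim_enabled() {
    # $1 (optional): defaults file to read, /etc/default/exim by default
    defaults="${1:-/etc/default/exim}"
    SHOULDIRUN=                       # never inherit a value from the environment
    if [ -r "$defaults" ]; then
        . "$defaults"
    fi
    # both sides quoted: an empty variable must not turn this into "[ = no ]"
    [ "${SHOULDIRUN:-yes}" != "no" ]
}

# Stand-alone demonstration with constructed defaults files in a temp dir
demo() {
    dir=$(mktemp -d)
    printf 'SHOULDIRUN=no\n'  > "$dir/exim.off"
    printf 'SHOULDIRUN=yes\n' > "$dir/exim.on"
    for f in "$dir/exim.off" "$dir/exim.on" "$dir/exim.missing"; do
        if exim_enabled "$f"; then
            echo "$f: start the daemon"
        else
            echo "$f: SHOULDIRUN=no, not starting"
        fi
    done
    rm -rf "$dir"
}

demo
```

In the init script the call would simply be `exim_enabled || exit 0` placed before the case statement.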


Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Rick Moen
Quoting Dale Amon ([EMAIL PROTECTED]):

 You could firewall incoming port 25 connections...

Smarter to just edit /etc/exim/exim.conf to set local_interfaces =
127.0.0.1 in the main section, and then just HUP Exim.

See also:  http://slashdot.org/comments.pl?sid=92798&cid=7980769
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227981

-- 
Cheers,        There are only 10 types of people in this world --
Rick Moen      those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
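Whichever route is taken (local_interfaces, dropping -bd, or a firewall rule), the result is worth verifying from the listening sockets rather than from the config file. The check below is an added example and not code from the thread; it parses "netstat -ltn"-style output (constructed samples are embedded) and flags any tcp/25 listener that is not bound to a loopback address.

```sh
#!/bin/sh
# Added example, not code from the thread: after changing the MTA setup,
# confirm that nothing listens on tcp/25 except on the loopback address.
# smtp_exposed reads "netstat -ltn"-style lines on stdin, prints every
# tcp/25 listener bound to a non-loopback address, and returns 0 when
# tcp/25 is loopback-only (or closed) and 1 otherwise.

smtp_exposed() {
    # Column 4 of netstat -ltn is the local address, e.g. 0.0.0.0:25
    awk '
        $1 == "tcp" || $1 == "tcp6" {
            addr = $4
            n = split(addr, parts, ":")   # the port is the last field
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "25" && host != "127.0.0.1" && host != "::1") {
                print "exposed: " addr
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: exim started with "-bd" binds every interface
SAMPLE_OPEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed sample: after local_interfaces = 127.0.0.1, or with -bd removed
SAMPLE_LOOPBACK='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

check_sample() {
    # $1: netstat text to check; prints a verdict, returns 1 if exposed
    if printf '%s\n' "$1" | smtp_exposed; then
        echo "ok: tcp/25 is loopback-only"
    else
        echo "WARNING: tcp/25 is reachable from the network"
        return 1
    fi
}

check_sample "$SAMPLE_OPEN" || true     # prints the exposed listener first
check_sample "$SAMPLE_LOOPBACK"
```

On the real box, run `netstat -ltn | smtp_exposed` after a HUP or restart; a firewall rule will not change this output, so for that route check the packet filter instead.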



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Nick Boyce
On Wed, 11 Feb 2004 11:53:38 +1000, Clayton Russell wrote:

On Wed, 2004-02-11 at 11:41, Nick Boyce wrote:
 Sorry if this is a dumb question ...
 
 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.

If you would like to use postfix you can comment out the 
smtp  inet  n   -   n   -   -   smtpd
line in /etc/postfix/master.cf, which stops the daemon listening on port
25, but does not affect sending mail.

Thanks Clayton - that's very useful - I was planning to look at
Postfix in due course - it seems to have the best security pedigree of
any of the popular MTAs.
[Without wanting to start anything religious here :-)]

Much obliged
Nick
-- 
"Bother," said Pooh, as he struggled with sendmail.cf, "it never
does quite what I want.  I wish Christopher Robin was here."



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Jim Richardson

On Wed, 11 Feb 2004 02:40:07 +0100,
 Nick Boyce [EMAIL PROTECTED] wrote:
 Sorry if this is a dumb question ...

 I've just set up a secure (you know .. more than usual) Debian system, 
 and want to arrange things so that it can send mail out when necessary 
 (in case anything happens that it thinks I should know about) but is 
 *not* constantly listening for incoming mail.

 Is there a best way of doing this ?

 The default Exim MTA is installed, and I've commented out the SMTP line 
 from inetd.conf, but there is a /etc/init.d/exim startup script that 
 comes with the Exim package, that has this :

# Exit if exim runs from /etc/inetd.conf
if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
    exit 0
fi
[...]
case "$1" in
  start)
    echo -n "Starting MTA: "
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
        --exec $DAEMON -- -bd -q30m

 So one way or the other, Exim gets to listen.

 In exim.conf, there is 
# This will cause it to accept mail only from the local interface
#local_interfaces = 127.0.0.1
 so I could set that option.  Would that stop Exim from binding to the 
 ethernet interface ?

 Should I just remove the S20exim symlink from rc?.d ?
 That seems a bit of a kludge.  If this was NetBSD, I'd set something 
 like exim=no in somewhere like rc.conf ... is there a Debian 
 equivalent to that ?

 TIA for any advice.
 Nick Boyce
 Bristol, UK



Just firewall off port 25 from the network. Leave it visible internally
on the loopback, so you can still use it for a local MTA. 


-- 
Jim Richardson http://www.eskimo.com/~warlock
"We have to go forth and crush every world view that doesn't believe in
tolerance and free speech," - David Brin



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Nick Boyce
On Wed, 11 Feb 2004 01:41:13 +, I wrote:

I've just set up a secure (you know .. more than usual) Debian system, 
and want to arrange things so that it can send mail out when necessary 
(in case anything happens that it thinks I should know about) but is 
*not* constantly listening for incoming mail.

Is there a best way of doing this ?

Thanks for all the great advice, people.

The idea of removing the -bd switch from the Exim startup line in
/etc/init.d/exim is appealing, though I guess I'd have to remember to
make that amendment every time a major upgrade occurred ... in that
context, I suppose editing exim.conf is more correct, in that
upgrades should offer me the chance to keep my customised exim.conf.

I'd rather stay with a mainstream MTA than switch to a smaller
dedicated null mailer, on the premise that mainstream MTAs will stay
better maintained - though the smaller attack surface of the dedicated
mailers is a Good Thing I suppose.

I may need timely notifications from this box (ok, it's an IDS), so I
don't want to rely on periodic cron-initiated mailer runs.

Again, many thanks for all the help.

Nick Boyce
Bristol, UK
-- 
We did a risk management review.  We concluded that there was no risk
 of any management.
 -- Hugo Mills [EMAIL PROTECTED]