Re: Slightly OT: Setting the primary NIC

2004-03-21 Thread Brandon High
On Sun, Mar 21, 2004 at 11:58:00AM +0100, Lupe Christoph wrote:
  Can anyone tell me how I can tell the machine which NIC is the primary?
 There is no such thing as a primary NIC. Unless a daemon explicitly
 binds a socket to a specific IP address and send a packet through that

Could it be that he means the NIC that the default route applies to?

netstat -rn would show that.

-B

-- 
Brandon High [EMAIL PROTECTED]
ZX-7R Wasabi, '02 BMW R1150RS Troll
I'm at an age where it's healthy to develop a debilitating chemical
dependence.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: How efficient is mounting /usr ro?

2003-10-09 Thread Brandon High
On Thu, Oct 09, 2003 at 08:06:46AM -0400, Phillip Hofmeister wrote:
 If I r00t your system I'll have access to remount it rw anyhow.  Any
 hacker who doesn't know how to remount a file system is really lame.
 You may slow someone down for 3 seconds until they type:

It'll stop a worm or automated intrusion though...

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS Troll
Depression is merely anger without enthusiasm.






Re: evolution

2003-06-27 Thread Brandon High
On Thu, Jun 26, 2003 at 08:40:38AM +0300, Martynas Domarkas wrote:
 Hi, it's me again and I have another stupid question: my evolution
 mailer in a short period of time repeatedly tries connect to some
 strange hosts:
 
 tcp 0 1 192.168.0.1:33931 205.156.51.200:80 SYN_SENT   
 4055/evolution-exec 
 
 tcp 0 1 192.168.0.1:33932 206.14.209.40:80 SYN_SENT   
 4055/evolution-exec 
 
 tcp 0 1 192.168.0.1:33933 63.236.73.20:80 SYN_SENT   
 4055/evolution-exec 

I would guess, just off the top of my head, that it's trying to load
images for HTML mail that you've received. All the connections are going
to port 80 on the remote machines.

Check Tools -> Mail Settings and look under the Display tab. Set "Never
load images off the net" and see if the connections are still there.

Evolution also uses HTTP to get the RDF data feeds for the summary page.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS Troll
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.






Re: Could sudo be a security issue?

2003-05-16 Thread Brandon High
On Fri, May 16, 2003 at 03:50:46AM -0500, lemuel typhair wrote:
 xbud wrote:
 good point, but this is not entirely true.
 In the case where a user simply does a 
 sudo su -
 or a 
 sudo sh
 only the first command will be logged.
 yes this is so true, but would you really give root to someone who does 
 not follow the rules to begin with?  if i ever saw that they did that in 
 the logs, they would never have root again... 

You can lock down the commands that can be run. Restricting su and the
shells are simple enough and should always be done... There are other
holes though.

For instance:
 sudo vi /etc/hosts
then, inside vi type :!bash

Bam ... A root shell that's not logged. I know there's a way to restrict
this in vim, but I'm not sure about all the shells.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS Troll
The world is a comedy to those that think, a tragedy to those that feel.
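
The :!bash escape above is exactly what sudo's NOEXEC tag and the sudoedit
pseudo-command exist for. The fragment below is an added example, not part
of the original thread; "ops" is a placeholder group name.

```sudoers
# Members of group ops may run vi on /etc/hosts as root, but NOEXEC makes
# every exec() from inside the editor fail, so :!bash, :shell and friends
# die instead of handing out an unlogged root shell.
%ops ALL = (root) NOEXEC: /usr/bin/vi /etc/hosts

# Better still: sudoedit copies the file to a temporary location, runs the
# editor as the invoking user, and copies the result back as root. The
# editor never runs with privilege, and the edit is logged like any other
# sudo command.
%ops ALL = (root) sudoedit /etc/hosts

# What NOT to do; this grant is a root shell for anyone who knows :!bash.
# %ops ALL = (root) /usr/bin/vi /etc/hosts
```

Run visudo -c after editing to check the syntax. NOEXEC works by preloading
a library that makes exec() fail, so it needs a sudo built with noexec
support and does nothing for a statically linked editor; sudoedit sidesteps
the problem because the editor is never root in the first place.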



Re: cluster on firewall?

2003-02-07 Thread Brandon High
On Fri, Feb 07, 2003 at 09:40:49AM +0100, Victor Calzado Mayo wrote:
 you might find usefull the vrrpd code.
 apt-cache show vrrpd

I've had trouble getting the Linux vrrp code to work properly, and the
documentation is poor.

There's another package called 'heartbeat' that does a good job of
allowing failover as well. I've used it on a firewall / gateway setup,
and on ftp servers.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS Troll
It used to be only death and taxes were inevitable. Now, of course,
there's shipping and handling, too.






Re: I'm searching for a network wide system update tool

2003-01-20 Thread Brandon High
On Sun, Jan 19, 2003 at 12:45:03PM +0100, Ivo Marino wrote:
 Well, I admin different Debian GNU/Linux stable machines on different
 networks, each time a new security update comes out from the DSA I actually
 update by hand via ssh all the Debian GNU/Linux servers in my network.

Take a look at cfengine - It's capable of automating stuff like this
fairly easily.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS Troll
You're just jealous because the voices are talking to me.





Re: DHCP

2002-10-29 Thread Brandon High
On Mon, Oct 28, 2002 at 07:38:38PM -0600, Hanasaki JiJi wrote:
 Too bad there is no way to do a secure handshake w/ an id/password or 
 even SecureID cards.

That's the idea behind PPPoE. Yuck.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS
Things are more like they are today than they ever have been before.





Re: frequent mail signing = is there a GPG agent?

2002-06-08 Thread Brandon High
On Sun, Jun 09, 2002 at 09:57:10AM +0700, Jean Christophe ANDRÉ wrote:
 
 Probably a stupid question but... I can see lots of you on this list
 frequently signing their e-mails, do you use some kind of GPG agent?

mutt and Evolution both have pgp/gpg signing built in.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '94 BMW K75s Brick
More hay, Trigger? No thanks, Roy, I'm stuffed!




Re: does virus ELF.OSF.8759 affect debian?

2002-04-10 Thread Brandon High

On Wed, Apr 10, 2002 at 07:46:22PM +0200, Marcin Owsiany wrote:
 On Wed, Apr 10, 2002 at 06:24:01PM +0200, Narancs v1 wrote:
  Hi there!
  
  I've read a strange info at
  http://www3.ca.com/Virus/Virus.asp?ID=11513
  
  is it true?
  can it infect my debian systems? (woody, sid, potato)?
  how?
 
 If you run an infected file - yes. Otherwise - i don't think so (they
 don't say if it exploits any vulnerabilities other than user's
 stupidity/ignorance).
 
 Basically, if you run binaries from an unsafe source, you get what you
 deserve.

And another reason not to run as root...

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '94 BMW K75s Brick
When approaching a four-way stop, the vehicle with the largest tires
always has the right of way.





Re: does virus ELF.OSF.8759 affect debian?

2002-04-10 Thread Brandon High

On Wed, Apr 10, 2002 at 02:54:26PM -0700, Anne Carasik wrote:
 with Trojan horses. Always check the digital signatures and the
 checksums!
 
 Debian does this when you do an apt-get, I believe.

I think there's support for it in later versions of apt-get, but not
with the one included with Potato.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '94 BMW K75s Brick
Speeling mistakes only bother people who are illiterate.






Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Brandon High

On Sat, Feb 09, 2002 at 09:39:00PM +0100, Johannes Weiss wrote:
 I have a security question:
 On my HTTP(s)/MAIL(SMTP,POP,IMAP)/SSH-Server:
 should I open(accept) or close(deny, perhaps reject?) the port 113???

I've got it closed on my machines. I don't know what you might need it
for.

-B

-- 
Brandon High [EMAIL PROTECTED]
1998 Kawasaki ZX-7R Wasabi, 1998 Kawasaki EX500, 1994 BMW K75s
I started out with nothing  still have most of it left.





Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Brandon High

On Sat, Feb 09, 2002 at 10:07:45PM +0100, Jakub Jankowski wrote:
 On 2002-02-09, Brandon High wrote:
 
 [...]
  should I open(accept) or close(deny, perhaps reject?) the port 113???
 
 I've got it closed on my machines. I don't know what you might need it
 for.
 
 We've been through at least once, haven't we? *sigh*

I know what port 113 is for:
schitzo:~[1] grep 113 /etc/services 
auth            113/tcp         authentication tap ident

I just don't know what you might need the ident server for.

-B

-- 
Brandon High [EMAIL PROTECTED]
1998 Kawasaki ZX-7R Wasabi, 1998 Kawasaki EX500, 1994 BMW K75s
Do they ever shut up on your planet?






Re: FTP and security

2001-11-08 Thread Brandon High

On Thu, Nov 08, 2001 at 10:29:08PM +0100, Luc MAIGNAN wrote:
 Is FTP really insecure ?
 I use a version of ProFtpd.

The protocol is insecure, since it sends login and authentication
information over the wire in clear text.

Different FTP daemons have different security issues.

-B

-- 
Brandon High [EMAIL PROTECTED]
The careful application of terror is also a form of communication.







Re: i am experiencing intrusion attempts

2001-09-18 Thread Brandon High
On Tue, Sep 18, 2001 at 11:29:24AM -0400, [EMAIL PROTECTED] wrote:
 I need to trace the person who is hitting on my pc 40 times a day.
 Any ideas?

There's a new IIS exploit out there.

http://www.norton.com/avcenter/venc/data/[EMAIL PROTECTED]

I started getting hit about 6:15 this morning by the worm, but there was
(what looks like) a manual attempt yesterday at 17/Sep/2001:10:17:58 -0700

-B

-- 
Brandon High [EMAIL PROTECTED]
If God wanted me to touch my toes, he would have put them on my knees.




Re: Mutt and inline gpg

2001-08-09 Thread Brandon High

On Thu, Aug 09, 2001 at 03:19:42PM +0200, Martin Domig wrote:
 
 I am using the same procmail filter and can say that it works
 perfectly for incoming pgp/gpg mails. However, this does not solve the
 problem with other mail clients that want to have inline PGP messages, and
 those are many. 
 Is there a way to make mutt send inline PGP messages instead of the
 MIME attachment form?

I think this is what you're looking for:
6.3.115.  pgp_create_traditional

Type: quadoption
Default: no

This option controls whether Mutt generates old-style PGP
encrypted or signed messages under certain circumstances.

Note that PGP/MIME will be used automatically for messages
which have a character set different from us-ascii, or which
consist of more than a single MIME part.

Also note that using the old-style PGP message format is
strongly deprecated.

-B

-- 
Brandon High [EMAIL PROTECTED]
Some people are alive only because it's illegal to kill.




Code Red Worm

2001-08-06 Thread Brandon High

Code Red v2 is wreaking havoc already today. It's liquefied our corporate
firewall.

I was probed by it 200 times on Sunday as well, vs. maybe 30/day for v1.

-B

-- 
Brandon High [EMAIL PROTECTED]
Remember that silence is sometimes the best answer.




Re: Locking down a guest account - need help.

2001-08-04 Thread Brandon High
On Fri, Aug 03, 2001 at 03:38:28PM -0700, Vineet Kumar wrote:
 
 * David Ehle ([EMAIL PROTECTED]) [010803 14:53]:
  Thanks Andrew, Thanks Jim.
  
 I'll layer them on and sleep better tonight ;).
  
  Stopping the middle button menu behavior is still causing me to pull my
  hair out though.  Tried changing the behavior of the middle button in the
  /enlightenment/keybind.cfg file - both global and local version, but it
  doesn't seem to stop the menu function when you click on the desktop
  proper.
  
  Any super X gurus out there want to share their $.02?
 
 (IANAG)
 
 I've never tried this, but maybe you could just reconfigure X so that it
 thinks you're using a one-button mouse? Of course, you'd also want to
 disable the keyboard-mouse-emulation functionality. Overall, it seems
 like a weird way to go about sidestepping configurability. There must be
 other ways to change settings (gnome-control-center, e16menuedit,
 e16keyedit, etc) without the middle button.

You should be able to do this by setting Buttons 2 in the mouse config of
XFree.

You can also use xmodmap to set the middle button to something else.

-B

-- 
Brandon High [EMAIL PROTECTED]
If I worked as much as others, I would do as little as they.




[OT] Key mapping

2001-08-04 Thread Brandon High
I'm having a few problems when running an X application on my Solaris 5.6
box and displaying on my Potato X session.

Namely, when I press and release the right shift key (Shift_R) xev reports
that I'm pressing the key pad * key.

KeyPress event, serial 25, synthetic NO, window 0x381,
root 0x26, subw 0x0, time 466910596, (74,97), root:(676,463),
state 0x10, keycode 62 (keysym 0xffaa, KP_Multiply), same_screen YES,
XLookupString gives 1 characters:  *

KeyRelease event, serial 25, synthetic NO, window 0x381,
root 0x26, subw 0x0, time 466911171, (74,97), root:(676,463),
state 0x11, keycode 62 (keysym 0xffe2, Shift_R), same_screen YES,
XLookupString gives 0 characters:  


An X app running locally on the box does the right thing:
KeyPress event, serial 16, synthetic NO, window 0x381,
root 0x26, subw 0x0, time 466910596, (74,97), root:(676,463),
state 0x10, keycode 62 (keysym 0xffe2, Shift_R), same_screen YES,
XLookupString gives 0 characters:  

KeyRelease event, serial 16, synthetic NO, window 0x381,
root 0x26, subw 0x0, time 466911171, (74,97), root:(676,463),
state 0x11, keycode 62 (keysym 0xffe2, Shift_R), same_screen YES,
XLookupString gives 0 characters:  

Any idea on how I can fix this?

-B

-- 
Brandon High [EMAIL PROTECTED]
You're just jealous because the voices are talking to me.




Re: CGI Buffer Overflow?

2001-07-19 Thread Brandon High

On Thu, Jul 19, 2001 at 05:17:26PM -0400, Brian Rectanus wrote:
 Anyone seen this before?  I have looked around for similar attacks, but
 cannot find any info.  I assume that is a unicode string padded out with
 Ns.  How would I go about finding out what is in the string?
 
 
 xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] GET
 /default.ida?NNN
 
 
 N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
 078%u%u00=a  HTTP/1.0 400 328

There was a bug in IIS that involved query strings over 4095 or 8191
characters. That was several years ago though.

-B

-- 
Brandon High [EMAIL PROTECTED]
Jury: Twelve people who determine which client has the better attorney.
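
The request Brian logged is the probe Code Red sent in July 2001: a GET for
/default.ida with a long pad of N (X for Code Red II) followed by a
%u-encoded payload aimed at the overflow in IIS's Index Server ISAPI
filter, the same worm the "Code Red Worm" message on this page is about.
Apache answers 400 and is not affected. What follows is an added example,
not part of the thread, that classifies such probes in an Apache log and
decodes the %uXXXX run into the bytes IIS would have seen. The log lines
are constructed for the example.

```python
import re
import struct
from collections import Counter, defaultdict

# Constructed Apache common-log lines for this example (not from the thread).
# Lines 1, 2 and 4 are the IIS .ida probe, line 5 is a cmd.exe traversal
# probe, line 3 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2001:14:28:23 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 328
10.0.0.5 - - [19/Jul/2001:14:28:24 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u00=a HTTP/1.0" 400 328
192.0.2.9 - - [19/Jul/2001:14:30:01 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [19/Jul/2001:15:02:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 328
203.0.113.4 - - [19/Jul/2001:15:10:00 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
"""

# Common log format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)
# Code Red signature: /default.ida? then a pad of N (v1/v2) or X (Code Red II),
# then the %uXXXX-encoded payload. Only IIS's .ida filter ever parses it.
IDA_RE = re.compile(r'^/default\.ida\?([NX]+)(?:%u[0-9a-fA-F]{4})+', re.I)

def parse_line(line):
    """Split one common-log-format line into fields, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path):
    """Name the probe a request path represents, or None for ordinary traffic."""
    m = IDA_RE.match(path)
    if m:
        return "code-red-" + m.group(1)[0].upper()     # code-red-N or code-red-X
    if "cmd.exe" in path.lower() or "root.exe" in path.lower():
        return "cmd-exe-probe"
    return None

def decode_u(path):
    """Turn the %uXXXX run into the little-endian bytes IIS would put in memory.
    The Code Red string starts 90 90 (nop nop) 58 (pop eax) 68 d3 cb 01 78
    (push 0x7801cbd3)."""
    words = re.findall(r"%u([0-9a-fA-F]{4})", path)
    return b"".join(struct.pack("<H", int(w, 16)) for w in words)

def scan(log_text):
    """Count probes per kind and source: {kind: Counter({src: n})}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind:
            hits[kind][rec["src"]] += 1
    return hits

if __name__ == "__main__":
    for kind, sources in scan(SAMPLE_LOG).items():
        for src, n in sources.most_common():
            print("%-14s %-16s %d" % (kind, src, n))
    print(decode_u("/default.ida?NN%u9090%u6858%ucbd3%u7801").hex())
```

Run it over a real access.log with scan(open(path).read()); a source that
shows up under code-red-N dozens of times a day is an infected IIS host
scanning, which is what the 30/day and 200/day figures in the Code Red
message are counting.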




Re: ProFtpd question

2001-06-26 Thread Brandon High

On Wed, Jun 27, 2001 at 03:36:27AM +0200, Jean-Marc Boursot wrote:
 
  ln -s /bin/ftponly /bin/false
 
 Wow, it's quite late in Europe. It's better like that:
 ln -s /bin/false /bin/ftponly

Perhaps a silly question, but why not just set the shell to /bin/false?

-B

-- 
Brandon High [EMAIL PROTECTED]
Black holes are where God divided by zero.




Re: nmap 2.12

2001-06-21 Thread Brandon High
On Sun, Jun 17, 2001 at 09:52:50PM +0200, Gregoire Welraeds wrote:
 Hello,
 
 I have recently installed a basic potato on a PII. While playing a little bit
 around I find that the provided nmap was only a 2.12 version. It is a rather
 old version of nmap (I have a 2.53 installed on a SuSE 6.3).
 
 Is there any known reason for this choice ?

It's probably what was available when Potato was frozen. The
distribution is getting a little long in the tooth, I think that it was
almost 2 years ago.

-B

-- 
Brandon High [EMAIL PROTECTED]
I always have fun because I'm out of my mind!!!




Re: a FISH?!?!

2001-06-03 Thread Brandon High
On Sun, Jun 03, 2001 at 07:44:00AM +, Adam Olsen wrote:
 
 Since I doubt anybody'd try the latter, does anybody know of a program
 that might have caused it?

There is a hack from the xscreensaver package that will fetch images
from the web and display them. It freaked me out the first time it came
up on random.

Since you were actually using the system, I doubt that's it though.

-B

-- 
Brandon High [EMAIL PROTECTED]
Eat Bran - If you can't be normal, at least be regular.




Re: What is port 500?

2001-05-20 Thread Brandon High
On Sat, May 19, 2001 at 10:14:42AM +0100, Karl E. Jorgensen wrote:
 Recently, logcheck alerted me to the following in my logs (sorry
 about the long lines):
[...]
 But I am at loss to what port 500/udp is? By the timings,
 (starting 30 seconds after connecting to my ISP), it actually
 looks like my ISP is trying to send those packets to me (the
 source IP is the other endpoint of my ppp connection).
 
 Any ideas out there? Where I can I find an authoritative list of
 port numbers?

I don't know what port 500 is, but I saw something similar in my logs:

May 18 04:03:40 xenophobe kernel: Packet log: input DENY eth1 PROTO=17 
193.15.225.97:63760 63.203.219.82:500 L=772 S=0x00 I=35765 F=0x T=113 (#36)

There were 6 attempts, spaced less than 15 seconds apart. There's most
likely a new Windows back door that runs port 500, and people are scanning
for it.

-B

-- 
Brandon High [EMAIL PROTECTED]
No occifer, I'm not under the affluence of incohol.
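
Karl asked where an authoritative list of port numbers lives: the IANA
assignments, which Debian installs as /etc/services (getent services
500/udp, or grep -w 500 /etc/services). 500/udp is registered there as
isakmp, the IPsec key exchange. The code below is an added example, not
part of the thread: it parses the 2.2-kernel ipchains "Packet log" line
quoted above and resolves the destination port against an embedded excerpt
of that table, so it runs without /etc/services. The repeat lines and the
ident probe are constructed.

```python
import re
from collections import Counter

# Excerpt of the IANA port assignments, embedded so the example runs offline.
SERVICES = {
    (500, "udp"): "isakmp",   # IKE, the IPsec key exchange
    (500, "tcp"): "isakmp",
    (113, "tcp"): "auth",     # ident
    (22, "tcp"): "ssh",
    (25, "tcp"): "smtp",
    (80, "tcp"): "http",
}
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# ipchains log format:
# Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> ...
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)

def parse_ipchains(line):
    """Parse one ipchains log line into a dict with protocol and service named."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    proto = PROTOCOLS.get(int(m["proto"]), "proto" + m["proto"])
    dport = int(m["dport"])
    return {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": proto, "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": dport, "length": int(m["length"]),
        "service": SERVICES.get((dport, proto), "unassigned/unknown"),
    }

def summarize(lines):
    """Count denied packets per (src, dport/proto, service). One source retrying
    one port (an IKE peer trying to negotiate) looks different from many sources
    hitting one port (a scan for something listening there)."""
    counts = Counter()
    for line in lines:
        rec = parse_ipchains(line)
        if rec:
            key = (rec["src"], "%d/%s" % (rec["dport"], rec["proto"]), rec["service"])
            counts[key] += 1
    return counts

# The line quoted above, plus constructed repeats from the same source a few
# seconds apart and one unrelated ident probe.
SAMPLE = [
    "May 18 04:03:40 xenophobe kernel: Packet log: input DENY eth1 PROTO=17 193.15.225.97:63760 63.203.219.82:500 L=772 S=0x00 I=35765 F=0x T=113 (#36)",
    "May 18 04:03:52 xenophobe kernel: Packet log: input DENY eth1 PROTO=17 193.15.225.97:63760 63.203.219.82:500 L=772 S=0x00 I=35766 F=0x0000 T=113 (#36)",
    "May 18 04:04:05 xenophobe kernel: Packet log: input DENY eth1 PROTO=17 193.15.225.97:63760 63.203.219.82:500 L=772 S=0x00 I=35767 F=0x0000 T=113 (#36)",
    "May 18 04:10:11 xenophobe kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:2049 63.203.219.82:113 L=60 S=0x00 I=1 F=0x4000 T=52 (#36)",
]

if __name__ == "__main__":
    for (src, port, svc), n in summarize(SAMPLE).most_common():
        print("%-16s -> %-9s %-18s x%d" % (src, port, svc, n))
```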



Re: Got root?

2001-05-01 Thread Brandon High

On Sun, Apr 29, 2001 at 07:19:06AM -0400, Sunny Dubey wrote:
 
 I know that UNIX does it so that normal users can't seem like legit and 
 important services, but there surely must be some better way of delegating a 
 port below 1024 to a deamon.

*DISCLAIMER* I do not know exactly what I'm talking about. Large grains of
salt recommended to aid in digestion.

To the best of my knowledge, root access is only required in order to bind
to a privileged port. A process does not need to be running as root in
order to communicate using a privileged port. I believe that this
restriction is in place so that a daemon running on a privileged port not
only has to have access to the port, but can be protected by stricter access
on a system (eg: having the binaries 0500 and owned root:root.) It's
conceivable (to me at least) that a non-root owned file could be compromised
by another non-root process, but with your proposal it would still be
allowed to bind to a port.

A good example of execute and chuser is Apache. It has to be executed as
root, but immediately chuser's to non-root once binding. I suppose there is
some risk involved in this scheme, but I'm too caffeine-addled to think of
anything now.

inetd should probably be (or has been?) re-written such that it chuser's
before exec'ing to remove the dependency on the application acting in a
proper manner. I think all of us can agree that an application, especially a
daemon servicing the unwashed masses on the net, should run with the
minimal permissions required to get the job done. ftp might be a problem,
since I believe all or most daemons run as root until the user is
authenticated, then chuser. (This is also where most of the security holes
in ProFTP, wu-ftp, and others arise.) Since we're dreaming pipe dreams, we
may as well hope for system call ACLs that would allow a non-root daemon
running as uid 'ftpd' to chuser to another non-root uid. I think that some
OS's have this ability.

Not everything uses inetd though. Other services (such as http) would still
be dependent on quality coding to avoid compromise.

Did I make any sense?

-- 
Brandon High [EMAIL PROTECTED]
The careful application of terror is also a form of communication.
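
The Apache pattern described above (bind while root, then give up root)
has a few details that matter: the socket stays usable after the drop, the
supplementary groups and gid have to go before the uid, and a correct drop
cannot be undone, which is worth checking rather than assuming. The code
below is an added example, not from the thread, showing that ordering. Port
0 asks the kernel for an ephemeral port so it also runs unprivileged; as
root, run_isolated(80) binds port 80 and ends up as uid 65534 (nobody).

```python
import os
import socket

def bind_then_drop(port, uid=65534, gid=65534):
    """Bind while privileged, then give up root. Returns (socket, bound port,
    effective uid after the drop, whether setuid(0) still works)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))      # port < 1024 needs root (or CAP_NET_BIND_SERVICE)
    sock.listen(5)
    bound_port = sock.getsockname()[1]  # the descriptor stays usable after the drop

    if os.geteuid() == 0:
        os.setgroups([])                # supplementary groups first: they are root's
        os.setgid(gid)                  # gid before uid, or we lose the right to change it
        os.setuid(uid)                  # as root this sets real, effective AND saved uid

    # A correct drop is irreversible. Verify it instead of assuming it.
    try:
        os.setuid(0)
        can_regain_root = True
    except PermissionError:
        can_regain_root = False
    return sock, bound_port, os.geteuid(), can_regain_root

def run_isolated(port, uid=65534, gid=65534):
    """Run bind_then_drop() in a forked child so the caller keeps its own
    privileges; report (bound port, euid, can_regain_root) back over a pipe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                        # child
        os.close(r)
        try:
            sock, bound, euid, regain = bind_then_drop(port, uid, gid)
            os.write(w, ("%d %d %d" % (bound, euid, int(regain))).encode())
            sock.close()
        finally:
            os._exit(0)
    os.close(w)                         # parent
    data = b""
    while True:
        chunk = os.read(r, 64)
        if not chunk:
            break
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    bound, euid, regain = (int(x) for x in data.split())
    return bound, euid, bool(regain)

if __name__ == "__main__":
    port, euid, regain = run_isolated(0)
    print("bound port %d, now uid %d, root regainable: %s" % (port, euid, regain))
```

The check at the end is the point: a daemon that only calls seteuid(), or
that drops the uid but keeps root's saved uid or groups, reports
can_regain_root as True, and an attacker who gets code execution in it is
root again with one syscall.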








Re: MD5 sums of individual files?

2001-04-18 Thread Brandon High

On Wed, 18 Apr 2001, Michael Boman wrote:

 Is there a repository of MD5 sums for single files in a package?

Look under /var/lib/dpkg/info/*.md5sums 

I don't know if there is an automated method of verifying that the sums
match currently installed files though.

-B

-- 
Brandon High [EMAIL PROTECTED]
If at first you don't succeed, destroy all evidence that you tried.


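A checker for the /var/lib/dpkg/info/*.md5sums lists mentioned above, as an added example that is not code from the original post or from dpkg. It assumes the md5sum(1) line format those files use: a 32-character hex digest, a separator of two spaces (or space-asterisk for binary mode), and a path relative to /. The demo builds a throwaway root with one intact, one modified and one missing file, which is constructed test data rather than anything from the page. Bear in mind that the .md5sums files live on the same disk as the binaries they describe, so on a compromised host they can have been rewritten too; for a real audit compare against digests from a pristine copy of the .deb.

```python
"""Verify installed files against a dpkg .md5sums list.

Added example, not code from the original post or from dpkg. Assumes the
md5sum(1) format: "<32 hex chars>  <path relative to />" per line.
"""
import hashlib
import os
import re
import shutil
import tempfile

MD5SUMS_DIR = "var/lib/dpkg/info"
# Two-space separator, or " *" for md5sum's binary mode; both occur in practice.
ENTRY = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_md5sums(text):
    """Yield (expected_hex, relative_path) pairs, rejecting malformed lines
    rather than silently skipping them (a skipped entry is an unchecked file)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError("malformed md5sums entry: %r" % line)
        yield m.group(1).lower(), m.group(2)


def md5_of_file(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_md5sums(text, root="/"):
    """Return {relative_path: "OK" | "FAILED" | "MISSING"}."""
    results = {}
    for expected, rel in parse_md5sums(text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results


def verify_package(name, root="/"):
    """Verify one installed package, e.g. verify_package("bash")."""
    with open(os.path.join(root, MD5SUMS_DIR, name + ".md5sums")) as f:
        return verify_md5sums(f.read(), root)


def demo():
    """Constructed fixture: fake root with an intact, a tampered and an absent
    file, all listed with the digest of the original contents."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "usr/bin"))
        with open(os.path.join(root, "usr/bin/intact"), "wb") as f:
            f.write(b"original contents\n")
        with open(os.path.join(root, "usr/bin/tampered"), "wb") as f:
            f.write(b"replaced contents\n")
        good = hashlib.md5(b"original contents\n").hexdigest()
        listing = "\n".join([good + "  usr/bin/intact",
                             good + "  usr/bin/tampered",
                             good + " *usr/bin/absent", ""])
        return verify_md5sums(listing, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(status, path)
```

On a real system `verify_package("bash")` walks that package's list; anything reported FAILED or MISSING deserves a look, while OK only means the file matches what the package manager recorded.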





Packet filtering help

2001-04-09 Thread Brandon High
I've tightened my filtering rules recently, but have a few questions
regarding TCP SYN packets and ICMP packets.

Supposing I'm ACCEPTing on TCP ports 22, 25 and 80.
I am ACCEPTing all packets for these 3 ports.
I am ACCEPTing non-SYN for ports > 1023
I am DENYing for all other packets.

How should ICMP packets be filtered? I was blocking them all, but I was
getting a lot of traffic in my logs like:
kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 L=56 
S=0x00 I=25760 F=0x T=243 (#27)
kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 L=60 
S=0x00 I=65280 F=0x T=15 (#5)

I'm currently allowing ICMP to and from ports 0, 3 and 8. I'm just afraid
that I'm breaking a few RFCs doing this.

Also...

Is it a better idea to DENY or REJECT? What does Ye Olde RFC recommend?
Which is safer?

-B

-- 
Brandon High [EMAIL PROTECTED]
Stress is when you wake up screaming & you realize you haven't fallen
asleep yet.
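A decoder for the ipchains log lines quoted above, as an added example that is not code from the original post or from ipchains. In those lines the two fields that look like ports are, for PROTO=1, the ICMP type (after the source address) and the ICMP code (after the destination), so the first line is a type 3 code 3 "port unreachable" reply and the second a type 8 echo request. The parser embeds the two lines from the post as its sample input, keeps the author's redacted local address, and sorts ICMP into error messages a host relies on (types 3, 11, 12: without them connections to closed ports and oversized packets hang instead of failing fast) and echo traffic that is a policy choice; the type and code names are the RFC 792 ones.

```python
"""Decode ipchains "Packet log" lines and name the ICMP type and code.

Added example, not code from the original post or from ipchains.
"""
import re

# The two lines quoted in the post above (local address redacted as written).
SAMPLE_LOG = """\
kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 L=56 S=0x00 I=25760 F=0x T=243 (#27)
kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 L=60 S=0x00 I=65280 F=0x T=15 (#5)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]*) T=(?P<ttl>\d+)(?: \((?P<rule>#\d+)\))?"
)

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded",
              12: "parameter-problem"}
UNREACHABLE_CODES = {0: "net-unreachable", 1: "host-unreachable",
                     2: "protocol-unreachable", 3: "port-unreachable",
                     4: "fragmentation-needed", 5: "source-route-failed"}
# ICMP error messages normal operation depends on; dropping them silently is
# what turns a quick "connection refused" into a long hang.
ICMP_ERRORS_TO_ACCEPT = {3, 11, 12}


def parse_line(line):
    """Parse one log line into a dict, or None if it is not an ipchains entry.
    For ICMP the pseudo-port fields are renamed to icmp_type / icmp_code."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    if rec["proto"] == 1:
        rec["icmp_type"], rec["icmp_code"] = rec.pop("sport"), rec.pop("dport")
    return rec


def describe_icmp(icmp_type, icmp_code):
    name = ICMP_TYPES.get(icmp_type, "type-%d" % icmp_type)
    if icmp_type == 3:
        name += "/" + UNREACHABLE_CODES.get(icmp_code, "code-%d" % icmp_code)
    elif icmp_code:
        name += "/code-%d" % icmp_code
    return name


def classify(rec):
    """'error' for ICMP a host should let in, 'echo' for ping traffic that is
    a local policy decision, 'other' for everything else."""
    if rec["icmp_type"] in ICMP_ERRORS_TO_ACCEPT:
        return "error"
    if rec["icmp_type"] in (0, 8):
        return "echo"
    return "other"


def summarize(log_text):
    """(source, description, class, rule) for every ICMP entry in the log."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == 1:
            rows.append((rec["src"], describe_icmp(rec["icmp_type"], rec["icmp_code"]),
                         classify(rec), rec["rule"]))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```

Feeding a day of DENY logs through `summarize` shows at a glance how much of the dropped ICMP was error feedback the host itself provoked (the type 3 replies come back in response to the host's own outbound traffic) versus inbound pings, which is the split the filtering decision actually turns on.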



Ports to block?

2001-04-05 Thread Brandon High

Does anyone have a recommendation of ports that should be blocked (via
ipchains/netfilter/etc) to make a system more secure?

In light of the recent security holes, I did a netstat -an, then lsof -i for
all ports that were listening and/or UDP. I put a filter in the way of
everything that I didn't want externally visible, but UDP port 1028 shows
nothing listening in lsof. I blocked it out of principle, but does anyone know
what it might be?

-B

-- 
Brandon High [EMAIL PROTECTED]
We are Homer of Borg. Resistance is ... Ooo! Donuts!



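The inventory the post describes doing by hand with netstat -an and lsof -i, as an added example that is not code from the original post, netstat or lsof. It reads the kernel's /proc/net/tcp and /proc/net/udp tables (IPv4 addresses there are hex, little-endian) and maps each socket inode to the processes holding it by scanning /proc/<pid>/fd, which is exactly where a "port open but nothing in lsof" gap shows up: a bound socket whose inode no readable fd directory points to. The embedded tables are constructed sample data, and the UDP 1028 listener in them is hypothetical, chosen only to mirror the port asked about.

```python
"""List listening sockets from /proc/net/tcp and /proc/net/udp and map them to
owning processes, the way netstat -an and lsof -i do.

Added example, not code from the original post, netstat or lsof.
"""
import glob
import os

# Constructed sample tables in the kernel's column layout (hypothetical data).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1
   1: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000    33        0 9002 1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0404 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9003 2
"""

TCP_LISTEN = "0A"   # TCP_LISTEN
UDP_BOUND = "07"    # UDP sockets report TCP_CLOSE; any bound one receives


def hex_addr(field):
    """'0100007F:0035' -> ('127.0.0.1', 53); the IPv4 word is little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_table(text, proto):
    """Rows of one /proc/net table as dicts (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue
        ip, port = hex_addr(cols[1])
        rows.append({"proto": proto, "ip": ip, "port": port, "state": cols[3],
                     "uid": int(cols[7]), "inode": int(cols[9])})
    return rows


def listening(rows):
    return [r for r in rows
            if (r["proto"] == "tcp" and r["state"] == TCP_LISTEN)
            or (r["proto"] == "udp" and r["state"] == UDP_BOUND)]


def socket_owners(proc="/proc"):
    """Map socket inode -> pids holding it, from /proc/<pid>/fd links.
    Reading other users' fd directories normally requires root."""
    owners = {}
    for link in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(link)
        except OSError:
            continue
        if target.startswith("socket:["):
            inode = int(target[len("socket:["):-1])
            owners.setdefault(inode, []).append(int(link.split(os.sep)[-3]))
    return owners


def inventory(tcp_text, udp_text, owners=None):
    """(proto, ip, port, uid, pids) per listening socket; pids is [] when no
    readable process holds the inode, which is what "nothing in lsof" means."""
    owners = owners or {}
    rows = listening(parse_table(tcp_text, "tcp") + parse_table(udp_text, "udp"))
    return [(r["proto"], r["ip"], r["port"], r["uid"], owners.get(r["inode"], []))
            for r in rows]


def live_inventory():
    """Same report for the running system."""
    with open("/proc/net/tcp") as t, open("/proc/net/udp") as u:
        return inventory(t.read(), u.read(), socket_owners())


if __name__ == "__main__":
    for row in inventory(SAMPLE_TCP, SAMPLE_UDP, {9003: [4242]}):
        print(*row)
```

Run `live_inventory()` as root to get the full picture; as an ordinary user the pid column stays empty for other users' daemons because their fd directories are not readable, which is one benign explanation for a listener that lsof appears not to know about.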



