Re: Things to watch on my server
On Fri, Jun 07, 2002 at 03:14:23PM +0200, Wouter van Gils wrote:

Well, you could stop looking at log files, and let logcheck do it for you :)

  apt-get install logcheck

You might also want a Network Intrusion Detection System -- snort

  apt-get install snort

And you can also install AIDE. It's a clone of tripwire that checks for changes in files. Useful on a box that does not have a lot of 'activity'.

--
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Disinformation is not as good as datinformation.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
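What AIDE does, boiled down to a runnable sketch. This is an added example, not code from the post above or from the AIDE project: it hashes every regular file under a directory into a baseline, then reports what was added, removed or changed (content, size or permission bits) on a later scan. The directory tree it checks and the tampering it detects are constructed inside the script.

```python
# Added example, not code from the original post: a minimal AIDE/tripwire-style
# integrity check. build_baseline() records sha256, size and mode for every
# regular file under a directory; compare() diffs a fresh scan against that
# baseline and reports added, removed and changed paths. The directory tree
# in demo() is constructed to show one tamper of each kind.
import hashlib
import json
import os
import stat
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file (relative path) under root to its hash, size and permission bits."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, handy when the baseline is diffed as text
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mode": "%04o" % stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
            }
    return baseline

def compare(baseline, current):
    """Return which paths appeared, disappeared, or changed in content, size or mode."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def save_baseline(baseline, path):
    # Keep this file (and the checker itself) off the monitored host or on
    # read-only media: an intruder who can rewrite the baseline hides every change.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def _write(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(os.path.join(root, "sbin", "login"), b"original login binary\n", 0o755)
        _write(os.path.join(root, "bin", "ls"), b"original ls binary\n", 0o755)
        _write(os.path.join(root, "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Tampering: a second uid-0 account, a world-writable login binary,
        # a dropped-in hidden file, and a removed tool.
        with open(os.path.join(root, "passwd"), "ab") as fh:
            fh.write(b"toor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "sbin", "login"), 0o777)
        _write(os.path.join(root, "sbin", ".hidden"), b"payload\n")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare(load_baseline(db), build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

Run it as-is to see the three kinds of report (added, removed, changed) on the constructed tree. The reason the real tools insist on keeping the database and their binaries on read-only media applies here too: a baseline the intruder can rewrite proves nothing.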
Re: stat=I/O error: Input/output error in Sendmail on Debian
(2002-05-06) Informasjon sed :
| Hello!
|
| Can anyone help me find a solution to this message I get in my logfile in Sendmail.
|
| stat=I/O error: Input/output error
|
| It happens only when I send to one special host/recipient.
|
| Please!
|
| Stian Kristoffersen

I had this recently with a bogus procmailrc file (piping to a non-existent program).

By the way, you're perhaps not on the appropriate list.

--
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Useless Invention: Fireproof cigarettes.
RE: Hacked too?
(2002-01-12) Igor Balusov sed :
| What does this mean:
| If you're running PortSentry/klaxon or another program that binds itself to
| unused ports probably chkrootkit will give you a false positive on the
| bindshell test (ports .. 31336/tcp, 31337/tcp ...).?
| It is from http://www.chkrootkit.org/
| Is my PC really hacked or not? How can I determine it?
| When I run netstat -an I get
| udp        0      0 0.0.0.0:31337           0.0.0.0:*
| How can I stop this?
| Billy

fuser -n udp 31337 will give you the PID of the process listening on port 31337. Then with ps you will be able to discover the process hiding behind it. Otherwise, lsof is your friend too :)

--
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Bored? Drive the speed limit... in your garage.
Re: How do I disable (close) ports?
(2001-12-04) J. Paul Bruns-Bielkowicz sed :
| Hi,
| I disabled all but a few ports in /etc/services, but I have
| tcp        0      0 pa237.olsztyn.sdi.t:111 80.116.215.37:1064      ESTABLISHED
| when I netstat my machine. What exactly does this mean? I just want
| 25/tcp   open  smtp
| 37/tcp   open  time
| 66/tcp   open  sql*net
| 80/tcp   open  http
| 110/tcp  open  pop-3
| 443/tcp  open  https
| 3306/tcp open  mysql
| open. How can I close ports 111 and 859? They are not enabled in
| /etc/services
| Thanks,
| J. Paul Bruns-Bielkowicz
| http://www.america.prv.pl

Gasp. You can't disable services just by removing them from the /etc/services file. This file is just there to say that a port is known for that service, and most of the time you don't delete entries in it (you can add some if you want :) ). It's just here to be a database of well-known ports.

Port 111 belongs to the portmapper. To remove it, just apt-get remove portmap.

Port 859 is not known. It's surely an rpc.*d which listens on it, as the rpc daemons seem not to have fixed ports.

If you want to know which process uses which port, you can netstat -pan, or fuser -n tcp port.

By the way, would you mind not posting public IPs on the ML? Some people would kill you for doing that :-)

--
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
And they shall plow their swords into beach chairs.
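This thread and the 31337 one before it both come down to the same question: which process owns a socket? The added example below (not code from either post) does what netstat -pan and fuser -n tcp PORT do under the hood on Linux: it decodes /proc/net/tcp and /proc/net/udp, flags waiting sockets whose ports are not on an allow list, and maps a socket inode back to a PID through the /proc/<pid>/fd symlinks. The two socket tables and the fake /proc tree it reads are constructed; the allow list is the set of ports the poster wanted open.

```python
# Added example, not code from the original posts: decode the kernel socket
# tables (/proc/net/tcp and /proc/net/udp) the way netstat -an does, list
# the sockets that are waiting for input, flag any port that is not on an
# explicit allow list, and map a socket inode back to its owning process via
# /proc/<pid>/fd, which is what "fuser -n tcp PORT" and "netstat -p" rely on.
# The two tables and the fake /proc tree below are constructed for the demo.
import os
import tempfile

TCP_LISTEN = "0A"  # tcp state code for LISTEN (see include/net/tcp_states.h)
UDP_BOUND = "07"   # a bound UDP socket is reported in state TCP_CLOSE (07)

# Constructed /proc/net/tcp: smtp, http, sunrpc (111), an rpc daemon on 859,
# mysql bound to loopback only, and one ESTABLISHED connection to port 111.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:035B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 1005 1 0000000000000000 100 0 0 10 0
   5: 8A02000A:006F 0A0200C0:0428 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 0000000000000000 20 4 30 10 -1
"""
# Constructed /proc/net/udp: a socket bound to 31337 (the chkrootkit
# bindshell test port) and the portmapper's UDP side.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:7A69 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2001 2 0000000000000000 0
   1: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2002 2 0000000000000000 0
"""

def decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22): the kernel prints the IPv4 address little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)

def parse_socket_table(text, proto):
    """Return the sockets waiting for input: state LISTEN for tcp, bound (07) for udp."""
    want = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != want:
            continue
        ip, port = decode_addr(f[1])
        rows.append({"proto": proto, "ip": ip, "port": port, "uid": int(f[7]), "inode": int(f[9])})
    return rows

def unexpected_listeners(tcp_text, udp_text, allowed_tcp, allowed_udp=()):
    """Sorted (proto, ip, port) for every waiting socket whose port is not allow-listed."""
    found = parse_socket_table(tcp_text, "tcp") + parse_socket_table(udp_text, "udp")
    bad = []
    for s in found:
        allowed = allowed_tcp if s["proto"] == "tcp" else allowed_udp
        if s["port"] not in allowed:
            bad.append((s["proto"], s["ip"], s["port"]))
    return sorted(bad)

def find_socket_owner(inode, proc_root="/proc"):
    """Map a socket inode to (pid, command) by reading /proc/<pid>/fd symlinks.
    Seeing other users' descriptors needs root, exactly as with fuser and netstat -p."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # not our process, or it already exited
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) != target:
                    continue
            except OSError:
                continue
            try:
                with open(os.path.join(proc_root, pid, "comm")) as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = "?"
            return int(pid), comm
    return None

def demo_owner():
    """Constructed /proc look-alike: PID 4242 ('portsentry') holds socket inode 2001."""
    with tempfile.TemporaryDirectory() as fake:
        os.makedirs(os.path.join(fake, "1", "fd"))  # unrelated process, no sockets
        os.makedirs(os.path.join(fake, "4242", "fd"))
        os.symlink("socket:[2001]", os.path.join(fake, "4242", "fd", "3"))
        with open(os.path.join(fake, "4242", "comm"), "w") as fh:
            fh.write("portsentry\n")
        return find_socket_owner(2001, fake)

if __name__ == "__main__":
    # The allow list is the set of ports the poster in the portmapper thread wanted open.
    wanted_tcp = {25, 37, 66, 80, 110, 443, 3306}
    for proto, ip, port in unexpected_listeners(SAMPLE_TCP, SAMPLE_UDP, wanted_tcp):
        print("unexpected: %s %s:%d" % (proto, ip, port))
    print("inode 2001 belongs to", demo_owner())
```

To use it on a live box, feed parse_socket_table() the contents of the real /proc/net/tcp and /proc/net/udp and call find_socket_owner() with the default /proc root, as root. One caveat that applies to fuser, lsof and netstat just as much as to this script: all of them trust the kernel's view of /proc, and a kernel-level rootkit can hide entries from it, which is why chkrootkit cross-checks /proc against what ps reports rather than trusting either alone.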
Re: FTP and security
(2001-11-09) Jari Eskelinen sed :
| While we're on the subject, is there an OpenSSH port of SFTP?
|
| openssh has a sftp subsystem, yes.
|
| How about an sftp client with a decent (G)UI, is there one (for Linux,
| preferably for Debian)? OpenSSH's sftp client is pathetic. How can you even
| upload/download whole subdirectories with it?

Hum, using the port forwarding of ssh, it's easy. Just ssh -L 2000:remote_host:21 remote_host, then use any ftp client you want to connect on port 2000 of localhost.

--
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Does killing time damage eternity?
Re: [Fwd: Virus found in sent message ?????????????????????3????]
(2001-09-24) Haris Sehic sed :
| On Mon, Sep 24, 2001 at 07:39:13PM +0200, Enrique de la Torre wrote:
| > Do you know if it can infect my debian box?
| >
| > Thanks,
| > Enrique
|
| only if you have VB installed
|
| ---snip---
|
| script language='VBScript'
|
| ---snip---
|
| bye
|
| Haris

Or perhaps if you have wine (did you read /. today :D ?)

--
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
The only thing shorter than a weekend is a vacation.
Re: i am experincing intrusion attempts
(2001-09-18) [EMAIL PROTECTED] sed :
| I need to trace the person who is hitting on my pc 40 times a day.
| Any ideas?
| Drew

Watching the logs, using snort, traceroute, whois, and host, you should be able to locate him, or at least his ISP. And after that, report to abuse or something like that.

I think it's in the FAQ. If not, it's an error. If yes, you should have read it.

It's amazing the number of scans we can watch these days... If those stupid guys stopped that, the Internet could be faster. And I wouldn't be flooded by logchecks...

--
VALLIET Emmanuel
If all you have is a hammer, everything looks like a nail
Re: New IIS worm
(2001-09-18) Emmanuel Valliet sed :
|
| I know we don't care on linux, but I have really a lot of hits from
| machines querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
| And it starts to make a lot of apache children, and the overall load
| grows accordingly.
| Is there a way to protect from that ?
| Using an apache configuration trick ?
| Or blacklisting and using some firewall rules behind ?
| If anyone knows how to do it, or has already done the script that kicks
| these infected servers, it could interest me...

Hum, doing a script that parses the logs and catches the bad servers was easy. But I didn't realize that the infection could be that big and quick. Euh, can ipchains or iptables support some 1500 more denying rules? I don't think so...

Anyway, it doesn't matter, my apache servers seem to survive the flood, I'm just happy to have a big CPU and lots of mem.

Just the script, if you want to count the worm hits on your box: (really not a piece of art)

#!/usr/bin/perl
# Reads an Apache access log on stdin (or from the files given as arguments)
# and prints each distinct host that probed for cmd.exe, once.
use strict;
my %bannlist;
while (<>) {
    next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
    my $host = $1;
    next if $bannlist{$host};
    $bannlist{$host} = 1;
    # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
    print "Worm victim: $host\n";
}

--
VALLIET Emmanuel ! http://www.webmotion.com
Webmotion Inc. ! mailto:[EMAIL PROTECTED]
Oxymoron: Stuck in traffic.
New IIS worm
I know we don't care on linux, but I have really a lot of hits from machines querying for the ..%%35c../winnt/system32/cmd.exe and Cie. And it starts to make a lot of apache children, and the overall load grows accordingly.

Is there a way to protect from that ? Using an apache configuration trick ? Or blacklisting and using some firewall rules behind ?

If anyone knows how to do it, or has already done the script that kicks these infected servers, it could interest me...

--
VALLIET Emmanuel ! http://www.webmotion.com
Webmotion Inc. ! mailto:[EMAIL PROTECTED]
Famous last words - Jesus Christ: Father, beam me up.
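For the question above, and the Perl scanner in the reply that precedes it, here is an added Python example, not code from either post. It generalises the script's single pattern: each request path is percent-decoded twice before matching, so the ..%%35c.. form quoted above (which only turns into ..\.. after a second decode), an overlong-UTF-8 variant, and the plain /winnt/system32/cmd.exe probes all hit the same rule. It counts hits per source host and returns iptables rules as strings for review instead of running them. The log lines are constructed; 10.0.2.138 is the server address from the original script.

```python
# Added example, not code from the original posts: a Python counterpart to the
# Perl scanner above. Each request path is percent-decoded twice before
# matching (the "..%%35c.." form in the question only becomes "..\.." after a
# second decode), hosts are de-duplicated with a hit count, and the firewall
# rules are returned as strings for review rather than executed.
# The log lines are constructed; 10.0.2.138 is the server address used in the
# original script.
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "method path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')
# After decoding, every probe either walks up with ".." or names the winnt tree,
# and always ends up asking for cmd.exe.
PROBE_RE = re.compile(r'(\.\.|/winnt/|/system32/).*cmd\.exe', re.IGNORECASE)

SAMPLE_LOG = """\
192.0.2.7 - - [18/Sep/2001:09:12:01 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
192.0.2.7 - - [18/Sep/2001:09:12:02 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
198.51.100.23 - - [18/Sep/2001:09:13:44 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.0.113.5 - - [18/Sep/2001:09:14:02 +0200] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [18/Sep/2001:09:14:03 +0200] "GET /images/logo.gif HTTP/1.0" 200 2048
"""

def decode_twice(path):
    """Undo one, then a second, layer of %-encoding and normalise backslashes to '/'."""
    return unquote(unquote(path)).replace("\\", "/")

def is_probe(path):
    return PROBE_RE.search(decode_twice(path)) is not None

def scan(lines):
    """Return {source_host: number_of_probe_requests}, in first-seen order."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, method, path, _status = m.groups()
        if method == "GET" and is_probe(path):
            hits[host] = hits.get(host, 0) + 1
    return hits

def block_rules(hosts, dst="10.0.2.138", dport=80):
    """iptables equivalents of the commented-out ipchains line in the original script."""
    return ["iptables -A INPUT -p tcp -s %s -d %s --dport %d -j DROP" % (h, dst, dport)
            for h in hosts]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for host, n in hits.items():
        print("Worm victim: %s (%d hits)" % (host, n))
    print("\n".join(block_rules(hits)))
```

Matching on the decoded path is the point: a rule that looks for the literal string winnt in the raw log, as the Perl version does, misses nothing in this sample only because the worm never encodes that part. Review the host list before applying the rules; every entry is an infected server rather than a person, and it keeps scanning whether or not it can still reach you.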
Re: Secure Network Filesystem
(2001-08-28) Alisson Sellaro sed :
| Hi there folks
|
| I'm planning a modification in the network of my department
| here. We have a pretty standard lay-out with a DMZ and a
| screened subnet firewalling schema (two firewalls, one from
| outside to our DMZ and other from the DMZ to our Intranet). The
| point is: we are with new requirements of sharing some
| filesystems across the network (Intranet and DMZ).
|
| I would like to know from you what is suggested in terms of use
| X security. I really would not like to use NFS. Any clues? Coda?
|
| Thanks in advance

If you just want to encrypt the traffic, you can use tcfs, which is client-side oriented, and which you use over NFS.

Otherwise, you can do a VPN, with 2 or more boxes you buy, put between the clients and the server. I don't have any name in mind, but I think you can find things like this in blackbox...

Last but not least, you can build a VPN using linux boxes and ipsec, using freeS/WAN (http://www.freeswan.org). That works fine.

--
VALLIET Emmanuel ! http://www.webmotion.com
Webmotion Inc. ! mailto:[EMAIL PROTECTED]
I like cats, but I don't think I could eat a whole one.
Re: apt-get do not douwnload new packages announced in debian-security-announce
-. Alberto Cortés (2001-08-09) :
| I have a little problem with apt-get, I think I am not doing it the
| proper way.
|
| When there is an announcement that a certain package has a bug (like
| gnupg v1.0.5) you can read on www.debian.org that there is a new
| package to download (1.0.6-0potato1). That's OK, but I can't download it
| with my apt-get, maybe I am not using the correct sources, my
| sources.list looks like this:
|
| deb http://http.us.debian.org/debian stable main contrib non-free
| deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
|
| What are the official sources if you want to have an up to date,
| secure system?

Mhh, just 2 clicks, and: http://www.debian.org/security/ :

  You may find it convenient to use apt to get the latest security updates.
  This requires a line such as

    deb http://security.debian.org/ potato/updates main contrib non-free

  in your /etc/apt/sources.list file.

You can also put

  deb http://security.debian.org/debian-non-US potato/non-US main contrib non-free

I have this line too, but I think it's the same as the one before:

  deb http://security.debian.org/debian-security potato/updates main contrib non-free

--
VALLIET Emmanuel ! http://www.webmotion.com
Webmotion Inc. ! mailto:[EMAIL PROTECTED]
The Majority is never right unless it includes me.