Re: Things to watch on my server

2002-06-07 Thread Emmanuel Valliet
On Fri, Jun 07, 2002 at 03:14:23PM +0200, Wouter van Gils wrote:
 Well, you could stop looking at log files, and let logcheck do it for
 you :)
 
 apt-get install logcheck
 
 You might also want a Network Intrusion Detection System -- snort
 
 apt-get install snort

And you can also install AIDE. It's a clone of tripwire that checks for
changes in files. Useful on a box that does not have a lot of
'activity'.

-- 
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Disinformation is not as good as datinformation.
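Added example, not code from this thread or from AIDE: a minimal file-integrity checker in Python that does what AIDE and tripwire do, recording owner, mode, size, mtime and a SHA-256 of every file under chosen roots into a baseline and diffing a later walk of the same tree against it. The roots and the baseline path in the usage are assumptions.

```python
import hashlib
import json
import os
import stat

# Added example (not AIDE's own code). The baseline location below is a
# hypothetical path; pass the directories to watch on the command line.
BASELINE_PATH = "/var/lib/integrity/baseline.json"


def file_record(path):
    """Attributes worth alarming on when they change for a system file."""
    st = os.lstat(path)                      # lstat: never follow symlinks
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)    # a redirected symlink is a change too
    return rec


def build_baseline(roots):
    """Walk each root (symlinked directories are not followed) and record every file."""
    baseline = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    baseline[path] = file_record(path)
                except OSError:
                    continue                 # vanished or unreadable; skip it
    return baseline


def compare(old, new):
    """Paths added, removed, or whose recorded attributes differ between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        keys = sorted(set(old[path]) | set(new[path]))
        diffs = [k for k in keys if old[path].get(k) != new[path].get(k)]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    # integrity.py init /etc /bin /sbin     -> write the baseline
    # integrity.py check /etc /bin /sbin    -> report differences since then
    mode, roots = sys.argv[1], sys.argv[2:]
    if mode == "init":
        save_baseline(build_baseline(roots), BASELINE_PATH)
    else:
        report = compare(load_baseline(BASELINE_PATH), build_baseline(roots))
        print(json.dumps(report, indent=1))
```

Keep the baseline somewhere the host itself cannot rewrite (read-only media or another machine): an attacker who gets root can regenerate it, so the storage of the baseline, not the hashing, is the hard part of running such a tool.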


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: stat=I/O error: Input/output error in Sendmail on Debian

2002-05-06 Thread Emmanuel Valliet

(2002-05-06) Informasjon sed :

 | Hello!
 |
 |
 | Can anyone help me find a solution to this message I get in my logfile in Sendmail.
 |
 |  stat=I/O error: Input/output error
 |
 | It happens only when I send to one special host/recipient.
 |
 | Please!
 |
 | Stian Kristoffersen


I had this recently with a bogus procmailrc file (piping to a
non-existent program).

By the way, you're perhaps not on the appropriate list.

-- 
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Useless Invention: Fireproof cigarettes.






RE: Hacked too?

2002-01-11 Thread Emmanuel Valliet

(2002-01-12) Igor Balusov sed :

 | What does this mean:
 | If you're running PortSentry/klaxon or another program that binds itself to
 | unused ports probably chkrootkit will give you a false positive on the
 | bindshell test (ports .. 31336/tcp, 31337/tcp ...).?
 | It is from http://www.chkrootkit.org/
 | Is my PC really hacked or not? How can I determine it?
 | When I run netstat -an I get
 | udp        0      0 0.0.0.0:31337           0.0.0.0:*
 | How can I stop this?
 | Billy

fuser -n udp 31337 will give you the PID of the process listening on
port 31337.
Then with ps you will be able to discover the process hiding behind it.
Otherwise, lsof is your friend too :)

-- 
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Bored? Drive the speed limit... in your garage.







Re: How do I disable (close) ports?

2001-12-04 Thread Emmanuel Valliet

(2001-12-04) J. Paul Bruns-Bielkowicz sed :

 | Hi,
 | I disabled all but a few ports in /etc/services, but I have
 | tcp        0      0 pa237.olsztyn.sdi.t:111 80.116.215.37:1064      ESTABLISHED
 | when I netstat my machine. What exactly does this mean? I just want
 | 25/tcp     open   smtp
 | 37/tcp     open   time
 | 66/tcp     open   sql*net
 | 80/tcp     open   http
 | 110/tcp    open   pop-3
 | 443/tcp    open   https
 | 3306/tcp   open   mysql
 | open. How can I close ports 111 and 859? They are not enabled in
 | /etc/services
 | Thanks,
 | J. Paul Bruns-Bielkowicz
 | http://www.america.prv.pl

Gasp. You can't disable services just by removing them from the
/etc/services file. This file is just there to say which port is known
to be used by which service, and most of the time you don't delete
entries in it (you can add some if you want :) ). It's just here to be
a database of well-known ports.
Port 111 belongs to the portmapper. To remove it, just apt-get
remove portmap.
Port 859 is not a known one. It's surely an rpc.*d which listens on it,
as the rpc daemons seem not to have fixed ports.
If you want to know which process uses which port, you can netstat
-pan, or fuser -n tcp port.

By the way, would you mind not posting public IPs on the ML? Some people
would kill you for doing that :-)

-- 
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
And they shall plow their swords into beach chairs.
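Added example, not from either message, showing in Python what `fuser -n PROTO PORT` and `netstat -pan` do under the hood on Linux: read /proc/net/tcp (or /proc/net/udp, tcp6, udp6) to find the socket inode bound to a port, then scan every /proc/<pid>/fd for the link `socket:[inode]` to get the owning PID. It serves both this message (ports 111 and 859) and the "RE: Hacked too?" message earlier on this page (udp 31337). The /proc text, inode numbers and PIDs in `SAMPLE_*` are constructed; the live `port_owner()` needs root to see other users' file descriptors.

```python
import os
import re

# Added example, not from the thread. SAMPLE_* are constructed: a
# /proc/net/tcp with one socket on 0.0.0.0:111 (hex 006F) held by inode
# 12345 and one on 127.0.0.1:859 (hex 035B) held by inode 67890, plus the
# socket:[inode] links that two hypothetical processes (PIDs 734 and 1021)
# would expose under /proc/<pid>/fd.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:035B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_FD_LINKS = {
    734: ["/dev/null", "socket:[12345]"],    # would be portmap
    1021: ["socket:[67890]", "/var/log/x"],  # would be some rpc.* daemon
}

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def inodes_on_port(proc_net_text, port):
    """Socket inodes whose local port is `port`, parsed from /proc/net/{tcp,udp,tcp6,udp6} text."""
    inodes = set()
    for line in proc_net_text.splitlines()[1:]:            # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)   # "addr:port", port in hex
        if local_port == port:
            inodes.add(int(fields[9]))                      # column 10 is the inode
    return inodes


def owners(inodes, fd_links):
    """PIDs whose fd table references one of `inodes`; fd_links is {pid: [link targets]}."""
    pids = set()
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.fullmatch(target)
            if m and int(m.group(1)) in inodes:
                pids.add(pid)
    return sorted(pids)


def read_fd_links():
    """Live {pid: [link targets]} from /proc; other users' processes need root."""
    fd_links = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue                     # EACCES, or the process already exited
        targets = []
        for name in names:
            try:
                targets.append(os.readlink(f"{fd_dir}/{name}"))
            except OSError:
                pass
        fd_links[int(entry)] = targets
    return fd_links


def port_owner(port, proto="tcp"):
    """What `fuser -n PROTO PORT` answers: PIDs holding a socket bound to PORT."""
    with open(f"/proc/net/{proto}") as f:
        inodes = inodes_on_port(f.read(), port)
    return owners(inodes, read_fd_links())


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 111
    proto = sys.argv[2] if len(sys.argv) > 2 else "tcp"
    for pid in port_owner(port, proto):
        with open(f"/proc/{pid}/cmdline", "rb") as f:       # what ps would show
            print(pid, f.read().replace(b"\0", b" ").decode(errors="replace").strip())
```

Run it as `port_owner.py 31337 udp` for the case in the other thread. The caveat for a box you suspect is compromised: this reads the same /proc the kernel serves to ps, netstat and fuser, so a kernel-level rootkit that filters /proc hides from all of them alike; an answer you trust comes from booting clean media or from a sniffer on another host.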







Re: FTP and security

2001-11-08 Thread Emmanuel Valliet
(2001-11-09) Jari Eskelinen sed :

 |   While we're on the subject, is there an OpenSSH port of SFTP?
 |  openssh has a sftp subsystem, yes.
 |
 | How about an sftp client with a decent (G)UI, is there one (for Linux,
 | preferably for Debian)? OpenSSH's sftp client is pathetic. How can you
 | even upload/download whole subdirectories with it?

Hum, using the port forwarding of ssh, it's easy.
Just ssh -L 2000:remote_host:21 remote_host, then use any ftp client
you want to connect to port 2000 on localhost.

-- 
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Does killing time damage eternity?



Re: [Fwd: Virus found in sent message ?????????????????????3????]

2001-09-24 Thread Emmanuel Valliet

(2001-09-24) Haris Sehic sed :

 | On Mon, Sep 24, 2001 at 07:39:13PM +0200, Enrique de la Torre wrote:
 |Do you know if it can infect my debian box?
 | 
 |   Thanks,
 | Enrique
 |
 | only if you have VB installed
 |
 | ---snip---
 |
 | <script language='VBScript'>
 |
 | ---snip---
 |
 |
 | bye
 |
 | Haris


Or perhaps if you have wine (did you read /. today :D ? )


-- 
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
The only thing shorter than a weekend is a vacation.



Re: i am experincing intrusion attempts

2001-09-18 Thread Emmanuel Valliet

(2001-09-18) [EMAIL PROTECTED] sed :

 | I need to trace the person who is hitting on my pc 40 times a day.
 | Any ideas?
 |  Drew

Watching the logs, using snort, traceroute, whois, and host, you
should be able to locate him, or at least his ISP. And after that,
report to abuse or something like that. I think it's in the FAQ. If
not, it's an error. If yes, you should have read it.

It's amazing the number of scans we can watch these days... If those
stupid guys stopped that, the Internet could be faster. And I wouldn't be
flooded by logchecks...

-- 
VALLIET Emmanuel
If all you have is a hammer, everything looks like a nail






Re: New IIS worm

2001-09-18 Thread Emmanuel Valliet

(2001-09-18) Emmanuel Valliet sed :

 |
 | I know we don't care on linux, but I have really a lot of hits from
 | machines querying for ..%%35c../winnt/system32/cmd.exe and co.
 | And it starts to make a lot of apache children, and the global load
 | grows accordingly.
 | Is there a way to protect from that ?
 | Using an apache configuration trick ?
 | Or blacklisting and using some firewall rules behind ?
 | If anyone knows how to do it, or has already done the script that kicks
 | these infected servers, it could interest me...

Hum, doing a script that parses the logs and catches the bad servers was
easy. But I didn't realize that the infection could be that big and
quick.

Er, can ipchains or iptables support more than 1500 deny rules?
I don't think so...

Anyway, it doesn't matter, my apache servers seem to survive the
flood, I'm just happy to have a big CPU and lots of memory.

Here is the script, if you want to count the worm hits on your box:
(really not a piece of art)

#!/usr/bin/perl
use strict;
use warnings;

# Reads Apache access log lines from stdin (or from the files given as
# arguments) and prints each distinct client that asked for cmd.exe.
my %bannlist;

while (<>) {
  next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd\.exe.*$/;
  my $host = $1;
  next if $bannlist{$host};
  $bannlist{$host} = 1;
#  system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
  print "Worm victim: $host\n";
}


-- 
VALLIET Emmanuel   !   http://www.webmotion.com
Webmotion Inc. !   mailto:[EMAIL PROTECTED]
Oxymoron: Stuck in traffic.




New IIS worm

2001-09-18 Thread Emmanuel Valliet

I know we don't care on linux, but I have really a lot of hits from
machines querying for ..%%35c../winnt/system32/cmd.exe and co.
And it starts to make a lot of apache children, and the global load
grows accordingly.
Is there a way to protect from that ?
Using an apache configuration trick ?
Or blacklisting and using some firewall rules behind ?
If anyone knows how to do it, or has already done the script that kicks
these infected servers, it could interest me...

-- 
VALLIET Emmanuel   !   http://www.webmotion.com
Webmotion Inc. !   mailto:[EMAIL PROTECTED]
Famous last words - Jesus Christ: Father, beam me up.
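Added example, not the Perl script from the reply above, covering both this question and that reply. It parses Apache access-log lines, but matches on the request path after normalising it the way the vulnerable IIS did (two rounds of %-decoding, so the `..%%35c..` in the question becomes `..%5c..` and then `..\..`, with backslashes treated as slashes), and so catches the other paths the 2001 worms used (/c/, /d/, /_vti_bin/, root.exe) that the `/scripts/...cmd.exe` regex misses. The log lines are constructed; the default `local_ip` is the address from the reply's commented-out ipchains line and is an assumption.

```python
import re
import sys
from urllib.parse import unquote

# Added example, not the original Perl script. Constructed Apache
# access-log lines: the first four are probe shapes from the Code Red II
# and Nimda families, including the double-encoded ..%%35c.. traversal the
# thread mentions; the last two are legitimate requests.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:12:01 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [18/Sep/2001:10:12:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [18/Sep/2001:10:13:44 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
203.0.113.42 - - [18/Sep/2001:10:14:09 +0200] "GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.55 - - [18/Sep/2001:10:15:00 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.56 - - [18/Sep/2001:10:15:01 +0200] "GET /images/cmd.exe.png HTTP/1.0" 200 512
"""

# Common/combined log format: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# What the worm is after, once the URL is normalised.
WORM_TARGETS = ("/winnt/system32/cmd.exe", "/root.exe")


def normalize_path(path):
    """Canonicalise the way the vulnerable IIS did: drop the query string,
    %-decode twice (so %%35c -> %5c -> backslash) and treat backslash as slash."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path)).replace("\\", "/").lower()


def is_worm_probe(path):
    """True when the decoded request path ends in one of the worm's targets."""
    return normalize_path(path).endswith(WORM_TARGETS)


def worm_sources(log_text):
    """{client_ip: hit_count} for every client whose GET decodes to a worm probe."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, method, path, _status = m.groups()
        if method == "GET" and is_worm_probe(path):
            hits[host] = hits.get(host, 0) + 1
    return hits


def firewall_rules(hits, local_ip="10.0.2.138"):
    """One DROP rule per infected client, limited to the web port; local_ip
    is the server address from the reply and is a placeholder here."""
    return [f"iptables -A INPUT -p tcp -s {host} -d {local_ip} --dport 80 -j DROP"
            for host in sorted(hits)]


if __name__ == "__main__":
    # cat /var/log/apache/access.log | worm_hits.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    hits = worm_sources(text)
    for host, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"Worm victim: {host} ({n} hits)")
    print("\n".join(firewall_rules(hits)))
```

On the "1500 deny rules" worry in the reply: a chain with one rule per host is walked linearly for every packet, so it does cost CPU as it grows; on a current kernel the addresses go into an ipset and one `-m set --match-set` rule replaces the whole list.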





Re: Secure Network Filesystem

2001-08-28 Thread Emmanuel Valliet

(2001-08-28) Alisson Sellaro sed :

 | Hi there folks
 |
 | I'm planning a modification in the network of my department
 | here. We have a pretty standard lay-out with a DMZ and a
 | screened subnet firewalling schema (two firewalls, one from
 | outside to our DMZ and other from the DMZ to our Intranet). The
 | point is: we are with new requirements of sharing some
 | filesystems across the network (Intranet and DMZ).
 |
 | I would like to know from you what is suggested in terms of use
 | X security. I really would not like to use NFS. Any clues? Coda?
 |
 | Thanks in advance

If you just want to encrypt the traffic, you can use tcfs, which is
client-side oriented, and which you use over NFS.
Otherwise, you can do a VPN, with 2 or more boxes you buy, put between
the clients and the server. I don't have any names in mind, but I think
you can find things like this at blackbox...
Last but not least, you can build a vpn using linux boxes and
ipsec, using freeS/WAN (http://www.freeswan.org). That works fine.


-- 
VALLIET Emmanuel   !   http://www.webmotion.com
Webmotion Inc. !   mailto:[EMAIL PROTECTED]
I like cats, but I don't think I could eat a whole one.



Re: apt-get does not download new packages announced in debian-security-announce

2001-08-09 Thread Emmanuel Valliet
-. Alberto Cortés (2001-08-09) :

 | I have a little problem with apt-get, I think I am not doing it the
 | proper way.
 |
 |    When there is an announcement that a certain package has a bug, (like
 | gnupg v1.0.5) you can read on www.debian.org that there is a new
 | package to download (1.0.6-0potato1). That's OK, but I can't download it
 | with my apt-get, maybe I am not using the correct sources, my
 | sources.list looks like this:
 |
 | deb http://http.us.debian.org/debian stable main contrib non-free
 | deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
 |
 | What are the official sources if you want to have an up to date,
 | secure system?

Mhh, just 2 clicks, and:
http://www.debian.org/security/ :

You may find it convenient to use apt to get the latest security updates.
This requires a line such as
   deb http://security.debian.org/ potato/updates main contrib non-free
in your /etc/apt/sources.list file.

You can also put
deb http://security.debian.org/debian-non-US potato/non-US main contrib non-free

I have this line too, but I think it's the same as the one before:
deb http://security.debian.org/debian-security potato/updates main contrib non-free


-- 
VALLIET Emmanuel   !   http://www.webmotion.com
Webmotion Inc. !   mailto:[EMAIL PROTECTED]
The Majority is never right unless it includes me.