Re: Scripts that run insecurely-downloaded code
On Sat, 2020-05-02 at 18:01 +0200, estel...@elstel.org wrote:
> On 02.05.2020 10:14, Davide Prina wrote:
> > On 01/05/20 22:00, Rebecca N. Palmer wrote:
> > > On 01/05/2020 20:31, Elmar Stellnberger wrote:
> > > > https isn't any more secure than http as long as you do not have a
> > > > verifiably trustworthy server certificate that you can check for. As
> > > > we know the certification authority system is totally broken.
> > >
> > > Imperfect yes, but still better than nothing.
> >
> > There is another problem: implementation. Not all the software that
> > implements HTTPS verifies the validity of the certificate and the
> > validity of the whole certification chain.
> >
> > For example, where I work a certificate was invalidated, but by
> > mistake the new valid one was not loaded on an https site.
>
> What do you mean by loaded on an https site? That the web server of the
> site uses the certificate? Wasn't there a CA for the new site?
>
> > With Debian
> > and Firefox I cannot access that site (I get "the certificate is not
> > valid" or something similar), but other people, that use another OS,
> > can access it with Internet Explorer and Chrome, but not with Firefox.

I've seen this before with Firefox. Basically Firefox has disabled weaker certificates from working, where Chrome and IE still accept ones with 128-bit encryption; they do show an error (at least in Chrome) if you dig into the SSL debug screen. Firefox just refuses to view it.

> > Ciao
> > Davide
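Davide's point above is about clients that silently skip chain or hostname checks. The following is an added example, not code from the thread or from any Debian package: a downloader that refuses to run unless certificate and hostname verification are on and TLS 1.2 or newer is negotiated, and that checks the artifact's SHA-256 (obtained out of band) before handing the bytes back. The "insecure" context is the shape usually pasted into scripts to make an error like the one described above go away. It uses the standard library only; the URL and digest in the usage at the bottom are placeholders.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Added example, not code from the thread or from Debian. Assumes the
# standard library only; the URL and expected digest passed to
# fetch_verified() are placeholders chosen by the caller.


def strict_context(cafile=None):
    """Verify the chain up to a trusted CA and the hostname, TLS >= 1.2.
    cafile=None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context():
    """The 'just make the error go away' fix: any certificate, any name.
    Present only so that refusal_reason() has something to reject."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """True only if chain and hostname are verified and TLS >= 1.2 is enforced."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def refusal_reason(url, ctx):
    """Why fetch_verified() would refuse this request, or None if it proceeds."""
    if not url.lower().startswith("https://"):
        return "plain http"
    if not context_is_safe(ctx):
        return "verification disabled"
    return None


def digest_matches(data, expected_sha256_hex):
    """Constant-time comparison against a digest obtained out of band
    (for example from a signed announcement)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch_verified(url, expected_sha256_hex, ctx=None, timeout=30):
    """Download url over a verified TLS connection; return the bytes only
    if their SHA-256 matches expected_sha256_hex."""
    ctx = ctx or strict_context()
    reason = refusal_reason(url, ctx)
    if reason is not None:
        raise ValueError("refusing to fetch %s: %s" % (url, reason))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256_hex):
        raise ValueError("sha256 mismatch for %s" % url)
    return data


if __name__ == "__main__":
    # Placeholder URL and digest: substitute a real artifact and the digest
    # published for it before running this.
    blob = fetch_verified("https://example.invalid/install.sh", "0" * 64)
    print("verified %d bytes" % len(blob))
```

The two refusals happen before any connection is opened, so a script wired this way cannot be "fixed" by downgrading to http or turning verification off without also changing the code that does the check.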
Re: flashplugin-nonfree and latest Flash security updates
On Wed, 2016-08-03 at 20:43 +0200, Rob van der Putten wrote:
> Hi there
>
> On 03/08/16 11:55, Paul Wise wrote:
> > I'm not part of the team,
>
> Me neither.
>
> > but I do know that contrib and non-free are
> > not supported by the Debian security team, so they are unlikely to
> > make any fixes nor announcements.
> >
> > https://www.debian.org/security/faq#contrib
>
> You can download the plugin manually. For i386 it's:
> http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.429/install_flash_player_11_linux.i386.tar.gz
>
> Replace '11.2.202.429' with the version you want. And maybe 'http' with
> 'https'.
>
> > I'd encourage everyone reading this list to use this opportunity to
> > transition away from using the Adobe Flash player. Most of the web
> > should support standard HTML5 by now, various folks have been pushing
> > to get rid of Flash for a long time.
>
> I don't have Flash on my new Jessie box. I don't miss it.
>
> Regards,
> Rob

The only legitimate thing I've seen that still depends upon Flash is the new Flash-based vCenter for managing ESXi hosts. Why they went with Flash is beyond me, but it doesn't work with this version of Flash anyhow; I've had to install it through the browser-plugin-freshplayer-pepperflash package.
Re: ANNOUNCEMENT: AMD processor microcode security update
That's very interesting. Hopefully that's not the reason my AMD system would randomly crash on me; I thought I had fixed it with some better cooling, and one of my DIMMs had gone bad. I no longer have the system though.

On Wed, 2016-03-23 at 11:52 -0700, Kalnozols, Andris wrote:
> FYI in case we have any of these AMD microprocessors...
>
> On 3/23/2016 11:15 AM, Henrique de Moraes Holschuh wrote:
> > THIS ANNOUNCEMENT IS ONLY RELEVANT TO SYSTEMS THAT HAVE AMD PILEDRIVER
> > MICROPROCESSORS (AMD-FX, and AMD Opteron 3300 / 4300 / 6300).
> >
> > AMD has released a microcode update that fixes a severe fault (also
> > known as "erratum") on AMD Piledriver processors. This erratum can
> > cause dangerous system instability, and it is also a grave security
> > risk. Both server and desktop processors are affected by this erratum.
> >
> > Without this fix, these processors may misbehave in an extremely
> > dangerous way when they receive an NMI (non-maskable interrupt),
> > resulting in unpredictable system behavior. Robert Święcki discovered
> > that the incorrect behavior can be exploited by an unprivileged user in
> > an unprivileged VM to directly attack the host (hypervisor) kernel.
> >
> > It is trivial to trigger the erratum using the "perf" tool.
> >
> > The affected processors identify themselves (in /proc/cpuinfo) as:
> >
> >   vendor_id  : AuthenticAMD
> >   cpu family : 21
> >   model      : 2
> >   stepping   : 0
> >
> > We believe those AMD processors to be:
> >
> >   * AMD-FX 32nm family (codename "Vishera")
> >   * AMD Opteron 3300 family
> >   * AMD Opteron 4300 family
> >   * AMD Opteron 6300 family
> >
> > The above listing might be incomplete.
> >
> > On a Debian system, the erratum can be fixed by installing updated
> > amd64-microcode packages from "non-free" and rebooting. The processor
> > will be updated during boot (by the "initramfs") with the fixed
> > microcode.
> >
> > After the system reboots, the "microcode" field in /proc/cpuinfo should
> > read "microcode: 0x0600084f" (on the above mentioned processors). This
> > indicates that the fixed microcode is active.
> >
> > Note: the microcode update is not permanently installed to the
> > processor: it is reapplied at every boot. You should check with your
> > motherboard vendor for the availability of a new BIOS/UEFI update with
> > the fixed microcode.
> >
> > The updated amd64-microcode packages are already available: users of
> > unstable, testing ("Stretch"), and wheezy-backports need only update
> > their systems.
> >
> > Users of stable ("Jessie") and oldstable ("Wheezy") should enable the
> > "stable-proposed-updates" archive ("oldstable-proposed-updates" for
> > oldstable) to receive this update now, or wait for the next Debian
> > stable/oldstable point release (scheduled for 2016-04-02).
> >
> > Please refer to https://www.debian.org/releases/proposed-updates.html
> > for details on stable and oldstable early updates.
> >
> > All packages can also be downloaded directly from:
> > http://httpredir.debian.org/debian/pool/non-free/a/amd64-microcode/
> >
> > Version key:
> >   oldstable:           1.20160316.1
> >   oldstable-backports: 2.20160316.1~bpo70+1
> >   stable:              2.20160316.1~deb8u1
> >   testing:             2.20160316.1
> >   unstable:            2.20160316.1
> >
> > == What is a processor microcode update? ==
> >
> > Microcode is a control sequence/program that implements several internal
> > functions of the system processor (CPU). A microcode update can fix
> > many classes of processor defects. It can also update the control
> > parameters of on-die processor subsystems, such as: power management, IO
> > buses, embedded GPU interconnect, embedded cache and memory controllers,
> > performance monitoring unit, etc.
> >
> > The Linux kernel can send a microcode update to the processor when one
> > is supplied by the operating system (Debian + non-free).
> >
> > The microcode update has to be applied every time the processor is reset
> > or powered off: it doesn't "stick". Therefore, Debian has to install
> > this microcode update to the initramfs, so as to apply it every time the
> > computer boots.
> >
> > == What is known about this AMD microcode update? ==
> >
> > Robert Święcki, while fuzzing the kernel using the syzkaller tool,
> > uncovered very strange behavior on an AMD FX-8320. This strange
> > behavior was later reproduced on other AMD Piledriver model 2, stepping
> > 0 processors including the Opteron 6300.
> >
> > He contacted AMD, which attributed the behavior to a microcode fault,
> > introduced by microcode revisions 0x600832 and 0x600836. Unfortunately,
> > using an earlier revision of the microcode leaves other critical errata
> > unfixed (on Opteron 6300, for example, it would expose users to
> > another dangerous critical erratum, #815, which these microcode
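The announcement gives two checks to do by hand: the vendor/family/model/stepping tuple that identifies an affected part, and the "microcode" field that should read 0x0600084f after the reboot. The following is an added example, not part of the announcement or of the amd64-microcode package, that applies both to a /proc/cpuinfo dump and reports the worst case across all processor blocks. It assumes that a revision at or above 0x0600084f carries the fix; the sample dumps at the bottom are constructed, not real captures.

```python
# Added example, not part of the announcement or of Debian's packaging.
# Assumption: a microcode revision >= FIXED_REVISION carries the fix
# (the announcement only names 0x0600084f itself).

AFFECTED = {"vendor_id": "AuthenticAMD", "cpu family": "21",
            "model": "2", "stepping": "0"}
FIXED_REVISION = 0x0600084f
BAD_REVISIONS = {0x600832, 0x600836}   # revisions AMD attributed the fault to


def parse_cpuinfo(text):
    """Return one {key: value} dict per processor block in a cpuinfo dump."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a block
            if current:
                cpus.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def classify(cpu):
    """'not-affected', 'fixed' or 'vulnerable' for one processor block."""
    if any(cpu.get(k) != v for k, v in AFFECTED.items()):
        return "not-affected"
    try:
        rev = int(cpu.get("microcode", "0"), 16)
    except ValueError:
        return "vulnerable"                  # unparsable: assume the worst
    return "fixed" if rev >= FIXED_REVISION else "vulnerable"


def check(text):
    """Worst-case verdict over every processor in the dump."""
    verdicts = {classify(c) for c in parse_cpuinfo(text)}
    if "vulnerable" in verdicts:
        return "vulnerable"
    if "fixed" in verdicts:
        return "fixed"
    return "not-affected"


# Constructed sample dumps (not real captures), trimmed to the relevant keys.
SAMPLE_OLD = "\n".join([
    "processor\t: 0",
    "vendor_id\t: AuthenticAMD",
    "cpu family\t: 21",
    "model\t\t: 2",
    "model name\t: AMD FX(tm)-8320 Eight-Core Processor",
    "stepping\t: 0",
    "microcode\t: 0x600836",
    "", "",
])
SAMPLE_FIXED = "\n".join([
    "processor\t: 0",
    "vendor_id\t: AuthenticAMD",
    "cpu family\t: 21",
    "model\t\t: 2",
    "model name\t: AMD FX(tm)-8350 Eight-Core Processor",
    "stepping\t: 0",
    "microcode\t: 0x0600084f",
    "",
    "processor\t: 1",
    "vendor_id\t: AuthenticAMD",
    "cpu family\t: 21",
    "model\t\t: 2",
    "model name\t: AMD FX(tm)-8350 Eight-Core Processor",
    "stepping\t: 0",
    "microcode\t: 0x0600084f",
    "", "",
])
SAMPLE_INTEL = "\n".join([
    "processor\t: 0",
    "vendor_id\t: GenuineIntel",
    "cpu family\t: 6",
    "model\t\t: 58",
    "stepping\t: 9",
    "microcode\t: 0x1f",
    "", "",
])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/cpuinfo"
    with open(path) as f:
        print(path + ":", check(f.read()))
```

Run without arguments it reads the live /proc/cpuinfo; an unpatched Piledriver box reports "vulnerable" until the updated initramfs has applied the new revision and the system has been rebooted.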
Re: Mandatory Access Control
I think the problem lies in this "someone can give me your opinion about it?" It's really all opinion. Each has its advantages and disadvantages. Pretty sure most companies that would require SELinux would also require RHEL/CentOS. Debian simply gives you a choice of what you'd prefer. So if you really want to do it, look at each of them, and decide for yourself.

On Sun, 2015-11-29 at 14:29 -0300, c4p0 wrote:
> I read the fucking manuals but it isn't clear to me which is the better
> option for "Mandatory Access Control" on debian jessie.
> (AppArmor, SElinux, tomoyo, etc ..)
>
> someone can give me your opinion about it?
> thanks in advance
Re: Debian Desktop Environment
I'm curious about how you were infected by a rootkit, which one it was, and what you did to discover it? Using a sandbox is a great idea for those two, except of course those are generally the applications with the most sensitive data as well. I always try to disable HTML email, but people insist on using it...

On Tue, 2015-10-27 at 16:25 +0100, Elmar Stellnberger wrote:
> I would believe that it will heavily depend on how you configure your
> desktop environment:
> * One feature I do always turn off is desktop auto indexing because
>   otherwise even storing an email attachment just for invoking it with an
>   online view-as-jpeg service could cause an infection. Note that you may
>   have to do this twice (once for Gnome and once for KDE) if you have
>   installed according programs of both environments.
> * select starting a new session on every bootup (the session restoration
>   can be used as a hook for ephemeral and home directory rootkits)
> * under KDE there is a list of background services that always run; you
>   may reduce it to what you really need (invokable via systemsettings)
> * likely there are other important configuration options (ask for your
>   env.)
> * get some understanding of what your X-server does (f.i.
>   http://www.elstel.org/xchroot : problems with a pure chroot, trying to
>   resolve these problems by hand)
> * double check the security of the underlying system (netstat -atupn)
> * note that your email program and your browser are the two most
>   vulnerable parts of your desktop environment; consider running them
>   under qemu in a virtual machine
>
> Once you would comply with all these hints you may likely discover a
> rootkit inside the virtual machine for emailing or browsing as I did
> lately. The KDE environment of the host system did not appear to have
> compromised the security of the whole system so far at me.
>
> Elmar
>
> On 27.10.2015 12:29, Mateusz Kozłowski wrote:
> > Hi,
> > Could you tell me which Debian desktop environment is the most secure
> > and has the best privacy, and which you recommend for Debian users?
> > (KDE, XFCE, GNOME etc.)?
Re: [SECURITY] [DSA 3053-1] openssl security update
On Sat, 2014-10-18 at 23:59 +0100, Jonathan Wiltshire wrote:
> On 2014-10-18 22:08, Julian Gilbey wrote:
> > On Thu, Oct 16, 2014 at 05:48:24PM +0200, Thijs Kinkhorst wrote:
> > > Debian Security Advisory DSA-3053-1                 secur...@debian.org
> > > http://www.debian.org/security/                        Thijs Kinkhorst
> > > October 16, 2014                       http://www.debian.org/security/faq
> > >
> > > Package        : openssl
> > > CVE ID         : CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
> > [...]
> >
> > Now that the jessie release is well underway, is it possible either to
> > request unblocks for security uploads or to begin to support a
> > jessie/testing suite in security.debian.org?
>
> Technically nothing is blocked yet (except udebs), but yes of course
> security fixes are a reasonable justification for an unblock request,
> when that time does come. A Jessie security archive is up to the
> security team and FTP masters.
>
> --
> Jonathan Wiltshire                                      j...@debian.org
> Debian Developer                         http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
>
> directhex: i have six years of solaris sysadmin experience, from 8-10. i
> am well qualified to say it is made from bonghits layered on top of bonghits

I always thought that both Stable and Testing were supported by the security team.

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

Not sure what is in there, but they are active.

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1413991021.3899.1.ca...@thefnords.org
Re: vacation mail
Ha, I think it's hilarious when people do this. Also stupid, but if it weren't for stupid people, who would we have to laugh at? :D

On Thu, 2014-08-07 at 15:54 +0100, Daniel wrote:
> It's not the first, and it won't be the last.
>
> Y'know, if I was a malicious individual I might lurk the Debian security
> mailing lists until I saw such an announcement, and then wait for a
> security vulnerability, for example [DSA 2998-1], to be posted
> thereafter. Deducing that the individual or their organisation ran
> Debian, I might then scan or probe the domain which issued the vacation
> mail to ascertain if they were vulnerable. Having all the information I
> needed to take advantage of the vulnerability in the DSA, I might then
> attack said individual or their organisation, safe in the knowledge that
> they would not be back in the office to deal with the problem until
> August 25th.
>
> Such vacation mails would make my job a lot easier. It is fortunate for
> the senders of such mails that I am not a malicious individual.
>
> Best regards,
> Daniel
>
> On 6 Aug 2014, at 09:49, Grond wrote:
> > Bugger, but someone has *reeaally* poor manners. A vacation notice to
> > a mailing list? I mean; really? I do *hope* that we will not be
> > spammed by this until August 25th.
> >
> > (I realize that this rant may not meet minimum notability for this
> > list.)
> >
> > On Tue, Aug 05, 2014 at 08:13:31PM +0200, programac...@sf-informatica.com wrote:
> > > Messages sent to this e-mail address will not be handled until 25
> > > August. If it is urgent, please contact
> > > urgenc...@sf-informatica.com. Apologies for the inconvenience.
>
> --
> Attached is my PGP public key.
> Primary key fingerprint: B7C7 AD66 D9AF 4348 0238 168E 2C53 D8FA 55D8 9FD9
> If you have a PGP key (and a minute to spare) please send it in reply to
> this email. If you have no idea what PGP is, feel free to ignore all this
> gobbledegook.
Re: RFC: fail2ban wheezy security update
Of course, a guy who uses a gmail account wouldn't be interested in the security of Debian. :D

You know you can unsubscribe from it at any time, right?
https://lmddgtfy.net/?q=how+to+unsubscribe+debian+mailing+list

On Tue, 2014-07-08 at 09:27 +0200, Fabrizio Marocchini wrote:
> Please remove me from this list
> thanks a lot
>
> On 8 July 2014 09:13, Tomasz Ciolek t...@vandradlabs.com.au wrote:
> > Hi guys
> >
> > Perhaps the best way is to submit these patches to the Debian fail2ban
> > maintainer?
> >
> > On Mon, Jul 07, 2014 at 04:41:04PM -0600, Jason Fergus wrote:
> > > I run a postfix at home, and I just installed your new package. It
> > > does look pretty good so far. Also reminds me I should pay more
> > > attention to my logs. There are a lot of attempts to connect from
> > > unauthorized people. Of course I'm sure that happens everywhere,
> > > which is why we use fail2ban in the first place!
> > >
> > > On Mon, 2014-07-07 at 17:55 -0400, Yaroslav Halchenko wrote:
> > > > Dear Security Enthusiasts,
> > > >
> > > > Would someone be kind to verify correct operation of a prospective
> > > > security update for the Fail2Ban package in wheezy. Especially if
> > > > you are using postfix, cyrus imap, courier smtp, exim, or lighttpd.
> > > > Unfortunately the amount of changes to those filter definitions
> > > > was quite large, and I have tried to do my best to verify their
> > > > correct operation on sample log lines we have in recent Fail2Ban,
> > > > but I could have missed something obvious since I have no working
> > > > deployments of postfix etc.
> >
> > Cheers
> > Tomasz
> > --
> > Tomasz M. Ciolek
> > *** tmc at vandradlabs dot com dot au ***
> > GPG Key ID: 0x41C4C2F0
> > GPG Key Fingerprint: 3883 B308 8256 2246 D3ED A1FF 3A1D 0EAD 41C4 C2F0
> > Key available on good key-servers
Re: RFC: fail2ban wheezy security update
I run a postfix at home, and I just installed your new package. It does look pretty good so far. Also reminds me I should pay more attention to my logs. There are a lot of attempts to connect from unauthorized people. Of course I'm sure that happens everywhere, which is why we use fail2ban in the first place!

On Mon, 2014-07-07 at 17:55 -0400, Yaroslav Halchenko wrote:
> Dear Security Enthusiasts,
>
> Would someone be kind to verify correct operation of a prospective
> security update for the Fail2Ban package in wheezy. Especially if you
> are using postfix, cyrus imap, courier smtp, exim, or lighttpd.
> Unfortunately the amount of changes to those filter definitions was
> quite large, and I have tried to do my best to verify their correct
> operation on sample log lines we have in recent Fail2Ban, but I could
> have missed something obvious since I have no working deployments of
> postfix etc.
>
> These changes will later be reapplied (where applicable) on top of the
> squeeze LTS version as well (haven't looked into it yet).
>
> I am attaching the debdiff and the .deb package could be found at
>
> http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
> signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
> sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794
>
> If you prefer to review changes online, here is the corresponding pull
> request: https://github.com/fail2ban/fail2ban/pull/757
>
> Corresponding changelog, hinting on those filters which were affected
> by the fixes -- the rest of the fail2ban should have not been affected
>
> fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
>
>   * Use anchored failregex for filters to avoid possible DoS.
>     Manually picked up from the current status of 0.8 branch (as of
>     0.8.13-29-g09b2016):
>     - CVE-2013-7176: postfix.conf - anchored on the front, expects
>       postfix/smtpd prefix in the log line
>     - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
>       refactored to have a single failregex
>     - couriersmtp.conf - anchored on both sides
>     - exim.conf - front-anchored versions picked up from exim.conf and
>       exim-spam.conf
>     - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
>
>  -- Yaroslav Halchenko deb...@onerussian.com  Sun, 22 Jun 2014 11:56:54 -0400
>
> Thank you very much and please CC me.
>
> Best regards,
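The changelog above says only that the filters were anchored "to avoid possible DoS". The following is an added example, not code from the thread or from fail2ban's filter.d, showing the class of problem that change closes: a remote client can make the daemon log text of its own choosing, and a failregex that is not anchored to the log prefix will happily pull a <HOST> out of that text, so a third party's address gets banned. The two patterns are simplified stand-ins for a postfix reject failregex before and after "anchored on the front, expects postfix/smtpd prefix"; the upstream regexes are not reproduced, and the log lines are constructed with RFC 5737 documentation addresses.

```python
import re

# Added example, not fail2ban's own filter code. Both patterns are
# simplified stand-ins; the log lines below are constructed.

HOST = r"(?P<host>[^\]\s]+)"

# Unanchored: matches the reject text wherever it occurs in the line,
# including inside data the remote client chose to send.
UNANCHORED = re.compile(r"reject: RCPT from \S+\[" + HOST + r"\]: 554 5\.7\.1")

# Anchored: must start at the syslog/postfix prefix and continue directly
# with the NOQUEUE reject, so client-supplied text later in the line is
# never in a position to match.
PREFIX = r"^\S+ +\d+ +\d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
ANCHORED = re.compile(PREFIX + r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 554 5\.7\.1")

# A real relay rejection: the peer is 198.51.100.23.
GENUINE = ("Jul  7 16:41:04 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from "
           "unknown[198.51.100.23]: 554 5.7.1 <x@example.net>: Relay access denied; "
           "from=<a@example.invalid> to=<x@example.net> proto=ESMTP helo=<attacker>")

# The same peer sending garbage that postfix logs verbatim. The text it sent
# is shaped like a rejection of 203.0.113.7, a host that never connected.
INJECTED = ("Jul  7 16:42:10 mail postfix/smtpd[2211]: warning: non-SMTP command from "
            "unknown[198.51.100.23]: reject: RCPT from evil[203.0.113.7]: 554 5.7.1 x")


def extract_host(pattern, line):
    """The <HOST> a jail would record for this line, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def would_ban(pattern, lines, maxretry=3):
    """Hosts a jail using this failregex would ban: one failure per
    matching line, findtime ignored for brevity."""
    counts = {}
    for line in lines:
        host = extract_host(pattern, line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


# One genuine rejection plus three injected lines from the same client.
LOG = [GENUINE] + [INJECTED] * 3

if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print("%-10s bans: %s" % (name, would_ban(pat, LOG)))
```

With the unanchored pattern three bogus lines are enough to ban 203.0.113.7, which never spoke to the server; with the anchored one the attacker's lines match nothing, and the only address ever extracted is the real peer's. Anchoring on the log prefix is what makes the program name part of the evidence rather than something the client can imitate.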
Re: Please remove me from this list
Ha ha, made me laugh.

Speaking of lists, I wish I knew how Evolution knows to ask if one would like to reply to the list or the sender. My work uses a bunch of mailing lists, and I always feel like I'm breaking list etiquette when I have to do a group reply, because the option isn't there to just reply to the list. I'm guessing it sees 'lists' in the To or CC field..

On Wed, 2014-06-25 at 23:43 -0500, Scott Blaydes wrote:
> Doesn't it make you wonder about a company whose Privacy, Security and
> Compliance Officer can't figure out how to get off of a mailing list
> that he had to subscribe to and verify his address for? I know, I am a
> jerk, but it was the first thing I thought of when I saw his posting to
> the list.
>
> Now back to your regularly scheduled content.
>
> On Jun 25, 2014, at 12:50 PM, Andrea Zwirner and...@linkspirit.org wrote:
> > Hint: http://www.list-unsubscribe.com/
> >
> > Sent from my Sylpheed
> >
> > On Wed, 25 Jun 2014 11:23:47 -0500
> > Ed Blonski eblon...@homeaccess.com wrote:
> > > Please remove me from this list
> > >
> > > Ed Blonski
> > > 847-310-6034
> > > Manager, Technology Security and Compliance Initiatives
> > > Privacy, Security Compliance Officer
> > > 2401 W. Hassell Road, Suite 1510 | Hoffman Estates, IL 60169 | Tel: 847-310-6034
> > > http://www.homeaccess.com
Re: Please remove me from this list
On Thu, 2014-06-26 at 16:15 +0200, Erwan David wrote:
> On 26/06/2014 16:06, Jason Fergus wrote:
> > Ha ha, made me laugh.
> >
> > Speaking of lists, I wish I knew how Evolution knows to ask if one
> > would like to reply to the list or the sender. My work uses a bunch of
> > mailing lists, and I always feel like I'm breaking list etiquette when
> > I have to do a group reply, because the option isn't there to just
> > reply to the list. I'm guessing it sees 'lists' in the To or CC
> > field..
>
> There are several List-* headers relevant to this. eg. for this list
> you get in the headers:
>
> List-Id: debian-security.lists.debian.org
> List-URL: http://lists.debian.org/debian-security/
> List-Post: mailto:debian-security@lists.debian.org
> List-Help: mailto:debian-security-requ...@lists.debian.org?subject=help
> List-Subscribe: mailto:debian-security-requ...@lists.debian.org?subject=subscribe
> List-Unsubscribe: mailto:debian-security-requ...@lists.debian.org?subject=unsubscribe
>
> The relevant header for replying to list is List-Post:

Thanks, good to know!
Re: Debian mirrors and MITM
I have to laugh at this, my phone was going off constantly this morning, and I was thinking I don't have this much email normally! Looked over the discussion and thought, didn't this discussion happen recently? It was something I was randomly thinking about one day too, but really plain-text over http isn't really what's happening anyhow, and if you want to change it, change it to ftp transport, not many people trying to look there! (yes that bit is a joke, but still, I don't think HTTPS would really help a whole lot, except as someone else mentioned, you may be able to see the packages being installed without it.)

On Fri, 2014-05-30 at 15:26 +0200, Estelmann, Christian wrote:
> Yes, but I think this time it will not be better...
>
> Some (most?) mirrors are supporting https. If you want to use https just
> try which mirrors are supporting it. ftp.us.d.o will not work very well
> because of the DNS round robin.
>
> On 30 May 2014 15:16:29 CEST, Alfie John alf...@fastmail.fm wrote:
> > On Fri, May 30, 2014, at 11:03 PM, Estelmann, Christian wrote:
> > > In Oct 2013 a similar discussion started
> > > https://lists.debian.org/debian-security/2013/10/msg00027.html
> >
> > Thanks for the link, but that discussion went nowhere pretty fast.
> >
> > Alfie
Re: End-user laptop firewall available?
On Sat, 2013-12-07 at 10:55 -0600, Richard Owlett wrote:
> I chose phrasing of subject line to emphasize some peculiarities of my
> needs.
>
> End-user emphasizes:
>   - I am *NOT* an expert
>   - my system is never intended to be a server

Without any services running, you won't really have any ports open. Of course some user style services (like samba) may be running. I always like running 'lsof -i' as root to see what ports / services are open.

> Laptop indicates:
>   - small standalone system intended to operate primarily *WITHOUT* any
>     networking
>
> When connected to internet it will be:
>   - primarily for browsing, email, Usenet
>   - occasionally used for downloading small files using HTTP *NOT*
>     (never?) FTP

The theory is if that's all you do on a Linux system, then you probably don't need to put in any firewall rules.

> The fly in ointment will be:
> The typical internet connection will be with a USB dial-up modem.
> When I desire to browse complex website or download a large set of
> files, I will carry it to a local library and use a WiFi connection.
>
> A couple months of reading has left me confused as to a suitable
> firewall.
>
> Any help/direction appreciated.

If you're paranoid, I'd go with arno-iptables-firewall. It really is easy to set up, even though it's all done through either debconf, or text files.
Re: End-user laptop firewall available?
On Mon, 2013-12-09 at 20:16 +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Dec 09, 2013 at 09:41:34AM -0700, Jason Fergus wrote:
> > On Sat, 2013-12-07 at 10:55 -0600, Richard Owlett wrote:
> > > I chose phrasing of subject line to emphasize some peculiarities of
> > > my needs.
> > >
> > > End-user emphasizes:
> > >   - I am *NOT* an expert
> > >   - my system is never intended to be a server
> >
> > Without any services running, you won't really have any ports open. Of
> > course some user style services (like samba) may be running. I always
> > like running 'lsof -i' as root to see what ports / services are open.
>
> lsof -i is equivalent to 'netstat -punta'; it will also provide
> information on existing (outbound/inbound) connections. This might
> provide too much information.

I figured if he'd done that while not connected to any network, lsof would have worked. But you're right.

> To list the services *listening* to the network 'netstat -puntl' might
> be more useful as it provides *just* listening services (-l) in either
> UDP or TCP. As an advantage, it does not require root privileges (the
> only information you will miss if run by a regular user is the
> processes, i.e. the -p option)
>
> Additionally, you can use 'ss' a tool similar to netstat (in iproute2
> package). 'ss -l' lists open TCP/UDP sockets.
>
> All these are command-line tools, I'm not aware of any GUI tool putting
> this information in a friendly interface in a Desktop (i.e. similar to
> what gnome-system-monitor does for processes). Anyone?

Gnome's network tools has a netstat tab.

> Regards
>
> Javier
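Both messages in this thread (the 'lsof -i' suggestion and the 'netstat -puntl' / 'ss -l' refinement) are about the same question: which sockets are in LISTEN state and which of those are reachable from the network. The following is an added example, not code from the thread or from netstat/ss, that reads the same kernel tables those tools read, /proc/net/tcp and /proc/net/tcp6, and separates loopback-only listeners from exposed ones. It also shows why -p needs root: mapping a socket inode to a process means reading every process's fd directory, which is denied for other users' processes. The snapshots are constructed, and the address decoding assumes a little-endian host (i386/amd64), since the kernel prints the addresses in native byte order.

```python
import os
import socket
import struct

# Added example, not code from the thread or from netstat/ss. Assumption:
# little-endian host (i386/amd64); /proc/net/tcp prints addresses in
# native byte order and the constructed samples below are encoded that way.

LISTEN = "0A"   # state code for TCP_LISTEN in /proc/net/tcp*


def _decode_ipv4(hexaddr):
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def _decode_ipv6(hexaddr):
    # Four native-endian 32-bit words printed as 32 hex digits.
    words = [int(hexaddr[i:i + 8], 16) for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6,
                            b"".join(struct.pack("<I", w) for w in words))


def parse_listeners(text, ipv6=False):
    """[(address, port, uid, inode)] for LISTEN sockets in a /proc/net/tcp
    (ipv6=False) or /proc/net/tcp6 (ipv6=True) dump."""
    decode = _decode_ipv6 if ipv6 else _decode_ipv4
    found = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != LISTEN:
            continue
        addr_hex, port_hex = local.rsplit(":", 1)
        found.append((decode(addr_hex), int(port_hex, 16), int(uid), int(inode)))
    return found


def exposed(listeners):
    """Listeners not bound to a loopback address: the ports another host
    on the library Wi-Fi could actually reach."""
    return [(addr, port) for addr, port, _uid, _inode in listeners
            if not (addr.startswith("127.") or addr == "::1")]


def find_process(inode):
    """Map a socket inode to (pid, comm) via /proc/<pid>/fd. Reading another
    user's fd directory needs root, which is why netstat -p / ss -p do."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    with open("/proc/%s/comm" % pid) as f:
                        return int(pid), f.read().strip()
        except OSError:                        # gone, or not ours to read
            continue
    return None


# Constructed snapshots (not real captures): a listener on 127.0.0.1:631,
# one on 0.0.0.0:22 and [::]:22, one on [::1]:53, and one established
# connection that must be ignored.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 16431 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18722 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:A1B4 5DB8D822:01BB 01 00000000:00000000 02:000001F4 00000000  1000        0 22301 2 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18724 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0035 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20101 1 0000000000000000 100 0 0 10 0
"""


def live_report():
    """Print listeners from the real tables (Linux only)."""
    for path, ipv6 in (("/proc/net/tcp", False), ("/proc/net/tcp6", True)):
        try:
            with open(path) as f:
                text = f.read()
        except OSError:
            continue
        for addr, port, uid, inode in parse_listeners(text, ipv6):
            owner = find_process(inode) or "(process not visible)"
            print("%s:%d uid=%d %s" % (addr, port, uid, owner))


if __name__ == "__main__":
    live_report()
```

Run as an ordinary user it prints every listener but reports "(process not visible)" for sockets owned by other users' processes; run as root it fills in the pid and command name, which is exactly the gap Javier describes for netstat without -p.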
Re: NULL Scan issues or something else?
On Tue, 2013-02-05 at 23:10 +0000, Jérémie Marguerie wrote:
> On 5 Feb 2013 23:03, Bartek Krajnik bar...@bmk-it.com wrote:
> > Hi,
> >
> > For ssh login attempts you can use program authfail (after 4 wrong
> > login attempts it adds proper IP to netfilter with DROP rule sending
> > notification to IP class owner from whois database).
>
> It sounds a bit overkill. Am I the only one sometimes typing my password
> incorrectly because I forgot it?
>
> Fail2ban does pretty much the same job but only bans for a few minutes.
> It's just a way to slow down bruteforce. Having 20 guesses per 10
> minutes makes a bruteforce useless if the passwords are decent. And it
> will not annoy too much your users but will annoy stupid bots.
>
> --
> Jérémie Marguerie

I'll second Fail2Ban. I use it all the time. Though, funny story, where I work we use PBX in a Flash as our PBX. It is installed by default with fail2ban, but one day we were having random issues with the network and our VoIP phones (Aastra 57i) kept trying to connect; I finally realized that fail2ban had blocked it, and as soon as I restarted the service (clearing the bans) the phone connected and worked just fine. So like anything similar, use the tool with care. It's extremely configurable though.
Re: flashplugin-nonfree get-upstream-version.pl security concern
On Thu, 2012-12-13 at 19:55 -0500, Michael Gilbert wrote:
> On Wed, Dec 12, 2012 at 11:41 PM, Jason Fergus wr3ote:
> > On Wed, 2012-12-12 at 17:26 -0500, Michael Gilbert wrote:
> > > On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote:
> > > > What is Debian policy on code execution from user websites?
> > >
> > > Unfortunately there is none. I've tried to gain consensus that at a
> > > minimum things downloaders like this need to stay out of main, but
> > > that thought hasn't really gained traction.
> > >
> > > The real answer is that this package is in contrib and thus not
> > > security supported at all.
> > >
> > > Ultimately, for anyone even modestly security-conscious adobe flash
> > > should really be avoided at all costs. Alternatives include
> > > lightspark, gnash, and (most preferably) html5.
> > >
> > > Best wishes,
> > > Mike
> >
> > I could be wrong on this, but I had always thought that ANY sort of
> > downloader type installer (like the flashplugin-nonfree package) could
> > NOT be in main. For any package to be in main, it has to have source
> > code available as well as be DFSG compliant. It's the same reason why
> > quake2-data packages were always in contrib. While the source code for
> > quake2 is GPL, the -data package would grab the pk0.pak files off of
> > the CD to put them in the proper place for global Quake 2 fun.
> > quake2-data was always in contrib. I was going to use qmail as an
> > example, but I am guessing they changed their license recently,
> > because previous to Wheezy, you always had to build it from source
> > (and there was a qmail-src package).
>
> You would think that, but Debian policy has nothing to say. I put a lot
> of energy into it, but things like getweb still remain:
> http://bugs.debian.org/449497
>
> These cases are actually pretty rare, which is the real reason that
> there is no defined policy. Plus people tend to not like repacking
> upstream due to single questionable files.
>
> > Anyhow, I hope that point was made clear. Contrib also does get
> > security updates, but they're not maintained by the security team (if
> > I'm recalling correctly. Sucks getting old). They're simply maintained
> > by the package maintainer.
>
> Well, there's always the option for the maintainer to provide a security
> update as an spu, but that is so rare in contrib that I don't recall the
> last time it happened. Without security team intervention happens in
> probably 95% of cases for security issues, so there's something like a
> 5% chance of a fix going into contrib. Maintainers tend to lose interest
> in the stable release fairly quickly.

Pretty sure I've seen the flashplugin-nonfree updated for Squeeze at some point, but I could be wrong.

> Best wishes,
> Mike
Re: flashplugin-nonfree get-upstream-version.pl security concern
On Wed, 2012-12-12 at 17:26 -0500, Michael Gilbert wrote:
> On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote:
> > What is Debian policy on code execution from user websites?
>
> Unfortunately there is none. I've tried to gain consensus that at a minimum downloaders like this need to stay out of main, but that thought hasn't really gained traction.
>
> The real answer is that this package is in contrib and thus not security supported at all. Ultimately, for anyone even modestly security-conscious, Adobe Flash should really be avoided at all costs. Alternatives include lightspark, gnash, and (most preferably) html5.
>
> Best wishes,
> Mike

I could be wrong on this, but I had always thought that ANY sort of downloader-type installer (like the flashplugin-nonfree package) could NOT be in main. For any package to be in main, it has to have source code available as well as be DFSG compliant. It's the same reason why quake2-data packages were always in contrib. While the source code for quake2 is GPL, the -data package would grab the pk0.pak files off of the CD to put them in the proper place for global Quake 2 fun. quake2-data was always in contrib. I was going to use qmail as an example, but I am guessing they changed their license recently, because previous to Wheezy, you always had to build it from source (and there was a qmail-src package).

Anyhow, I hope that point was made clear. Contrib also does get security updates, but they're not maintained by the security team (if I'm recalling correctly. Sucks getting old). They're simply maintained by the package maintainer.

Warning, all of the above could be incorrect, but that had always been my impression, and I've been running Debian since 1.3 was out. I remember being totally stoked for Kernel 2.2.x coming out!

I totally agree with Mike though, Adobe Flash has a horrible security record, which is why Adobe has continuously been releasing new versions, even though they said they were discontinuing support for it. They are all security patches!

Archive: http://lists.debian.org/1355373702.10685.22.camel@localhost.localdomain
Re: Informazioni Log Analyzer Postfix
On Tue, 2012-12-04 at 11:35 +0100, Gilles Mocellin wrote:
> On 27/11/2012 11:53, Zattara Stefano wrote:
> > Good morning to the whole list, I'd like some advice about a log analyzer for postfix. I've already had a look at pflogsum and at various similar interfaces in python. What I'd be interested in is being able to reconstruct the life of a mail from entry to delivery, or to its being discarded for some reason (entry-postfix-antispam-filters-delivery). Does anyone have a tip for me on this?
> >
> > Thanks
> > Stefano
>
> Hello,
>
> This is really a must-have tool. The best I found is a two-step procedure. The script is postfix.transform.log that I found here (there are other nice scripts):
> http://www.arschkrebs.de/postfix/scripts/
>
> First step, have a hash of the conversation:
>
> # postfix.transform.log /var/log/mail.info | grep em...@dom.tld
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/smtp[14106]: 7E1627E003: to=em...@dom.tld, relay=our-MX-IP[our-MX-IP]:25, delay=0.27, delays=0.05/0/0/0.21, dsn=2.6.0, status=sent (250 2.6.0 497621310.7803.1354615169395.JavaMail._appserver@ws4.local Queued mail for delivery)
>
> Second step, show all log entries with that hash:
>
> # postfix.transform.log /var/log/mail.info | grep hdKa9YSKDVopgYp8K4XHXg
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:48 servername postfix/smtpd[14202]: E5F187E002: client=clientserver[x.clientIP]
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:50 servername postfix/cleanup[14414]: E5F187E002: message-id=497621310.7803.1354615169395.JavaMail._appserver@ws4.local
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:54 servername postfix/qmgr[17373]: E5F187E002: from=sen...@domain.tld, size=19568, nrcpt=1 (queue active)
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/smtpd[9961]: 7E1627E003: client=localhost[127.0.0.1]
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/cleanup[14075]: 7E1627E003: message-id=497621310.7803.1354615169395.JavaMail._appserver@ws4.local
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/qmgr[17373]: 7E1627E003: from=sen...@domain.tld, size=20035, nrcpt=1 (queue active)
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/lmtp[14421]: E5F187E002: to=em...@domain.tld, relay=127.0.0.1[127.0.0.1]:10024, delay=9.3, delays=7.6/0/0/1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=14533-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7E1627E003)
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/qmgr[17373]: E5F187E002: removed
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/smtp[14106]: 7E1627E003: to=em...@domain.tld, relay=our-MX-IP[our-MX-IP]:25, delay=0.27, delays=0.05/0/0/0.21, dsn=2.6.0, status=sent (250 2.6.0 497621310.7803.1354615169395.JavaMail._appserver@ws4.local Queued mail for delivery)
> [hdKa9YSKDVopgYp8K4XHXg] Dec 4 11:12:56 servername postfix/qmgr[17373]: 7E1627E003: removed
>
> As you can see, it handles well amavisd-new intermediate delivery. We also have policyd-weight, but it does show it. Not so bad, because mails that are refused by policyd-weight don't have many lines in the logs.
>
> Hope it helps.

I generally just use 'less /var/log/mail.log' for the times that I need to dive into a log to find the 'life' of it. I guess the 'analyzer' is my brain. I do this for a living, and it's always served me well. Sure, I also have summaries, and awstats, etc. But when it comes to tracing where an email went and whether it was blocked by spam, or rejected from our email server or from the destination, there really isn't much better than less. You can even pipe less through the syntax highlighting program to 'colorize' the logs. Though this seems to break the follow functionality of less.

Archive: http://lists.debian.org/1354625106.1559.3.camel@localhost.localdomain
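The two-step correlation described in the message above (find the mail, then pull every line of the same conversation, including the second queue id that amavisd-new's re-injection produces) can be done without the external script by linking queue ids through the "queued as" status and the shared Message-ID. The following is an added example written for this page, not the postfix.transform.log script; the log lines are constructed and modelled on the ones quoted above.

```python
import re
from collections import defaultdict
# Constructed sample: amavisd-new accepts the mail on port 10024 and re-injects it on
# 10025, so the same message gets a second queue id. A1B2C3D4E5 is unrelated noise.
SAMPLE_LOG = """\
Dec  4 11:12:48 mx postfix/smtpd[14202]: E5F187E002: client=client.example.org[192.0.2.10]
Dec  4 11:12:50 mx postfix/cleanup[14414]: E5F187E002: message-id=<4976.7803@ws4.local>
Dec  4 11:12:54 mx postfix/qmgr[17373]: E5F187E002: from=<sender@example.org>, size=19568, nrcpt=1 (queue active)
Dec  4 11:12:56 mx postfix/smtpd[9961]: 7E1627E003: client=localhost[127.0.0.1]
Dec  4 11:12:56 mx postfix/cleanup[14075]: 7E1627E003: message-id=<4976.7803@ws4.local>
Dec  4 11:12:56 mx postfix/qmgr[17373]: 7E1627E003: from=<sender@example.org>, size=20035, nrcpt=1 (queue active)
Dec  4 11:12:56 mx postfix/lmtp[14421]: E5F187E002: to=<user@example.net>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=14533-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7E1627E003)
Dec  4 11:12:56 mx postfix/qmgr[17373]: E5F187E002: removed
Dec  4 11:12:56 mx postfix/smtp[14106]: 7E1627E003: to=<user@example.net>, relay=mx.example.net[198.51.100.5]:25, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Dec  4 11:12:56 mx postfix/qmgr[17373]: 7E1627E003: removed
Dec  4 11:13:03 mx postfix/smtp[14106]: A1B2C3D4E5: to=<other@example.net>, relay=mx.example.net[198.51.100.5]:25, dsn=2.0.0, status=sent (250 Ok)
"""

QID_RE = re.compile(r"postfix/\S+\[\d+\]: ([0-9A-F]{8,}): (.*)")
QUEUED_RE = re.compile(r"queued as ([0-9A-F]{8,})")
MSGID_RE = re.compile(r"message-id=(\S+)")

def parse(log_text):
    """Group lines by queue id and record which queue ids belong together."""
    by_qid, links, by_msgid = defaultdict(list), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not (m := QID_RE.search(line)):
            continue                       # not a per-message Postfix line
        qid, rest = m.groups()
        by_qid[qid].append(line)
        if q := QUEUED_RE.search(rest):    # re-injection after the content filter
            links[qid].add(q.group(1)); links[q.group(1)].add(qid)
        if mid := MSGID_RE.search(rest):   # same Message-ID under several queue ids
            by_msgid[mid.group(1)].add(qid)
    for qids in by_msgid.values():
        for q in qids:
            links[q].update(qids)
    return by_qid, links

def conversation(log_text, needle):
    """Return, in log order, every line of the mail(s) whose lines contain needle."""
    by_qid, links = parse(log_text)
    stack = [q for q, lines in by_qid.items() if any(needle in l for l in lines)]
    seen = set()
    while stack:                           # follow the links transitively
        q = stack.pop()
        if q not in seen:
            seen.add(q)
            stack.extend(links[q])
    return [l for l in log_text.splitlines()
            if (m := QID_RE.search(l)) and m.group(1) in seen]
```

Running `conversation(open("/var/log/mail.info").read(), "user@example.net")` on a real log gives the same ten-line trace the script above produces for one recipient; a rejected mail (policyd-weight, or a reject in smtpd) has no queue id and therefore never appears, which is worth remembering when a trace comes back empty.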
Re: sun-java6-plugin outdated and vulnerable to an actively exploited security issue
On Thu, 2012-08-16 at 12:09 +0200, Erwan David wrote:
> On Thu, Aug 16, 2012 at 11:37:09AM CEST, Thijs Kinkhorst th...@debian.org said:
> > Hi Adam,
> >
> > On Thu, August 16, 2012 07:56, echo083 wrote:
> > > The sun-java6 in the stable branch is the version 1.6.0_26. Is there a plan for any security upgrade?
> >
> > I'm afraid that's not possible. Oracle has changed licensing such that it's no longer allowed for Debian to distribute newer versions. There's somewhat more detail in http://www.debian.org/News/weekly/2011/15/#javarm
> >
> > It is advised to switch to openjdk-6 instead.
> >
> > Cheers,
> > Thijs
>
> I might do this when every java application I need to use is compatible with it... Meanwhile some do not work...

Is it plausible to get openjdk7 backported to squeeze as a security measure in this regard? It sure seems to be more closely based on what Oracle is now putting out. Well, there are some programs that apparently refuse to work with Java7 altogether, but I'd say that's the programmer's fault. I know where I work there have been issues with that. But at least openjdk7 seems to be getting updated along with Oracle's Java7.

Archive: http://lists.debian.org/1345126044.1597.14.camel@localhost.localdomain
Re: how to fix rootkit?
On Wed, 2012-02-08 at 18:16 -0600, Mike Mestnik wrote:
> On 02/08/12 18:07, Russell Coker wrote:
> > On Thu, 9 Feb 2012, Stephen Hemminger shemmin...@vyatta.com wrote:
> > > The advice I heard is trust nothing (even reflash the BIOS).
> >
> > Do you know of any real-world exploits that involve replacing the BIOS? It's been theoretically possible for a long time but I haven't seen any references to it being done.
>
> Exploits that are theoretically possible are implemented by private 3rd parties (and Hackers!). I've a small collection of utilities I know that I'm the only one who has a copy of, though other tools that work the same way more than likely exist.
>
> > Also one thing to keep in mind is the apparent competence of the attackers. If they didn't bother changing debsums then it's unlikely that they did any of the other tricky things which have been discussed (such as trojaning the kernel).
>
> A RedHat expert can alter a running Debian kernel, but might miss debsum.

Out of curiosity, couldn't one technically boot up a liveCD, mount the drive(s) and then download the .debs individually, then extract them over the mounted partitions, effectively copying over all of the binaries? (Yeah, it'd be a nightmare, and quite frankly it would be easier / faster to just re-install with the exported package list. Not to mention I'd trust it more just to re-install.)

Archive: http://lists.debian.org/1328760003.1540.5.camel@localhost.localdomain
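The debsums check mentioned in the thread only means something when it is run from a live system against the suspect disk mounted read-only, with reference hashes taken from freshly downloaded .debs (dpkg-deb -e extracts the md5sums control file) rather than from the suspect disk's own /var/lib/dpkg/info. The example below is added here and is not debsums itself: it parses dpkg's md5sums format and reports which listed files under a mount root are intact, modified or missing; the scenario in demo() is constructed, and MD5 is used only because that is the digest dpkg ships, so a match is a triage signal rather than proof of integrity.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def parse_md5sums(text):
    """Parse dpkg's <pkg>.md5sums format: '<md5 hex>  <path without leading />'."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries

def md5_of(path):
    """Hash a file in chunks (dpkg stores MD5, so that is what we compare)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_root(mount_root, reference):
    """Check every path in reference under the offline-mounted root.
    Returns {path: 'ok' | 'modified' | 'missing'}."""
    result = {}
    for rel, digest in reference.items():
        full = os.path.join(mount_root, rel)
        if not os.path.isfile(full):
            result[rel] = "missing"
        else:
            result[rel] = "ok" if md5_of(full) == digest else "modified"
    return result

def demo():
    """Constructed scenario: a throwaway 'mounted root' holding one clean, one
    tampered and one deleted file, checked against a reference list built here."""
    clean = b"#!/bin/sh\necho ls\n"
    tampered = b"#!/bin/sh\necho ls # tampered\n"
    ref = parse_md5sums("".join(f"{hashlib.md5(clean).hexdigest()}  bin/{n}\n"
                                for n in ("ls", "ps", "netstat")))
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        Path(root, "bin", "ls").write_bytes(clean)
        Path(root, "bin", "ps").write_bytes(tampered)
        return verify_root(root, ref)   # {'bin/ls': 'ok', 'bin/ps': 'modified', 'bin/netstat': 'missing'}
```

Anything reported as modified or missing in a system package is exactly the set of files that extracting the fresh .debs over the mount would replace, which is why a reinstall from the exported package list is the simpler way to reach the same end state.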