Re: Verifying email signature
On Wed, Oct 16, 2002 at 11:59:44AM -0500, David wrote:
> In an attempt to learn more about the workings of gpg, I've been trying to verify emails from the command line. These signatures are not signed, but mutt reports a good signature, but, of course, warning that they are not signed.
>
> When I try to verify a saved message - one which has been reported as good from Mutt - gpg returns a BAD signature.

That's probably because the mail is encoded in e.g. quoted-printable. When you save an attachment from mutt, mutt de-codes it first (so you end up with plain text).

From mutt, try to (C)opy the message to /tmp/somefile, and look at it there. You'll probably see things like "--=20" at the beginning of the signature.

The authoritative source is probably rfc2015: http://www.faqs.org/rfcs/rfc2015.html which I believe mutt follows. It's quite a good read.

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: Economics is extremely useful as a form of employment for economists. -- John Kenneth Galbraith
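To make the point above concrete: under RFC 2015 the detached signature covers the first MIME part exactly as it went over the wire (headers, quoted-printable and CRLF line endings included), so the decoded text a client saves is simply not the data that was signed. The following is an added example, not code from the thread or from mutt/gpg; it parses a constructed multipart/signed message, extracts the octets the signature actually covers, extracts the decoded text a client would save, and shows that their digests differ. The message, addresses and signature blob are all constructed placeholders and gpg is never invoked.

```python
"""Why a signature that mutt verifies fails on the saved, decoded text.

Under RFC 2015 (later RFC 3156) the detached OpenPGP signature in a
multipart/signed mail covers the first MIME body part exactly as
transmitted: its headers, its Content-Transfer-Encoding and CRLF line
endings included. Save the *decoded* text instead and gpg hashes
different octets, hence "BAD signature". This added example extracts
both views from a constructed message so the difference is visible;
it never calls gpg and the signature blob is a placeholder.
"""
import email
import hashlib

# Constructed sample (not a real signed mail): one quoted-printable text
# part followed by a placeholder application/pgp-signature part.
SAMPLE = (
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; boundary="bd"; micalg=pgp-sha1;'
    b' protocol="application/pgp-signature"\r\n'
    b"\r\n"
    b"--bd\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Hello Bob,\r\n"
    b"this line was wrapped by the sending client with a soft=\r\n"
    b" line break.\r\n"
    b"--=20\r\n"          # the "-- " sig separator with its trailing space encoded
    b"Alice\r\n"
    b"--bd\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--bd--\r\n"
)


def signed_bytes(raw: bytes) -> bytes:
    """Return the exact octets the detached signature covers.

    That is the first body part, headers included, as transmitted. We slice
    the raw message rather than re-serialise a parsed object, because any
    re-encoding would alter the bytes being hashed.
    """
    msg = email.message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delim = b"\r\n--" + msg.get_boundary().encode()
    start = raw.index(delim) + len(delim)        # opening boundary line
    start = raw.index(b"\r\n", start) + 2        # first byte of part 1
    end = raw.index(delim, start)                # the CRLF before the next boundary
    return raw[start:end]                        # belongs to the boundary, not the data


def decoded_text(raw: bytes) -> str:
    """What a mail client shows (or saves): the text part with QP undone."""
    msg = email.message_from_bytes(raw)
    part = next(p for p in msg.walk() if p.get_content_type() == "text/plain")
    return part.get_payload(decode=True).decode("ascii").replace("\r\n", "\n")


def digests(raw: bytes) -> dict:
    """SHA-256 of both views; gpg would see the same mismatch with its own hash."""
    return {
        "signed_octets": hashlib.sha256(signed_bytes(raw)).hexdigest(),
        "decoded_text": hashlib.sha256(decoded_text(raw).encode()).hexdigest(),
    }


if __name__ == "__main__":
    print(signed_bytes(SAMPLE).decode())
    print("---- decoded ----")
    print(decoded_text(SAMPLE))
    print(digests(SAMPLE))
```

Run it and the signed view still contains the literal `--=20` and the soft line break, while the decoded view has `-- ` and a joined line; that is exactly why gpg, given the decoded file, reports a bad signature even though the mail is fine.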
Re: port 6051: hacked?
On Fri, Sep 06, 2002 at 12:16:39PM +0200, Ramin Motakef wrote:
> Hi all,
>
> Today's nmap run shows me:
>
> Interesting ports on (xx):
> (The 59984 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 53/tcp     open        domain
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 111/tcp    open        sunrpc
> 143/tcp    open        imap2
> 199/tcp    open        smux
> 389/tcp    open        ldap
> 443/tcp    open        https
> 993/tcp    open        imaps
> 995/tcp    open        pop3s
> 3306/tcp   open        mysql
> 5432/tcp   open        postgres

Assuming that the nmap was run from the outside: Do you really need all those ports to be open? E.g. sunrpc, domain? mysql and postgres?

AFAIK both bind (tcp/domain) and nfs (tcp/sunrpc) have had their share of security problems [admittedly mostly the latter, but] ...

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: In specifications, Murphy's Law supersedes Ohm's.
Re: service enablement via mail and otp?
On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > For some time, I've been toying w/ the idea of putting together something that would allow me to trigger the starting/stopping of various services [1] via a mail message containing some kind of OTP.
>
> Recently I have seen someone posting a URL to his program which does something like that. It used GPG. I can't find the post, but I think you could find it looking for keywords like "mail execution remote" etc. I guess it was this list, but I'm not sure.

That someone could have been me: http://www.karl.jorgensen.com/smash

Note: This is not production quality (yet). I use it myself on a couple of machines and find it useful. Testers and bug reports are welcome. Eyes on the source to find security weaknesses are in high demand. Read the man-page. Caveat Emptor.

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
<SomeLamer> what's the difference between chattr and chmod?
<SomeGuru> SomeLamer: man chattr > 1; man chmod > 2; diff -u 1 2 | less
-- Seen on #linux on irc
Re: service enablement via mail and otp?
On Thu, Aug 01, 2002 at 08:09:31AM +0900, [EMAIL PROTECTED] wrote:
> Hi,
>
> From: Karl E. Jorgensen [EMAIL PROTECTED]
> Subject: Re: service enablement via mail and otp?
> Date: Wed, 31 Jul 2002 13:47:16 +0100
>
> > On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> > > On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
> > > > Hi,
> > > >
> > > > For some time, I've been toying w/ the idea of putting together something that would allow me to trigger the starting/stopping of various services [1] via a mail message containing some kind of OTP.
> > >
> > > Recently I have seen someone posting a URL to his program which does something like that. It used GPG. I can't find the post, but I think you could find it looking for keywords like "mail execution remote" etc. I guess it was this list, but I'm not sure.
> >
> > That someone could have been me: http://www.karl.jorgensen.com/smash
> >
> > Note: This is not production quality (yet). I use it myself on a couple of machines and find it useful. Testers and bug reports are welcome. Eyes on the source to find security weaknesses are in high demand. Read the man-page. Caveat Emptor.
>
> This could be nice...too nice for me perhaps (-;
>
> I've downloaded a copy and taken a quick look at the man page -- I didn't notice anything about mechanisms for dealing w/ replay attacks in the man page -- are there any?

No. I have to admit that I hadn't even thought about replay attacks :-(. I'll have to see what methods others have employed to avoid them (or think up a probably-less-secure method myself). Thinking about it: this would definitely be a good thing to add to smash.

At some point I did ask on this list for where to find QA resources and got a couple of good answers. But unfortunately I haven't yet had time to follow up on them.

> The reason I like the OTP design for my particular situation is that I don't want to carry around a PGP key [1] and I don't want to mess w/ doing some kind of round-trip-challenge-response thing via mail to deal w/ potential replay attacks.

Hm... GPG *does* have a --symmetric option, which seems to not use keys at all. Assuming a suitable method for generating (and keeping-in-sync) passphrases between your PDA and smash, do you think that would be suitable for you?

This probably implies storing/generating acceptable passphrases locally (for smash) in clear-text...

[ Almost going off-topic for this list now...]

> I'm also more comfortable w/ only allowing limited command execution -- specifically, only starting a single-session-only sshd (perhaps stopping sshd too) -- so that worst case, someone can only start sshd on a machine I'm looking after. Any plans for limiting the commands to be executed?

Not yet. But it should be reasonably simple to add extensions to check the script immediately before execution. I'd prefer to implement such extensions as separate scripts. I like that idea. One more on my TODO list.

However, I *do* have plans to allow commands to be mime-decoded and executed under a different user. This is mostly to ringfence any bugs in the mime decoding (which I suspect is not strong security-wise). This would also help to protect ~/.gnupg/* and ~/.procmailrc.

> [1] I've got OTP calculators for my PDA which I'm fine w/ carrying. Actually, what I don't want is to carry around a secret key and a corresponding device to do the encryption/signing/decryption (perhaps some day PDAs will do this comfortably). I'm not about to place a secret key of mine on someone else's machine...

Which OTP calculator (and PDA) do you use? I've got a PDA too, and this might be handy for me too...

[ This is probably OT for this list...]

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: What the scientists have in their briefcases is terrifying. -- Nikita Khruschev
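The two gaps discussed in this exchange, replay of a captured OTP mail and unrestricted command execution, are both cheap to close on the receiving side. What follows is an added example written for this page; it is not smash's code or protocol and its message format, shared secret and allow-list are constructed assumptions. The code is a HOTP-style counter OTP (the RFC 4226 truncation, with the command text fed into the MAC so a valid code cannot be re-used with the command field edited), a monotonic last-seen counter that accepts each value at most once, and a fixed allow-list of the only actions the gate will ever run.

```python
"""Replay-resistant, allow-listed command-by-mail check (added example).

Binds a HOTP-style code (RFC 4226 truncation) to a monotonic counter
*and* to the command text, accepts each counter at most once, and only
admits commands from a fixed allow-list. Constructed for illustration;
it is not smash's code or protocol.
"""
import hashlib
import hmac

ALLOWED_COMMANDS = {"start-sshd", "stop-sshd"}   # assumption: the only actions offered
LOOKAHEAD = 5        # how many lost or out-of-order mails we tolerate


def hotp(secret: bytes, counter: int, digits: int = 6, context: bytes = b"") -> str:
    """RFC 4226 HOTP; with context=b"" this is exactly the RFC algorithm.

    Feeding the command in as extra context means a code that is valid for
    "start-sshd" is useless if the command field is changed in transit.
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big") + context, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_command(secret: bytes, counter: int, command: str) -> str:
    """What the sender's OTP calculator would put in the mail body (constructed format)."""
    code = hotp(secret, counter, context=command.encode())
    return f"counter: {counter}\ncommand: {command}\notp: {code}\n"


def parse_body(body: str) -> dict:
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


class CommandGate:
    """Server side: decides whether a mail body may trigger a command."""

    def __init__(self, secret: bytes, last_counter: int = 0):
        self.secret = secret
        # In real use this must be persisted (and synced to disk) *before*
        # the command runs, or a crash re-opens the replay window.
        self.last_counter = last_counter

    def check(self, body: str) -> tuple:
        f = parse_body(body)
        try:
            counter, command, otp = int(f["counter"]), f["command"], f["otp"]
        except (KeyError, ValueError):
            return (False, "malformed request")
        if counter <= self.last_counter:
            return (False, f"replay: counter {counter} already used")
        if counter > self.last_counter + LOOKAHEAD:
            return (False, "counter too far ahead; resync required")
        if command not in ALLOWED_COMMANDS:
            return (False, "command not permitted")
        expected = hotp(self.secret, counter, context=command.encode())
        if not hmac.compare_digest(expected, otp):
            return (False, "bad otp")
        self.last_counter = counter                              # consume the counter
        return (True, command)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    gate = CommandGate(secret)
    mail = make_command(secret, 1, "start-sshd")
    print(gate.check(mail))      # accepted once
    print(gate.check(mail))      # the same mail again is a replay
```

The order of checks is deliberate: the counter is only advanced after the MAC verifies, so a forged mail with a fresh counter cannot burn that counter, and a replayed mail is refused before any cryptography runs. Because the allow-list is checked before the OTP, a legitimate sender who mistypes a command learns that the action is not offered rather than that their code was wrong.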
Re: ssh and password authentication
On Tue, Jun 25, 2002 at 03:35:19PM +0200, Florent Rougon wrote:
> Hi,
>
> I have read several times, including on this list, that password authentication with ssh does not send the password in clear text (it is sent in the encrypted tunnel). This is confirmed by the ssh(1) man page:
>
>   If other authentication methods fail, ssh prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network.
>
> But the default sshd_config in the openssh-3.0.2p1 package has a comment indicating the contrary:
>
> ,----
> | # To disable tunneled clear text passwords, change to no here!
> | PasswordAuthentication yes
> `----
>
> and according to that comment, the default setting would be insecure...

The keyword is "tunneled clear text" - i.e. it *is* clear text. But it's inside the ssh tunnel (which happens to be encrypted).

> I don't believe it, but the comment seems to be a real bug (and an upstream one, since it also appears in the .orig.tar.gz).

I agree the way it is phrased in /etc/ssh/sshd_config is slightly confusing though; perhaps a wishlist bug is in order?

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: The moon may be smaller than Earth, but it's further away.
Forum for security-review of code?
I have authored smash [1], which I hope at some point will make its way to the Debian archives. But... Security is not my speciality, and my code is bound to have bugs and security holes etc in it. So I'm keen to have other people than myself study the code and point out security flaws etc.

Can anybody suggest a suitable forum/mailing list to ask for help on this?

[1] http://www.karl.jorgensen.com/smash

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
... An rfc2324 advocate http://www.rfc.net/rfc2324.html
Re: aide and tiger sending gpg crypted files
On Fri, Jun 07, 2002 at 11:23:52AM +0900, Oohara Yuuma wrote:
> On Thu, 6 Jun 2002 20:28:24 +0200 (MEST), Thomas Schmid [EMAIL PROTECTED] wrote:
> > So, I set up my server with aide and tiger to check its integrity. The reports are mailed to root, which is redirected to another local address and to a second address on another server. My question is now: is it possible to let the mails be pgp encrypted with gnupg
>
> I don't know either aide or tiger, but if there is a cron job like
>   aide | mail
> then changing it to
>   aide | gpg -e -a | mail
> may work.

I wrote something similar to send GnuPG encrypted signed email from a shell script: http://karl.jorgensen.com/smash/

Its purpose is quite different (and not very well tested ATM) from what you want, but you may be able to use the code inside it. It works well when reading the mails it sends with mutt; haven't tried other GnuPG-enabled mail clients.

> > so I can check if the mails really are from my server and that no one intercepted and changed them?
>
> You may need a dedicated keypair for it because anyone who has a copy of your public key can encrypt a fake report, intercept the real report and replace it.

In order to send signed emails unattended, the signing key cannot have a passphrase. So I suggest using a special key just for that purpose (and not uploading it to any key servers).

HTH

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: Linux is not user-friendly. It _is_ user-friendly. It is not ignorant-friendly and idiot-friendly. -- Seen somewhere on the net
Re: Help
On Sat, May 04, 2002 at 10:53:02PM +0300, Daniel Fairhead wrote:
> Secondly, with response to the original post, I think that there is an unjustified level of paranoia by the network admin. High school children are at best going to be script kiddies. Secondly, your school should
[ snip ]
> have an ethics agreement between the children and the school (signed by parents) binding the users to a legal agreement of use. I know I would respect that, and most kids would. If they understood it. I think perhaps signed by the children as well might be an idea, because then they would have personal responsibility to the agreement, and would add a certain adult element to it which would not be there if their parents only signed it. With that in place, I'd like to see how many of your students dare try anything on your computers knowing that they can be expelled for breaching the agreement. *grins* I wouldn't!
>
> However, from the original it sounds as if C is worried about students' scripts being run on the server... could students have to explicitly ask for shell permission (which would reduce the number of people in a list of suspects in case of a problem) and then be told that they are responsible for that user. On the same note, disallowing exec on /home and on /tmp and making sh/BASH/perl/etc only able to run in interactive mode for students would solve that problem.

A note of caution: mounting a filesystem with the noexec option does *not* prevent execution of programs from that filesystem. It merely makes it slightly more cumbersome:

    $ /bin/bash /tmp/kiddie-shell-script

[ this is not limited to interpreted scripts (perl, sh, bash etc), but even ELF executables can be easily executed ]

Besides, I believe that dpkg (or was it some other essential debian program) relies on being able to execute scripts in /tmp ...

Bottom line: mounting with noexec does not provide any real security; only a minor obstacle that is easy to overcome by somebody with relatively low skill.

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Please read http://www.pantsfullofunix.net before reporting bugs in my code.
ssh keyscanning!?
A while back logcheck alerted me to the entries in my syslog:

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
20:05:37 hawking dhcpd-2.2.x: Discarding packet with invalid hlen.
20:05:43 hawking dhcpd-2.2.x: Discarding packet with invalid hlen.
20:33:52 hawking sshd[26972]: scanned from xxx.xxx.130.196 with SSH-1.0-SSH_Version_Mapper. Don't panic.
20:33:52 hawking sshd[26971]: Did not receive identification string from xxx.xxx.130.196
20:44:04 hawking dhcpd-2.2.x: Discarding packet with invalid hlen.
20:44:10 hawking dhcpd-2.2.x: Discarding packet with invalid hlen.

The (obscured) IP address is definitely from the outside (Poland, AFAICS) - definitely not somewhere I've been communicating with.

I'm not too worried about the ssh keyscan, although it has never happened to me before. The only thing is that I'm running woody, and security updates tend to percolate through here a bit later than potato.

But the dhcpd messages have not occurred before either. And taking them together, it makes me slightly uncomfortable. But I may be overly paranoid. I'm not even sure whether dhcpd was reacting to packets from my local lan or the internet.

The firewalling I have in place only allows incoming connections for ssh. UDP is locked down so only DNS works there. And by mistake (fixed now), it also allowed incoming DHCP requests from the internet.

Tripwire hasn't flagged anything up (other than stuff that I know that *I* changed).

Opinions (or even facts) welcome: Should I be worried? Is somebody studying the locks? Should I tighten things up more? How many questions can you fit in a line?

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: It took the computational power of three Commodore 64s to fly to the moon. It takes at least a 486 to run Windows 95. Something is wrong here.
Re: ssh keyscanning!?
On Thu, Mar 21, 2002 at 01:00:51PM +0100, Daniel Kobras wrote:
> On Thu, Mar 21, 2002 at 10:31:02AM +0000, Karl E. Jorgensen wrote:
> > The firewalling I have in place only allows incoming connections for ssh. UDP is locked down so only DNS works there. And by mistake (fixed now), it also allowed incoming DHCP requests from the internet.
>
> Careful here. The first DHCP request from a freshly booted machine doesn't carry a local IP address (but either 0.0.0.0 or random crap). So make sure you don't filter by IP address, but by interface at most.

Yep. My mistake was just to filter by protocol + port number, and ignoring the interface.

By now I have found that I only have dhcpd listening on eth0 (my internal network). Which means that dhcpd was completely irrelevant here. Sorry about the wild goose chase.

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
* JHM wonders what Joey did to earn "I'd just like to say, for the record, that Joey rules."
-- Seen on #Debian
Re: ssh ip address
On Tue, Feb 19, 2002 at 05:35:13PM -0300, Eduardo J. Gargiulo wrote:
> Hi all.
>
> Is there any way to obtain the IP address of a ssh client and use it on a shell script? I want to put a crontab like ssh server script but I need the IP address I'm connecting from in the shell script and the address is assigned dynamically.

$ man ssh

look for SSH_CLIENT (at least in ssh 1.2.3-9.4)

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: The only intuitive interface is the nipple. After that, it's all learned. -- Bruce Ediger, [EMAIL PROTECTED], on X interfaces
Re: Debian security being trashed in Linux Today comments
On Tue, Jan 15, 2002 at 01:52:47PM +0000, Colin Phipps wrote:
[...]
> Furthermore I think the mean is exactly the right measure of this: from the user point of view, the important figure is total exposure time, i.e. sum of time between vulnerability discovery and patch (for installed packages) for all vulns. For someone who installs every Debian package, this is equal to (# of vulnerabilities) x (mean time to patch). The former measures how well packages are audited in advance, the latter measures how quickly vulnerabilities are corrected. It's the right statistic.

Are there any stats available on the number of people who have each package installed? (I think not, but better ask). If such stats were available, then security flaws in popular packages could be weighted higher than flaws in the not-so-popular packages.

<tangent>Such numbers may also be useful for guestimating the impact of non-security related bugs... I feel a debian package coming along... (mutters as he walks off into the sunset)</tangent>

> -- 
> Colin Phipps PGP 0x689E463E http://www.netcraft.com/

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Re: SSH configuration problem
On Mon, Jan 07, 2002 at 08:00:02PM +0100, Luc MAIGNAN wrote:
> Hi,
>
> my SSH connections don't go to the 'auth.log' file, but the sshd_config seems to be good. What can happen?

Without much information to go on, I would have a stab at /etc/syslog.conf...

Do you currently have *anything* ending up in auth.log (e.g. su should be logged in here by default)?

If you have other stuff going to auth.log, then chances are that your /etc/syslog.conf is OK, but your sshd_config is somehow at fault.

Hope this helps

Best regards
-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
1. is qmail as secure as they say?
Depends on what they were saying, but most likely yes.
-- Seen on debian-devel
Re: Secure Finger Daemon
On Sun, Jan 06, 2002 at 11:45:28PM +0100, eim wrote:
> my Finger Daemon conclusion...
>
> First, Thanks for all the answers to my question. Well, so it really seems it's better to avoid using any finger daemon, security has always priority.
>
> Anyway I thought the finger daemon would be a nice feature for the .plan files, userinfo and mail info for the users of my box. Maybe running fingerd in a chrooted jail as not-root user would be a secure-like solution, got to think about it.

I'm no security expert, but... Wouldn't running fingerd in a chroot jail prevent it from accessing users' .plan files?

> Thanks again for all the replies, have a nice time...
>
> -Ivo

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Re: MTAs
On Wed, Nov 21, 2001 at 10:45:24PM +1000, Paul Haesler wrote:
> <snip>
> .
> Cc:
> [paul@marge sbin]
> 2001-11-21 22:41:42 166Vl8-00017q-00 <= [EMAIL PROTECTED] U=paul P=local S=327
> 2001-11-21 22:41:42 166Vl8-00017q-00 Unable to get root to set uid and gid for local delivery to paul: uid=1000 euid=1000
> 2001-11-21 22:41:42 166Vl8-00017q-00 Unable to get root to set uid and gid for local delivery to paul: uid=1000 euid=1000
>
> It appears there is a problem, although arguably in the implementation. Source code anyone?
>
> -- 
> Paul Haesler [EMAIL PROTECTED] ICQ: 124547085

There is some description of the setuid'ism in the exim manual - chapter 55. My quick scan of it revealed that setuid root is used for:

- setting up a listening socket on port 25 (not required when run from inetd)
- local deliveries (= writing to /var/mail ?)
- reading .forward files (NFS considerations + .forward need not be world-readable)

and I wouldn't be surprised that setuid is required for running .procmailrc's too.

Hope this helps

Cautionary note: No: I haven't read the source code.

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Re: New IIS worm
On Sun, Sep 23, 2001 at 02:08:40PM +1000, Sam Couter wrote:
> Karl E. Jorgensen [EMAIL PROTECTED] wrote:
> > Doesn't this leave you open to DOS attacks? I'm thinking that source IP addresses are relatively easy to forge, and hence an attacker can forge a nimda attack and cause you to block off legitimate IP addresses - i.e. your DNS server or default gateway...
>
> To forge a Nimda attack would require you to forge a TCP connection. That's not easy, unless the attacker is on the network path to the forged address.

Obvious, but true. I stand(/sit?) corrected.

> -- 
> Sam Couter | Internet Engineer | http://www.topic.com.au/
> [EMAIL PROTECTED] | tSA Consulting |
> OpenPGP key ID: DE89C75C, available on key servers
> OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C

-- 
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune: We don't know who it was that discovered water, but we're pretty sure that it wasn't a fish. -- Marshall McLuhan
Re: New IIS worm
Doesn't this leave you open to DOS attacks? I'm thinking that source IP addresses are relatively easy to forge, and hence an attacker can forge a Nimda attack and cause you to block off legitimate IP addresses - i.e. your DNS server or default gateway...

On Fri, Sep 21, 2001 at 10:37:58PM +0200, Johann Schwarzmeier wrote:
> Hello,
> Hint: see what I've done:
>
> /etc/apache/srm.conf:
>   Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
>   Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
>
> The CGI:
>   #!/bin/sh
>   # a CGI must emit a header and a blank line before its body
>   echo "Content-Type: text/plain"
>   echo
>   echo "You come from : ${REMOTE_ADDR}"
>   # block the calling address on the WAN chains and log the hit (-l)
>   sudo ipchains -I wan-in -j DENY -l -s "${REMOTE_ADDR}"
>   sudo ipchains -I wan-out -j DENY -l -s "${REMOTE_ADDR}"
>
> keep in mind: sudo ! /etc/sudoers:
>   ...
>   Cmnd_Alias FIREWALL=/sbin/ipchains
>   ...
>   www-data ALL=NOPASSWD: WWW,FIREWALL
>
> it works fine. The cracker comes only one time. :-)
>
> On Thursday 20 September 2001 03:48, R Allen Blowers wrote:
> > You could use the hosts.deny file for this also, no?
> >
> > Best Regards,
> > Allen
> >
> > -----Original Message-----
> > From: Emmanuel Valliet [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 8:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: New IIS worm (2001-09-18)
> >
> > Emmanuel Valliet sed :
> > | I know we don't care on linux, but I have really a lot of hits from
> > | machines querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
> > | And it starts to make a lot of Apache children, and the global charge
> > | grows consequently.
> > | Is there a way to protect from that ?
> > | Using an apache configuration trick ?
> > | Or blacklisting and using some firewall rules behind ?
> > | If anyone knows how to do, or has already done the script that kicks
> > | these infected servers, it could interest me...
> >
> > Hum, doing a script that parses the logs and catches the bad servers was
> > easy. But I didn't realize that the infection could be that big and quick.
> > Euh, can ipchains or iptables support more than 1500 deny rules? I don't
> > think so...
> > Anyway, it doesn't matter, my apache servers seem to survive the flood,
> > I'm just happy to have big CPU and lot of mem.
> >
> > Just the script, if you want to count the worm hits on your box:
> > (really not a piece of art)
> >
> >   #!/usr/bin/perl
> >   my %bannlist;
> >   while (<>) {
> >       # one Apache access-log line per iteration; skip anything that is
> >       # not a GET for cmd.exe under /scripts/
> >       next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
> >       $host = $1;
> >       next if $bannlist{$host};   # already reported this host
> >       $bannlist{$host} = 1;
> >       # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
> >       print "Worm victim: $host\n";
> >   }
> >
> > --
> > VALLIET Emmanuel ! http://www.webmotion.com
> > Webmotion Inc. ! mailto:[EMAIL PROTECTED]
> > Oxymoron: Stuck in traffic.
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

--
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
The rate at which a disease spreads through a corn field is a precise measurement of the speed of blight.

PGP signature
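Emmanuel's Perl script only matches requests under /scripts/, so the /c/ and /d/ paths that Johann aliases slip past it, and it blocks whatever address it sees. As an added example (not code from the thread), this Python version decodes each request path before matching (the worm's ..%%35c.. is a double-encoded backslash), keeps an allow-list of hosts that must never be blocked (Karl's DNS-server/gateway worry), and renders a capped list of ipchains rules instead of executing them; the log lines, addresses and chain name are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log sample (not from the thread): the encoded
# "..%%35c.." traversal, the /c/ and /d/ variants from the srm.conf Alias
# lines, a double-encoded %255c variant, a malformed line, and two benign
# requests (one of which only mentions cmd.exe in its query string).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:20:01:03 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:20:01:04 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:20:01:05 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.9 - - [18/Sep/2001:20:01:06 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
this line is not a log entry at all
192.0.2.10 - - [18/Sep/2001:20:01:07 +0200] "GET /index.html HTTP/1.0" 200 1234
192.0.2.11 - - [18/Sep/2001:20:01:08 +0200] "GET /faq.html?topic=winnt/system32/cmd.exe HTTP/1.0" 200 555
"""

# Common Log Format prefix: host, ident, user, [timestamp], "METHOD PATH ..."
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')

# What every spelling of the probe resolves to once decoded.
WORM_TARGET = "winnt/system32/cmd.exe"


def normalize_path(path):
    """Drop the query string, percent-decode until stable (the worm used
    double-encoded separators such as %%35c and %255c), then fold
    backslashes and case so all spellings of the target compare equal."""
    path = path.split("?", 1)[0]
    for _ in range(3):  # bounded: never loop forever on pathological input
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def worm_victims(lines, never_block=frozenset()):
    """Return {host: hit_count} for hosts whose request path decodes to the
    cmd.exe target.  Hosts in never_block (e.g. your own DNS server or
    default gateway, the concern raised in the thread) are never listed."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or WORM_TARGET not in normalize_path(m.group("path")):
            continue
        host = m.group("host")
        if host in never_block:
            continue
        hits[host] = hits.get(host, 0) + 1
    return hits


def deny_rules(hits, chain="input", limit=1500):
    """Render one ipchains DENY rule per offending host, heaviest hitters
    first, capped at `limit` rules (the thread worried about >1500 rules).
    Rules are returned as strings, not executed."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"/sbin/ipchains -A {chain} -p tcp -s {host} -j DENY"
            for host, _ in ranked[:limit]]


if __name__ == "__main__":
    # 192.0.2.1 stands in for a gateway address that must never be blocked
    victims = worm_victims(SAMPLE_LOG.splitlines(), never_block={"192.0.2.1"})
    for host, count in sorted(victims.items()):
        print(f"Worm victim: {host} ({count} hits)")
    for rule in deny_rules(victims, limit=10):
        print(rule)
```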
Re: Running root commands by http
On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote:
> Hi,
>
> I want to get some opinions on doing this:
>
> Making it possible for someone to create unix users by an http method (from an http browser).
> Making it possible for someone to restart a daemon under the identity of root from http.
>
> I think about some methods: Running a cgi or system() under php +
>   - use super to run the program
>   - making the programs needed setuid root (bhh)
>   - Sending a mail to the root containing special headers. A cron will inspect the root mailbox and execute commands as root, or a procmailrc?
>   - Another idea more secure??

Sounds like you're getting into doing normal remote admin of a box. But why over HTTP?

If you have network connectivity to it, ssh should do the job (ssh in as yourself and su/sudo to root?).

If you can get to it via HTTP (e.g. you're behind some company firewall?), then httptunnel might help. YMMV. But if you can get SSH over HTTP running, you should be able to use all the existing tools. Better than writing new tools from scratch...

Failing everything else, you *could* use the email method. I guess that some (big?) procmail recipe should be able to call a script that:
- de-crypts the mail and verifies that it is *your* signature (you weren't going to do things in plaintext, were you?)
- executes any command
- sends stdout/stderr back (encrypted again of course).

But doing this for interactive commands would be difficult...

<tangent>TCP/IP over email anyone?</tangent>

--
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh

PGP signature
Re: Security in general
On Tue, May 29, 2001 at 10:50:07AM +0200, kjfsgjks ksjgkfhfd wrote:
> Hi,

kjfsgjks: You probably have a real name. Why not use it?

> I have a question which has been bothering me all along, with windows / linux / *bsd / etc. In this case, it's about Debian so I thought I'd post my question here.
>
> Right now I have a linux-box (Debian 2.2r2) doing my masquerading/firewalling. It has a dynamic ip (and changes quite often, like 3 times a day). It runs all the latest patches, no services except for sshd (for internal hosts) and identd (which is open for external connects. yeah I know I shouldn't, but I need it). I have a firewall set up (ipchains in this case), which blocks just about anything incoming, except for the high ports (for ftp) and identd.

Are your users using passive mode FTP? If so, then you can block off the high port numbers too.

Just my 2p worth

> ...snip...
>
> Tubby

--
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
Facts are stubborn, but statistics are more pliable.

PGP signature
What is port 500?
Recently, logcheck alerted me to the following in my logs (sorry about the long lines):

May 17 17:06:48 localhost pppd[789]: pppd 2.4.1 started by karl, uid 1000
May 17 17:07:14 localhost pppd[789]: Connect: ppp0 -- /dev/modem
May 17 17:07:14 localhost pppd[789]: Serial connection established.
May 17 17:07:14 localhost pppd[789]: Using interface ppp0
May 17 17:07:16 localhost pppd[789]: local IP address 212.1.137.43
May 17 17:07:16 localhost pppd[789]: remote IP address 212.1.128.28
May 17 17:07:40 localhost kernel: Packet log: input REJECT ppp0 PROTO=17 194.7.187.90:500 212.1.137.43:500 L=104 S=0x00 I=12390 F=0x T=50 (#29)
May 17 17:07:56 localhost kernel: Packet log: input REJECT ppp0 PROTO=17 194.7.187.90:500 212.1.137.43:500 L=104 S=0x00 I=12391 F=0x T=50 (#29)
May 17 17:08:12 localhost kernel: Packet log: input REJECT ppp0 PROTO=17 194.7.187.90:500 212.1.137.43:500 L=104 S=0x00 I=12394 F=0x T=50 (#29)
May 17 17:08:30 localhost kernel: Packet log: input REJECT ppp0 PROTO=17 194.7.187.90:500 212.1.137.43:500 L=104 S=0x00 I=12395 F=0x T=50 (#29)
May 17 17:08:46 localhost kernel: Packet log: input REJECT ppp0 PROTO=17 194.7.187.90:500 212.1.137.43:500 L=104 S=0x00 I=12404 F=0x T=50 (#29)
May 17 17:08:46 localhost kernel: Packet log: input REJECT ppp0 PROTO=17 194.7.187.90:500 212.1.137.43:500 L=96 S=0x00 I=12403 F=0x T=50 (#29)

But I am at a loss as to what port 500/udp is. By the timings (starting 30 seconds after connecting to my ISP), it actually looks like my ISP is trying to send those packets to me (the source IP is the other endpoint of my ppp connection).

Any ideas out there? Where can I find an authoritative list of port numbers?

--
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
Always draw your curves, then plot your reading.

PGP signature
Re: sshd port config and security
On Fri, Apr 06, 2001 at 11:57:51PM -0500, Vinh Truong wrote:
> * Karl E. Jorgensen [EMAIL PROTECTED] [010406 15:23]:
> > Sounds like you need to talk to your firewall administrator. If you trust him that is... How can you be sure that he's not snooping on the passing telnet traffic?
>
> hmm, i thought that ssh encrypted traffic between server and client? wouldn't that defeat his snooping, assuming he is?

Yep. Ssh does. But telnet doesn't. And it *does* look a bit suspicious if your firewall administrator tries to encourage telnet and block ssh...

--
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
There is no opinion so absurd that some philosopher will not express it. -- Marcus Tullius Cicero, "Ad familiares"

PGP signature
Re: Ports to block?
On Fri, Apr 06, 2001 at 10:39:47AM -0700, Eric N. Valor wrote:
> <snip>
> Well, most folks like to connect to the Web, so port 80 is a must for that (it's 2-way on the same port). 53 is required only if you're running BIND

Is that true? I only block *incoming* port 80, but I'm still able to surf the web. Remember that when your browser talks to the web server, it will be using a normal (i.e. > 1023) port locally, not port 80.

> so other servers can make information requests. But I warned about SSH because unless you're checking logs or have some other reporting system it's a way for someone to brute-force into your system. I've seen way too many bad username/password combinations and quite a lack of vigilance to not put up a warning. Also, there was an exploit put out on BugTraq a

If you set "PasswordAuthentication no" in /etc/ssh/sshd_config, then even brute-force hacking of passwords will fail.

> while ago regarding SSH-1. I use ssh on my external systems, but only where the security requirement is medium-low. Even then I make it a point to keep my eye on the logs. And an IDS isn't a bad idea, either.

--
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
I have hardly ever known a mathematician who was capable of reasoning. -- Plato

PGP signature
Re: sshd port config and security
On Fri, Apr 06, 2001 at 10:31:27AM -0500, Vinh Truong wrote:
> I have sshd set up on my machine at home. Instead of the default port 22, I uninstalled telnetd and run sshd on 23. I do this mostly because I want to ssh into my machine from work where they don't open port 22 on the firewall. They do however allow telnet to the outside. I have

Sounds like you need to talk to your firewall administrator. If you trust him that is... How can you be sure that he's not snooping on the passing telnet traffic?

Perhaps running telnet-ssl might be an idea; but ssh is just so much better anyway...

> commented out everything in inetd.conf, set up hosts.allow / hosts.deny so that only specific ips can connect. I made sure using netstat -an that only port 23 was open. I set up my hardware firewall to block all requests except for ones coming on 23. For those, it is redirecting to my debian machine. I configured sshd to allow only RSA key authentication and disabled root login. I also increased the host key size to 1024.

Perhaps "PasswordAuthentication no" on sshd?

--
Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com
Today's fortune:
Try to remove the color-problem by restarting your computer several times. -- Microsoft-Internet Explorer README.TXT

PGP signature