Re: Logjam mitigation for Wheezy?

2015-06-02 Thread mario sergio kirdeika junior
Hi folks,

Sorry for my poor English.

All Linux users must read  https://weakdh.org/...

Everyone must use ECDH ciphers, with the Diffie-Hellman key exchange method, only on
TLS 1.2, on all cryptographic connections...

The site above contains all the explanations.

The great secret is to use Diffie-Hellman with at least 2048 bits. All
lower grades are suspected to be breakable by some government, because of the
export laws on low-grade ciphers in the '90s.

Obviously... apply all security patches to your systems..
On 02/06/2015 11:33, Michael Stone mst...@debian.org wrote:

 On Tue, Jun 02, 2015 at 02:01:47PM +, Thorsten Glaser wrote:

 Michael Stone mstone at debian.org writes:

 You can mitigate it right now by reconfiguring your server to remove DH
 ciphers from SSLCipherSuite.


 That’s throwing the baby out with the bathwater and removing the
 ability to use PFS with clients that do not use ECC, for whatever
 reason (any discussion of these reasons is off-topic). So, no. Bad
 advice, actually, which should not be given.


 That's really something you need to evaluate for yourself. If you've got a
 reason not to use ECDH and still want PFS then you'll have to do something
 else. If you're happy to use ECDH and don't care about clients that can't
 support that, then turning off DH could be a reasonable mitigation. From a
 practical risk management perspective, even in the face of a threat model
 that involves attacking crypto, I'd be more worried about the
 vulnerabilities of something that's so old that it doesn't do ECDH than I'd
 be about any quibbles over DH vs RSA. If your concern is simply about the
 security of ECDH then this goes back to evaluating it for yourself. Hopefully
 someone considers all the pros and cons of whatever crypto configuration
 they're using.

 Mike Stone


 --
 To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact
 listmas...@lists.debian.org
 Archive:
 https://lists.debian.org/c65bb9cc-0930-11e5-9b6a-00163eeb5...@msgid.mathom.us
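The trade-off Michael Stone and Thorsten Glaser argue over above (drop DHE from SSLCipherSuite, or keep it for PFS with non-ECC clients and move to 2048-bit parameters as weakdh.org recommends) is easier to judge when you can see exactly which suites a cipher string enables. The script below is an added example, not code from the thread or from Debian: it groups the suites of an Apache-style cipher string by key exchange using the openssl command-line tool, and reports the prime size of a DH parameter file. It assumes openssl(1) is installed; the cipher lists are constructed and the dhparams.pem path is a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread: audit what a cipher string enables,
# grouped by key exchange, before deciding whether to drop DHE or keep it
# with 2048-bit parameters. Assumes the openssl(1) CLI; the cipher lists
# below are constructed for illustration.

# Names of the ciphers in list $1 whose key exchange is $2:
#   DH = ephemeral DHE (the Logjam-relevant family), ECDH = ECDHE,
#   RSA = RSA key transport (no forward secrecy).
# `openssl ciphers -v` prints one suite per line: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
# TLS 1.3 suites (OpenSSL 1.1.1+) show Kx=any and are simply not counted.
ciphers_with_kx() {
    openssl ciphers -v "$1" 2>/dev/null | awk -v want="Kx=$2" '$3 == want { print $1 }'
}

# How many suites of list $1 use key exchange $2.
count_kx() {
    ciphers_with_kx "$1" "$2" | awk 'END { print NR }'
}

# One-screen summary: PFS via ECDHE, PFS via DHE, and suites with no PFS at all.
audit_cipher_list() {
    printf 'list   : %s\n' "$1"
    printf 'ECDHE  : %s\n' "$(count_kx "$1" ECDH)"
    printf 'DHE    : %s\n' "$(count_kx "$1" DH)"
    printf 'RSA kx : %s  (no forward secrecy)\n' "$(count_kx "$1" RSA)"
}

# Prime size in bits of a PEM DH parameter file (as written by
# `openssl dhparam -out dhparams.pem 2048`); prints 0 if it cannot be read.
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | grep . || echo 0
}

# 0 if parameter file $1 is at least 2048 bits, 1 otherwise.
dhparam_ok() {
    [ "$(dhparam_bits "$1")" -ge 2048 ]
}

# Constructed demonstration: the same list with and without DHE.
WITH_DHE='ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA'
NO_DHE="$WITH_DHE:!DH:!EDH"
audit_cipher_list "$WITH_DHE"
audit_cipher_list "$NO_DHE"
# dhparam_ok /etc/apache2/dhparams.pem    # placeholder path; run against a real file
```

Running it shows the cost of the "remove DH" mitigation in one line: the D HE count drops to zero while ECDHE stays, so any client that cannot do ECDHE falls back to the RSA-key-transport suites and loses forward secrecy. If that is not acceptable, keep DHE and make dhparam_ok pass on the parameter file the server actually loads.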




Re: [SECURITY] [DSA 2403-1] php5 security update

2012-02-03 Thread Mario Antonio
Do you think that there will be a fix for Lenny even though Lenny will
be ending its life this weekend?


M.A.

On 2/2/2012 4:29 PM, Thijs Kinkhorst wrote:

------------------------------------------------------------------------
Debian Security Advisory DSA-2403-1   secur...@debian.org
http://www.debian.org/security/   Thijs Kinkhorst
February 02, 2012  http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: php5
Vulnerability  : code injection
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-0830

Stefan Esser discovered that the implementation of the max_input_vars
configuration variable in a recent PHP security update was flawed such
that it allows remote attackers to crash PHP or potentially execute
code.

For the oldstable distribution (lenny), no fix is available at this time.

For the stable distribution (squeeze), this problem has been fixed in
version 5.3.3-7+squeeze7.

The testing distribution (wheezy) and unstable distribution (sid)
will be fixed soon.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org








Re: [SECURITY] [DSA 1601-1] New wordpress packages fix several vulnerabilities

2008-07-04 Thread Mario Latronico
On Fri, Jul 4, 2008 at 9:16 AM, Thijs Kinkhorst [EMAIL PROTECTED] wrote:
 ------------------------------------------------------------------------
 Debian Security Advisory DSA-1601-1  [EMAIL PROTECTED]
 http://www.debian.org/security/  Thijs Kinkhorst
 July 04, 2008 http://www.debian.org/security/faq
 ------------------------------------------------------------------------

 Package: wordpress
 Vulnerability  : several
 Problem type   : remote
 Debian-specific: no
 CVE Id(s)  : CVE-2007-1599 CVE-2008-0664
 Debian Bug : 437085 464170

 Several remote vulnerabilities have been discovered in Wordpress,
 the weblog manager. The Common Vulnerabilities and Exposures project
 identifies the following problems:

 CVE-2007-1599

WordPress allows remote attackers to redirect authenticated users
to other websites and potentially obtain sensitive information.

 CVE-2008-0664

The XML-RPC implementation, when registration is enabled, allows
remote attackers to edit posts of other blog users.

 For the stable distribution (etch), these problems have been fixed in
 version 2.0.10-1etch3.

 For the unstable distribution (sid), these problems have been fixed in
 version 2.3.3-1.

 We recommend that you upgrade your wordpress package.

 Upgrade instructions
 --------------------

 wget <url>
will fetch the file for you
 dpkg -i <file.deb>
will install the referenced file.

 If you are using the apt-get package manager, use the line for
 sources.list as given below:

 apt-get update
will update the internal database
 apt-get upgrade
will install corrected packages

 You may use an automated update by adding the resources from the
 footer to the proper configuration.


 Debian GNU/Linux 4.0 alias etch
 -------------------------------

 Source archives:

   http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
     Size/MD5 checksum:   520314 e9d5373b3c6413791f864d56b473dd54
   http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.dsc
     Size/MD5 checksum:      891 d925a63731976b72ad35e4c1805623bf
   http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.diff.gz
     Size/MD5 checksum:    46073 486916bd4fc6463181eaba84fdc2db31

 Architecture independent packages:

   http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3_all.deb
     Size/MD5 checksum:   527158 280ba949f5c38079d2209a468697fb00


  These files will probably be moved into the stable distribution on
  its next update.

 ------------------------------------------------------------------------
 For apt-get: deb http://security.debian.org/ stable/updates main
 For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
 Mailing list: [EMAIL PROTECTED]
 Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>









Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.

2008-05-15 Thread Mario 'BitKoenig' Holbe
Mario 'BitKoenig' Holbe [EMAIL PROTECTED] wrote:
 ssh-dss.c:ssh_dss_sign() calls openssh's DSA_do_sign() which finally
 ^
openssl's, of course.


regards
   Mario
-- 
The social dynamics of the net are a direct consequence of the fact that
nobody has yet developed a Remote Strangulation Protocol.  -- Larry Wall





Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.

2008-05-15 Thread Mario 'BitKoenig' Holbe
On Thu, May 15, 2008 at 10:37:37AM +1000, Andrew McGlashan wrote:
 Okay, if we updated (on stable):
 openssl_0.9.8c-4etch3_i386.deb
 libssl0.9.8_0.9.8c-4etch3_i386.deb
 Then re-generated all keys and certificates.

Then you are fine.

 Later we get these updates:
 openssh-server_1%3a4.3p2-9etch1_i386.deb
 openssh-client_1%3a4.3p2-9etch1_i386.deb
 So, do we need to re-generate keys and certs again now or will they be fine?

You don't need to re-generate keys again. The problem was in the libssl
package and was solved with libssl0.9.8_0.9.8c-4etch3_i386.deb. So, the
keys you generated after the libssl0.9.8 update are fine.

All the updated openssh packages do regarding this issue is try to
ensure you don't use weak keys in the future (i.e. harden dependencies,
regenerate known-weak host keys and refuse known-weak keys for
authentication).

The way you have chosen was absolutely correct.


regards
   Mario
-- 
Computer games don't affect kids; I mean if Pac-Man affected us as kids,
we'd all be running around in darkened rooms, munching magic pills and
listening to repetitive electronic music.
  -- Kristian Wilson, Nintendo Inc, 1989




Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.

2008-05-14 Thread Mario 'BitKoenig' Holbe
Kurt Roeckx [EMAIL PROTECTED] wrote:
 So my question is, does either the ssh client or server use openssl to
 generate the random number used to sign?

Yes, they both do.
ssh-dss.c:ssh_dss_sign() calls openssh's DSA_do_sign() which finally
goes down to ssleay_rand_add() (via dsa_sign_setup()->BN_rand_range()->
RAND_add()->RAND_SSLeay()).
And ssh_dss_sign(), in turn, is used via key_sign() in the ssh server
as well as the client.


regards
   Mario
-- 
The secret that the NSA could read the Iranian secrets was more
important than any specific Iranian secrets that the NSA could
read.   -- Bruce Schneier





Mass update deployment strategy

2006-11-27 Thread mario
Hello List,

I am responsible for 10 (Ubuntu and Debian) installations so far.
I have installed apticron, which informs me about updates frequently.
Actually, it's so often that I sometimes need to invest 1h a day just
doing updates.

Do you have a strategy or anything to automate this task a little more?
The server farm is growing and I might have to look after 20 or 30
installations soon. I can already see myself updating Ubuntu/Debian
installations all day long :(.

My installations are most of the time small firewalls and samba servers.

Any comments or field reports about this?

Thanks, Mario





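Mario's question is about cutting the time spent chasing updates over 10 to 30 machines. The script below is an added example, not from the list and not Debian's code: it pulls the output of `apt-get -s upgrade` from each host over ssh and counts how many pending upgrades come from the security archive, so the fleet can be triaged from one place and the hour goes to the boxes that need it. For machines where unattended installation is acceptable, Debian's unattended-upgrades package does the installing; apticron, which Mario already runs, only reports. The script assumes ssh key access as a user allowed to run apt-get update (root, or via sudo); the host names and the sample apt-get output are constructed.

```sh
#!/bin/sh
# Added example, not from the list: triage pending upgrades across a fleet
# from one place. Assumes ssh key access to each host as a user allowed to
# run apt-get update; host names and the sample output are constructed.

HOSTS=${HOSTS:-"fw1.example.invalid samba1.example.invalid"}   # placeholders

# Read `apt-get -s upgrade` output on stdin and print "TOTAL SECURITY":
# packages that would be upgraded, and how many of those come from the
# security archive. Simulation lines look like
#   Inst openssl [1.0.1e-2] (1.0.1e-3 Debian-Security:7.8/oldstable [amd64])
#   Inst openssl [1.0.1-4] (1.0.1-4ubuntu1 Ubuntu:12.04/precise-security [amd64])
pending_counts() {
    awk '/^Inst / { total++; if ($0 ~ /Debian-Security|Ubuntu:[^ ]*-security/) sec++ }
         END { printf "%d %d\n", total, sec }'
}

# Package names the simulation would upgrade, one per line.
pending_packages() {
    awk '/^Inst / { print $2 }'
}

# Query one host; prints "HOST TOTAL SECURITY", or "HOST UNREACHABLE" when
# ssh fails, so a dead box shows up instead of silently looking patched.
check_host() {
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" \
              'apt-get -qq update >/dev/null 2>&1; apt-get -s upgrade' 2>/dev/null) ||
        { echo "$1 UNREACHABLE"; return 0; }
    echo "$1 $(printf '%s\n' "$out" | pending_counts)"
}

# Constructed sample of what apt-get -s upgrade prints on a host with two
# security updates and one ordinary update pending (versions are made up).
SAMPLE='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl1.0.0 openssl samba
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.0.0 [1.0.1e-2] (1.0.1e-3 Debian-Security:7.8/oldstable [amd64])
Inst openssl [1.0.1e-2] (1.0.1e-3 Debian-Security:7.8/oldstable [amd64])
Inst samba [2:3.6.6-6] (2:3.6.6-7 Debian:7.8/oldstable [amd64])
Conf libssl1.0.0 (1.0.1e-3 Debian-Security:7.8/oldstable [amd64])
Conf openssl (1.0.1e-3 Debian-Security:7.8/oldstable [amd64])
Conf samba (2:3.6.6-7 Debian:7.8/oldstable [amd64])'

printf '%s\n' "$SAMPLE" | pending_counts      # prints: 3 2
printf '%s\n' "$SAMPLE" | pending_packages
# The real sweep over the fleet runs only when asked for explicitly.
if [ "${1:-}" = fleet ]; then
    for h in $HOSTS; do check_host "$h"; done
fi
```

Run it as `./fleet-updates.sh fleet` from cron and mail yourself the output; a host reporting "0 0" needs no visit, one reporting a non-zero second number is where the security updates are waiting.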



Mario Specht is out of the office.

2006-11-19 Thread Mario . Specht

I will be out of the office from 17.11.2006. I will return on
20.11.2006.

For questions, please contact my colleague Frau Holzwarth at +49
721 / 4905 4240.



Mario Specht is out of the office.

2006-10-23 Thread Mario . Specht

I will be out of the office from 23.10.2006. I will return on
24.10.2006.

For questions, please contact my colleague Frau Holzwarth at +49
721 / 4905 4240.



Re: harden-doc: chapter 4.8 Restricting system reboots through the console

2006-09-17 Thread Mario Fux
On Saturday, 16 September 2006 23:09, Hans wrote:

Good morning

 in inittab

 # What to do when CTRL-ALT-DEL is pressed.
 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

 change
 /sbin/shutdown -t1 -a -r now
 for /bin/false
 or anything else you want to happen with ctrl-alt-delete

Yes, I know. I seem to have been imprecise. In harden-doc it is written that when the -a
option is included, only users in /etc/shutdown.allow are allowed to shut down
or reboot the system by pressing ctrl-alt-delete.

I have no /etc/shutdown.allow at all, but I think the entry in harden-doc is
wrong.

This may be the wrong list.

griits
Mario





harden-doc: chapter 4.8 Restricting system reboots through the console

2006-09-16 Thread Mario Fux
Good morning

I don't know if this is the right list; please redirect me to the correct one
if I'm wrong.

ATM I'm trying to secure my system, and so I use harden-doc as well. I tried the
things in chapter 4.8, but it doesn't work. Even when the -a option is
in /etc/inittab, a normal user can reboot the system, before and after a
login.

thx
Mario





Re: harden-doc: chapter 4.8 Restricting system reboots through the console

2006-09-16 Thread Mario Fux
On Saturday, 16 September 2006 21:36, James Stevenson wrote:

Good morning

 In which way are they able to reboot the system ?

By pressing Alt+Ctrl+Del

griits
Mario


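What Mario ran into in the harden-doc chapter 4.8 thread above is documented behaviour: shutdown(8) says that with -a it checks whether /etc/shutdown.allow is present and, only then, requires one of the listed users or root to be logged in on a virtual console before proceeding. Without the file there is no restriction at all, and even with it, a root login on any virtual console lets whoever is at the keyboard reboot the box. The script below is an added example, not from the thread or from harden-doc: it reads the ctrlaltdel entry out of an inittab and classifies what Ctrl-Alt-Del can do, given the inittab and allow-file paths, so the check runs on constructed copies rather than the live files.

```sh
#!/bin/sh
# Added example, not from the thread or harden-doc: audit the Ctrl-Alt-Del
# handling of a sysvinit system. Paths are parameters so the functions run
# on constructed copies of /etc/inittab and /etc/shutdown.allow.

# Command field of the ctrlaltdel entry in inittab $1 (empty if none).
# inittab lines are  id:runlevels:action:process ; comments start with '#'.
ctrlaltdel_cmd() {
    awk -F: '$1 !~ /^#/ && $3 == "ctrlaltdel" {
                 sub(/^[^:]*:[^:]*:[^:]*:/, ""); print; exit }' "$1"
}

# Classify what pressing Ctrl-Alt-Del at the console can do:
#   disabled     - no entry, or a no-op such as /bin/false
#   restricted   - shutdown -a together with a non-empty allow file $2
#   unrestricted - anything else, including -a with no allow file, which is
#                  Mario's case: shutdown(8) only consults the file if it exists
ctrlaltdel_policy() {
    cmd=$(ctrlaltdel_cmd "$1")
    case "$cmd" in
        ''|/bin/false*|/bin/true*) echo disabled; return 0 ;;
    esac
    case " $cmd " in
        *" -a "*)
            if [ -s "$2" ]; then echo restricted; else echo unrestricted; fi ;;
        *)  echo unrestricted ;;
    esac
}

# Users the allow file $1 would admit (root is admitted regardless).
allowed_users() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep .
}

# Constructed demonstration.
demo=$(mktemp -d)
cat > "$demo/inittab" <<'EOF'
# /etc/inittab (constructed excerpt)
id:2:initdefault:
# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
EOF
echo "entry      : $(ctrlaltdel_cmd "$demo/inittab")"
echo "no file    : $(ctrlaltdel_policy "$demo/inittab" "$demo/shutdown.allow")"   # unrestricted
printf 'alice\n' > "$demo/shutdown.allow"
echo "with file  : $(ctrlaltdel_policy "$demo/inittab" "$demo/shutdown.allow")"   # restricted
echo "admitted   : $(allowed_users "$demo/shutdown.allow")"
rm -rf "$demo"
```

On a real system call `ctrlaltdel_policy /etc/inittab /etc/shutdown.allow`; "unrestricted" on a box with -a in inittab means the allow file is missing or empty, which is exactly the state in which harden-doc's description does not hold. Hans's alternative, pointing the entry at /bin/false, shows up as "disabled".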



Mario Specht is out of the office.

2006-08-27 Thread Mario . Specht

I will be out of the office from 25.08.2006. I will return on
15.09.2006.

For questions, please contact my colleague Frau Holzwarth at +49
721 / 4905 4240.



sendmail-bin: uninstallable due to unavailable libsasl2 (>= 2.1.19.dfsg1)

2006-08-24 Thread Mario 'BitKoenig' Holbe
Package: sendmail-bin
Version: 8.13.4-3sarge2
Severity: grave
Tags: sarge, security

Hello,

the just released security fix package 8.13.4-3sarge2 does not install
on sarge, because it depends on libsasl2 (>= 2.1.19.dfsg1) while on
sarge only libsasl2 (2.1.19-1.5sarge1) is available.

Package: sendmail-bin
Version: 8.13.4-3sarge2
Depends: ..., libsasl2 (>= 2.1.19.dfsg1), ...

Package: libsasl2
Version: 2.1.19-1.5sarge1

I'm not sure where this bug is best off, so I'm CC:ing
debian-security@lists.debian.org as hinted in the Security Advisory.


regards
   Mario
-- 
Users are like ideal gases: they spread evenly over all disks.




Mario Specht is out of the office.

2006-02-27 Thread Mario . Specht

I will be out of the office from 27.02.2006. I will return on
28.02.2006.

For questions, please contact my colleague Frau Holzwarth at +49
721 / 4905 4240.



Re: encrypt harddrive without passphrase/userinput

2006-02-26 Thread Mario Ohnewald
Hi Horst

On Sun, 2006-02-26 at 22:23 +0100, Horst Pflugstaedt wrote:
 On Sun, Feb 26, 2006 at 10:11:44PM +0100, Mario Ohnewald wrote:
  Hello security list!
  
  I would like to secure the harddrive/partitions of a Linux box.
  
  The whole setup must fulfill the following requirements:
  
  a) it must be able to boot (remotely) without user input/passphrase
  b) the important partitions such as /etc, /var, /usr and /home must be
  encrypted/protected.
 
 I just ask myself why you bother encrypting a filesystem that will be
 accessible to anyone having access to the machine since it boots without
 password?
It boots with grub and pam/unix password.

 
  Is this even possible? Is there a way?
 
 Is it something you'd really want? Encrypting a filesystem is a
 protection against someone having physical access to the machine or the
 harddrive. If the machine (the disk in another machine) boots without
 password, you might as well _not_ encrypt it.
That's the point.
In my case I cannot protect the Linux box or lock it away 100%
securely.

I need to secure the box in some way without having physical
protection.

Someone should be able to steal the whole server or hard drives, but
still not be able to read them.

Maybe we could narrow the actual problem down to where this scenario
actually fails or where the problems are?!

Maybe someone has some cool ideas, too.

Cheers, Mario





Re: encrypt harddrive without passphrase/userinput

2006-02-26 Thread Mario Ohnewald
On Sun, 2006-02-26 at 14:13 -0800, Stephan Wehner wrote:
 Who is going to be booting this machine??
It's a server. It is supposed to be online all the time.
Once turned on it will run till someone reboots it remotely or due to
power failure or something alike.

The whole scenario can be pictured like this:

Put your server in a corner of a street and secure it. In case someone
hits the reset button it needs to be able to boot automatically without
user input.

In a nutshell: secure it without physical security and user input.

I guess it can't be done?! :(
Not the usual way...






Re: suid

2004-04-17 Thread Mario Ohnewald
On Saturday 17 April 2004 01:33, Bernd Eckenfels wrote:
 In article [EMAIL PROTECTED] you wrote:
  -rwsr-xr-x 1 root root 22460 Oct  1  2001 /usr/bin/crontab
 
  yes, because only in this condition can a normal user set crontab rules.

 this depends on the cron used. The cron in question needs to restrict the
 access to the spool directory because it is shared. One could change the
 owner of the crontab file, but then it is hard to atomically replace the
 file without write access to the spool dir. The best solution is to have
 the crontab in a user owned directory.

That sounds good!


 It is not a good idea to change this without having a close look at the
 cron code in question. It might be much better to use another cron flavor.

What are the secure alternatives?


Thanks, Mario







suid

2004-04-16 Thread Mario Ohnewald
Hello!
Everybody knows that files with the suid bit set can be dangerous.
Well, I was asking myself today why exactly Linux uses suid-bit files?!
Could someone please explain that to me?

Example:
~$ ls -lah /var/spool/cron/crontabs/user
-rw------- 1 root user 408 Apr 16

Ok, the suid bit is set for the crontab binary because you have to edit the root
owned file.
But why is it owned by root in the first place?


Cheers, Mario


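Bernd's reply explains why crontab in particular carries the setuid bit (a shared spool directory that must stay unwritable to users). The wider question Mario asks, why a given binary is set-id and whether it has to be, is best answered from an inventory. The script below is an added example, not from the thread: it lists set-id files and separates the ones a Debian package installed from unpackaged ones, which are the short list to review first. It assumes dpkg -S for the package lookup (on a non-Debian host everything shows as UNPACKAGED); the demonstration uses a constructed directory instead of /. When you decide a packaged binary should lose its bit, make the change with dpkg-statoverride rather than plain chmod, so it survives the next upgrade of the package.

```sh
#!/bin/sh
# Added example, not from the thread: inventory set-id binaries and sort
# them into packaged and unpackaged ones. Assumes dpkg -S for the package
# lookup (elsewhere everything reports as UNPACKAGED); the demonstration
# below uses a constructed directory instead of /.

# 0 if an ls -l mode string such as -rwsr-xr-x has the setuid bit
# ('s' = setuid plus execute, 'S' = setuid without execute, still set).
mode_is_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Same for the setgid bit, which sits in the group-execute slot.
mode_is_setgid() {
    case "$1" in
        ??????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Regular files under $1 (same filesystem only) with setuid or setgid set.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# "PACKAGE path" for files dpkg knows, "UNPACKAGED path" for the rest; the
# latter (local builds, leftovers of removed software) are the ones to look
# at first when asking why a binary is set-id at all.
report_setid() {
    find_setid_files "$1" | while IFS= read -r f; do
        if pkg=$(dpkg -S "$f" 2>/dev/null); then
            printf '%s %s\n' "${pkg%%:*}" "$f"
        else
            printf 'UNPACKAGED %s\n' "$f"
        fi
    done
}

# Constructed demonstration: three files, one setuid, one setgid, one plain.
demo=$(mktemp -d)
: > "$demo/plain"; : > "$demo/suid"; : > "$demo/sgid"
chmod 755 "$demo/plain"; chmod 4755 "$demo/suid"; chmod 2755 "$demo/sgid"
echo "set-id files under $demo:"
report_setid "$demo"              # both show as UNPACKAGED, naturally
rm -rf "$demo"
# On a real host:  report_setid /
```

A sensible routine is to store one report per host, diff it against the previous run from cron, and treat any new UNPACKAGED line as something to explain before the day is out.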





Tripwire email

2004-04-13 Thread Mario Ohnewald
Hello list!

This is a part of my tripwire config file:

#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
  rulename = "Critical system boot files",
  emailto = "[EMAIL PROTECTED]", severity = $(SIG_HI)
)
{
  /boot         -> $(SEC_CRIT) ;
  /lib/modules  -> $(SEC_CRIT) ;
}



Well, if I run tripwire -m c and this rule is being broken, then it should
send me out an email to emailto = "[EMAIL PROTECTED]", right?
Or am I wrong here?


Cheers, Mario

p.s. Hi Mic :D



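The detail Mario's question turns on is that an emailto recipient in the policy only receives anything when the check is run with the email-report switch: `tripwire -m c` on its own writes the report file, and `-M` (`--email-report`) is what sends each violated rule's recipients their part of it. The script below is an added example, not from the thread: a small policy check that extracts the emailto recipients of a policy file, plus the cron-friendly invocation that actually mails. It assumes Open Source Tripwire 2.x's --check and --email-report switches; the policy text and addresses are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: cron wrapper and policy check for
# Open Source Tripwire 2.x. Assumes tripwire's --check and --email-report
# (-m c and -M) switches; the policy text and addresses below are constructed.

# Addresses named in emailto = "..." lines of policy file $1, one per line.
# Tripwire lets one line carry several addresses separated by ';'.
policy_emailto() {
    sed -n 's/.*emailto[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep .
}

# 0 if policy file $1 names at least one recipient, else 1.
policy_has_recipient() {
    policy_emailto "$1" >/dev/null
}

# The check that actually mails. Not run here (it needs the installed
# database and key); wire it into cron, e.g.
#   15 3 * * *  root  /usr/local/sbin/tripwire-nightly
tripwire_check_and_mail() {
    tripwire --check --email-report
}

# Constructed demonstration on a copy of the rule from the message above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
(
  rulename = "Critical system boot files",
  emailto = "root@localhost; secops@example.invalid", severity = $(SIG_HI)
)
{
  /boot         -> $(SEC_CRIT) ;
  /lib/modules  -> $(SEC_CRIT) ;
}
EOF
policy_emailto "$demo"                          # root@localhost, secops@example.invalid
policy_has_recipient "$demo" && echo "rule has a recipient"
rm -f "$demo"
```

Running policy_emailto over the real policy file before the first scheduled check catches the other silent failure mode: a rule that was never given a recipient at all.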





bsign

2004-02-17 Thread Mario Ohnewald
Hello!
Is there a bsign howto out there or any more info than the manpage?

The problem I am stuck with at the moment is:


bsign --sign -i / -e /proc -I -s --P --homedir keydir

Enter pass phrase:
bsign: incorrect passphrase or gpg not installed


I never set a passphrase, I think. Anyway, a dpkg -P bsign and a reinstall
did not help.
How can I set a passphrase? And no, it's not an empty one :P

gnupg is installed.


Cheers, Mario




RE: execute application from webinterface

2003-09-02 Thread mario ohnewald
Hello!

 -Original Message-
 From: Jens Gutzeit [mailto:[EMAIL PROTECTED]
 Sent: 02 September 2003 18:44
 To: debian-security@lists.debian.org
 Subject: Re: execute application from webinterface


 On Tuesday 02 September 2003 19:25, Jens Gutzeit wrote:

   what's wrong with making the program suid-to-some-other-user (not root)
   and then just executing it? I realize this doesn't work for ping, which
   is suid-to-root anyway.
 
  Well, to be honest, I just have forgotten this option.

 Damn, I should think first and then hit send, sorry for making so
 much noise.

 Anyway, with making the program setuid anyone who has access to the
 webserver could execute this program under a fixed userid. So this option
 is a really bad idea if this is a customer's webserver or s.th. similar.
 This means, if you're the only one who has access to the webserver, setuid
 is probably one of the best and easiest options, but if there are webs that
 are administrated by a different person you might end up with security
 problems (think of the setuid program having a bug which allows executing
 arbitrary code).

 I would still suggest to set up a second webserver instance, and if you
 need port 80 use Apache's mod_proxy.

I like the idea of a 2nd apache and the mod_proxy.
But how do you install a 2nd httpd in debian? Will I have to build it from
source, or is there a trick with an apache package?

Cheers, Mario


 Jens






execute application from webinterface

2003-09-01 Thread mario ohnewald
Hello List!
What is the most secure way of starting an application, like ping, from a
web interface as a different user?
Let's say, to run ping 123.456.789.000 as user user123.

If I use system(), it executes it as www-data.

Any idea how I could solve this problem?
With php, perl, bash, etc... ?

Thank you very much in advance!

Cheers, Mario

p.s. I hope I explained it well enough. If not, let me know!


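Mario asks how a web interface can run ping as another user without everything ending up as www-data, and Jens's reply warns against the setuid route on a shared webserver. The wrapper below is an added example, not from the thread: it keeps the setuid bit out of the picture by delegating one fixed command to sudo and, before anything reaches sudo, accepts only a syntactically valid IPv4 address, so the browser cannot smuggle options or shell metacharacters into the command. It assumes a sudoers rule such as `www-data ALL=(user123) NOPASSWD: /bin/ping -c 3 *`; the user name and paths are placeholders and the inputs in the demonstration are constructed. The placeholder 123.456.789.000 from the question is rejected on purpose: three of its octets exceed 255.

```sh
#!/bin/sh
# Added example, not from the thread: CGI wrapper that runs ping as a
# dedicated user through sudo instead of a setuid binary. Assumes a
# sudoers rule like
#   www-data ALL=(user123) NOPASSWD: /bin/ping -c 3 *
# (user name and path are placeholders). Only a syntactically valid IPv4
# address is ever passed on.

RUN_AS=${RUN_AS:-user123}
PING=/bin/ping

# 0 if $1 is exactly four dot-separated decimal octets in 0..255, else 1.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on the dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Value of query parameter $1 in $2 (defaults to QUERY_STRING), first match.
# No URL decoding on purpose: a valid address never needs it, and anything
# encoded is rejected by valid_ipv4 anyway.
query_param() {
    printf '%s\n' "${2:-${QUERY_STRING:-}}" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Validate, then hand the fixed command to sudo; -n fails instead of
# prompting when the rule does not match.
ping_as_user() {
    if ! valid_ipv4 "$1"; then
        echo "rejected: not an IPv4 address" >&2
        return 2
    fi
    sudo -n -u "$RUN_AS" "$PING" -c 3 "$1"
}

if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    # Running under the web server as a CGI script.
    printf 'Content-Type: text/plain\r\n\r\n'
    ping_as_user "$(query_param host)" 2>&1
else
    # Stand-alone demonstration on constructed inputs; nothing is executed.
    for candidate in 192.0.2.7 123.456.789.000 '192.0.2.7;id' 10.0.0.1.1 -c; do
        if valid_ipv4 "$candidate"; then
            echo "accept: $candidate"
        else
            echo "reject: $candidate"
        fi
    done
fi
```

The sudoers rule is the second line of defence, not the first: the script refuses anything that is not an address, and the rule limits what sudo would run even if the script were bypassed. Jens's alternative, a second httpd instance running as the target user behind mod_proxy, avoids sudo altogether at the cost of one more daemon to patch.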





Re: Tonight

2003-07-29 Thread Mario Ohnewald
 and in english?


He will probably ride up with the bike. Can you bring the battery charger
for the mobile with you
onto the mountain.

--
Wrong address I guess :D

 
 On Tue, 29 Jul 2003, Andreas Zeitz-Fehse wrote:
 
  Hi,
  
  
  I'll probably ride up with the bike today. Can you please bring the 
  charger for the mobile up the mountain for me?
  
  
  Regards
  
  Andy
  -- 
  ---
  Optel Informatik GmbH
  Rathausallee 10
  53757 St. Augustin
  Germany
  
  Tel.: +49 2241 9211020
  Fax : +49 2241 9211029
  Email: [EMAIL PROTECTED]
  ---
  
  








RE: configure ssh-access

2003-07-07 Thread Mario Ohnewald
Hello!

-Original Message-
From: Anne Carasik [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 5:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: configure ssh-access


Why not just limit the access through SSH public key?
It sounds like that would accomplish what you're trying
to do.

I think this problem should not be solved by configuring sshd.
I solved it with an iptables script which resolves my dynamic host every 5 minutes
and then reloads the firewall if needed.

An ssh solution has the disadvantage that if it is buggy, an sshd config
change might not save your box from unallowed access. That is why I block my
ssh daemon, because the possibility is there that there might be an ssh exploit
soon ;)

In my eyes a combination of an sshd config solution and an iptables rule would
probably do its job quite safely.


Yours, Mario


-Anne

[EMAIL PROTECTED] grabbed a keyboard and typed...
 Hi!

 I want to make ssh-access possible only from a restricted
 number of hosts - those that are named in /etc/hosts.allow.
 Users who want to login have a DynDNS host-name that shall
 be listed in hosts.allow to make it possible for users with
 a dial-up internet connection, too.

 BUT:
 The problem is that I can only login to the ssh-machine
 when I enter the IP-address to the hosts.allow file.
 Specifying the hosts DNS-name does not work!

 AND:
 I'd prefer to specify the rules for logging into the machine
 in the sshd_config-file, not in hosts.allow/deny.
 But the AllowHosts/DenyHosts-options that could be used in
 /etc/sshd_config earlier seem to be not any
 longer available at the SSH-version I'm using.
 It's: openssh-3.4p1-80 on a SuSE 8.1

 Does anybody have ideas on these 2 problems?

 thx in advance,
 Klaus





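Klaus's first problem has a mechanical cause: tcp_wrappers matches a host name in hosts.allow against the reverse lookup of the connecting address, and a DynDNS forward name almost never has a matching PTR record, so only the bare IP works. Resolving the name forward yourself and feeding the result to the firewall, as Mario describes, sidesteps that. The script below is an added example, not Mario's script and not from the list: it re-resolves the name from cron, touches the firewall only when the address actually changed, never drops the rule on a failed lookup, and keeps its rules in a dedicated chain so the rest of the ruleset is untouched. It assumes iptables with the -C check option (1.4.11 and later), getent and logger; the host name, cache path and chain name are placeholders. On the sshd side, `AllowUsers user@host` is the replacement for the old AllowHosts, but a host name there depends on the same reverse lookup, so the address-based firewall rule is the more reliable of the two.

```sh
#!/bin/sh
# Added example, not from the thread: allow sshd only from a DynDNS name,
# re-resolved every few minutes from cron, touching the firewall only when
# the address actually changed. Assumes iptables (with -C, 1.4.11+), getent
# and logger; the host name, cache path and chain name are placeholders.
#   */5 * * * *  root  /usr/local/sbin/ssh-dyn.sh apply

DYN_HOST=${DYN_HOST:-home.example.invalid}
CACHE=${CACHE:-/var/run/ssh-dyn.ip}
CHAIN=SSH_DYN
SSH_PORT=22

# First IPv4 address of $1, or nothing if it does not resolve.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# 0, and update cache file $1, if address $2 differs from the cached one (or
# no cache exists yet); 1 if unchanged. An empty $2 (lookup failed) is never
# treated as a change, so a DNS hiccup does not knock the rule out.
record_if_changed() {
    [ -n "$2" ] || return 1
    if [ -f "$1" ] && [ "$(cat "$1")" = "$2" ]; then
        return 1
    fi
    printf '%s\n' "$2" > "$1"
}

# Rebuild the dedicated chain: created and hooked into INPUT once, flushed
# and refilled on every change, so no other rule is disturbed.
apply_rule() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C INPUT -p tcp --dport "$SSH_PORT" -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT -p tcp --dport "$SSH_PORT" -j "$CHAIN"
    iptables -F "$CHAIN"
    iptables -A "$CHAIN" -s "$1" -j ACCEPT
    iptables -A "$CHAIN" -j DROP
}

main() {
    ip=$(resolve_ipv4 "$DYN_HOST")
    if record_if_changed "$CACHE" "$ip"; then
        apply_rule "$ip"
        logger -t ssh-dyn "sshd now reachable only from $DYN_HOST ($ip)"
    fi
}

# Constructed demonstration with a temporary cache file; no firewall change.
demo=$(mktemp)
rm -f "$demo"
record_if_changed "$demo" 192.0.2.10 && echo "first run: rule would be applied for 192.0.2.10"
record_if_changed "$demo" 192.0.2.10 || echo "same address: nothing to do"
record_if_changed "$demo" "" || echo "lookup failed: keep the current rule"
record_if_changed "$demo" 192.0.2.11 && echo "changed: rule rebuilt for 192.0.2.11"
rm -f "$demo"

if [ "${1:-}" = apply ]; then
    main
fi
```

Because the chain ends in DROP, a typo in DYN_HOST locks you out on the first run; test it from a console session, and consider leaving a second static address in apply_rule as a fallback.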





chroot, su and sudo

2003-06-16 Thread Mario Ohnewald
Hello!
I want to chroot an application/gameserver.

What is the better/more secure way?
1.) Chroot /path and then do a su -s /bin/sh user -c start.sh
or
2.) su -s /bin/sh user and then do the chroot /path as normal user and
execute the start.sh in the chroot?

Solution 2 does not need a root shell at all, which is why I think it is a little
more secure.
What do you think? What do you recommend? How would you solve this?


Cheers, Mario







RE: chroot, su and sudo

2003-06-16 Thread Mario Ohnewald
Hi,

-Original Message-
From: Vincent Hanquez [mailto:[EMAIL PROTECTED]
Sent: Monday, June 16, 2003 10:46 AM
To: Mario Ohnewald
Cc: [EMAIL PROTECTED]
Subject: Re: chroot, su and sudo


On Mon, Jun 16, 2003 at 10:22:49AM +0200, Mario Ohnewald wrote:
 Hello!
 I want to chroot an application/gameserver.

 What is the better/more secure way?
 1.) Chroot /path and then do a su -s /bin/sh user -c start.sh
 or
 2.) su -s /bin/sh user and then do the chroot /path as
 normal user and
 execute the start.sh in the chroot?

 Solution 2 does not need a root shell at all, which is why I think it is a little
 more secure.
 What do you think? What do you recommend? How would you solve this?

You can't chroot as normal user. So solution 1.

Not even with sudo?


Cheers, Mario







unsubscribe

2003-02-19 Thread Mario Santés
 
 






imapD problems

2002-05-06 Thread Mario Zuppini
Hi,

For months now my ImapD has been working flawlessly, and it has only
recently come to my attention that the following error appears in my log
files. Can anyone shed some light on why it is connecting from localhost
and how/if I can fix it?

May 7 10:49:39 sleepy imapd[18831]: connect from 127.0.0.1
May 7 10:49:39 sleepy imapd[18831]: port 220 service init from 127.0.0.1
May 7 10:49:39 sleepy imapd[18831]: Connection reset by peer, while
reading line user=??? host=UNKNOWN

Mario..





imapD problems

2002-05-06 Thread Mario Zuppini
To add more info to the problem, I'm also getting errors at the same time
with my qpopper, as below:

May  7 12:29:38 sleepy in.qpopper[8370]: connect from 127.0.0.1
May  7 12:29:38 sleepy in.qpopper[8370]: (null) at sleepy (127.0.0.1):
-ERR POP EOF or I/O Error [popper.c:794]
May  7 12:29:38 sleepy in.qpopper[8370]: I/O error flushing output to
client  at sleepy [127.0.0.1]: Operation not permitted (1)
[pop_send.c:685]
May  7 12:29:38 sleepy in.qpopper[8370]: I/O error flushing output to
client  at sleepy [127.0.0.1]: Operation not permitted (1)
[pop_send.c:685]
May  7 12:29:38 sleepy imapd[8371]: connect from 127.0.0.1
May  7 12:29:38 sleepy imapd[8371]: imap service init from 127.0.0.1
May  7 12:29:38 sleepy imapd[8371]: Connection reset by peer, while
reading line user=??? host=UNKNOWN

-Original Message-
From: Mario Zuppini [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 7 May 2002 11:04 AM
To: 'Debian Security'
Subject: imapD problems


Hi,

For months now my ImapD has been working flawlessly, and it has only
recently come to my attention that the following error appears in my log
files. Can anyone shed some light on why it is connecting from localhost
and how/if I can fix it?

May 7 10:49:39 sleepy imapd[18831]: connect from 127.0.0.1
May 7 10:49:39 sleepy imapd[18831]: port 220 service init from 127.0.0.1
May 7 10:49:39 sleepy imapd[18831]: Connection reset by peer, while
reading line user=??? host=UNKNOWN

Mario..







Re: Anti Virus for Debian

2001-02-19 Thread Mario Zuppini

I would also like to know of virus scanners, especially for mail servers
(i.e. sendmail), that will work on a SPARC.

There are a few that work under i386, e.g. amavis etc., which can be found on
freshmeat.net, but nothing will work under a SPARC.

- Original Message -
From: "Matthew Sherborne" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 20, 2001 1:41 PM
Subject: Anti Virus for Debian


 Are there any gpl or similar anti-virus programs for linux ?

 Any recommendations?

 GBY










Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability

2001-01-08 Thread Mario Scarpa

Andres Salomon wrote:
 
 Ooops.  Mandrake cooker, and Debian unstable.  In other words: glibc2.2
 systems.  glibc 2.1's resolver (/lib/libnss_db.so.2) appears unaffected.
 This is why some of you aren't seeing it.
 
 ii  libc6  2.2-6  GNU C Library: Shared libraries and Timezone
 

Not really: with fping and traceroute suid root it works when logged in as root
and does not when I'm a regular user. Ping works as usual in both cases.

Debian 2.2rev2 stable and 

ii  libc6  2.1.3-13   GNU C Library: Shared libraries and Timezone

Mario.







Re: Logging atempts

2000-07-21 Thread Mario Scarpa
[EMAIL PROTECTED] wrote:
 
 On Sun, Jul 16, 2000 at 04:21:28PM +, Patrick Barr wrote:
 
  I need somebody's help on this
 
  What I want to do, is run a programme that will monitor my ppp0
  connection for any attempts from anyone to connect to a port and FAIL.
  I am running 2.4.0 test2 (but I will soon move back to 2.2.16 when
  potato comes out) and I don't have netfilter on, I just have hosts.deny
  set to all:all.
 
 If you are looking to see if someone is getting through your ipchains and
 getting stopped by tcp_wrappers, you can change your hosts.deny from
 ALL: ALL to
 
 ALL: ALL: spawn ( \
 echo -e "\n\
 TCP Wrappers\:  Connection refused\n\
 By\:        $(uname -n)\n\
 Process\:   %d (pid %p)\n\
 User\:      %u\n\
 Host\:      %c\n\
 Date\:      $(date)\n\
 " | /bin/mail -s "Connection to %d blocked" root) &
 
 This will send you an email whenever someone gets through to
 tcp_wrappers.

Please consider the side effects of this: a simple DoS would
generate a huge number of TCP requests towards this machine,
forcing the system to send an email every time. Sometimes it
can make the target unusable...

Ciao,

Mario.