Dariush Pietrzak wrote:
On Mon, Sep 22, 2003 at 10:18:20PM +0200, Bernd Eckenfels wrote:
FTP is a firewall nightmare,
You think?
Not only he thinks that way. It's an accepted fact within the InfoSec
community.
Firewalls are a nightmare, and the only result of preferring
http-only protocols is what
On Fri, Sep 26, 2003 at 12:51:35AM -0400, Matt Zimmerman wrote:
On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote:
It can be damnably difficult to dump the web server... I've ended
up downloading dhttpd and then removing links or changing the
init.d/dhttpd file name.
What is so
On Thu, Sep 25, 2003 at 07:33:00AM -0700, Adam Lydick wrote:
I like that idea, and it sounds fairly simple - packages just check
/etc/secure_level (or something similar) and do the right thing. The
tricky part is convincing every package maintainer to adopt it ;)
Well, Mandrake packages IIRC
[EMAIL PROTECTED] wrote:
The point of a protocol-proxy is that you want to provide services to
the outside world, but you don't trust your server software to be robust
against protocol-level attacks (buffer overflows, primarily). Since one
of the points of Debian is to fix bugs in software,
On Thu, Sep 25, 2003 at 06:05:13PM -0400, Michael Stone wrote:
That's been the policy, but it's stupid nowadays. It's too easy to
pull in an unexpected service when installing something with all the
tasks and dependency chains. There needs to be a mode where a user can
say, I don't want to
In article [EMAIL PROTECTED] you wrote:
+++-===-================-============================================
ii  ssh  3.4p1-1.woody.3  Secure rlogin/rsh/rcp replacement (OpenSSH)
ii  ssh  3.4p1-2          Secure rlogin/rsh/rcp
Hello
I am intending to use lids with a server I will be soon
setting up and was wondering if anyone would be so very
kind as to send me sample files for lids.cap and lids.conf
(or any scripts that generate the lids.conf file).
I was really hoping to save some time, though I understand
that
On Fri, Sep 26, 2003 at 04:29:45AM -0300, Peter Cordes wrote:
On Fri, Sep 26, 2003 at 12:51:35AM -0400, Matt Zimmerman wrote:
What is so difficult? No web server is installed by default. If you don't
want one, don't install one.
Dependencies. I've had the same annoying experience as
Quoting Matt Zimmerman ([EMAIL PROTECTED]):
On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote:
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:
For starters, I think portmap, rpc.statd, and inetd should not run by
default. Not running a mail server (or perhaps
David Wright [EMAIL PROTECTED] writes:
Quoting Matt Zimmerman ([EMAIL PROTECTED]):
On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote:
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:
For starters, I think portmap, rpc.statd, and inetd should not run by
default.
On Fri, Sep 26, 2003 at 02:52:27PM +0100, David Wright wrote:
Quoting Matt Zimmerman ([EMAIL PROTECTED]):
It can be damnably difficult to dump the web server... I've ended
up downloading dhttpd and then removing links or changing the
init.d/dhttpd file name.
What is so difficult?
On Wed, Sep 24, 2003 at 07:44:16PM +0200, Bernd Eckenfels wrote:
looks like somebody installed ssh some (long) time ago from testing or
unstable on server b. This is a problem, since it is the higher version
number. Another thing where package build-stamps may help to generate a report.
Then
On Fri, Sep 26, 2003 at 10:44:21AM -0400, Matt Zimmerman wrote:
On Fri, Sep 26, 2003 at 02:52:27PM +0100, David Wright wrote:
Where does one go from here?
If you only want the web server for reading documentation, reconfigure the
web server to only listen on localhost.
Precisely. One
On Fri, Sep 26, 2003 at 05:52:54PM +0100, Dale Amon wrote:
On Fri, Sep 26, 2003 at 10:44:21AM -0400, Matt Zimmerman wrote:
On Fri, Sep 26, 2003 at 02:52:27PM +0100, David Wright wrote:
Where does one go from here?
If you only want the web server for reading documentation, reconfigure
On Thu, Sep 25, 2003 at 04:02:01PM +0300, Haim Ashkenazi wrote:
Hi
I've read an article about FreeBSD which made me read some parts of the
FreeBSD documentation. In the firewall section there is a short description
about proxy firewalls. I've made some more searching and found a free
In article [EMAIL PROTECTED] you wrote:
I should have defined my terms: When I said ftp transfers are more
reliable than are ftp ones (in my experience), I meant that, once
started, they are much less prone to dying. That is observed fact.
This depends totally on the client and proxy and has
In article [EMAIL PROTECTED] you wrote:
Until installing a package has the side effect of installing a network
service. Having a default-deny-incoming firewall or some such would go a
long way toward preventing accidental vulnerability exposure.
On the other hand this pretty much sounds like
On Thu, Sep 25, 2003 at 08:47:22AM +, [EMAIL PROTECTED] wrote:
serverB:~# apt-cache policy ssh
ssh:
  Installed: 1:3.4p1-2
  Candidate: 1:3.4p1-2
  Version Table:
 *** 1:3.4p1-2 0
        100 /var/lib/dpkg/status
     1:3.4p1-1.woody.3 0
        500 http://security.debian.org
On Fri, Sep 26, 2003 at 02:06:01PM -0400, Matt Zimmerman wrote:
He wants the service, he just wants it only for local use. That is not
something that should be handled at the package level.
Why not? The boot-floppies already set the locale for the whole system.
I think it would be nice if
[EMAIL PROTECTED] wrote:
openssh (1:3.4p1-2) unstable; urgency=high
* Get a security-fixed version into unstable
* Also tidy README.Debian up a little
-- Matthew Vernon [EMAIL PROTECTED] Fri, 28 Jun 2002 17:20:59 +0100
Ok, Google says there was such a version, but it was from
On Fri, Sep 26, 2003 at 09:37:22PM +0200, Marcin Owsiany wrote:
On Fri, Sep 26, 2003 at 02:06:01PM -0400, Matt Zimmerman wrote:
He wants the service, he just wants it only for local use. That is not
something that should be handled at the package level.
Why not? The boot-floppies already
On Fri, Sep 26, 2003 at 08:09:14PM +0200, Javier Fernández-Sanguino Peña wrote:
Just FYI, TIS was the company founded by Marcus Ranum which provided the
firewall toolkit (see www.fwtk.org). The FWTK was the basis for the first
commercial firewall: Gauntlet [1]. FWTK is not free in any sense,
On 2003-09-23 02:08:29, Michelle Konzack wrote:
Hello All,
I was surfing the Website http://www.xmms.org/ for new skins and
at one click...
...xmms was hijacked !!!
No access on xmms possible. Can anyone confirm this please...
Please Cc: me.
Three other .org Domains (my own) are hijacked
On 2003-09-24 09:14:52, Yogesh Sharma wrote:
As far as my understanding goes, ssh was patched recently for security
fixes, so it should be coming from security.debian.org not us.debian.org.
Now security.debian.org is not at all mirrored for security reasons, then
how does he have 2 different versions
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
At high security levels, any new services that get installed (from RPMs)
are only allowed from localhost or even, IIRC, services may not even
be started by default, neither post-install nor on reboot: you have to
set them up
Hello,
for some seconds I have tried to access the following Link:
http://www.uni-bilefeld.de/~gsauthoff/mailfilterrc
and was on Verisign.com. So Verisign catches not only .com and .net,
but de and fr too !!!
The right Link is
http://www.uni-bielefeld.de/~gsauthoff/mailfilterrc
On Fri, Sep 26, 2003 at 12:50:13AM +0200, Michelle Konzack wrote:
Hello,
for some seconds I have tried to access the following Link:
http://www.uni-bilefeld.de/~gsauthoff/mailfilterrc
and was on Verisign.com. So Verisign catches not only .com and .net,
but de and fr too !!!
Is
On Thu, Sep 25, 2003 at 03:04:40PM +0700, Jean Christophe ANDRÉ wrote:
Could anybody give a hint on the right way to clean an entry from
/var/lib/dpkg/status? I've not investigated so far until now... :)
Is this using dselect update or something like this? (I never use dselect)
Is that what dpkg
In article [EMAIL PROTECTED] you wrote:
The point of a protocol-proxy is that you want to provide services to
the outside world, but you don't trust your server software to be robust
against protocol-level attacks (buffer overflows, primarily).
It is also the other way around. Clients which
On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote:
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:
For starters, I think portmap, rpc.statd, and inetd should not run by
default. Not running a mail server (or perhaps only running one on the
loopback interface)
On Thu, Sep 25, 2003 at 12:34:34PM +0200, Javier Fernández-Sanguino Peña wrote:
The base installation is partially decided by the priority of the package
('required', 'important', 'standard', 'optional', 'extra'). The
archive maintainers have the final word (that is the 'ftp.debian.org'
Javier Fernández-Sanguino Peña wrote:
Also, Checkpoint is not a proxy firewall (but it is starting to become
like one with this new 'Application Intelligence' stuff)
well, as I said I know very little about that, but someone told me that some
commercial firewalls work at the application level