On Thu, Aug 12, 2004 at 10:40:14AM -0700, Adam Morley wrote:
I'm looking for a software package that provides:
- An NTP server (to serve time to NTP clients) that I can run as a non-privileged
user, chrooted.
- An NTP client, that will keep the clock of the computer doing the NTP
On Tue, Jul 27, 2004 at 01:42:19PM +0200, Christian Hammers wrote:
On Tue, Jul 27, 2004 at 01:01:10PM +0200, Rhesa Rozendaal wrote:
In my case, the frontend handles SSL connections. Its config file is
/etc/apache/ht-light.conf.
The backend instance uses the original filename
On Wed, Mar 24, 2004 at 06:22:35AM -0500, Michael Stone wrote:
On Wed, Mar 24, 2004 at 12:55:11PM +0200, Haim Ashkenazi wrote:
(key). I've looked in the documentation and found that ssl doesn't support
name based virtual domains.
Correct; that would be impossible (the SSL session is
On Sun, Mar 14, 2004 at 05:51:55PM +0100, Ulrich Scholler wrote:
Hi,
On Sun Feb 29, 2004 at 21:15:39 +0100, Nejc Novak wrote:
I would like to make available to users some kind of 'web control panel'. I
have created a design and also already integrated squirrelmail into it.
Now I would
On Thu, Feb 19, 2004 at 10:37:50AM +0100, m wrote:
Control, I mean as doing proxy arp only for special IP's not for
all, or etc..
I do not have any idea :( This is more important from day to day for
me :( I have some hakers;) in my networks who are trying to spoof
other computers. If I turn
On Thu, Feb 19, 2004 at 01:00:02AM +0100, m wrote:
Another question :
it is possible to control arp protocol packets by kernel ?
... if so - this will solve some of problems. But how control arps?
perhaps on firewall ? kern 2.4.24/grsec/...
I didn't follow the thread closely, could you
On Sat, Feb 14, 2004 at 10:56:20PM -0700, Hein Roehrig wrote:
can you recommend a SSL client à la openssl s_client that performs
both verification of the peer certificate and that the peer CN
actually corresponds to the requested host name? stunnel4, openssl
s_client, and telnet-ssl do not,
On Tue, Feb 03, 2004 at 02:09:42PM +0100, François TOURDE wrote:
On the 12451st day after Epoch,
Richard Atterer wrote:
On Tue, Feb 03, 2004 at 05:38:40AM +0100, Philipp Schulte wrote:
No, with REJECT they would show up as closed. DROP produces filtered.
FWIW, you also need
On Wed, Jan 21, 2004 at 05:12:18AM -0400, Peter Cordes wrote:
On Tue, Jan 20, 2004 at 11:07:51PM -0800, Johannes Graumann wrote:
I feel this is kind of over my head ... to boil it down: does it even
make sense to run reiserfs inside a loopback partition?
Yes, if the file you're looping
On Mon, Dec 22, 2003 at 10:23:56AM +0200, EErdem wrote:
Since I've set up iptables I get these messages continually on tty's
(console):
I suggest that you explore the `dmesg' command and experiment
with the -n argument.
bit,
adam
--
Am I a cleric? | 1024D/37B8D989
Or maybe a sinner? |
On Sun, Dec 21, 2003 at 10:08:44PM -0700, s. keeling wrote:
My trouble right now is verifying keys. If I send myself mail, it's
correctly compared to my local copy (in my keyring?) and gpg says it's
good. Other mail coming in triggers a lookup at pgp.mit.edu for keys,
leading to strange
On Fri, Dec 12, 2003 at 07:46:38AM +0100, Lupe Christoph wrote:
We don't use AIDE exclusively at a client site, but in combination
with Tripwire. We think tripwire is a little more secure because it
uses signed databases.
Perhaps the following ./configure options will prove themselves
On Thu, Dec 11, 2003 at 12:44:27PM +0100, DI Peter Burgstaller wrote:
I'm trying to use aide now as well .. but with the default debian
config .. it produces
every day massive changes .. especially to the /var/log/* files due to
logrotate.
Any reasonable settings that account for that?
On Thu, Dec 04, 2003 at 07:54:03AM -0800, Karsten M. Self wrote:
on Wed, Dec 03, 2003 at 04:57:29PM +0100, Adam ENDRODI ([EMAIL PROTECTED]) wrote:
I tend to disagree. The kernel is a versatile program, it can be
patched, configured and compiled in too many ways.
...including many
On Fri, Dec 05, 2003 at 08:32:02PM +0100, Florian Weimer wrote:
Keep in mind that there is no official security contact for the kernel,
and no established bug handling procedure.
What about http://bugzilla.kernel.org ?
Time to fix is now measured
in months, and official kernel release
On Wed, Dec 03, 2003 at 06:46:51AM -0800, Karsten M. Self wrote:
on Wed, Dec 03, 2003 at 01:31:29PM +, Dale Amon ([EMAIL PROTECTED]) wrote:
On Wed, Dec 03, 2003 at 03:21:57PM +0200, Riku Valli wrote:
This is the reason why I ask what about stock kernels, because I believe I am not
lonely
Just a humble question: how the average user who doesn't use the
kernel sources provided by Debian and cannot follow lk should have
known about the bug? The changelog read ``Add TASK_SIZE check to
do_brk()'', there's no indication that it's a security fix.
I'm really curious how you cope with
On Sat, Nov 15, 2003 at 10:43:14PM -0500, Alex J. Avriette wrote:
On Sat, Nov 15, 2003 at 08:11:34PM -0600, Tom Goulet (UID0) wrote:
If you have register globals off *or* safe mode on, this particular
exploit is useless.
If you had register globals on and safe mode off then he could run
First off, thank all of you for your replies. Since I was unable
to find a standard way to achieve what I wanted, I've developed a
set of patches for OpenSSH 3.7.1p1. The patch adds a new
configuration option, by which you can define what authentication
methods are available for a given
How can I tell sshd to only accept a particular authentication
method for some users, while letting others to use any methods
they wish?
One of our servers has two kinds of users: a group of
low-privileged ones and a few power users. The former class
may choose to log in by providing his
On Sat, Nov 01, 2003 at 07:49:30PM -0500, Phillip Hofmeister wrote:
If you are really looking for assurance that 'rm -rf /' would not affect
your day because weekly full backups and nightly incremental should be
made. If you don't have valid off system, perhaps off-site backups,
then what
On Sat, Nov 01, 2003 at 11:03:16AM +0100, [EMAIL PROTECTED] wrote:
For example, people sometimes file bugs about buffer overflows in
simple programs (which run with no privileges and do not act on any
untrusted input) just because they are buffer overflows, a type of bug
which is
On Fri, Oct 17, 2003 at 08:57:43PM +0200, Christian Storch wrote:
Yes, a very sophisticated kind of definition.
But what about the small gap between theory and practice?
In theory, it approximates the practice :)
So I think security and availability represent two basic independent points of
On Mon, Sep 29, 2003 at 11:02:53AM +0100, Dale Amon wrote:
There is another common case I'd not mentioned. Since I do a lot
of development work, I tend to have a *lot* of servers installed
on my laptop, ready to run, but only when I need them. I do this
entirely manually at present. I'd like
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
At high security levels, any new services that get installed (from RPMs)
are only allowed from localhost or even, IIRC, services may not even
be started by default, neither post-install nor on reboot: you have to
set them up
On Tue, Sep 02, 2003 at 01:38:24AM +0200, Christopher Taylor wrote:
Jens Gutzeit wrote:
On Monday 01 September 2003 21:53, mario ohnewald wrote:
What is the securest way of starting an application, like ping, from a
webinterface as a different user.
what's wrong with making the program
On Fri, Aug 22, 2003 at 01:04:54PM -0400, Matt Zimmerman wrote:
On Thu, Aug 21, 2003 at 12:56:30PM +0200, Tarjei Huse wrote:
I'm no expert on handling certificates and I hope not having to learn
all the commandline switches of openssl by heart. However, I do need a
simple setup of a CA
On Thu, Aug 21, 2003 at 12:56:30PM +0200, Tarjei Huse wrote:
What are the alternatives besides OpenCA? Does anyone know of a set of
scripts that are a bit less complex and at the same time give me some of
the same functionality?
http://vekoll.saturnus.vein.hu/~borso/ca.tgz
You'll find here
On Thu, Aug 14, 2003 at 12:00:40PM -0400, Matt Zimmerman wrote:
On Wed, Aug 13, 2003 at 09:00:51PM -0400, valerian wrote:
It actually does a very good job of stopping any kind of stack-smashing
attack dead in its tracks (both the stack and heap are marked as
non-executable). That takes
Hello all,
I'm toying with POSIX(-like) capabilities. I've dug up the
libcap* packages, played with their source and done some
research. Below I list three problems I need to resolve and the
conclusions I've come to.
-- Problem 1: I want to execute as root a program with reduced
On Mon, Jul 07, 2003 at 11:08:38AM +0200, [EMAIL PROTECTED] wrote:
I'd prefer to specify the rules for logging into the machine
in the sshd_config-file, not in hosts.allow/deny.
But the AllowHosts/DenyHosts-options that could be used in
/etc/sshd_config earlier seem to be not any
longer
On Sat, Jul 05, 2003 at 02:26:24PM +0200, Christian Kujau wrote:
the thing is, when some of the nobody processes are compromised,
*every* daemon nobody has started is in danger to be killed or misused.
/etc/password lists a lot of unused (but somehow standard-)users, they
could be used
On Wed, Jul 02, 2003 at 01:17:22PM +0200, Thomas Sjögren wrote:
-- then use the latest php, apache, postfix, mysql, dns
- probably want to chroot your dns app
... and don't forget to build the packages with your SSP patched GCC :)
I doubt if SSP provides additional security beyond
Folks,
How widely do you think changing the MAC address of a NIC via
``ifconfig if hw'' is supported by the various network cards
and drivers out there nowadays?
My colleague and I have debated several times whether watching
the LAN for non-matching IP-MAC pairs can reveal any useful
On Thu, Jun 05, 2003 at 10:44:47AM +0200, Lars Ellenberg wrote:
or keep an encrypted copy of all relevant files separately, and on
bootup / service startup you decrypt it temporarily to the correct
location, start the service, and unlink it again (after you wiped it
with garbage, of course
On Thu, Jun 05, 2003 at 09:30:51AM +0200, Luis Gomez - InfoEmergencias wrote:
We'd like to protect that content, so that even if someone unplugs the
machine
and connects the HD to another Linux box, they can't access that information.
Default answer: encrypt your file system.
On Fri, May 23, 2003 at 04:16:22PM +0200, Steffen Schulz wrote:
Am I right that a local User is able to crash the system
by putting evil data into these mysterious I/O-Ports?
I'm not sure, but I don't *think* that the attacker is free to
choose any target port.
Is privilege escalation
On Fri, May 16, 2003 at 01:04:09PM +0300, Haim Ashkenazi wrote:
Does anybody know about this?
http://www.secunia.com/advisories/8786/
It has been fixed for two weeks both in 2.4 and 2.5.
See http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]|[EMAIL PROTECTED]
bit,
adam
--
On Fri, May 16, 2003 at 05:35:37PM +0300, Haim Ashkenazi wrote:
On Fri, 16 May 2003 15:54:57 +0200
Adam ENDRODI [EMAIL PROTECTED] wrote:
On Fri, May 16, 2003 at 01:04:09PM +0300, Haim Ashkenazi wrote:
Does anybody know about this?
http://www.secunia.com/advisories/8786
On Mon, May 12, 2003 at 03:10:05AM +0200, Peter Holm wrote:
On Fri, 09 May 2003 14:10:05 +0200, in linux.debian.security you
wrote:
Yesterday Bernhard Kaindl committed a cleanup patch addressing
numerous problems encountered with the original ptrace fix.
Now it should be in -rc2. For more
Hi -
Yesterday Bernhard Kaindl committed a cleanup patch addressing
numerous problems encountered with the original ptrace fix.
Now it should be in -rc2. For more information and diffs, see
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]|[EMAIL PROTECTED]
and
On Thu, Apr 24, 2003 at 07:32:01PM +0200, Kay-Michael Voit wrote:
If I understand promisc mode, this is not a problem, so I can't fix
it, so there will always be output (which I don't want, because cron
sends a mail then)
Promiscuous mode is a sign of a running sniffer. Not necessarily
an
On Thu, Apr 24, 2003 at 08:52:10PM +0200, Jose Luis Domingo Lopez wrote:
The implementation consisted in syslog-ng logging to a pipe (using a
template for SQL output), which is depleted from an ever running PERL
script that executes the SQL sentences in the remote server through a
secure SSH
On Thu, Apr 24, 2003 at 11:43:06AM +0200, I.R. van Dongen wrote:
lamorak:~# crontab -l
@daily apt-get -q -q -q -q update apt-get -s -q -q -q -q
dist-upgrade
Before you deploy such a mechanism, I advise that you set up
another one between the update and upgrade which checks the
Due to several requests received both in private and in public
I decided the best would be to post the script on the list.
It requires perl5, wget and gnupg. The current Debian Archive
Automatic Signing Key (38C6029A) should be present in the keyring
of the user executing the script (who
On Wed, Apr 23, 2003 at 01:07:22AM +0200, Alexander Schmehl wrote:
* Konstantin [EMAIL PROTECTED] [030422 23:03]:
can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me
an address I can leech it from.
http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
On Wed, Apr 23, 2003 at 09:35:32AM +0200, Alexander Schmehl wrote:
* Adam ENDRODI [EMAIL PROTECTED] [030423 07:59]:
http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
http://sinuspl.net/ptrace/
Can you tell me whether these patches are the ones which were
known to break