Re: Questions regarding the Security Secretary Position
Matt Zimmerman wrote:
> I think the security secretary, if we have one, should be a Debian
> developer. We have two of them, and they are both card-carrying
> developers.

Unnghhh... 'Card-carrying' sounds like a fiery-eyed anarchist or extreme
left revolutionary, some kind of luddite at the least..

--
Lauri Tischler, Network Admin
Tel: +358-9-47846331        * Mouse movement detected *
Fax: +358-9-47846500        * Reboot Windows to activate changes *
Mobile: +358-40-5569010
EMail: [EMAIL PROTECTED]

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
On Mon, Oct 22, 2001 at 09:40:45AM +0300, Lauri Tischler wrote:
> Matt Zimmerman wrote:
> > I think the security secretary, if we have one, should be a Debian
> > developer. We have two of them, and they are both card-carrying
> > developers.
>
> Unnghhh... 'Card-carrying' sounds like a fiery-eyed anarchist or extreme
> left revolutionary, some kind of luddite at the least..

I hate spoiling a joke this way, but a surprising number of people seem to
have misinterpreted my remark. It was tongue-in-cheek humour, reflecting on
the present political atmosphere of Debian.

--
 - mdz
Re: Questions regarding the Security Secretary Position
On Mon, Oct 22, 2001 at 09:40:45AM +0300, Lauri Tischler wrote:
> Matt Zimmerman wrote:
> > I think the security secretary, if we have one, should be a Debian
> > developer. We have two of them, and they are both card-carrying
> > developers.
>
> Unnghhh... 'Card-carrying' sounds like a fiery-eyed anarchist or extreme
> left revolutionary, some kind of luddite at the least..

And the problem with this is? (No, I don't like leftists or luddites, but
I'm all in favor of fiery-eyed anarchists).

--
Share and Enjoy.
Re: ssh vulnerability
On Fri, Oct 19, 2001 at 05:06:03PM -0700, Garrett Ellis wrote:
> I run Debian; and I applied the OpenSSH patch myself as soon as it was
> posted. Does anybody know what the advantages of waiting for a new .deb
> file to get circulated are?

It's easier, esp. if you don't already have source for the latest version.

> The patch was a change to two lines of code; so I just made the changes
> and rebuilt OpenSSH. That's how I do all of my non-kernel patches; seems
> a bit odd to wait around for the distribution's official
> patch-maker-squad to churn out a new .DEB file.

A lot of people are lazy, and will wait for a .deb in the archive. This is
a sensible response, because the vulnerability is not severe. As long as
they don't have your keys, they still can't get in.

I had a physics prof who always told us that we should be lazy. He meant
that we should figure out how to solve the problem with simple equations,
instead of creating a monster, or a whole lot of equations. (This was
quantum mechanics, so it's pretty easy to get screwed if you head off into
the wilderness crunching equations.) This principle applies to being a
sysadmin. Just as you automate everything you can, in the name of laziness,
you can wait until stuff falls into your lap instead of going out and
fixing it yourself, if the problem is not at all likely to lead to any real
problems for your system.

--
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack my
 day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: ssh vulnerability
On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:
> On Fri, Oct 19, 2001 at 05:06:03PM -0700, Garrett Ellis wrote:
> > I run Debian; and I applied the OpenSSH patch myself as soon as it was
> > posted. Does anybody know what the advantages of waiting for a new .deb
> > file to get circulated are?
>
> It's easier, esp. if you don't already have source for the latest
> version.

BTW, I'm talking about http://www.securityfocus.com/bid/3369
"OpenSSH Key Based Source IP Access Control Bypass Vulnerability".

Someone else mentioned a buffer overflow exploit. In that case (remote root
exploit or something), then laziness is overruled by the need to keep one's
system secure.

--
Peter Cordes
Re: central administration techniques
On Fri, Oct 19, 2001 at 05:54:28PM +0300, Juha Jäykkä wrote:
> I was wondering if there are any secure methods of centrally managing the
> versions of certain files on Debian machines.

The problem you describe (in the part of your email that I deleted) seems
to be not wanting to give access to modify anything without a password -
impossible to automate syncing config files.

If you have read access, or even have a cron job on each machine that mails
or otherwise submits md5 hashes of your config files, you could determine
when a re-sync needs to be done, then manually run a shell script that runs
rsync over ssh to bring things up to date. You would have to put in the
necessary passwords for that to happen, but you only need to run it once a
need for resyncing is detected.

--
Peter Cordes
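The hash-based drift check Peter describes, written out as an added example (not code from the thread): make_manifest is what the per-host cron job would produce and submit, find_drift is the master-side comparison that tells you whether an rsync run is due. The config file list and manifest paths are assumptions.

```sh
#!/bin/sh
# Added example: detect config drift on a managed host from md5 hashes,
# as suggested in the thread. Not code from the original message; the
# file list and manifest paths are assumptions.

# Files whose versions should stay in sync across hosts (assumed list;
# paths without whitespace).
CONFIG_FILES="/etc/ssh/sshd_config /etc/hosts.allow /etc/hosts.deny"

# Emit "hash  path" for each existing file; this is what a cron job on
# each host would mail or otherwise submit to the master.
make_manifest() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            md5sum "$f"
        fi
    done
}

# Compare the master's reference manifest ($1) with a host's manifest ($2).
# Prints one CHANGED/MISSING line per drifted file. Returns 0 when the
# host is in sync, 1 when a re-sync (e.g. rsync over ssh) is needed.
find_drift() {
    ref="$1"
    cur="$2"
    status=0
    while read -r hash path; do
        # Look up the same path in the host manifest; empty if absent.
        curhash=$(awk -v p="$path" '$2 == p { print $1 }' "$cur")
        if [ -z "$curhash" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$curhash" != "$hash" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$ref"
    return $status
}

# Stand-alone use: "script.sh --check [master-manifest]" compares this
# host against a manifest fetched from the master (default path assumed).
if [ "${1:-}" = "--check" ]; then
    tmpfile=$(mktemp)
    make_manifest $CONFIG_FILES > "$tmpfile"
    if find_drift "${2:-/etc/config-manifest.master}" "$tmpfile"; then
        echo "in sync"
    else
        echo "re-sync needed"
    fi
    rm -f "$tmpfile"
fi
```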
Re: Port Scan for UDP
    # netstat -anp | less

That works for me all the time.

Without the darkness, how would you recognize the light?

----- Original Message -----
From: Ben Staffin [EMAIL PROTECTED]
Date: Sat, 20 Oct 2001 23:27:09 -0500
Subject: Re: Port Scan for UDP

On Sat, Oct 20, 2001 at 09:22:57PM -0700, tony mancill blathered thusly:
> A good way to find out what process is listening on a port is to load the
> lsof package and use "lsof -i" (as root so that you'll see everything).

I find that fuser is more convenient at times - "fuser -v -n udp <port>"
returns the process(es) listening on the named UDP port.

--
Ben Staffin    gpg key: http://darkskie.net/~benley/pgp.txt
Firewall Related Question
I've got some simple questions related to using a firewall on some single
public Debian boxes. I chose to post my questions here because I've always
had security in mind during the development of my network services.

Let me assume I've got a simple network with 3 public Debian servers and 1
Cisco router (Internet gateway). The router belongs to my connection ISP so
I can't configure it, but only use it for Internet connectivity. The 3
Debian boxes are under my full control.

The best way to protect my Debian servers would be to install a firewall on
my gateway (Cisco router), but actually I can't, so my question is:

Can I install a firewall on each of my Debian boxes to filter/block
incoming and outgoing network traffic? Is this a good choice? Or should I
put another machine in my network, between the gateway and the servers,
which acts as firewall?

Thank you for all your suggestions,
Have a nice time...

Ivo Marino

--
Ivo Marino   [EMAIL PROTECTED]
UN*X Developer, running Debian GNU/Linux
http://eimbox.org
Re: Firewall Related Question
On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> [...]
> Can I install a firewall on each of my Debian boxes to filter/block
> incoming and outgoing network traffic? Is this a good choice? Or should I
> put another machine in my network, between the gateway and the servers,
> which acts as firewall?

You can just configure a packet filter on all your servers; the main
disadvantage is that it's more difficult to administer.
RE: Firewall Related Question
Yes, you could definitely do a firewall on each server. Also, have you
considered setting up a 4th machine between the Cisco and the 3 servers?
That could work also. You wouldn't make it a masq box, just configure it to
pass packets based on the rules.

- James

----- Original Message -----
From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 6:58 AM
To: Debian Security List
Subject: Re: Firewall Related Question

On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> [...]
> Can I install a firewall on each of my Debian boxes to filter/block
> incoming and outgoing network traffic? Is this a good choice? Or should I
> put another machine in my network, between the gateway and the servers,
> which acts as firewall?

You can just configure a packet filter on all your servers; the main
disadvantage is that it's more difficult to administer.
Re: BugTraq Kernel 2.2.19
Kenneth Pronovici [EMAIL PROTECTED] writes:
> I can't make the ptrace exploit work on my 2.2.19 system... but I might
> be doing something wrong (I'm not quite sure what to expect). I get:
>
>     attached
>     exec ./insert_shellcode 30505
>     execl: Operation not permitted

Since the bug is a race condition, it's possible that it is hard to exploit.
Especially the exploit using newgrp is a bit fragile. There's a different
exploit using /bin/su, which is perhaps a bit more reliable. See:

http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00153.html

--
Florian Weimer             [EMAIL PROTECTED]
University of Stuttgart    http://cert.uni-stuttgart.de/
RUS-CERT                   +49-711-685-5973/fax +49-711-685-5898
ADSL connection problem
Hi,

I use an ADSL connection. The link seems to be up, because I can ping my
own fixed IP address. I have configured the IP address of my provider in
/etc/resolv.conf, but I can't resolve any name.

Where is the problem?

Regards
Re: ADSL connection problem
Your /etc/resolv.conf file should contain the IP addresses of nameservers.
Is that what you are referring to when you state "IP address of my
provider"?

On Mon, 2001-10-22 at 11:23, Luc MAIGNAN wrote:
> Hi,
>
> I use an ADSL connection. The link seems to be up, because I can ping my
> own fixed IP address. I have configured the IP address of my provider in
> /etc/resolv.conf, but I can't resolve any name.
>
> Where is the problem?
>
> Regards
Re: ADSL connection problem
On Mon, Oct 22, 2001 at 05:23:02PM +0200, Luc MAIGNAN wrote:
> Hi,
>
> I use an ADSL connection. The link seems to be up, because I can ping my
> own fixed IP address. I have configured the IP address of my provider in
> /etc/resolv.conf, but I can't resolve any name.
>
> Where is the problem?

Can you ping any other external IP? (e.g. 198.186.203.20)

--
Name:     Alson van der Meulen
Personal: [EMAIL PROTECTED]
School:   [EMAIL PROTECTED]
"It didn't do that a minute ago..."
Re: ADSL connection problem
> Hi,
>
> I use an ADSL connection. The link seems to be up, because I can ping my
> own fixed IP address. I have configured the IP address of my provider in
> /etc/resolv.conf, but I can't resolve any name.
>
> Where is the problem?

Is "the IP address of my provider" the IP address of the DNS server of
your provider? If not, it may be the problem!

resolv.conf must contain one or more lines with

    nameserver xxx.yyy.zzz.www

where xxx.yyy.zzz.www is the IP address of the DNS server of your provider.

Regards
Does Debian need to enforce a better Security policy for packages?
I am looking into the security policies outlined for package building, in
order to include some notes regarding them in the section "How does Debian
handle security" in the Securing Debian Manual
(http://www.debian.org/doc/ddp).

For example, I have been recently asked if a maintainer can do whatever he
wishes in a package. Can he? Sure, we have policies, but what if we have a
Debian developer distributing a trojan in a package. IMHO lintian does
check many issues regarding policy, but it does not test potential security
problems.

I just made an empty package with dh_make with only a postinst having
'rm -rf /'. Lintian says:

    $ lintian test-rm*deb
    E: test-rm: description-is-dh_make-template
    E: test-rm: helper-templates-in-copyright
    W: test-rm: readme-debian-is-debmake-template
    W: test-rm: unknown-section unknown

So. Since we do not do source code audits of incoming packages and this
kind of issue is not detected automatically... does this leave the Debian
distribution open to attack if a developer box gets hacked into?

I can only imagine this kind of automatic test for a correct package being
done using automatic installation in a controlled chrooted environment
before accepting incoming packages on the upload queues. And, even so,
events can be triggered only in some conditions.

Should we improve lintian in order to yell if some (destructive) action is
taken upon installation/de-installation? Should we further limit the kind
of commands available in these scripts? (BTW, this only tackles the problem
of installation scripts, not of the program itself...)

Best regards

Javi
RE: Firewall Related Question
I'd recommend the former (firewalling on each server). This will let you
customize the firewall for that server alone, and spread the packet
filtering load and logging.

Also, with no access to the Cisco box, you'd have to either MASQ or SNAT
with proxy arps if you do insert a firewall into the packet path to get the
traffic to cross the firewall. (The Cisco is going to assume that the
subnet with the DMZ address space is still directly attached.)

Cheers,
[EMAIL PROTECTED]

On Mon, 22 Oct 2001, James wrote:
> Yes, you could definitely do a firewall on each server. Also, have you
> considered setting up a 4th machine between the Cisco and the 3 servers?
> That could work also. You wouldn't make it a masq box, just configure it
> to pass packets based on the rules.
>
> - James
>
> [...]
Re: Port Scan for UDP
> Excuse your arrogance, but let me correct you in some points you made!
> First of all nmap does not scan only the services listed in
> /etc/services, if you were to have bothered reading the manual before
> answering you would have read, and I quote:

If you had actually read what I'd written, you'd see I didn't mention
anywhere that nmap only scans ports listed in /etc/services. I said that
nmap only scans ports mentioned in ITS OWN services file, which I assumed
most people would be intelligent enough to realize was the nmap-services
file (as documented in the manpage, if anyone would bother to read it).
You're right that I neglected to mention that it also scans anything from
1 to 1024 even if it's not listed in the services file, though.

> You could have spared the TCP/UDP diff lecture since the question wasn't
> directed to that...

The question was EXACTLY directed to that. The gentleman was asking why
every UDP port scanned was being listed as open. I explained the reason for
it; the firewall was dropping the UDP packets, and the way portscans work
with UDP is central to that. I fail to see the lack of relevance.

jc: If you own the box and *don't* have any reason to assume/think you've
been compromised (just checking) you can check locally using nice tools
like:

    netstat -an --ip             for both udp and tcp
    netstat -an --udp [--tcp]    for either one
    lsof -i -n
    nmap localhost -p 1-[HigherPortNumber]
    fuser

and the list goes on =)

--
Craig McPherson
Information Technology Coordinator
Baptist Collegiate Ministry
Re: Does Debian need to enforce a better Security policy for packages?
Javier Fernández-Sanguino Peña wrote:
> Should we improve lintian in order to yell if some (destructive) action
> is taken upon installation/de-installation? Should we further limit the
> kind of commands available in these scripts?

That would be a waste of time, IMHO. It would be trivial for a malicious
person to bypass these measures.

Neil
Re: Firewall Related Question
On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> I'd recommend the former (firewalling on each server). This will let you
> customize the firewall for that server alone, and spread the packet
> filtering load and logging.
>
> Also, with no access to the Cisco box, you'd have to either MASQ or SNAT
> with proxy arps if you do insert a firewall into the packet path to get
> the traffic to cross the firewall. (The Cisco is going to assume that
> the subnet with the DMZ address space is still directly attached.)

With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice
IMO): put two ethernet cards in a box, one to the Cisco, the second to the
switch with the Debian servers; no need for an IP address at the bridge,
just bridge and firewall. I'm not sure if Linux can do this, maybe there
are some patches for iptables to do it?

> On Mon, 22 Oct 2001, James wrote:
> > Yes, you could definitely do a firewall on each server. Also, have you
> > considered setting up a 4th machine between the Cisco and the 3
> > servers? That could work also. You wouldn't make it a masq box, just
> > configure it to pass packets based on the rules.
> >
> > [...]

--
Name:     Alson van der Meulen
Personal: [EMAIL PROTECTED]
School:   [EMAIL PROTECTED]
"I remember the last time I saw it do that..."
Re: Firewall Related Question
On Mon, Oct 22, 2001 at 07:30:56PM +0200, Alson van der Meulen wrote:
> On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> > I'd recommend the former (firewalling on each server). This will let
> > you customize the firewall for that server alone, and spread the
> > packet filtering load and logging.
> >
> > Also, with no access to the Cisco box, you'd have to either MASQ or
> > SNAT with proxy arps if you do insert a firewall into the packet path
> > to get the traffic to cross the firewall. (The Cisco is going to
> > assume that the subnet with the DMZ address space is still directly
> > attached.)
>
> With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite
> nice IMO): put two ethernet cards in a box, one to the Cisco, the second
> to the switch with the Debian servers; no need for an IP address at the
> bridge, just bridge and firewall. I'm not sure if Linux can do this,
> maybe there are some patches for iptables to do it?

Linux can do this as well - that's how the DMZ on our network is
firewalled. I'd recommend inserting a DMZ box and using packet filtering on
each of the boxes individually. Note that when you insert the firewall box
in front of your network it can take up to four hours for the upstream arp
cache to refresh.

Of course, you could buy a hardware-based firewall to replace the DMZ box
for $2-3K, but that takes all the fun out of it. <g>
Re: Does Debian need to enforce a better Security policy for packages?
On 22/10/01, Javier Fernández-Sanguino Peña wrote:
> I am looking into the security policies outlined for package building,
> in order to include some notes regarding them in the section "How does
> Debian handle security" in the Securing Debian Manual
> (http://www.debian.org/doc/ddp)

What do security policies for building a Debian package exactly have to do
with securing a Debian box? A system administrator reading this document
will be interested in tips and howtos on improving the security on the
boxes that he administrates. He's certainly not interested in knowing how
to securely build a Debian package.

> For example, I have been recently asked if a maintainer can do whatever
> he wishes in a package. Can he? Sure, we have policies, but what if we
> have a Debian developer distributing a trojan in a package. IMHO

That will soon be discovered and I would say that maintainer is definitely
facing problems.

> lintian does check many issues regarding policy, but it does not test
> potential security problems.

Which is correct, since lintian is only written for checking policy
compliance. If you want a tool checking for security problems, you should
write another new tool for this purpose.

> I just made an empty package with dh_make with only a postinst having
> 'rm -rf /'. Lintian says:
>
>     $ lintian test-rm*deb
>     E: test-rm: description-is-dh_make-template
>     E: test-rm: helper-templates-in-copyright
>     W: test-rm: readme-debian-is-debmake-template
>     W: test-rm: unknown-section unknown
>
> So. Since we do not do source code audits of incoming packages and this
> kind of issue is not detected automatically... does this leave the
> Debian distribution open to attack if a developer box gets hacked into?

No, new packages are not automatically becoming available for everyone and
will be reviewed before. So this doesn't leave the distribution open to
the kind of attacks you imagine.

> Should we improve lintian in order to yell if some (destructive) action
> is taken upon installation/de-installation? Should we further limit the
> kind [...]

No, because that's not the purpose of lintian. Write either a new tool for
that purpose or leave it. But be aware that it's very difficult to detect
all kinds of possible attacks or trojans that one could create.

Christian

--
Debian Developer (http://www.debian.org)
1024/26CC7853  31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
Re: Firewall Related Question
> Linux can do this as well - that's how the DMZ on our network is
> firewalled. I'd recommend inserting a DMZ box and using packet filtering
> on each of the boxes individually.

You should take a look at
http://lug.irk.ru/misc/iptables-tutorial-1.0.6.html#AEN690 - there is more
info about a DMZ firewall. We used it modified and it works great.

Good luck

Martijn Knuiman
Re: Does Debian need to enforce a better Security policy for packages?
On Mon, Oct 22, 2001 at 09:31:38PM +0200, Christian Kurz wrote:
> What does security policies for building a debian package exactly have to do with securing a debian box? System administrator reading this document will be interested in tips and howtos on improving the security on the boxes that he administrates. He's certainly not interested in knowing how to securely build a debian package.

The point is, I'm starting to think on changing the document title to something on the lines of "Debian Security Manual" and go a little deeper into Debian security stuff (advisories, the security team, etc.).

> That will soon be discovered and I would say that maintainer is definitely facing problems.

Might I remind you that we are not (IIRC) doing a source code audit of packages. That "soon" is supposing that his package is widely used and the mischief promptly discovered.

>> lintian does check many issues regarding policy, but it does not test potential security problems.
>
> Which is correct, since lintian is only written for checking policy compliance. If you want a tool checking for security problems, you should write another new tool for this purpose.

Not exactly right, policy does talk about security related issues, and lintian should check them. For example:

    11.9. Permissions and owners
    The rules in this section are guidelines for general use. If necessary you may deviate from the details below. However, if you do so you must make sure that what is done is *secure* and you should try to be as consistent as possible with the rest of the system.

(emphasis is mine)

>> So. Since we do not do source code audits of incoming packages and this kind of issues are not detected automatically... does this leave the Debian distribution open to attack if a developer box gets hacked into?
>
> No, new packages are not automatically becoming available for everyone and will be reviewed before. So this doesn't leave the distribution open for that kind of attacks you imagine.

So, then, for the record (i.e. the manual) what kind of reviews are made for incoming/new packages (besides lintian checks)? I do know that the archive maintainers do this stuff, could someone introduce me to what reviews (security-wise) are made?

> No, because that's not the purpose of lintian. Write either a new tool for that purpose or leave it. But be aware that it's very difficult to detect all kinds of possible attacks or trojans that one could create.

I agree. However, with the Debian package format becoming increasingly popular, it does have some flaws (IMHO, I might get smacked for saying this :) which might be used to introduce simple trojans. Regardless of the package contents (which might be a trojan by itself) having the post/pre-install/remove script run as the root user with an unrestricted shell (or perl, or whatever) could turn into potential problems in the long term. *If* the contents are trojaned, the user still has to run them (unless the package installs daemons or cron items, or simply calls them himself) in order to be affected. However, installation scripts are run regardless of the package contents. So, is it possible to limit those scripts or am I just thinking on trying to put a fence around the desert? (not really sure if that's the appropriate expression BTW :P

Javi

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
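The two concerns raised in the message above, maintainer scripts that dpkg runs as root no matter what the package contains and file permissions that fall outside Policy 11.9, are both things a reviewer can check mechanically before a package is installed. The following is an added example, not code from the thread or from lintian: it assembles a small .deb in memory (ar archive holding debian-binary, control.tar.gz and data.tar.gz) so that it runs offline, then scans it for maintainer scripts, setuid/setgid files, world-writable paths and files not owned by root. The package name, paths and script text are constructed for the demo.

```python
"""Added example (not from the thread): build a minimal .deb in memory and
scan it for maintainer scripts (run as root by dpkg regardless of contents)
and for file modes/owners that Policy 11.9 says must be justified.
Everything in SAMPLE_DEB is constructed for the demonstration."""
import io
import tarfile

MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def _tar_bytes(entries):
    """entries: list of (name, data, mode, uid, gid) -> gzip-compressed tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode, uid, gid in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            info.uid, info.gid = uid, gid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_member(name, data):
    # ar(1) header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
    header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n").encode()
    return header + data + (b"\n" if len(data) % 2 else b"")  # members are padded to even length


def build_deb(control_entries, data_entries):
    """Assemble debian-binary + control.tar.gz + data.tar.gz into an ar archive."""
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_bytes(control_entries))
            + _ar_member("data.tar.gz", _tar_bytes(data_entries)))


def _ar_members(blob):
    """Split an ar archive into {member name: bytes}."""
    assert blob.startswith(b"!<arch>\n"), "not an ar archive"
    pos, out = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        out[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return out


def _member(members, prefix):
    # real packages may ship data.tar.xz etc.; tarfile autodetects the compression
    for name, blob in members.items():
        if name.startswith(prefix):
            return blob
    raise KeyError(prefix)


def audit_deb(blob):
    """Return findings as a sorted list of (kind, path) tuples."""
    members = _ar_members(blob)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(_member(members, "control.tar"))) as ctl:
        for m in ctl.getmembers():
            base = m.name.lstrip("./")
            if base in MAINT_SCRIPTS:
                # dpkg executes these as root even if nothing in data.tar is ever run
                findings.append(("maintainer-script", base))
    with tarfile.open(fileobj=io.BytesIO(_member(members, "data.tar"))) as data:
        for m in data.getmembers():
            path = m.name.lstrip(".")
            if m.mode & 0o6000:
                findings.append(("setuid-or-setgid", path))
            if m.mode & 0o002 and not m.issym():
                findings.append(("world-writable", path))
            if m.uid != 0 or m.gid != 0:
                findings.append(("owner-not-root", path))
    return sorted(findings)


# Constructed sample: a postinst that flips a setuid bit, a setuid binary,
# a world-writable state file and a doc file owned by uid 1000.
SAMPLE_DEB = build_deb(
    control_entries=[
        ("./control", b"Package: demo\nVersion: 0.1\nArchitecture: all\n", 0o644, 0, 0),
        ("./postinst", b"#!/bin/sh\nset -e\nchmod 4755 /usr/bin/demo\n", 0o755, 0, 0),
    ],
    data_entries=[
        ("./usr/bin/demo", b"#!/bin/sh\necho demo\n", 0o4755, 0, 0),
        ("./var/lib/demo/state", b"", 0o666, 0, 0),
        ("./usr/share/doc/demo/README", b"demo\n", 0o644, 1000, 1000),
    ],
)

if __name__ == "__main__":
    for kind, path in audit_deb(SAMPLE_DEB):
        print(f"{kind:<18} {path}")
```

To run it against a real package, pass `open("pkg.deb", "rb").read()` to `audit_deb`. A finding is a prompt for review, not a verdict: Policy 11.9 allows deviations that are justified and secure, and a maintainer script is only dangerous if its contents are, which this check does not read.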
Re: Questions regarding the Security Secretary Position
It really didn't need to go to -devel in the first place: this is internal to debian-security until there's a candidate. Followups redirected. On Tue, 23 Oct 2001, Jason Thomas wrote: only one thing, does this have to go to both lists, I'm getting a lot of messages twice, and yes they have different message id's. On Mon, Oct 22, 2001 at 09:43:05AM -0700, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. How is it a barrier? -- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
John Galt [EMAIL PROTECTED] writes: On 22 Oct 2001, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. How is it a barrier? It's an extra qualification. It's one that until you objected, didn't exist. My point still stands: if you want to add qualifications, add them by raising the bar and volunteering yourself. I think it's an entirely appropriate qualification. But it's no barrier: it simply requires that we know who the person is and that they share our commitments. I think those are reasonable things to expect. Thomas
Re: Questions regarding the Security Secretary Position
On 22 Oct 2001, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: On 22 Oct 2001, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. How is it a barrier? It's an extra qualification. It's one that until you objected, didn't exist. My point still stands: if you want to add qualifications, add them by raising the bar and volunteering yourself. I think it's an entirely appropriate qualification. But it's no barrier: it simply requires that we know who the person is and that they share our commitments. I think those are reasonable things to expect. They aren't reasonable things to add at the last minute. The search happened, AFAICT there is a candidate, yet you had to object now. If it was so reasonable, why didn't you mention it when it came up? Reasonableness cannot be applied to concepts that are brought up at the last minute: the very fact that they were shoved in at the last minute makes them unreasonable. Now do as I asked and shut up. Thomas -- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
John Galt [EMAIL PROTECTED] writes: They aren't reasonable things to add at the last minute. The search happened, AFAICT there is a candidate, yet you had to object now. If it was so reasonable, why didn't you mention it when it came up? Reasonableness cannot be applied to concepts that are brought up at the last minute: the very fact that they were shoved in at the last minute makes them unreasonable. Now do as I asked and shut up. Actually, the security team was operating all the time under the expectation that the person should be a developer, despite the public statement on the list (as has already been said). Nor for that matter is it unreasonable for me to make a suggestion late in the day; it is for the appropriate people to decide whether or not they want to take the suggestion--where that is the security team--and I'm happy to let them take whatever suggestions I might offer and do with them what they think fit. As for why I didn't bring it up sooner: I simply hadn't noticed it sooner. I don't therefore void my right to bring it up, though the security team would be well within its rights to decide that it's too late to change things. Thomas
Re: Questions regarding the Security Secretary Position
On 22 Oct 2001, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: They aren't reasonable things to add at the last minute. The search happened, AFAICT there is a candidate, yet you had to object now. If it was so reasonable, why didn't you mention it when it came up? Reasonableness cannot be applied to concepts that are brought up at the last minute: the very fact that they were shoved in at the last minute makes them unreasonable. Now do as I asked and shut up. Actually, the security team was operating all the time under the expectation that the person should be a developer, despite the public statement on the list (as has already been said). You just don't know when to drop things, do you? I've told you to shut up twice, at least two others have at various times told us to drop it, and one person's pointed out that you ECP'd it in the first place. I'm almost positive Joey's ready to kill us (I've finally removed him from the CC list, as he really isn't germane to this discussion any more...) Nor for that matter is it unreasonable for me to make a suggestion late in the day; it is for the appropriate people to decide whether or not they want to take the suggestion--where that is the security team--and I'm happy to let them take whatever suggestions I might offer and do with them what they think fit. The whole problem here is they DIDN'T ask you. You threw in your two cents worth without a corresponding pledge of support. As for why I didn't bring it up sooner: I simply hadn't noticed it sooner. I don't therefore void my right to bring it up, though the No, but you DO make yourself a hypocrite for calling ME obstructionist... Compared to you, I'm a piker in this context apparently. security team would be well within its rights to decide that it's too late to change things. Thomas -- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Multiple IP addresses
Can anyone tell me the kernel option to enable on 2.2.17 to be able to specify multiple ethernet addresses in the /etc/network/interfaces file, i.e. eth0 eth0:1 eth0:2 .. on the same physical interface? I know it works on the standard kernel but every time I compile my own kernel I lose the ability to do this. Thanks! Marcel
Re: Questions regarding the Security Secretary Position
John Galt [EMAIL PROTECTED] writes: The whole problem here is they DIDN'T ask you. You threw in your two cents worth without a corresponding pledge of support. It's a public mailing list, and I was simply contributing my suggestion. You decided it should be a big Federal case. I'll make you a deal. When you rudely say shut up, I'll pay attention if you return the favor when I say shut up to you. No, but you DO make yourself a hypocrite for calling ME obstructionist... Compared to you, I'm a piker in this context apparently. I'm not trying to obstruct anything.
Re: Multiple IP addresses
Previously Marcel Welschbillig wrote: I know it works on the standard kernel but every time i compile my own kernel i lose the ability to do this. Enable IP aliasing. Wichert. -- _ / Nothing is fool-proof to a sufficiently talented fool \ | [EMAIL PROTECTED] http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: Multiple IP addresses
Marcel Welschbillig [EMAIL PROTECTED] writes: Can anyone tell me the kernel option to enable on 2.2.17 to be able to specify multiple ethernet addresses in the /etc/network/interfaces file, i.e. eth0 eth0:1 eth0:2 .. on the same physical interface? I know it works on the standard kernel but every time I compile my own kernel I lose the ability to do this. CONFIG_IP_ALIAS Phil.
Re: Multiple IP addresses
It's called alias support, and can be found in networking options. CONFIG_IP_ALIAS=y On Tue, Oct 23, 2001 at 12:29:36PM +0800, Marcel Welschbillig wrote: Can anyone tell me the kernel option to enable on 2.2.17 to be able to specify multiple ethernet addresses in the /etc/network/interfaces file, i.e. eth0 eth0:1 eth0:2 .. on the same physical interface? -- Jason Thomas Phone: +61 2 6257 7111 System Administrator - UID 0 Fax:+61 2 6257 7311 tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81 1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/
Re: Multiple IP addresses
IP aliasing. Cya. Marcel Welschbillig wrote: Can anyone tell me the kernel option to enable on 2.2.17 to be able to specify multiple ethernet addresses in the /etc/network/interfaces file, i.e. eth0 eth0:1 eth0:2 .. on the same physical interface? I know it works on the standard kernel but every time I compile my own kernel I lose the ability to do this. Thanks! Marcel -- Regards, Robert Davidson. http://www.mlug.org.au/
Re: Multiple IP addresses
Quite obvious when you look at it (DUH!) Thanks to all who replied. Marcel Robert Davidson wrote: IP aliasing. Cya. Marcel Welschbillig wrote: Can anyone tell me the kernel option to enable on 2.2.17 to be able to specify multiple ethernet addresses in the /etc/network/interfaces file, i.e. eth0 eth0:1 eth0:2 .. on the same physical interface? I know it works on the standard kernel but every time I compile my own kernel I lose the ability to do this. Thanks! Marcel -- Regards, Marcel Welschbillig -- Inter-Network Engineer Comdek Limited 673 Murray Street West Perth WA 6005 Ph : (08)9214 5259 FAX: (08)9214 5201
Re: Questions regarding the Security Secretary Position
On 22 Oct 2001, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: The whole problem here is they DIDN'T ask you. You threw in your two cents worth without a corresponding pledge of support. It's a public mailing list, and I was simply contributing my suggestion. You decided it should be a big Federal case. I find that hilarious coming from you. Didn't you once try to muzzle myself and another on -legal, claiming that lists.debian.org wasn't a public resource? Hypocrite. I'll make you a deal. When you rudely say shut up, I'll pay attention if you return the favor when I say shut up to you. Yeah, sure. You have yet to back that statement with lack of words... No, but you DO make yourself a hypocrite for calling ME obstructionist... Compared to you, I'm a piker in this context apparently. I'm not trying to obstruct anything. No, you're just making reasonable suggestions after the fact. Whatever, if you can't figure that what you're doing is being obstructionist, there ain't nothing I'm going to tell you that will change it, even if I could. -- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
Hi, Quoting Colin Phipps ([EMAIL PROTECTED]): On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote: I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC). Sure they don't have to be a developer *yet*, but they should (either in fact or in effect) become one. Which was what Thomas suggested. Please read the thread first :) mdz already noted that we already have two security secretaries. A couple of members of the security team, including me, feel that the person(s) to be appointed secretary should already _be_ developers. Not that this all matters anymore, as the whole thing already has been resolved. Greets, Robert -- Linux Generation encrypted mail preferred. finger [EMAIL PROTECTED] for my GnuPG/PGP key. Life is a sexually transmitted disease with 100% mortality.
Re: Questions regarding the Security Secretary Position
John Galt [EMAIL PROTECTED] writes: I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. How is it a barrier?
Re: Questions regarding the Security Secretary Position
On 21 Oct 2001, Thomas Bushnell, BSG wrote: Martin Schulze [EMAIL PROTECTED] writes: Q: Is a requirement being a Debian developer? No. It is my understanding that it would be good to have fresh blood in the team. Working on security can cost a lot of time, thus it could even be helpful not being a Debian developer since that implies active package maintenance as well. However, similar knowledge is very helpful, and may be required when working on issues. I think the security secretary, if we have one, should be a Debian developer. I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. But it doesn't have to be someone who is already a Debian developer, and I have no objection to fast-tracking their application. -- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
Only one thing, does this have to go to both lists? I'm getting a lot of messages twice, and yes they have different message id's. On Mon, Oct 22, 2001 at 09:43:05AM -0700, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. How is it a barrier? -- Jason Thomas Phone: +61 2 6257 7111 System Administrator - UID 0 Fax:+61 2 6257 7311 tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81 1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/
Re: Questions regarding the Security Secretary Position
On 22 Oct 2001, Thomas Bushnell, BSG wrote: John Galt [EMAIL PROTECTED] writes: I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. How is it a barrier? It's an extra qualification. It's one that until you objected, didn't exist. My point still stands: if you want to add qualifications, add them by raising the bar and volunteering yourself. -- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote: On 21 Oct 2001, Thomas Bushnell, BSG wrote: Martin Schulze [EMAIL PROTECTED] writes: Q: Is a requirement being a Debian developer? No. It is my understanding that it would be good to have fresh blood in the team. Working on security can cost a lot of time, thus it could even be helpful not being a Debian developer since that implies active package maintenance as well. However, similar knowledge is very helpful, and may be required when working on issues. I think the security secretary, if we have one, should be a Debian developer. I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers. The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC). Sure they don't have to be a developer *yet*, but they should (either in fact or in effect) become one. Which was what Thomas suggested. -- Colin Phipps PGP 0x689E463E http://www.netcraft.com/
Re: Questions regarding the Security Secretary Position
On Mon, 22 Oct 2001, Colin Phipps wrote:
> On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote:
>> On 21 Oct 2001, Thomas Bushnell, BSG wrote:
>>> Martin Schulze [EMAIL PROTECTED] writes:
>>>> Q: Is a requirement being a Debian developer? No. It is my understanding that it would be good to have fresh blood in the team. Working on security can cost a lot of time, thus it could even be helpful not being a Debian developer since that implies active package maintenance as well. However, similar knowledge is very helpful, and may be required when working on issues.
>>> I think the security secretary, if we have one, should be a Debian developer.
>> I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.
> The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC).

Actually, it does.

> Sure they don't have to be a developer *yet*, but they should (either in fact or in effect) become one. Which was what Thomas suggested.

-- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
John Galt wrote: It really didn't need to go to -devel in the first place: this is internal to debian-security until there's a candidate. Followups redirected. Err... you have noticed that there are already two people filling this position, haven't you? Regards, Joey -- This is Linux Country. On a quiet night, you can hear Windows reboot. Please always Cc to me when replying to me on the lists.
Re: Questions regarding the Security Secretary Position
On Tue, 23 Oct 2001, Martin Schulze wrote: John Galt wrote: It really didn't need to go to -devel in the first place: this is internal to debian-security until there's a candidate. Followups redirected. Err... you have noticed that there are already two people filling this position, haven't you? And since the candidate wasn't announced on -devel, one can only assume that their qualifications aren't germane to -devel (followups NOT redirected, I've futilely tried too many times to redirect to care who the hell gets this). Regards, Joey -- Be Careful! I have a black belt in sna-fu! Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
John Galt wrote: On Tue, 23 Oct 2001, Martin Schulze wrote: John Galt wrote: It really didn't need to go to -devel in the first place: this is internal to debian-security until there's a candidate. Followups redirected. Err... you have noticed that there are already two people filling this position, haven't you? And since the candidate wasn't announced on -devel, one can only assume I'm sorry, but things are announced to -devel-announce, -news or -announce. If you don't follow these lists, I'm sorry... Regards, Joey -- This is Linux Country. On a quiet night, you can hear Windows reboot. Please always Cc to me when replying to me on the lists.
Re: Questions regarding the Security Secretary Position
On Mon, Oct 22, 2001 at 08:23:24AM -0600, John Galt wrote: On Mon, 22 Oct 2001, Colin Phipps wrote: The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC). Actually, it does. No. *Most* developers maintain packages, sure, but they don't have to. http://nm.debian.org/newnm.html (I think that's the URL, I'm looking at it in CVS because pandora seems inaccessible): If you intend to package software, do you have a Debian package you have adopted or created ready to show your AM? And if you intend to do other things (e.g. port Debian to other architectures, help with documentation, Quality Assurance or Security), do you have experience in those things which you can tell your AM about? -- Colin Watson [[EMAIL PROTECTED]]
Re: ssh vulnerability
On Fri, Oct 19, 2001 at 05:06:03PM -0700, Garrett Ellis wrote: I run Debian; and I applied the OpenSSH patch myself as soon as it was posted. Does anybody know of the advantages of waiting for a new .deb file to get circulated are? It's easier, esp. if you don't already have source for the latest version. The patch was a change to two lines of code; so I just made the changes and rebuilt OpenSSH. That's how I do all of my non-kernel patches; seems a bit odd to wait around for the distribution's official patch-maker-squad to churn out a new .DEB file. A lot of people are lazy, and will wait for a .deb in the archive. This is a sensible response, because the vulnerability is not severe. As long as they don't have your keys, they still can't get in. I had a physics prof who always told us that we should be lazy. He meant that we figure out how to solve the problem with simple equations, instead of creating a monster, or a whole lot of equations. (this was quantum mechanics, so it's pretty easy to get screwed if you head off into the wilderness crunching equations.) This principle applies to being a sysadmin. Just as you automate everything you can, in the name of laziness, you can wait until stuff falls into your lap instead of going out and fixing it yourself, if the problem is not at all likely to lead to any real problems for your system. -- #define X(x,y) x##y Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca) The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: ssh vulnerability
On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote: On Fri, Oct 19, 2001 at 05:06:03PM -0700, Garrett Ellis wrote: I run Debian; and I applied the OpenSSH patch myself as soon as it was posted. Does anybody know of the advantages of waiting for a new .deb file to get circulated are? It's easier, esp. if you don't already have source for the latest version. BTW, I'm talking about http://www.securityfocus.com/bid/3369 OpenSSH Key Based Source IP Access Control Bypass Vulnerability Someone else mentioned a buffer overflow exploit. In that case (remote root exploit or something), then laziness is overruled by the need to keep one's system secure. -- #define X(x,y) x##y Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca) The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: central administration techniques
On Fri, Oct 19, 2001 at 05:54:28PM +0300, Juha Jäykkä wrote: I was wondering if there are any secure methods of centrally managing the versions of certain files on Debian machines. The problem you describe (in the part of your email that I deleted) seems to be not wanting to give access to modify anything without a password - impossible to automate syncing config files. If you have read access, or even have a cron job on each machine that mails or otherwise submits md5 hashes of your config files, you could determine when a re-sync needs to be done, then manually run a shell script that runs rsync over ssh to bring things up to date. You would have to put in the necessary passwords for that to happen, but you only need to run it once a need for resyncing is detected. -- #define X(x,y) x##y Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca) The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BCE
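The detect-then-resync approach in the reply above, as an added example rather than anything posted in the thread: each host builds a manifest of digests for a watched list of config files (the job you would run from cron and mail out), and the admin side diffs it against the baseline taken when the files were last pushed, so you only run the rsync-over-ssh step when something actually drifted. SHA-256 is used in place of the MD5 the reply mentions, since MD5 collisions are cheap to produce and an attacker who has modified a file could also produce a colliding one. The file names, contents and manifest layout are constructed for the demo; the example writes them into a temporary directory so it runs stand-alone. Two caveats the post implies but does not spell out: a root compromise on the monitored host can also tamper with the reporting job, so a mailed manifest is evidence rather than proof, and the hashes should be compared on the admin machine, not on the host that produced them.

```python
"""Added example (not from the thread): config-file drift detection by
digest manifest, the first half of the "detect, then rsync" scheme.
Paths, contents and the report format are assumptions for the demo."""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not go into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Map each watched relative path to its digest, or None if it is missing."""
    out = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        out[rel] = file_digest(full) if os.path.isfile(full) else None
    return out


def drift(baseline, current):
    """Compare a host's current manifest against the baseline taken at last push."""
    changed = sorted(p for p in baseline
                     if current.get(p) is not None and baseline[p] != current[p])
    missing = sorted(p for p in baseline if current.get(p) is None)
    unlisted = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "unlisted": unlisted}


def format_report(host, findings):
    """One line per finding: easy to mail from cron and to grep on the admin box."""
    lines = []
    for kind in ("changed", "missing", "unlisted"):
        lines.extend(f"{host} {kind.upper()} {p}" for p in findings[kind])
    return "\n".join(lines)


def demo():
    """Constructed scenario: take a baseline, then edit sshd_config and delete hosts.allow."""
    watched = ["etc/ssh/sshd_config", "etc/hosts.allow", "etc/hosts.deny"]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/ssh"))
        for rel, body in [("etc/ssh/sshd_config", "PermitRootLogin no\n"),
                          ("etc/hosts.allow", "sshd: 192.0.2.0/24\n"),
                          ("etc/hosts.deny", "ALL: ALL\n")]:
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_manifest(root, watched)
        # simulate what an intruder (or a colleague) might do between two cron runs
        with open(os.path.join(root, "etc/ssh/sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc/hosts.allow"))
        return drift(baseline, build_manifest(root, watched))


if __name__ == "__main__":
    print(format_report("web1", demo()))
```

In practice `build_manifest("/", watched)` runs on each host and its output is mailed or scp'd to the admin machine, where `drift` is computed against the manifest recorded when the files were last pushed; an empty report means no rsync is needed.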
Re: Port Scan for UDP
# netstat -anp|less that works for me all the time Without the darkness, how would you recognize the light? -Original Message- From: Ben Staffin [EMAIL PROTECTED] Date: Sat, 20 Oct 2001 23:27:09 -0500 Subject: Re: Port Scan for UDP On Sat, Oct 20, 2001 at 09:22:57PM -0700, tony mancill blathered thusly: A good way to find out what process is listening on a port is to load the lsof package and use lsof -i (as root so that you'll see everything). I find that fuser is more convenient at times - fuser -v -n udp port returns the process(es) listening on the named UDP port. -- /-- | Ben Staffin gpg key: http://darkskie.net/~benley/pgp.txt | --/
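All three tools mentioned above (netstat -anp, lsof -i, fuser -n udp) answer the question the same way on Linux: read the socket table from /proc/net/udp and match each socket's inode against the /proc/<pid>/fd links of every process. The following is an added example that does those two steps by hand; it is not code from the thread or from any of those tools. The /proc/net/udp lines are constructed, not captured from a real host, and the inode-to-pid lookup only sees processes you are allowed to inspect, which is why the tools are normally run as root.

```python
"""Added example (not from the thread): how netstat -anp / lsof -i / fuser -n udp
find the owner of a UDP port on Linux. parse_proc_net_udp() decodes /proc/net/udp
(and udp6) lines; socket_owners() maps socket inodes to pids via /proc/<pid>/fd.
SAMPLE_UDP is constructed for the demonstration."""
import os
import socket

SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  25: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  64: 0100007F:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12387 2 0000000000000000 0
 102: 0A00020A:A2B4 0100000A:0035 01 00000000:00000000 00:00000000 00000000  1000        0 12402 2 0000000000000000 0
"""


def _addr(hexaddr):
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints IPv4 as one
    little-endian 32-bit word and IPv6 as four of them."""
    ip_hex, port_hex = hexaddr.split(":")
    raw = bytes.fromhex(ip_hex)
    if len(raw) == 4:
        ip = socket.inet_ntoa(raw[::-1])
    else:
        words = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
        ip = socket.inet_ntop(socket.AF_INET6, words)
    return ip, int(port_hex, 16)


def parse_proc_net_udp(text):
    """One dict per socket line. State 07 is an unconnected (listening) UDP
    socket; 01 is a socket connected to a peer."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": _addr(f[1]),
            "remote": _addr(f[2]),
            "listening": f[3] == "07",
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def socket_owners():
    """inode -> [pids]. Empty when /proc is absent; silently skips processes
    whose fd directory we cannot read (i.e. not root)."""
    owners = {}
    if not os.path.isdir("/proc"):
        return owners
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                owners.setdefault(int(target[8:-1]), []).append(int(pid))
    return owners


def listeners(text, owners=None):
    """Listening UDP sockets as (local address, uid, pids or None)."""
    owners = socket_owners() if owners is None else owners
    return [(r["local"], r["uid"], owners.get(r["inode"]))
            for r in parse_proc_net_udp(text) if r["listening"]]


if __name__ == "__main__":
    with open("/proc/net/udp") as fh:  # live run; needs Linux, root to see all pids
        for addr, uid, pids in listeners(fh.read()):
            print(f"{addr[0]}:{addr[1]}  uid={uid}  pids={pids}")
```

A listener whose inode maps to no pid after running as root is worth a second look: it is either a socket held by a process in another namespace, or a hint that the process list itself is being hidden from you.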
Firewall Related Question
I've got some simple questions related to using a firewall on some single public Debian boxes. I chose to post my questions here because I've always had security in mind during the development time of my network services. Let me assume I've got a simple network with 3 public Debian servers and 1 Cisco router (Internet gateway). The router belongs to my connection ISP so I can't configure it, but only use it for Internet connectivity. The 3 Debian boxes are under my full control. The best way to protect my Debian servers would be to install a firewall on my gateway (Cisco router) but actually I can't, so my question is: Can I install a firewall on each of my Debian boxes to filter/block incoming and outgoing network traffic? Is this a good choice? Or should I put another machine in my network, between the gateway and the servers, which acts as firewall? Thank you for all your suggestions, Have a nice time... Ivo Marino -- Ivo Marino[EMAIL PROTECTED] UN*X Developer, running Debian GNU/Linux http://eimbox.org
Re: Firewall Related Question
On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote: I've got some simple questions related to using a firewall on some single public Debian boxes. I chose to post my questions here because I've always had security in mind during the development time of my network services. Let me assume I've got a simple network with 3 public Debian servers and 1 Cisco router (Internet gateway). The router belongs to my connection ISP so I can't configure it, but only use it for Internet connectivity. The 3 Debian boxes are under my full control. The best way to protect my Debian servers would be to install a firewall on my gateway (Cisco router) but actually I can't, so my question is: Can I install a firewall on each of my Debian boxes to filter/block incoming and outgoing network traffic? Is this a good choice? Or should I put another machine in my network, between the gateway and the servers, which acts as firewall? You can just configure a packet filter on all your servers, the main disadvantage is that it's more difficult to administer
RE: Firewall Related Question
Yes, you could definitely do a firewall on each server. Also, have you considered setting up a 4th machine between the Cisco and 3 servers? That could work also. You wouldn't make it a masq box, just configure it to pass packets based on the rules.

- James

-----Original Message-----
From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 6:58 AM
To: Debian Security List
Subject: Re: Firewall Related Question

On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> I've got some simple questions related to using a firewall on some single public Debian boxes. I chose to post my questions here because I've always had security in mind during the development of my network services.
>
> Let me assume I've got a simple network with 3 public Debian servers and 1 Cisco router (Internet gateway). The router belongs to my connection ISP so I can't configure it, but only use it for Internet connectivity. The 3 Debian boxes are under my full control.
>
> The best way to protect my Debian servers would be to install a firewall on my gateway (Cisco router) but actually I can't, so my question is:
>
> Can I install a firewall on each of my Debian boxes to filter/block incoming and outgoing network traffic? Is this a good choice? Or should I put another machine in my network, between the gateway and the servers, which acts as firewall?

You can just configure a packet filter on all your servers; the main disadvantage is that it's more difficult to administer.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: BugTraq Kernel 2.2.19
Kenneth Pronovici [EMAIL PROTECTED] writes:

> I can't make the ptrace exploit work on my 2.2.19 system... but I might be doing something wrong (I'm not quite sure what to expect). I get:
>
>   attached
>   exec ./insert_shellcode 30505
>   execl: Operation not permitted

Since the bug is a race condition, it's possible that it is hard to exploit. Especially the exploit using newgrp is a bit fragile. There's a different exploit using /bin/su, which is perhaps a bit more reliable. See:

http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00153.html

--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: Questions regarding the Security Secretary Position
On 21 Oct 2001, Thomas Bushnell, BSG wrote:

> Martin Schulze [EMAIL PROTECTED] writes:
>
> > Q: Is a requirement being a Debian developer?
> >
> > No. It is my understanding that it would be good to have fresh blood in the team. Working on security can cost a lot of time, thus it could even be helpful not being a Debian developer since that implies active package maintenance as well. However, similar knowledge is very helpful, and may be required when working on issues.
>
> I think the security secretary, if we have one, should be a Debian developer.

I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.

> But it doesn't have to be someone who is already a Debian developer, and I have no objection to fast-tracking their application.

--
Be Careful! I have a black belt in sna-fu!
Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote:
> On 21 Oct 2001, Thomas Bushnell, BSG wrote:
> > Martin Schulze [EMAIL PROTECTED] writes:
> > > Q: Is a requirement being a Debian developer?
> > >
> > > No. It is my understanding that it would be good to have fresh blood in the team. Working on security can cost a lot of time, thus it could even be helpful not being a Debian developer since that implies active package maintenance as well. However, similar knowledge is very helpful, and may be required when working on issues.
> >
> > I think the security secretary, if we have one, should be a Debian developer.
>
> I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.

The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC). Sure they don't have to be a developer *yet*, but they should (either in fact or in effect) become one. Which was what Thomas suggested.

--
Colin Phipps PGP 0x689E463E http://www.netcraft.com/
Re: Questions regarding the Security Secretary Position
On Mon, 22 Oct 2001, Colin Phipps wrote:
> On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote:
> > On 21 Oct 2001, Thomas Bushnell, BSG wrote:
> > > Martin Schulze [EMAIL PROTECTED] writes:
> > > > Q: Is a requirement being a Debian developer?
> > > >
> > > > No. It is my understanding that it would be good to have fresh blood in the team. Working on security can cost a lot of time, thus it could even be helpful not being a Debian developer since that implies active package maintenance as well. However, similar knowledge is very helpful, and may be required when working on issues.
> > >
> > > I think the security secretary, if we have one, should be a Debian developer.
> >
> > I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.
>
> The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC). Sure they don't have to

Actually, it does.

> be a developer *yet*, but they should (either in fact or in effect) become one. Which was what Thomas suggested.

--
Be Careful! I have a black belt in sna-fu!
Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
Hi,

Quoting Colin Phipps ([EMAIL PROTECTED]):
> On Mon, Oct 22, 2001 at 07:12:57AM -0600, John Galt wrote:
> > I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.
>
> The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC). Sure they don't have to be a developer *yet*, but they should (either in fact or in effect) become one. Which was what Thomas suggested.

Please read the thread first :) mdz already noted that we already have two security secretaries. A couple of members of the security team, including me, feel that the person(s) to be appointed secretary should already _be_ developers.

Not that this all matters anymore, as the whole thing already has been resolved.

Greets,
Robert
--
Linux Generation
encrypted mail preferred. finger [EMAIL PROTECTED] for my GnuPG/PGP key.
Life is a sexually transmitted disease with 100% mortality.
ADSL connection problem
Hi,

I use an ADSL connection. The link seems to be up, because I can ping my own fixed IP address. I have configured the IP address of my provider in /etc/resolv.conf, but I can't resolve any name. Where is the problem?

Regards
Get guaranteed traffic to your website today @ incredible prices
Are you looking for effective traffic to your website? Look no further... ** For the first time on the Internet, Trafficdelivered.com offers you a centralised means of ordering high-quality traffic, with a members area where you can check how your traffic purchase is doing and be involved in the project. Establish your web presence today with the most affordable marketing packages available on the Internet. At an unbelievably low cost we can deliver a flood of targeted prospects to your web page. Stop wasting time and energy on marketing techniques that never deliver the traffic. Your online business needs to survive. In less than 1 week we can have a steady flow of fresh prospects landing on your site... Guaranteed! So why not start today? Go to http://www.trafficdelivered.com and start enjoying the benefits of Internet marketing. Thank you for doing business with us. We look forward to providing you with the services you need to grow and maintain your unique online identity. We encourage you to visit our Web site regularly to learn about our expanding catalogue of traffic solutions/packages: http://www.trafficdelivered.com Best regards, TrafficDelivered Team
Re: ADSL connection problem
Your /etc/resolv.conf file should contain the IP addresses of nameservers. Is that what you are referring to when you state "IP address of my provider"?

On Mon, 2001-10-22 at 11:23, Luc MAIGNAN wrote:
> Hi,
>
> I use an ADSL connection. The link seems to be up, because I can ping my own fixed IP address. I have configured the IP address of my provider in /etc/resolv.conf, but I can't resolve any name. Where is the problem?
>
> Regards
Re: ADSL connection problem
On Mon, Oct 22, 2001 at 05:23:02PM +0200, Luc MAIGNAN wrote:
> Hi,
>
> I use an ADSL connection. The link seems to be up, because I can ping my own fixed IP address. I have configured the IP address of my provider in /etc/resolv.conf, but I can't resolve any name. Where is the problem?

Can you ping any other external IP? (e.g. 198.186.203.20)

--
Name: Alson van der Meulen
Personal: [EMAIL PROTECTED]
School: [EMAIL PROTECTED]
"It didn't do that a minute ago..."
Re: ADSL connection problem
> Hi,
>
> I use an ADSL connection. The link seems to be up, because I can ping my own fixed IP address. I have configured the IP address of my provider in /etc/resolv.conf, but I can't resolve any name. Where is the problem?

Is "the IP address of my provider" the IP address of the DNS server of your provider? If not, it may be the problem! resolv.conf must contain one or more lines with

  nameserver xxx.yyy.zzz.www

where xxx.yyy.zzz.www is the IP address of the DNS server of your provider.

Regards
Re: Questions regarding the Security Secretary Position
John Galt [EMAIL PROTECTED] writes:

> I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.

How is it a barrier?
Does Debian need to enforce a better Security policy for packages?
I am looking into the security policies outlined for package building, in order to include some notes regarding them in the section "How does Debian handle security" in the Securing Debian Manual (http://www.debian.org/doc/ddp).

For example, I have been recently asked if a maintainer can do whatever he wishes in a package. Can he? Sure, we have policies, but what if we have a Debian developer distributing a trojan in a package. IMHO lintian does check many issues regarding policy, but it does not test potential security problems.

I just made an empty package with dh_make with only a postinst having 'rm -rf /'. Lintian says:

$ lintian test-rm*deb
E: test-rm: description-is-dh_make-template
E: test-rm: helper-templates-in-copyright
W: test-rm: readme-debian-is-debmake-template
W: test-rm: unknown-section unknown

So. Since we do not do source code audits of incoming packages and this kind of issue is not detected automatically... does this leave the Debian distribution open to attack if a developer box gets hacked into?

I can only imagine this kind of automatic test for correct packages being done using automatic installation in a controlled chrooted environment before accepting incoming packages on the upload queues. And, even so, events can be triggered only in some conditions.

Should we improve lintian in order to yell if some (destructive) action is taken upon installation/de-installation? Should we further limit the kind of commands available in these scripts? (BTW, this only tackles the problem of installation scripts, not of the program itself...)

Best regards

Javi
RE: Firewall Related Question
I'd recommend the former (firewalling on each server). This will let you customize the firewall for that server alone, and spread the packet filtering load and logging. Also, with no access to the Cisco box, you'd have to either MASQ or SNAT with proxy arps if you do insert a firewall into the packet path to get the traffic to cross the firewall. (The Cisco is going to assume that the subnet with the DMZ address space is still directly attached.)

Cheers,
[EMAIL PROTECTED]

On Mon, 22 Oct 2001, James wrote:
> Yes, you could definitely do a firewall on each server. Also, have you considered setting up a 4th machine between the Cisco and 3 servers? That could work also. You wouldn't make it a masq box, just configure it to pass packets based on the rules.
>
> - James
>
> -----Original Message-----
> From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 22, 2001 6:58 AM
> To: Debian Security List
> Subject: Re: Firewall Related Question
>
> On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > I've got some simple questions related to using a firewall on some single public Debian boxes. I chose to post my questions here because I've always had security in mind during the development of my network services.
> >
> > Let me assume I've got a simple network with 3 public Debian servers and 1 Cisco router (Internet gateway). The router belongs to my connection ISP so I can't configure it, but only use it for Internet connectivity. The 3 Debian boxes are under my full control.
> >
> > The best way to protect my Debian servers would be to install a firewall on my gateway (Cisco router) but actually I can't, so my question is:
> >
> > Can I install a firewall on each of my Debian boxes to filter/block incoming and outgoing network traffic? Is this a good choice? Or should I put another machine in my network, between the gateway and the servers, which acts as firewall?
>
> You can just configure a packet filter on all your servers; the main disadvantage is that it's more difficult to administer.
Re: Port Scan for UDP
> Excuse your arrogance, but let me correct you in some points you made! First of all nmap does not scan only the services listed in /etc/services, if you were to have bothered reading the manual before answering you would have read, and I quote:

If you had actually read what I'd written, you'd see I didn't mention anywhere that nmap only scans ports listed in /etc/services. I said that nmap only scans ports mentioned in ITS OWN services file, which I assumed most people would be intelligent enough to realize was the nmap-services file (as documented in the manpage, if anyone would bother to read it). You're right that I neglected to mention that it also scans anything from 1 to 1024 even if it's not listed in the services file, though.

> You could have spared the TCP/UDP diff lecture since the question wasn't directed to that...

The question was EXACTLY directed to that. The gentleman was asking why every UDP port scanned was being listed as open. I explained the reason for it; the firewall was dropping the UDP packets, and the way portscans work with UDP is central to that. I fail to see the lack of relevance.

jc: If you own the box and *don't* have any reason to assume/think you've been compromised (Just checking) you can check locally using nice tools like:

  netstat -an --ip            for both udp and tcp
  netstat -an --udp [--tcp]   for either one
  lsof -i -n
  nmap localhost -p 1-[HigherPortNumber]
  fuser

and the list goes on =)

--
Craig McPherson
Information Technology Coordinator
Baptist Collegiate Ministry
Re: Questions regarding the Security Secretary Position
On Mon, Oct 22, 2001 at 08:23:24AM -0600, John Galt wrote:
> On Mon, 22 Oct 2001, Colin Phipps wrote:
> > The barriers to becoming a developer are mainly commitment to the project and to the social contract, both of which should be requirements for any security secretary. It doesn't imply package maintenance (IIRC).
>
> Actually, it does.

No. *Most* developers maintain packages, sure, but they don't have to. http://nm.debian.org/newnm.html (I think that's the URL, I'm looking at it in CVS because pandora seems inaccessible):

  "If you intend to package software, do you have a Debian package you have adopted or created ready to show your AM? And if you intend to do other things (e.g. port Debian to other architectures, help with documentation, Quality Assurance or Security), do you have experience in those things which you can tell your AM about?"

--
Colin Watson [EMAIL PROTECTED]
Re: Firewall Related Question
On Mon, Oct 22, 2001 at 07:30:56PM +0200, Alson van der Meulen wrote:
> On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> > I'd recommend the former (firewalling on each server). This will let you customize the firewall for that server alone, and spread the packet filtering load and logging. Also, with no access to the Cisco box, you'd have to either MASQ or SNAT with proxy arps if you do insert a firewall into the packet path to get the traffic to cross the firewall. (The Cisco is going to assume that the subnet with the DMZ address space is still directly attached.)
>
> With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice IMO): put two ethernet cards in a box, one to the Cisco, the second to the switch with the Debian servers, no need for an IP address at the bridge, just bridge and firewall. I'm not sure if Linux can do this, maybe there are some patches for iptables to do it?

Linux can do this as well - that's how the DMZ on our network is firewalled. I'd recommend inserting a DMZ box and using packet filtering on each of the boxes individually. Note that when you insert the firewall box in front of your network it can take up to four hours for the upstream arp cache to refresh. Of course, you could buy a hardware-based firewall to replace the DMZ box for $2-3K, but that takes all the fun out of it.

g
Re: Does Debian need to enforce a better Security policy for packages?
On 22/10/01, Javier Fernández-Sanguino Peña wrote:
> I am looking into the security policies outlined for package building, in order to include some notes regarding them in the section "How does Debian handle security" in the Securing Debian Manual (http://www.debian.org/doc/ddp)

What do security policies for building a Debian package exactly have to do with securing a Debian box? A system administrator reading this document will be interested in tips and howtos on improving the security of the boxes that he administrates. He's certainly not interested in knowing how to securely build a Debian package.

> For example, I have been recently asked if a maintainer can do whatever he wishes in a package. Can he? Sure, we have policies, but what if we have a Debian developer distributing a trojan in a package. IMHO

That will soon be discovered and I would say that maintainer is definitely facing problems.

> lintian does check many issues regarding policy, but it does not test potential security problems.

Which is correct, since lintian is only written for checking policy compliance. If you want a tool checking for security problems, you should write another new tool for this purpose.

> I just made an empty package with dh_make with only a postinst having 'rm -rf /'. Lintian says:
>
> $ lintian test-rm*deb
> E: test-rm: description-is-dh_make-template
> E: test-rm: helper-templates-in-copyright
> W: test-rm: readme-debian-is-debmake-template
> W: test-rm: unknown-section unknown
>
> So. Since we do not do source code audits of incoming packages and this kind of issue is not detected automatically... does this leave the Debian distribution open to attack if a developer box gets hacked into?

No, new packages are not automatically becoming available for everyone and will be reviewed before. So this doesn't leave the distribution open for that kind of attacks you imagine.

> Should we improve lintian in order to yell if some (destructive) action is taken upon installation/de-installation? Should we further limit the kind

No, because that's not the purpose of lintian. Write either a new tool for that purpose or leave it. But be aware that it's very difficult to detect all kinds of possible attacks or trojans that one could create.

Christian
--
Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
Re: Firewall Related Question
> Linux can do this as well - that's how the DMZ on our network is firewalled. I'd recommend inserting a DMZ box and using packet filtering on each of the boxes individually.

You should take a look at http://lug.irk.ru/misc/iptables-tutorial-1.0.6.html#AEN690, there is more info about a DMZ firewall there. We used it, modified, and it works great.

Good luck
Martijn Knuiman
Re: Questions regarding the Security Secretary Position
Only one thing: does this have to go to both lists? I'm getting a lot of messages twice, and yes they have different message IDs.

On Mon, Oct 22, 2001 at 09:43:05AM -0700, Thomas Bushnell, BSG wrote:
> John Galt [EMAIL PROTECTED] writes:
>
> > I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.
>
> How is it a barrier?

--
Jason Thomas                     Phone: +61 2 6257 7111
System Administrator - UID 0     Fax: +61 2 6257 7311
tSA Consulting Group Pty. Ltd.   Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602   http://www.topic.com.au/
Re: Does Debian need to enforce a better Security policy for packages?
On Mon, Oct 22, 2001 at 09:31:38PM +0200, Christian Kurz wrote:
> What do security policies for building a Debian package exactly have to do with securing a Debian box? A system administrator reading this document will be interested in tips and howtos on improving the security of the boxes that he administrates. He's certainly not interested in knowing how to securely build a Debian package.

The point is, I'm starting to think of changing the document title to something along the lines of "Debian Security Manual" and going a little deeper into Debian security stuff (advisories, the security team, etc..)

> That will soon be discovered and I would say that maintainer is definitely facing problems.

Might I remind you that we are not (IIRC) doing a source code audit of packages. That "soon" is supposing that his package is widely used and the mischief promptly discovered.

> > lintian does check many issues regarding policy, but it does not test potential security problems.
>
> Which is correct, since lintian is only written for checking policy compliance. If you want a tool checking for security problems, you should write another new tool for this purpose.

Not exactly right, policy does talk about security related issues, and lintian should check them. For example:

  11.9. Permissions and owners
  The rules in this section are guidelines for general use. If necessary you may deviate from the details below. However, if you do so you must make sure that what is done is *secure* and you should try to be as consistent as possible with the rest of the system.

(emphasis is mine)

> > So. Since we do not do source code audits of incoming packages and this kind of issue is not detected automatically... does this leave the Debian distribution open to attack if a developer box gets hacked into?
>
> No, new packages are not automatically becoming available for everyone and will be reviewed before. So this doesn't leave the distribution open for that kind of attacks you imagine.

So, then, for the record (i.e. the manual) what kind of reviews are made for incoming/new packages (besides lintian checks)? I do know that the archive maintainers do this stuff, could someone introduce me to what reviews (security-wise) are made?

> No, because that's not the purpose of lintian. Write either a new tool for that purpose or leave it. But be aware that it's very difficult to detect all kinds of possible attacks or trojans that one could create.

I agree. However, with the Debian package format becoming increasingly popular, it does have some flaws (IMHO, I might get smacked for saying this :) which might be used to introduce simple trojans. Regardless of the package contents (which might be a trojan by itself), having the post/pre-install/remove scripts run as the root user with an unrestricted shell (or perl, or whatever) could turn into potential problems in the long term. *If* the contents are trojaned, the user still has to run them (unless the package installs daemons or cron items, or simply calls them himself) in order to be affected. However, installation scripts are run regardless of the package contents.

So, is it possible to limit those scripts or am I just thinking of trying to put a fence around the desert? (not really sure if that's the appropriate expression BTW :P)

Javi
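Christian's answer to Javier's test-rm package is that a check like this belongs in a tool separate from lintian. As an added example, not lintian's code and not anything posted in the thread, here is the minimal form of such a tool: it parses the .deb container (an ar archive holding debian-binary, control.tar.gz and data.tar.gz), pulls the maintainer scripts out of control.tar.gz and flags destructive commands before dpkg ever runs them as root. The package builder, the pattern list and the sample scripts are all constructed for this example; the sample package deliberately mirrors the thread's test-rm.

```python
"""Scan the maintainer scripts inside a .deb for destructive commands.

A .deb is an ar(1) archive: debian-binary, control.tar.gz (control file plus
preinst/postinst/prerm/postrm) and data.tar.gz. dpkg runs those scripts as
root, so read them out of the package and check them before installing.
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Constructed pattern list for this example; a real checker would be far longer.
SUSPICIOUS = [
    (re.compile(r"\brm\s+(?:-\S+\s+)+/+(?:\s|$|\*)"), "recursive delete of /"),
    (re.compile(r"\bchmod\s+(?:\S*\+s\b|[4-7][0-7]{3}\b)"), "setuid chmod"),
    (re.compile(r"\bdd\b.*\bof=/dev/"), "raw write to a device"),
    (re.compile(r"\b(?:wget|curl)\b.*\|\s*(?:sh|bash|perl)\b"), "download piped to an interpreter"),
]


def ar_members(blob):
    """Yield (name, data) for every member of a classic ar archive."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii", "replace").rstrip(" /")  # BSD or GNU naming
        size = int(hdr[48:58].decode("ascii"))
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to an even offset


def scan_deb(blob):
    """Return [(script, line_no, reason, line)] for every suspicious line."""
    members = dict(ar_members(blob))
    control = next((d for n, d in members.items() if n.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control.tar member; not a .deb?")
    findings = []
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tar:
        for member in tar.getmembers():
            script = member.name.lstrip("./")
            if script not in MAINTAINER_SCRIPTS or not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for no, line in enumerate(text.splitlines(), 1):
                code = line.split("#", 1)[0]  # shell comments are never executed
                for pattern, reason in SUSPICIOUS:
                    if pattern.search(code):
                        findings.append((script, no, reason, line.strip()))
    return findings


def ar_archive(members):
    """Pack [(name, bytes)] into an ar archive laid out the way dpkg-deb does."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        hdr = "%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (name, 0, 0, 0, 0o100644, len(data))
        out += hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


def tgz(files):
    """Build a gzipped tar from {name: text}; an empty dict gives an empty archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(control_files):
    """Assemble a minimal .deb (constructed sample) with no payload files."""
    return ar_archive([("debian-binary", b"2.0\n"),
                       ("control.tar.gz", tgz(control_files)),
                       ("data.tar.gz", tgz({}))])


# Constructed sample mirroring the thread's test-rm package: lintian is happy with it.
SAMPLE_CONTROL = ("Package: test-rm\nVersion: 0.1\nArchitecture: all\n"
                  "Maintainer: nobody <nobody@example.invalid>\nDescription: constructed sample\n")
SAMPLE_POSTINST = ("#!/bin/sh\nset -e\n# a comment that mentions rm -rf / is not a finding\n"
                   "rm -rf /\nchmod 4755 /usr/bin/example\nexit 0\n")
SAMPLE_PRERM = "#!/bin/sh\nset -e\nrm -rf /var/cache/test-rm\nexit 0\n"


def demo():
    """Scan the constructed test-rm package and return its findings."""
    deb = build_deb({"control": SAMPLE_CONTROL, "postinst": SAMPLE_POSTINST,
                     "prerm": SAMPLE_PRERM})
    return scan_deb(deb)
```

Note that prerm's `rm -rf /var/cache/test-rm` is correctly left alone, and the comment line in postinst is not reported; only the two live commands are.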
Re: Questions regarding the Security Secretary Position
On 22 Oct 2001, Thomas Bushnell, BSG wrote:

> John Galt [EMAIL PROTECTED] writes:
>
> > I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.
>
> How is it a barrier?

It's an extra qualification. It's one that until you objected, didn't exist. My point still stands: if you want to add qualifications, add them by raising the bar and volunteering yourself.

--
Be Careful! I have a black belt in sna-fu!
Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
It really didn't need to go to -devel in the first place: this is internal to debian-security until there's a candidate. Followups redirected.

On Tue, 23 Oct 2001, Jason Thomas wrote:
> Only one thing: does this have to go to both lists? I'm getting a lot of messages twice, and yes they have different message IDs.
>
> On Mon, Oct 22, 2001 at 09:43:05AM -0700, Thomas Bushnell, BSG wrote:
> > John Galt [EMAIL PROTECTED] writes:
> > > I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.
> >
> > How is it a barrier?

--
Be Careful! I have a black belt in sna-fu!
Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
John Galt [EMAIL PROTECTED] writes:

> On 22 Oct 2001, Thomas Bushnell, BSG wrote:
> > John Galt [EMAIL PROTECTED] writes:
> > > I take it then that you volunteer. If not, shut up. Throwing artificial barriers at this office isn't going to add volunteers.
> >
> > How is it a barrier?
>
> It's an extra qualification. It's one that until you objected, didn't exist. My point still stands: if you want to add qualifications, add them by raising the bar and volunteering yourself.

I think it's an entirely appropriate qualification. But it's no barrier: it simply requires that we know who the person is and that they share our commitments. I think those are reasonable things to expect.

Thomas