Re: Webserver questions: using samba, avoiding cleartext passwords,co-existing with Windows
There is an Explorer-like interface to PuTTY's scp command. Maybe an option. I don't have much experience with this; I personally use some mini shell scripts attached to the Send To menu for uploading.

http://www.i-tree.org/ixplorer.htm

Cheers, Marcel

--On Thursday, 18 April 2002 17:34 -0700 John Morris [EMAIL PROTECTED] wrote:

> Samba and encrypted passwords. The encrypted passwords should be default on later Windows boxes, but may require registry edits on older Windows OSes. Fast, easy, and secure.
>
> Windows NetBIOS SMB traffic should probably already be firewalled in and out (if not, seriously consider it), but you can always run Samba tcpwrapped, and so forth.
>
> Samba is good, and IMHO the right choice for sharing files (and some other stuff too) to Windows.
>
> - John [EMAIL PROTECTED]
>
> On Thu, 18 Apr 2002, Tom Dominico wrote:
>
> > I have a Debian webserver that currently runs SSH, HTTP, and SMTP services. The SMTP service only accepts mail from the local interface. I try to keep my box free of any excess services that might lead to vulnerabilities, or that transmit authentication information via cleartext.
> >
> > I am running into some issues, however, where having only SCP access for file transfer is not convenient. For example, all workstations here are running some version of Windows. I have yet to run across Windows applications that have SCP support built-in, though. I have instances where I would like to be able to upload/download files from the server to my text editor, synchronize directories between a workstation and the server, etc. My options are generally only FTP, or using Windows shares. I hesitate to install FTP because of the issues with cleartext passwords being transmitted, as well as potential vulnerabilities in the FTP daemon. I understand that some daemons now support SSL for encryption, but I do not know if running an FTP server is really a wise idea or not, even with SSL.
> >
> > I am debating installing Samba on the webserver, and setting it up to use encrypted passwords. I would not allow guest usage of any shares. This would make it much easier for me to do development and other tasks on the server via my Windows workstation. However, I do not know if I would be making a large mistake, security-wise, by doing this. We have an external firewall, and I would think I could firewall off Samba traffic, so that only internal users would even have access, and even then it would be protected with an encrypted password. I am curious to see what the users of this list would suggest. It seems that I could do the following:
> >
> > 1) Install Samba, and connect to the webserver via shares from my workstation.
> > 2) Try to install FTP with SSL functionality, and perhaps firewall it off for internal use only.
> > 3) Do none of the above and use an SCP client to manually transfer things back and forth when necessary.
> >
> > In a nutshell, I am wondering what the best way is to co-exist with Windows on the desktop, while still running a relatively secure server.
> >
> > My other question relates to cleartext passwords. I am writing some web-based administrative tools to allow selected users to update sections of the website, without having to know how to code. Using a simple htpasswd scheme, passwords are sent out in cleartext. I am concerned that anyone with a sniffer could then gain access to those passwords. I work in a school district, and some of these kids are very clever, and have a lot of time on their hands. Is there a way to encrypt htpasswd traffic, or is there another solution I should examine?
> >
> > I greatly appreciate any advice.
> >
> > Tom Dominico
> > District Technology Coordinator
> > Parlier Unified School District

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Webserver questions: using samba, avoiding cleartext passwords,co-existing with Windows
Look at WinSCP (http://winscp.vse.cz if I recall correctly). It's an scp client that can be easily used by end users. Best bet is to use WinSCP 2, as that has drag and drop with Explorer.

Mark

Marcel Hicking wrote:

> There is an Explorer-like interface to PuTTY's scp command. Maybe an option. I don't have much experience with this; I personally use some mini shell scripts attached to the Send To menu for uploading.
>
> http://www.i-tree.org/ixplorer.htm
>
> Cheers, Marcel
>
> --On Thursday, 18 April 2002 17:34 -0700 John Morris [EMAIL PROTECTED] wrote:
>
> > [...]
Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows
> There is an Explorer-like interface to PuTTY's scp command. Maybe an option. I don't have much experience with this; I personally use some mini shell scripts attached to the Send To menu for uploading.
>
> http://www.i-tree.org/ixplorer.htm

I tried that program before, but it has issues. It can't, for instance, cd to a directory above your homedir. A program I usually recommend is WinSCP. I don't have the URL present here, but I think Google has

Greetz,
Ivo van Dongen
what is means ?
Hi all.

In the output of the 'w' command I saw something like this:

--cut--
root 7073 0.0 0.0 1240 636 ? S 11:09 0:05 in.telnetd: some.host.in.my.domain
--cut--

I replaced the real address with some.host.in.my.domain. Is root logging in to this machine by telnet???

Regards,
Marcin B.
Re: what is means ?
On Fri 19 Apr 2002 09:05, Marcin Bednarz wrote:
| Hi all.
|
| In the output of the 'w' command I saw something like this:
|
| --cut--
| root 7073 0.0 0.0 1240 636 ? S 11:09 0:05 in.telnetd: some.host.in.my.domain
| --cut--
|
| I replaced the real address with some.host.in.my.domain.
| Is root logging in to this machine by telnet???

Clearly yes. In my opinion you should disable telnet and use ssh. Once I left telnet open after installing a server, and the next day I found a rootkit inside it. Telnet suckz badly.

--
Sidnei da Silva (dreamcatcher) [EMAIL PROTECTED]
X3ng Web Technology http://www.x3ng.com.br
GNU/Linux user 257852
Debian GNU/Linux 3.0 (Sid) 2.4.19-pre6-ben0 ppc
It is easier to change the specification to fit the program than vice versa.
RE: what is means ?
> Telnet suckz badly.

How do you know it was exploited via telnetd? I can think of a lot of services more readily exploitable than telnet.
Re: what is means ? + rootkits..
Hi all.

On Fri, 19 Apr 2002, Sidnei da Silva wrote:

> Clearly yes. In my opinion you should disable telnet and use ssh. Once I left telnet open after installing a server, and the next day I found a rootkit inside it. Telnet suckz badly.

How to protect against rootkits? Is it some kind of trojan which works with root privileges? Why do some people say that e.g. tripwire doesn't discover it?

Regards,
Marcin B.
RE: what is means ? + rootkits..
> How to protect against rootkits?

Keep your system up to date, do not run unreliable software, do not give accounts to people you do not trust.

> Is it some kind of trojan which works with root privileges?

Basically, yes. It is typically a kit you drop on the system via a remote root exploit, which replaces binaries, and tries to mask itself.

> Why do some people say that e.g. tripwire doesn't discover it?

Then they don't know what they are saying. I would say that Tripwire / AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that your database is current, and is stored in a tamper-proof location... and of course you actually use and update the IDS database.
Re: what is means ?
> In the output of the 'w' command I saw something like this:
>
> --cut--
> root 7073 0.0 0.0 1240 636 ? S 11:09 0:05 in.telnetd: some.host.in.my.domain
> --cut--
>
> I replaced the real address with some.host.in.my.domain.
> Is root logging in to this machine by telnet???

Maybe, but probably not. If you had done a ps axfl (output trimmed below) and looked at process 7073 and its children, you probably would have seen something like this:

  UID   PID  PPID PRI NI  VSZ  RSS TTY     TIME COMMAND
    0   322     1   0  0 2028  740 ?       0:02 /usr/sbin/inetd
    0  9308   322   0  0 1492  712 ?       0:00  \_ in.telnetd
  481  9309  9308  10  0 2248 1300 pts/6   0:00      \_ -bash

in.telnetd may be run with root privs, in order to set up the login environment for the user. It does not mean that someone is telnetting in as root. By default in testing, in.telnetd runs as user telnetd (uid 103) rather than root.

--Joe
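The check Joe describes, as an added example that is not code from the thread: parse the trimmed `ps axfl` layout he quotes and, for each in.telnetd, report the uid of the login shell it spawned, since that uid (not the daemon's) is who actually telnetted in. The listing embedded below is constructed from his sample plus one invented session whose shell really does run as root.

```python
"""Who is really logged in behind in.telnetd?

Added example, not code from the thread. It parses the trimmed `ps axfl`
layout quoted above (UID PID PPID PRI NI VSZ RSS TTY TIME COMMAND, with the
process forest drawn in the COMMAND column) and, for every in.telnetd,
reports the uid of the login shell it spawned. The listing below is
constructed: Joe's sample plus a second, invented session whose shell is root.
"""
import re

# Constructed sample in the trimmed `ps axfl` layout from the thread.
SAMPLE_PS_AXFL = """\
UID   PID  PPID PRI NI  VSZ  RSS TTY     TIME COMMAND
  0   322     1   0  0 2028  740 ?       0:02 /usr/sbin/inetd
  0  9308   322   0  0 1492  712 ?       0:00  \\_ in.telnetd
481  9309  9308  10  0 2248 1300 pts/6   0:00      \\_ -bash
  0  9400   322   0  0 1492  712 ?       0:00  \\_ in.telnetd
  0  9401  9400  10  0 2248 1300 pts/7   0:00      \\_ -bash
"""

TREE_PREFIX = re.compile(r"^[\s\\_|]+")   # strips the "\_ " forest drawing


def parse_ps(text):
    """Return {pid: {"uid", "ppid", "tty", "cmd"}} for each process line."""
    procs = {}
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, 9)              # 9 fixed columns + COMMAND
        if len(parts) < 10:
            continue
        uid, pid, ppid = (int(x) for x in parts[:3])
        procs[pid] = {"uid": uid, "ppid": ppid, "tty": parts[7],
                      "cmd": TREE_PREFIX.sub("", parts[9])}
    return procs


def children_of(procs, pid):
    return [(cpid, c) for cpid, c in procs.items() if c["ppid"] == pid]


def telnet_sessions(procs):
    """One record per login shell spawned by an in.telnetd instance."""
    sessions = []
    for pid, p in procs.items():
        if not p["cmd"].startswith("in.telnetd"):
            continue
        for cpid, child in children_of(procs, pid):
            sessions.append({"telnetd_pid": pid, "telnetd_uid": p["uid"],
                             "shell_pid": cpid, "shell": child["cmd"],
                             "tty": child["tty"], "login_uid": child["uid"]})
    return sessions


def root_logins(sessions):
    """Sessions whose *shell* runs as uid 0: these are real root telnet logins."""
    return [s for s in sessions if s["login_uid"] == 0]


if __name__ == "__main__":
    found = telnet_sessions(parse_ps(SAMPLE_PS_AXFL))
    for s in found:
        print(f"telnetd {s['telnetd_pid']} (uid {s['telnetd_uid']}) -> "
              f"{s['shell']} pid {s['shell_pid']} on {s['tty']} as uid {s['login_uid']}")
    print("real root logins:", [s["shell_pid"] for s in root_logins(found)])
```

On the sample, the daemon at pid 9308 runs as uid 0 but its shell belongs to uid 481, so only the constructed second session counts as a root login.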
Re: what is means ? + rootkits..
On Fri, Apr 19, 2002 at 02:47:08PM +0200, Jan Johansson wrote:
> > Why do some people say that e.g. tripwire doesn't discover it?
>
> Then they don't know what they are saying. I would say that Tripwire / AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that your database is current, and is stored in a tamper-proof location... and of course you actually use and update the IDS database.

I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (e.g. ls, ps, etc.) and then provides either its own utility or the original depending on how it is opened (e.g. if by ld.so, open trojan, else open original).

I think that as long as the source of the open system call can be determined, a carefully crafted root-kit might be able to remain undetected as long as the system is running tainted code. I think the only way to be sure that a utility such as tripwire works is to run it on an untainted system (i.e. boot from known good floppy/CD before running the software).

Am I just being paranoid, or is this sort of compromise really possible?

Patrick
RE: what is means ? + rootkits..
> I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (e.g. ls, ps, etc.) and then provides either its own utility or the original depending on how it is opened (e.g. if by ld.so, open trojan, else open original).
>
> Am I just being paranoid, or is this sort of compromise really possible?

There is a reason that tripwire and aide are normally compiled as static binaries. And frankly, just copying the file will trigger the IDS, since it can use inode/sector location as one of the fingerprints.

Personally I (pretty much) do the following:

Install the system from a known safe source, as well as applicable patches. Then we install AIDE. And set up a decent log set. Then we copy the AIDE binary as well as the initial database to a media such as CD-ROM, which we then keep mounted in a CD unit. Now, run the AIDE check periodically (nightly) against that db. And all is well.

When I patch the system, just make sure the AIDE check is clean before the upgrade. Do the patches, do a new AIDE database and do an incremental burn of the CD. Then keep that routine up.

That, and keeping the kernel monolithic to prevent the module type exploits, and you have a pretty good setup. Add to this logging of key elements to an old matrix printer... Good luck in manipulating those logs remotely.

Frankly, I would actually like to see how to taint such a system...

Now, a fun thought would be to use a mirrored disk on either shared SCSI or fibre SCSI for the system. Then break the mirror, mount one disk to a secure system and run the analysis from there, thereby bypassing ALL elements of the original object. (Okay, overkill).
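Jan's point that a copy-in-place trips an integrity checker which fingerprints the inode, as an added example (not code from the thread, and not AIDE or Tripwire): a minimal baseline-and-check that records a content hash together with inode and ownership metadata, then a constructed scenario where the original file is stashed aside and a byte-identical copy dropped in its place. The JSON baseline stands in for the database one would burn to CD-ROM; the file names and contents are made up.

```python
"""AIDE-style integrity baseline that fingerprints the inode, not just the bytes.

Added example, not code from the thread and not AIDE or Tripwire. A rootkit
that stashes the real binary and drops a copy in its place changes the inode
even when the content is identical, so a baseline that records inode alongside
the content hash catches the swap. The baseline is a JSON string, standing in
for the database you would burn to CD-ROM; the file name and contents used in
simulate_rootkit_swap() are constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Content hash plus metadata that a copy-in-place cannot preserve."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "inode": st.st_ino, "dev": st.st_dev,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(paths):
    """Serialise the fingerprints; store the result off-host (read-only media)."""
    return json.dumps({p: fingerprint(p) for p in paths}, sort_keys=True)


def check(baseline_json):
    """Return {path: [changed fields]}; an empty dict means the tree is clean."""
    baseline = json.loads(baseline_json)
    report = {}
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            report[path] = ["missing"]
            continue
        current = fingerprint(path)
        changed = sorted(k for k in expected if expected[k] != current[k])
        if changed:
            report[path] = changed
    return report


def simulate_rootkit_swap():
    """Constructed scenario: baseline a stand-in for /bin/ls, then (1) move the
    original aside and copy it back, as a kit keeping the real utility would,
    then (2) append bytes to the copy. Returns the three check reports."""
    tmp = tempfile.mkdtemp()
    try:
        target = os.path.join(tmp, "ls")
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        baseline = build_baseline([target])       # this is what goes on the CD
        clean = check(baseline)
        os.rename(target, target + ".orig")       # real binary kept aside
        shutil.copy(target + ".orig", target)     # same bytes and mode, new inode
        swapped = check(baseline)
        with open(target, "ab") as f:
            f.write(b"# extra bytes\n")           # content now differs too
        modified = check(baseline)
    finally:
        shutil.rmtree(tmp)
    return clean, swapped, modified


if __name__ == "__main__":
    for label, rep in zip(("clean", "swapped", "modified"), simulate_rootkit_swap()):
        print(f"{label:9s} {rep or 'OK'}")
```

The swap step is reported on the inode field alone, which is exactly the case a hash-only checker would miss; the hash and size only join once the copy is altered.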
RE: what is means ? + rootkits..
> Am I just being paranoid, or is this sort of compromise really possible?

And also: if the IDS was there first it would trigger on the modified kernel/module/library (or whatever) since it has to differ between the last check _before_ the infection and the first check _after_ infection. Now, if the exploit was there first, the IDS is a moot point altogether.
Re: what is means ? + rootkits..
On Fri, 19 Apr 2002, Patrick Maheral wrote:

> I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (e.g. ls, ps, etc.) and then provides either its own utility or the original depending on how it is opened (e.g. if by ld.so, open trojan, else open original).

Any root kit based upon kernel modules can do that. Search for knark with Google...

> I think that as long as the source of the open system call can be determined, a carefully crafted root-kit might be able to remain undetected as long as the system is running tainted code. I think the only way to be sure that a utility such as tripwire works is to run it on an untainted system (i.e. boot from known good floppy/CD before running the software).

Yes, you are correct. To be safe, you need to keep the tripwire database on a separate support which cannot be tampered with, and to check the integrity of the system you should boot the system from secure media (e.g. a boot CDROM you previously prepared), possibly in single user mode and unconnected from the network.

> Am I just being paranoid, or is this sort of compromise really possible?

Oh yes, it is possible.

Bye
Giacomo

--
Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 248  Fax: +39 070 71180 222
"When the storms are raging around you, stay right where you are" (Freddy Mercury)
mysql-server local DOS vulnerability
Hi,

I found a local DOS vulnerability in the mysql-server package. Since I am not experienced in the field of computer security I have not contacted upstream nor any other security list about the issue and would be happy to get some feedback about the perceived severity of the problem and appropriate action to be taken.

mysql has the configuration option max_connect_errors set to 10 in the default install. This means that after ten connection errors (handshake failed) the origin of these connection attempts is blocked from connecting again. This lets any local user that is deliberately creating 10 connect errors block anyone from localhost to connect to the db. The block is not automatically released but requires user interaction from the db admin (mysqladmin flush-hosts).

Quick-Fix: Add the following line to the [mysqld] section of my.cnf

    set-variable= max_connect_errors=9

[see also: http://www.mysql.com/doc/F/L/FLUSH.html]

I found this on my woody installation (though maybe not the very latest version) and I guess it is an issue for potato, too, since it can also be found in upstream. I cc'ed the maintainer of mysql-server, Christian Hammers.

best regards,
Thiemo Nagel
Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows
Hi,

> I have a Debian webserver that currently runs SSH, HTTP, and SMTP services. The SMTP service only accepts mail from the local interface. I try to keep my box free of any excess services that might lead to vulnerabilities, or that transmit authentication information via cleartext. I am running into some issues, however, where having only SCP access for file transfer is not convenient.

I use rsync over ssh (Cygwin) to copy updates from my workstation to the server and the other way round. I wrote all the params to a (very short) shell script. You can even create an icon on your desktop that executes

    c:\program files\cygwin\bin\bash.exe path_to_script

I think this is more convenient than FTP, too.

cu,
Thiemo Nagel
Re: Windows ftp clients for ftpd-ssl (OpenBSD)
hi ya david

you can use ssh for windows to do secure ftp to debian or bsd*

found out pftp didn't support mput * ... oh well, highlight, drag-n-drop works

http://www.Linux-Sec.net/SSH/ssh.windows.txt

- use ssh clients from ssh.com or putty or your favorite; I heard tom-dick-harry using it...

c ya
alvin

On 18 Apr 2002, David Stanaway wrote:

> Hi, I was wondering if anyone could recommend freeish Windows clients that support SSL (in.ftpd -z secure). I have tried FileZilla (which is GPL'ed but a little flaky, at least on Win98) but it seems to have problems establishing the data socket in either normal or passive mode.
>
> Cheers...
> --
> David Stanaway
Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows
There is a Explorer-like interface to PuTTY's scp command. Maybe an option. Don't have much experience with this, I personally use some mini-shell-scripts attached to the sendto-menue for uploading. http://www.i-tree.org/ixplorer.htm Cheers, Marcel --On Donnerstag, 18. April 2002 17:34 -0700 John Morris [EMAIL PROTECTED] wrote: Samba and encrypted passwords. The encrpyted passwords should be default on later Windows boxes, but may require registry edits on older Windows OSes. Fast, easy, and secure. Windows Netbios SMB traffic should probably already be firewalled in and out,(If not, seriously consider it), but you can always run Samba tcpwrapped, and so forth. Samba is good, and IMHO the right choice for sharing files (and some other stuff too) to Windows. - John [EMAIL PROTECTED] On Thu, 18 Apr 2002, Tom Dominico wrote: I have a Debian webserver that currently runs SSH, HTTP, and SMTP services. The SMTP service only accepts mail from the local interface. I try to keep my box free of any excess services that might lead to vulnerabilities, or that transmit authentication information via cleartext. I am running into some issues, however, where having only SCP access for file transfer is not convenient. For example, all workstations here are running some version of Windows. I have yet to run across Windows applications that have SCP support built-in, though. I have instances where I would like to be able to upload/download files from the server to my text editor, synchronize directories between a workstation and the server, etc. My options are generally only FTP, or using windows shares. I hesitate to install FTP because of the issues with cleartext passwords being transmitted, as well as potential vulnerabilities in the FTP daemon. I understand that some daemons now support SSL for encryption, but I do not know if running a FTP server is really a wise idea or not, even with SSL. 
I am debating installing samba on the webserver, and setting it up to use encrypted passwords. I would not allow guest usage of any shares. This would make it much easier for me to do development and other tasks on the server via my Windows workstation. However, I do not know if I would be making a large mistake, security-wise, by doing this. We have an external firewall, and I would think I could firewall off samba traffic, so that only internal users would even have access, and even then it would be protected with an encrypted password. I am curious to see what the users of this list would suggest. It seems that I could do the following: 1) Install samba, and connect to the webserver via shares from my workstation. 2) Try to install FTP with SSL functionality, and perhaps firewall it off for internal use only. 3) Do none of the above and use an SCP client to manually transfer things back and forth when necessary. In a nutshell, I am wondering what the best way is to co-exist with Windows on the desktop, while still running a relatively secure server. My other question relates to cleartext passwords. I am writing some web-based administrative tools to allow selected users to update sections of the website, without having to know how to code. Using a simple htpasswd scheme, passwords are sent out in cleartext. I am concerned that anyone with a sniffer could then gain access to those passwords. I work in a school district, and some of these kids are very clever, and have a lot of time on their hands. Is there a way to encrypt htpasswd traffic, or is there another solution I should examine? I greatly appreciate any advice. Tom Dominico District Technology Coordinator Parlier Unified School District -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows
Look at winscp ( http://winscp.vse.cz if I recall correctly ). It's a scp client that can be easily used by end users. Best bet is to use winscp 2, as that has drag and drop with explorer. Mark Marcel Hicking wrote: There is a Explorer-like interface to PuTTY's scp command. Maybe an option. Don't have much experience with this, I personally use some mini-shell-scripts attached to the sendto-menue for uploading. http://www.i-tree.org/ixplorer.htm Cheers, Marcel --On Donnerstag, 18. April 2002 17:34 -0700 John Morris [EMAIL PROTECTED] wrote: Samba and encrypted passwords. The encrpyted passwords should be default on later Windows boxes, but may require registry edits on older Windows OSes. Fast, easy, and secure. Windows Netbios SMB traffic should probably already be firewalled in and out,(If not, seriously consider it), but you can always run Samba tcpwrapped, and so forth. Samba is good, and IMHO the right choice for sharing files (and some other stuff too) to Windows. - John [EMAIL PROTECTED] On Thu, 18 Apr 2002, Tom Dominico wrote: I have a Debian webserver that currently runs SSH, HTTP, and SMTP services. The SMTP service only accepts mail from the local interface. I try to keep my box free of any excess services that might lead to vulnerabilities, or that transmit authentication information via cleartext. I am running into some issues, however, where having only SCP access for file transfer is not convenient. For example, all workstations here are running some version of Windows. I have yet to run across Windows applications that have SCP support built-in, though. I have instances where I would like to be able to upload/download files from the server to my text editor, synchronize directories between a workstation and the server, etc. My options are generally only FTP, or using windows shares. I hesitate to install FTP because of the issues with cleartext passwords being transmitted, as well as potential vulnerabilities in the FTP daemon. 
I understand that some daemons now support SSL for encryption, but I do not know if running a FTP server is really a wise idea or not, even with SSL. I am debating installing samba on the webserver, and setting it up to use encrypted passwords. I would not allow guest usage of any shares. This would make it much easier for me to do development and other tasks on the server via my Windows workstation. However, I do not know if I would be making a large mistake, security-wise, by doing this. We have an external firewall, and I would think I could firewall off samba traffic, so that only internal users would even have access, and even then it would be protected with an encrypted password. I am curious to see what the users of this list would suggest. It seems that I could do the following: 1) Install samba, and connect to the webserver via shares from my workstation. 2) Try to install FTP with SSL functionality, and perhaps firewall it off for internal use only. 3) Do none of the above and use an SCP client to manually transfer things back and forth when necessary. In a nutshell, I am wondering what the best way is to co-exist with Windows on the desktop, while still running a relatively secure server. My other question relates to cleartext passwords. I am writing some web-based administrative tools to allow selected users to update sections of the website, without having to know how to code. Using a simple htpasswd scheme, passwords are sent out in cleartext. I am concerned that anyone with a sniffer could then gain access to those passwords. I work in a school district, and some of these kids are very clever, and have a lot of time on their hands. Is there a way to encrypt htpasswd traffic, or is there another solution I should examine? I greatly appreciate any advice. Tom Dominico District Technology Coordinator Parlier Unified School District -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
what is means ?
Hi all. In output of 'w' command I saw something like that: --cut-- root 7073 0.0 0.0 1240 636 ?S11:09 0:05 in.telnetd: some.host.in.my.domain --cut-- Correct address I replaced with some.host.in.my.domain. Is root is logging to this mashine by telnet ??? Regards, Marcin B. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: what is means ?
On Sex 19 Abr 2002 09:05, Marcin Bednarz wrote: | Hi all. | | In output of 'w' command I saw something like that: | | --cut-- | root 7073 0.0 0.0 1240 636 ?S11:09 0:05 in.telnetd: | some.host.in.my.domain --cut-- | | Correct address I replaced with some.host.in.my.domain. | Is root is logging to this mashine by telnet ??? Clearly yes. In my opinion you should disable telnet and use ssh. Once i left telnet open after installing a server, and the next day i found a rootkit inside it. Telnet suckz badly. -- Sidnei da Silva (dreamcatcher) [EMAIL PROTECTED] X3ng Web Technology http://www.x3ng.com.br GNU/Linux user 257852 Debian GNU/Linux 3.0 (Sid) 2.4.19-pre6-ben0 ppc It is easier to change the specification to fit the program than vice versa. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: what is means ?
Telnet suckz badly. How do you know it was exploited via telnetd? I can think of a lot of services more readibly exploitable then telnet. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: what is means ? + rootkits..
Hi al. On Fri, 19 Apr 2002, Sidnei da Silva wrote: Clearly yes. In my opinion you should disable telnet and use ssh. Once i left telnet open after installing a server, and the next day i found a rootkit inside it. Telnet suckz badly. How to protect against rootkis ? Is it some kind of trojan wich working with root priviledges ? Why some people says that eg. tripwire doesn't discover it ? Regards, Marcin B. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: what is means ? + rootkits..
How to protect against rootkis ? Keep your system up to date, do not run unrelaibale software, do not give accounts to people you do not trust. Is it some kind of trojan wich working with root priviledges ? Basically, yes. It is typically a kit you drop on the system via a remote root exploit, which replaces binaries, and tries to mask itself. Why some people says that eg. tripwire doesn't discover it ? Then they dont know what they are saying, i would say that Tripwire / AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that your database is current, and is stored in a tamper-proof location... and ofcource you actually use and update teh IDS database. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: what is means ?
In output of 'w' command I saw something like that: --cut-- root 7073 0.0 0.0 1240 636 ?S11:09 0:05 in.telnetd: some.host.in.my.domain --cut-- Correct address I replaced with some.host.in.my.domain. Is root is logging to this mashine by telnet ??? Maybe, but probably not. If you had done a px axfl (output trimmed below) and looked at process 7073 and its children, you probably would have seen something like this: UID PID PPID PRI NI VSZ RSS TTYTIME COMMAND 0 322 1 0 0 2028 740? 0:02 /usr/sbin/inetd 0 9308 322 0 0 1492 712? 0:00 \_ in.telnetd 481 9309 9308 10 0 2248 1300 pts/6 0:00 \_ -bash in.telnetd may be run with root privs, in order to set up the login environment for the user. It does not mean that someone is telnetting in as root. By default in testing, in.telnetd runs as user telnetd (uid 103) rather than root. --Joe -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: what is means ? + rootkits..
On Fri, Apr 19, 2002 at 02:47:08PM +0200, Jan Johansson wrote:
> > Why do some people say that e.g. tripwire doesn't discover it?
>
> Then they don't know what they are saying. I would say that Tripwire / AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that your database is current, and is stored in a tamper-proof location... and of course you actually use and update the IDS database.

I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (e.g. ls, ps, etc.) and then provides either its own utility or the original depending on how it is opened (e.g. if by ld.so, open trojan, else open original).

I think that as long as the source of the open system call can be determined, a carefully crafted root kit might be able to remain undetected as long as the system is running tainted code. I think the only way to be sure that a utility such as tripwire works is to run it on an untainted system (i.e. boot from a known good floppy/CD before running the software).

Am I just being paranoid, or is this sort of compromise really possible?

Patrick
RE: what is means ? + rootkits..
> I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (e.g. ls, ps, etc.) and then provides either its own utility or the original depending on how it is opened (e.g. if by ld.so, open trojan, else open original).
>
> Am I just being paranoid, or is this sort of compromise really possible?

There is a reason that tripwire and aide are normally compiled as static binaries. And frankly, just copying the file will trigger the IDS, since it can use inode/sector location as one of the fingerprints.

Personally I (pretty much) do the following:

Install system from a known safe source, as well as applicable patches. Then we install AIDE. And set up a decent log set. Then we copy the AIDE binary as well as the initial database to a media such as CD-ROM, which we then keep mounted in a CD unit. Now, run AIDE check periodically (nightly) against that db. And all is well.

When I patch the system, just make sure the AIDE check is clean before the upgrade. Do the patches, do a new AIDE database and do an incremental burn of the CD. Then keep that routine up.

That, and keeping the kernel monolithic to prevent the module type exploits, and you have a pretty good setup. Add to this logging of key elements to an old matrix printer.. Good luck in manipulating those logs remotely.

Frankly, I would actually like to see how to taint such a system...

Now, a fun thought would be to use a mirrored disk on either shared SCSI or fiber SCSI for the system. Then break the mirror, mount one disk to a secure system and run the analysis from there, thereby bypassing ALL elements of the original object. (Okay, overkill).
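The nightly AIDE routine described above, reduced to its mechanics as an added shell example (this is not AIDE, Tripwire or any code from the thread): build a baseline of content hash, inode number and mode for every file, then compare the live tree against it. It assumes GNU coreutils (sha256sum and stat -c) and that the caller keeps the database and the checking tool on media the host cannot rewrite, which is the point made about the CD.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity baseline and
# check in the spirit of the AIDE/Tripwire routine described above. It records
# a content hash, the inode number and the mode of every file, so a file
# replaced by a renamed copy is caught even when its content is unchanged.
# Assumes GNU coreutils (sha256sum, stat -c); the directory fingerprinted and
# the database path are the caller's choice.

# Print "sha256 inode mode" for one file.
ids_fingerprint() {
    printf '%s %s\n' "$(sha256sum "$1" | cut -d' ' -f1)" "$(stat -c '%i %a' "$1")"
}

# ids_baseline DIR DBFILE: write one line per regular file under DIR:
#   sha256 inode mode path
# Copy DBFILE (and this script) to read-only media afterwards; a database the
# host can rewrite is no reference at all.
ids_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(ids_fingerprint "$f")" "$f"
    done > "$2"
}

# ids_check DIR DBFILE: compare the live tree with the baseline. Reports
# MISSING, CHANGED (content / inode / mode) and NEW files; returns 1 if any.
ids_check() {
    dir=$1
    db=$2
    rc=0
    while read -r hash inode mode path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        set -- $(ids_fingerprint "$path")   # $1=hash $2=inode $3=mode
        if [ "$1" != "$hash" ]; then
            echo "CHANGED content $path"; rc=1
        elif [ "$2" != "$inode" ]; then
            echo "CHANGED inode $path"; rc=1   # same bytes, different file: the "copy" case
        elif [ "$3" != "$mode" ]; then
            echo "CHANGED mode $path"; rc=1
        fi
    done < "$db"
    # Files present now but absent from the baseline (dropped-in binaries, modules...).
    new=$(find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        cut -d' ' -f4- "$db" | grep -qxF -- "$f" || echo "NEW $f"
    done)
    if [ -n "$new" ]; then
        echo "$new"
        rc=1
    fi
    return $rc
}
```

Run ids_baseline on the freshly installed tree, copy the database and the script to the CD, and run ids_check from there each night. The inode comparison is what catches a trojan moved into place over the original with identical bytes, and any finding is a reason to boot from known-good media before trusting anything else the host reports.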
RE: what is means ? + rootkits..
> Am I just being paranoid, or is this sort of compromise really possible?

And also: If the IDS was there first it would trigger on the modified kernel/module/library (or whatever) since it has to differ between the last check _before_ the infection and the first check _after_ infection. Now, if the exploit was there first, the IDS is a moot point altogether.
Re: what is means ? + rootkits..
On Fri, 19 Apr 2002, Patrick Maheral wrote:
> I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (e.g. ls, ps, etc.) and then provides either its own utility or the original depending on how it is opened (e.g. if by ld.so, open trojan, else open original).

Any root kit based upon kernel modules can do that. Search for knark with Google...

> I think that as long as the source of the open system call can be determined, a carefully crafted root kit might be able to remain undetected as long as the system is running tainted code. I think the only way to be sure that a utility such as tripwire works is to run it on an untainted system (i.e. boot from a known good floppy/CD before running the software).

Yes, you are correct. To be safe, you need to keep the tripwire database on a separate support which cannot be tampered with, and to check the integrity of the system you should boot the system from secure media (e.g. a boot CDROM you previously prepared), possibly in single user mode and unconnected from the network.

> Am I just being paranoid, or is this sort of compromise really possible?

Oh yes, it is possible.

Bye
Giacomo

--
Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 248  Fax : +39 070 71180 222
When the storms are raging around you, stay right where you are (Freddy Mercury)
mysql-server local DOS vulnerability
Hi,

I found a local DOS vulnerability in the mysql-server package. Since I am not experienced in the field of computer security I have not contacted upstream nor any other security list about the issue and would be happy to get some feedback about the perceived severity of the problem and appropriate action to be taken.

mysql has the configuration option max_connect_errors set to 10 in the default install. This means that after ten connection errors (handshake failed) the origin of these connection attempts is blocked from connecting again. This lets any local user that is deliberately creating 10 connect errors block anyone from localhost to connect to the db. The block is not automatically released but requires user interaction from the db admin (mysqladmin flush-hosts).

Quick-Fix: Add the following line to the [mysqld] section of my.cnf

  set-variable= max_connect_errors=9

[see also: http://www.mysql.com/doc/F/L/FLUSH.html]

I found this on my woody installation (though maybe not the very latest version) and I guess it is an issue for potato, too, since it can also be found in upstream. I cc'ed the maintainer of mysql-server, Christian Hammers.

best regards,
Thiemo Nagel
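To see what threshold a given server will actually enforce, here is an added example (not from the post above and not MySQL's own tooling) that reads max_connect_errors out of a my.cnf, handling the old set-variable form shown in the quick-fix as well as the plain name=value form. It assumes POSIX awk, takes the config path as an argument, and falls back to the default of 10 that the post states.

```shell
#!/bin/sh
# Added example (not from the post): a small audit helper that reads the
# effective max_connect_errors from a my.cnf, understanding both the modern
# "name=value" form and the older "set-variable = name=value" form used in the
# quick-fix above. Assumes POSIX awk; the file path is the caller's choice.

# mycnf_get FILE SECTION NAME: print the last value of NAME in [SECTION],
# exit 1 if it is not set there. Later occurrences win, as in mysqld.
mycnf_get() {
    awk -v want="$2" -v key="$3" '
        BEGIN { gsub(/-/, "_", key) }                         # mysqld treats - and _ alike
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        sec != want { next }
        {
            line = $0
            sub(/^[ \t]*set-variable[ \t]*=[ \t]*/, "", line) # strip the old prefix
            eq = index(line, "=")
            if (eq == 0) next                                 # boolean option, e.g. skip-networking
            name = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/-/, "_", name)
            if (name == key) { found = val; seen = 1 }
        }
        END { if (!seen) exit 1; print found }
    ' "$1"
}

# Effective threshold: the post says the Debian default is 10 when unset.
mycnf_effective_max_connect_errors() {
    mycnf_get "$1" mysqld max_connect_errors || echo 10
}
```

Whatever value is configured, the lockout the post describes is only cleared by mysqladmin flush-hosts, so the operational use of this check is to know the threshold on each host and to watch the server log for the "is blocked because of many connection errors" condition, rather than to rely on the number alone.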