Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.27.2100 +0200]: > There is a problem with that, namely responsible disclosure. The > team cannot be too big or else the other organisations in the > consortium will object for danger of leakage. > > I think what we

Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
s recognition that it's a problem that needs a solution. So if we all recognise it as a problem, it will solve itself? Wouldn't a ticket system (possibly request-tracker3) be helpful here? -- Please do not send copies of list mail to me; I read the list! .'

Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
ld be needed for some of the innovative approaches I have in mind. Thus, I'd love to hear opinions. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansy

Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
se it. We are working to fix it. The last thing we need now are people complaining and moaning. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansys

Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
ms and automate security patch releases > - it's a task for debian-man .. more than what super-man or > bat-man can do people "volunteering" are useless. people actually doing something are not. -- Please do not send copies of list mail to me; I read the list

Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
l these servers with something else because that'll be cheaper than the risk of having them compromised. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://

Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
childhood problems to resolve themselves (read: sarge r1). That said... of course woody is currently also potentially vulnerable. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian develope

Re: safety of encrypted filesystems

2005-06-28 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.17.0944 +0200]: > also sprach Michael Buchholz <[EMAIL PROTECTED]> [2005.06.17.0857 +0200]: > > And also, when you write any block, you have to reencrypt all the > > remaining blocks. > > Yes, don't

taking a break (was: Bad press related to (missing) Debian security)

2005-06-28 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.28.1108 +0200]: > No, he installed Sarge because it was cool back at the time. Yeah so this whole thing has been growing on me a little too much. Sorry for being snappy in the last two posts (to Marek and Alvin). I am going to

Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
wn security updates until we caught up. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better

Re: custom sec updates, was Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
, and how to modify packages and properly integrate them with APT. 0. http://debiansystem.info Cheers, -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://deb

Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1215 +0200]: > Unfortunately you are right :-( At this moment there is no secure > Debian distribution. unstable. :) -- Please do not send copies of list mail to me; I read the list! .''`. martin f. kr

Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
o me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
no problem. But giving root access to others is the problem. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian -

Re: [security] Re: Using BIND in a chroot enviro?

2001-07-01 Thread Martin F. Krafft
also sprach Tim Haynes (on Sun, 01 Jul 2001 05:02:26PM +0100): > In the init.d scripts, you'll find it easiest to rip out the > start-stop-daemon stuff and run the command directly, > /usr/sbin/named -t /etc/bind -u named > unless you're a purist in which case, you tell me how instead ;)

Re: [security] Re: Using BIND in a chroot enviro?

2001-07-02 Thread Martin F. Krafft
also sprach Dossy (on Sun, 01 Jul 2001 10:10:42PM -0400): > No. IIRC, 53/tcp is also used for DNS queries (not just XFER's) > when the size is larger than the RFC specifies for the UDP-based > payload. Or, some such type of edge-case of the DNS spec. uhm - which is only the case if you slave a

Re: [security] iptables

2001-07-02 Thread Martin F. Krafft
also sprach GARGIULO Eduardo INGDESI (on Mon, 02 Jul 2001 04:25:57PM -0300): > I was using ipchains, but now I have kernel v2.4.5 with iptables. > I want to know how to monitor masqueraded connections. I mean the > output of > > ipchains -L -M -v > > using iptables. I didn't find it in man ipta

Re: Sudo and Chown?

2001-07-13 Thread Martin F. Krafft
also sprach Anders Gj?re (on Fri, 13 Jul 2001 10:52:09AM +0200): > does sudo by default allow the sudo-user to run every program, > or just the program you specify? the latter, of course. > how will sudo work if you use the "time" command? > like "time vim /etc/passwd" if you allow time with arbitr

Re: Network File System

2001-07-13 Thread Martin F. Krafft
also sprach Dan Hutchinson (on Fri, 13 Jul 2001 03:51:49PM -0400): > Does anyone know of a secure network file system > like Active Directories from Microsoft ^ hahahahaha! um. do you read bugtraq or: have you ever administered one of those dreadfully sad

Re: aargh... I am being asked to change to SuSE

2001-07-16 Thread Martin F. Krafft
also sprach Juha J?ykk? (on Mon, 16 Jul 2001 11:03:41AM +0300): > Anyone care to help me: I need some _strong_ points in favour of > Debian, against SuSE. No crap, please. I need to persuade my superiors > to turn from RH to Debian instead of SuSE as they would like to do. I > need strong eviden

Re: aargh... I am being asked to change to SuSE

2001-07-16 Thread Martin F. Krafft
also sprach Ethan Benson (on Mon, 16 Jul 2001 04:14:51AM -0800): > > this isn't an answer, but install Debian, then change /etc/issue as > > well as /etc/motd to suggest SuSE, and trust me, none of your > > superiors are going to get it :) > > like they would ever login to the machine anyway. wo

Re: Is ident secure?

2001-08-30 Thread Martin F Krafft
On Thu, Aug 30, 2001 at 11:14:33PM -0300, Alisson Sellaro wrote: > I was checking my firewall logs and have detected lots of TCP/113 dropped > packets. Checking /etc/services I realized it was ident traffic. What do > you think about such service? Should I leave it blocked or should I allow it > wit

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Ethan Benson (on Fri, 31 Aug 2001 01:38:45AM -0800): > > honest question: whose business is the name of a user who initiated a > > connection??? identd is a horrible concept and elicits shrieks among > > the security conscious. i do understand that you need it for this and > > that, so

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Ethan Benson (on Fri, 31 Aug 2001 01:45:29AM -0800): > identd is for the admin RUNNING the identd, not for the admin making > identd requests, if one of your users is abusing someone's network in > some way (attempting to send spam, causing trouble on some irc network > etc) the admin o

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Martin Fluch (on Fri, 31 Aug 2001 01:02:58PM +0300): > Consider the following situation: You admin a computer and some user > tries to attack another computer from this one. Then the admin of > the attacked computer can tell _you_, from which user the attack was > coming, which helps y

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Christian Kurz (on Fri, 31 Aug 2001 10:12:31AM +0200): > > honest question: whose business is the name of a user who initiated a > > connection??? > > It can be some sort of help if you have a system with lots of users and > complaints about one. Some admins may be able to send you

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Christian Kurz (on Fri, 31 Aug 2001 10:07:05AM +0200): > > I have had a lot of problems running non-Debian software when I > > disable ident. It seems like the licensing daemons expect to find > > What the hell is a licensing daemon? And which package contains this > software in debi

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Colin Phipps (on Fri, 31 Aug 2001 11:31:53AM +0100): > Not if configured appropriately. Good identds don't allow reverse ident > scanning anymore. okay, i must admit i didn't know this... > Agreed, leaking UIDs is serious. Which is why modern identds support returning > crypted uids

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Ethan Benson (on Fri, 31 Aug 2001 03:30:54AM -0800): > rubbish, if the admin is incompetent enough to be running these things > as root he will have a cracked box regardless of whether identd is > running or not. you have a point, even though there is no need to become offensive! >

Re: Is ident secure?

2001-08-31 Thread Martin F Krafft
also sprach Christian Kurz (on Fri, 31 Aug 2001 04:15:55PM +0200): > > process accounting. process accounting. > > Would you care to explain that a bit more and especially compare it with > ident protocol (advantages and disadvantages)? process accounting is simply the kernel keeping track of al

Re: Is ident secure?

2001-09-01 Thread Martin F Krafft
also sprach Layne (on Sat, 01 Sep 2001 12:30:54AM -0400): > I'M JUST JOKING. RIGHT. I GOT 80 SPAM MESSAGES YESTERDAY AND 80 > MORE TODAY. I DIDN'T SUBSCRIBE TO. WHAT GIVES. THIS IS NUTS. which are clearly my fault, you impersonation of freudian depression. do me a favor and leave the lis

Re: Is ident secure?

2001-09-01 Thread Martin F Krafft
also sprach Layne (on Fri, 31 Aug 2001 11:35:12PM -0400): > WELL I GUESS YOU'RE STILL PRETTY FUCKING CLUELESS. I DON'T WANT ANY MORE OF > YOUR USELESS E-MAIL SENT TO THIS GOT IT?? TAKE THE HINT, TAKE A > CLUE unsubscribe then, of you superior being! martin; (greetings fr

Re: Is ident secure?

2001-09-01 Thread Martin F Krafft
also sprach Layne (on Fri, 31 Aug 2001 11:04:30PM -0400): > MARTIN FONDLES YOUNG BOYS. which one? martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck -- "and no one sings me lullabies, and no one makes me close my eyes, and

Re: HARASS ME MORE.........

2001-09-01 Thread Martin F Krafft
also sprach Bud Rogers (on Sat, 01 Sep 2001 07:13:06AM -0500): > I put him in a filter. Every mail I receive from him gets forwarded back to > him and to postmaster and abuse at his ISP. I don't think he'll be around > long. i think all this started because i auto-reply to micro$oft users, te

Re: HARASS ME MORE.........

2001-09-01 Thread Martin F Krafft
also sprach Bud Rogers (on Sat, 01 Sep 2001 07:58:12AM -0500): > > i think all this started because i auto-reply to micro$oft users, > > telling them about www.vcnet.com/bms and www.unix-vs-nt.org and he > > didn't like that :) > > Martin, you may have set him off but I don't think you're respons

Re: Is ident secure?

2001-09-01 Thread Martin F Krafft
also sprach Lupe Christoph (on Sat, 01 Sep 2001 12:40:44PM +0200): > > also sprach Layne (on Fri, 31 Aug 2001 11:04:30PM -0400): > > > MARTIN FONDLES YOUNG BOYS. > > which one? > Which Martin or which boy? *-O boys is plural. so syntactically speaking the one can only refer to martin. but hey, i

Re: HARASS ME MORE.........

2001-09-01 Thread Martin F Krafft
also sprach Noah L. Meyerhans (on Sat, 01 Sep 2001 12:00:28PM -0400): > Please don't do that. That's an incredibly rude practice. The people > never asked for your opinion on operating systems or Microsoft. What > about those who use a Windows mailer at their job and have no choice to > do othe

Re: firewall

2001-09-10 Thread Martin F Krafft
also sprach Alvin Oga (on Mon, 10 Sep 2001 09:08:51AM -0700): > for the firewall ... > - it should be running a "secure linux/bsd distro" > and only ipchains > ( some might wanna run dns on it too...but... ipchains/iptables is really just not a firewall. it's a packet fil

Re: GPG fingerprints

2001-09-17 Thread Martin F Krafft
also sprach Tim Haynes (on Mon, 17 Sep 2001 05:05:27PM +0100): > Unless I'm well mistaken, of course... But I'd never trust a key whose > fingerprint had turned up in public before. that's a little ridiculous, isn't it, given that i can use my gpg to view the fingerprint of your public key, which

Re: chroot

2001-10-03 Thread martin f krafft
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2001.10.04 09:48:08+0600]: > What can I do, if my program is working in a chrooted environment > and using the filesystem /proc. I use chroot and mount all the /proc filesystem in the > chrooted environment. > Can I mount part of /proc? with 2.4.x kernels: mount --bi

Re: Hi :>

2001-10-18 Thread martin f krafft
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2001.10.18 15:02:19-0400]: > Please let me know also, > because I have been getting empty messages from root too snort in stable and in testing seems to do this out of the box. however, the UID *is* weird... -- martin; (greetings from the he

Re: Hi :>

2001-10-18 Thread martin f krafft
* Tom Breza <[EMAIL PROTECTED]> [2001.10.18 21:26:17+0100]: > but I don't have snort, and I got this message a second time; the first time > I was too busy and just ignored it, but it seems to repeat... what time? if 6am'ish, then try all your cron.daily scripts by hand and see which one emails you

2.4.12 ???

2001-10-19 Thread martin f krafft
is stock (non Debian) 2.4.12 now secure or not? i am getting confused. if it isn't, where can i find patches for it to make it secure? sorry to be asking so blatantly, but i don't have much time to worry about my private systems these days. please help. -- martin; (greetings from t

Re: Firewall Related Question

2001-10-23 Thread martin f krafft
* eim <[EMAIL PROTECTED]> [2001.10.22 12:44:03+0200]: > Is this a good choice ? or should I put another machine in my > Network, between the Gateway and the Servers, which acts as Firewall ? what's a firewall for you? a packet filter? you can surely install a packet filter on every box. iptables

Re: question about something, but don't know if it exists...

2001-11-08 Thread martin f krafft
* Bryan Andersen <[EMAIL PROTECTED]> [2001.11.06 05:23:05-0600]: > Another possibility would be to have them replace the hubs with > switches, this assumes you are using twisted pair, not thin net > or thick net. which is not secure due to arp flooding. i'll happily give you a POP3 account ove

Re: Mutt & tmp files

2001-11-15 Thread martin f krafft
* Craig Dickson <[EMAIL PROTECTED]> [2001.11.15 10:28:33-0800]: > Also note that root owns sendmail, or whatever MTA you're using. If he > really wants to read your mail, it would be much easier for him to do it > by configuring the MTA to silently copy him on all your messages, so all > this conc

Re: Mutt & tmp files

2001-11-15 Thread martin f krafft
* Bryan Andersen <[EMAIL PROTECTED]> [2001.11.15 12:51:01-0600]: > B... Wrong. > > If you don't trust root, you're hosed. Root can change the app so he > has your keys... Root can also change the tty drivers so they are > all silently logged. There is no way to secure it fully unless you

Re: Mutt & tmp files

2001-11-15 Thread martin f krafft
* vdongen <[EMAIL PROTECTED]> [2001.11.15 19:30:35+0100]: > actually, root can also read your gpg key. > so a simple copy of your mail and a gpg decoding using your key would be > much easier except there is a passphrase! which can be obtained with a hacked version of mutt or gpg, obviously... > r

Re: Root is God? (was: Mutt & tmp files)

2001-11-18 Thread martin f krafft
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.16 15:06:54+0100]: > > well, i thought this is the definition of root. > > no. with LIDS you can protect files and syscalls even from root. in my > setup, root cannot even write to his own home directory. ... which root can change at convenience. this

Re: Root is God? (was: Mutt & tmp files)

2001-11-18 Thread martin f krafft
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.16 14:36:30+0100]: > > > > Root is God. Anything you do on the system is potentially visible to > > > > root. > > this is, with the right patches applied, not true. ^^ > can very fine tune the setup. f

Re: Mutt & tmp files

2001-11-18 Thread martin f krafft
* Wade Richards <[EMAIL PROTECTED]> [2001.11.15 22:17:39-0800]: > This is the sort of absolutist nonsense that gives security experts a > bad name. After all, anyone armed with a chainsaw can cut through a > solid oak door in a matter of hours, so why bother installing a deadbolt > on your door?

Re: Root is God? (was: Mutt & tmp files)

2001-11-23 Thread martin f krafft
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.18 17:58:46+0100]: > > excellent. you know what i did: i just remove the root:0:... line from > > /etc/passwd and /etc/shadow. now i can't be root. that must be perfect > > security. yeah! > > before you shout, think twice. this is READ-only on my syst

Re: Root is God? (was: Mutt & tmp files)

2001-11-23 Thread martin f krafft
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.18 17:59:29+0100]: > > thanks, you just made me laugh! > you set lamer detector to orange. alright, so my first step is to scale back and *not* flame. i am sorry for posting my sarcastic comment. i shall now try to sum up my points. we have been talki

Re: [OT] restrict ssh to localnet for some users but not for others.

2001-11-27 Thread martin f krafft
* op <[EMAIL PROTECTED]> [2001.11.27 10:23:57+0100]: > I specify the users in /etc/ssh/sshd_config who are allowed to connect via > ssh. But I'd like some more control. I'd like to control which subnets user x > can connect from. Some should be allowed to connect from anywhere but some > shoul

Re: [OT] restrict ssh to localnet for some users but not for others.

2001-11-27 Thread martin f krafft
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.11.27 12:23:04+0100]: > The @HOST bit may be new in OpenSSH 3 though. yes. and it can't take a network, so you'd have to enter one entry per user/machine permutation... -- martin; (greetings from the heart of the sun.) \ echo mailt

Re: iptables with a linux bridge

2001-11-28 Thread martin f krafft
* Giacomo Mulas <[EMAIL PROTECTED]> [2001.11.28 18:11:40+0100]: > > I've installed a linux bridge with 2.4.14 kernel and the > > bridge-utils packages > > I am VERY interested, since I administer a transparent firewall > myself. My firewall uses proxy arp (I implemented it in the old > 2.2.x kern

Re: iptables with a linux bridge

2001-11-28 Thread martin f krafft
* Jeremy T. Bouse <[EMAIL PROTECTED]> [2001.11.28 09:07:53-0800]: > If I'm not mistaken I believe the bridging code runs before > the firewall code so the bridging bypasses the firewall filters > completely... Please if I'm incorrect in this would someone care to > correct me but that is w

Re: iptables with a linux bridge

2001-11-28 Thread martin f krafft
okay, so i read the FAQ, they are possible. but they don't make sense. in fact, i will argue that as soon as you employ netfilter or ipchains on a linux bridge, you don't have a bridge anymore! you won't have a packet filter or router either, but it's not going to be a bridge as it concerns itse

Re: iptables with a linux bridge

2001-11-28 Thread martin f krafft
* Simon Murcott <[EMAIL PROTECTED]> [2001.11.29 16:31:12+1300]: > One point you are missing is that it is possible using this kind of > configuration to create a firewall where you cannot address any of its > external interfaces. So how can you do an intrusion attack on a firewall > that you cann

Re: iptables with a linux bridge

2001-11-29 Thread martin f krafft
* Attila Nagy <[EMAIL PROTECTED]> [2001.11.29 14:30:56+0100]: > > a firewall needs to have IP routing capabilities to be able to enforce > > rules (same for a packet filter), > ? > A proxy firewall doesn't need to have IP routing capabilities (eg. > forwarding packet between interfaces). And a pro

Re: VI wrapper for SUDO? - another bad way ??

2001-12-02 Thread martin f krafft
* William R. Ward <[EMAIL PROTECTED]> [2001.11.29 18:00:40-0800]: > Question: Is it generally considered secure enough to sudo a bash > script like your sucpaliases? Or should a C equivalent be written > instead? no. especially not the quick'n'dirty version that alvin posted. i am not criticizin

Re: iptables with a linux bridge

2001-12-02 Thread martin f krafft
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.12.02 12:59:38+0100]: > Wrong :). Someone (forgot his name unfortunately) already implemented > this. If you ask on the netfilter list they should be able to point > you to the right patch. oh my, everyone is misunderstanding my non-important, trivial

Re: iptables with a linux bridge

2001-12-02 Thread martin f krafft
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.12.02 22:30:02+0100]: > Why is a filtering bridge no longer a bridge? It does not route, it > does not change packets, it just selectively does not pass some on. > A broken bridge maybe from a strict standpoint, but still a bridge. because it's filteri

Re: VI wrapper for SUDO? - another bad way ??

2001-12-04 Thread martin f krafft
* William R Ward <[EMAIL PROTECTED]> [2001.12.04 10:48:19-0800]: > Right; but assuming one takes care of this kind of issue, is there > anything inherently unsafe about running shell scripts through sudo? > I understand that there are risks of race conditions with setuid shell > scripts, and so th

Re: iptables with a linux bridge

2001-12-04 Thread martin f krafft
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.12.03 00:57:48+0100]: > It filters based on packet content that just happens to be IP > information. Just like the u32 filter, except the syntax is easier. > It still bridges. i guess you are right. my only problem is that a bridge does MAC/SNAP and is

Re: snorting bridges? [ Was: Re: iptables with a linux bridge ]

2001-12-04 Thread martin f krafft
* Rens Houben <[EMAIL PROTECTED]> [2001.12.03 13:02:50+0100]: > Anyways, I've been following this thread and wondering: Is there any > reason why snort would or would not work with a bridge? snort is a tool that primarily assesses ip, tcp, and application level protocols. if you run it on a bridg

Re: Securing bind..

2002-01-03 Thread martin f krafft
also sprach P Prince <[EMAIL PROTECTED]> [2001.12.30.1846 +0100]: > The easiest and most failsafe way to secure bind is to install djbdns. you are kidding me, right? the question was how to secure bind. the asker wasn't in need of other religious beliefs. while i strongly believe that djb is a r

Re: IP accounting per user

2002-01-06 Thread martin f krafft
also sprach Matthias Juchem <[EMAIL PROTECTED]> [2002.01.06.1914 +0100]: > Does Debian (potato or woody) have tools to account IP traffic per user? iptables, as others have suggested. AFAIK, the recommended method of doing this is to create a chain for every user or group of users that you inte

Re: IP accounting per user

2002-01-07 Thread martin f krafft
(i have started a thread on this on debian-isp btw.) also sprach Matthias Juchem <[EMAIL PROTECTED]> [2002.01.07.0244 +0100]: > There is one problem with this: the module that matches user IDs > can only be used in the OUTPUT chain (as said in the netfilter how-to). oh man, this sucks! > The b

Re: IP accounting per user

2002-01-07 Thread martin f krafft
also sprach Matthias Juchem <[EMAIL PROTECTED]> [2002.01.07.0244 +0100]: > The big problem are the ssh shell accounts. The user can start almost any > program that listens on a socket. You wouldn't have log files from this > program and you can only account the outgoing traffic with iptables. wel

poppassd

2002-01-09 Thread martin f krafft
alright, my users don't know how to do shell, and they can't change passwords. now, i just upgraded to squirrelmail (upgraded because i had IMP before, barf!), which has a plugin to change the password. it's TLS encrypted, so not too much of a problem, but in testing out poppassd, the underlying p

Re: How to find process causing periodic DEST_UNREACH replies?

2002-01-09 Thread martin f krafft
also sprach Balazs Javor <[EMAIL PROTECTED]> [2002.01.09.2130 +0100]: > Recently I've installed some IP logging packages like ippl. > A few days ago a lot of ICMP - destination unreachable - bad port > messages started showing up coming from my DSL router. are you behind a firewall? what's the e

Re: poppassd

2002-01-09 Thread martin f krafft
also sprach Micah Anderson <[EMAIL PROTECTED]> [2002.01.10.0127 +0100]: > Potato has 1.2-14 as its latest for poppasswd... I agree that > v1.8-ceti would be a better solution, especially considering the > security issues you cited. What does it take to get this version into > the security updates?

Re: How to find process causing periodic DEST_UNREACH replies?

2002-01-09 Thread martin f krafft
also sprach Balazs Javor <[EMAIL PROTECTED]> [2002.01.09.2329 +0100]: > Anyway just in case I misinterpreted something... > I live in Switzerland, and I have a ZyXEL Prestige 642R DSL > router connected to the ADSL line, which performs some NAT and > firewalling. Then I connect my PCs through an et

Re: I've been hacked by DevilSoul

2002-01-10 Thread martin f krafft
also sprach Alan Aldrich <[EMAIL PROTECTED]> [2002.01.11.0502 +0100]: > Not sure what all it did, but really played havoc with SSH and some other > networking components and is keeping my aventail authentication server from > honoring socks requests. > Can someone help undo whatever it did or poin

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Angus D Madden <[EMAIL PROTECTED]> [2002.01.11.0649 +0100]: > agreed. full disk format and reinstall from backup is the only secure > option. unless you are running something like tripwire there is no way > to tell what the intruder did, and even then ... ... if, only if, you have t

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Preben Randhol <[EMAIL PROTECTED]> [2002.01.11.1543 +0100]: > This is not safe at all if you mean reinstall programs too. You should > reinstall programs from the net/CD distro and update all programs that > have security fixes. yeah sorry, i meant that actually. reinstall debian from

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Ricardo B <[EMAIL PROTECTED]> [2002.01.11.1804 +0100]: > There is no need for a rootkit to reboot the machine in order to hide himself. > He can be loaded as a kernel module and then hide all traces of its presence in > the system, by overriding the proper system calls and /proc info.

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Noah L. Meyerhans <[EMAIL PROTECTED]> [2002.01.11.2240 +0100]: > Oh, it certainly can! knark is a perfect example of a kernel module to > do just this. (knark is Swedish for "drugged".) It allows files, > processes, network connections, and network interface promiscuity to be > *com

Re: Hacked too?

2002-01-11 Thread martin f krafft
also sprach Игорь Балусов <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]: > I have run chkrootkit and get > "Checking `bindshell'... INFECTED (PORTS: 31337)" > What I need to do? reinstall. no, really! unless this is a non-productive system, in which case you are free to try to remove it. but once

Re: default security

2002-01-15 Thread martin f krafft
also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2002.01.15.1316 +0100]: > > Debian being what it is, are there any reasons why the debian bind > > package should not be chroot as the default installation? > > RTFM. That is: > >http://www.debian.org/doc/manuals/securing-debi

Re: Help with Firewall section in the Debian Security Manual

2002-01-16 Thread martin f krafft
also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2002.01.16.1522 +0100]: > Can anyone volunteer? i might... > - a section host-oriented on how to setup firewall rules as a "last > line of defense" (that's the one I have started writing) talking, > basically, on Debian-specific issu

Re: Help with Firewall section in the Debian Security Manual

2002-01-16 Thread martin f krafft
also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2002.01.16.1905 +0100]: > On Wed, Jan 16, 2002 at 04:19:31PM +0100, martin f krafft wrote: > > > > got ya. i'll think about it. deadlines? > > None really. However, less than a month would be

allowing users to change passwords

2002-01-17 Thread martin f krafft
i need to provide a way for my users to change their password on my machines. however, most of them are too stupid for the console. so i played with poppassd, and it might end up being my option, but today i had another idea. so without having given it much thought, i'll ask you: what would speak

Re: allowing users to change passwords

2002-01-17 Thread martin f krafft
also sprach Steve Mickeler <[EMAIL PROTECTED]> [2002.01.18.0010 +0100]: > If they are using mindterm, then they are already in a browser, which > means you might as well just have them use a form via ssl to change their > password via poppassd. yes, but did you see my recent posts on poppassd and

enforcing strong passwords

2002-01-18 Thread martin f krafft
libpam-cracklib is nice, but how do i get PAM to enforce at least one upper case letter, and at least one of {symbol,digit}? also, are there any PAM programmer cracks here? i have a program here [1] that registers with PAM as the passwd service, but since it runs as root, it ignores libpam-cracklib

Re: enforcing strong passwords

2002-01-18 Thread martin f krafft
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.18.1951 +0100]: > I am not quite sure why you would want root's attempts to fail. root > (I assume you) should know a good password from a bad one when you set > it. The system will generally warn you that the passwd that you are > sett

Re: enforcing strong passwords

2002-01-19 Thread martin f krafft
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.19.0130 +0100]: > You could just use the cracklib yourself before accepting the > password and feeding it to the passwd command. I'm doing it this way. but that wouldn't solve my problem. it wouldn't enforce digits and/or symbols. crackli

Re: su - user question

2002-01-19 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.19.2304 +0100]: > Firstly the servers are physically secure and there is no relevant issue > about having a local root console open for administration purposes. mh. no comment. sure, if physical access would be available, no box is secure. but

Re: su - user question

2002-01-19 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.19.2304 +0100]: > The question I have is if I "su - username" and then browse the web, > etc. is it impossible for a remote user who managed to gain access to > that user session to become root by exiting out of the user account? an addition: y

Re: [ot] how to create a user that can't log in?

2002-01-20 Thread martin f krafft
also sprach Nathan E Norman <[EMAIL PROTECTED]> [2002.01.20.2105 +0100]: > What I'm wondering is if PAM or some other mechanism can be used to > prevent a user from logging in via a network connection. It looks > like people here don't know; that's fine, I'll continue researching. i don't know w

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.20.0245 +0100]: > If the use of switch user has remote security implications I want to > be able to understand them. The same as I want to be able to > understand if leaving a root console open has remote security > implications. Don't worry abo

Re: Mail server anti-virus software?

2002-01-21 Thread martin f krafft
also sprach Antropov Anton <[EMAIL PROTECTED]> [2002.01.21.1231 +0100]: > > Also, which mailserver would you recommend? (I have to learn one > > anyway.) > I'd recommend QMail. Why? - Read some mailing lists... And this is commonly > the question of religion. and i'd recommend postfix. tryin

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]: > Martin, it's a server in my spare room :-) The only person installing a > backdoor on the server would be an unlawful intruder. Or a cat who can > type ;-) Your points are well taken and I would follow the same security > pract

securid logins

2002-01-21 Thread martin f krafft
assuming i have SecurID tokens with licenses, can i make linux authenticate based on these *without* the use of external or commercial software (like ACE/Server)? any experience anyone? -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:"

Re: Re: [ot] how to create a user that can't log in?

2002-01-21 Thread martin f krafft
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.21.1511 +0100]: > Please, everyone flame me if this is a blatant security hole consider yourself flamed. > Make your [setuid] shell script secure, non-interruptible good luck. there is *a lot* of insecurity in a shell script. yo

the su - user thread

2002-01-21 Thread martin f krafft
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or may not have been, be, or will be applicable to Debian Linux or Linux in general. you have been warned. properly. http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en -- martin; (greetings from th

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2304 +0100]: > > as sad as it sounds, unlawful intruders happen. this being a true > > story, i have 11 machines in my spare room, and my house was broken > > into once. the *only* thing the intruder did was reboot one of the > > machines (that

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Dave Kline <[EMAIL PROTECTED]> [2002.01.21.2340 +0100]: > Woah, that does sound a little far-fetched. I am assuming there is a > little more to this story? I would think most *physical* intruders > would try to nab DVD players, valuables, and money, not wander into a > spare room and

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]: > Federico, are you saying that if you su - to a user account (from root) > and then start X that you are running X as root? If so that is a major > problem. no, he actually says that with exec, you should theoretically be more
