Re: services installed and running out of the box

2003-09-25 Thread Siegbert Baude
Javier Fernández-Sanguino Peña wrote:
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:

For starters, I think portmap, rpc.statd, and inetd should not run by
default.  Not running a mail server (or perhaps only running one on the
loopback interface) would be nice, too.

A mail server is needed since many programs (cron or checksecurity, for 
example) make use of it to forward information to the administrator. 

Grepping /var/log seems more effective to me than searching mails.
Whoever wants mails can use logcheck and this way decide more precisely
what he wants to receive. So I don't know if it should be the default
install, but at least an option during the install procedure to get rid
of an MTA and simply use syslog for all messages would be nice. I saw
more than one system with hundreds of root mails waiting to be read, but
nobody cared.
And if the default remains installing an MTA, why must it be a fully
featured beast and not only a plain ssmtp (or whatever program you
prefer to simply use the smarthost principle)? If there is an
administrator, then there normally is a central smtp-server, too. BTW,
FreeBSD is just introducing this possibility in its install mechanism.

Ciao
Siegbert
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: PTRACE Fixed?

2003-03-22 Thread Siegbert Baude
Hi,

Here you'll find a kernel source tree patched against the PTrace bug:
ftp://ftp.debian.org/debian/pool/main/k/kernel-source-2.4.20/kernel-source-2.4.20_2.4.20-3woody.3_all.deb
I always install my kernel-sources by hand, but out of curiosity, could I 
get this by means of apt?

# apt-cache search kernel-source
kernel-source-2.2.22 - Linux kernel source for version 2.2.22
kernel-source-2.4.10 - Linux kernel source for version 2.4.10
kernel-source-2.4.14 - Linux kernel source for version 2.4.14
kernel-source-2.4.16 - Linux kernel source for version 2.4.16
kernel-source-2.4.17 - Linux kernel source for version 2.4.17
kernel-source-2.4.17-hppa - Linux kernel source for version 2.4.17 on HPPA
kernel-source-2.4.17-ia64 - Linux kernel source for version 2.4.17 on IA-64
kernel-source-2.4.18 - Linux kernel source for version 2.4.18
kernel-source-2.4.18-hppa - Linux kernel source for version 2.4.18 on HPPA
freeswan - IPSEC utilities for FreeSWan
#


Why is the above mentioned package not listed in apt-cache?

If I would apt-get install some-available-debian-kernel-source-package,
would this imply any security patches or just the unpatched stock
kernel-sources? The output of apt-cache doesn't indicate this.

Ciao
Siegbert



Re: [SECURITY] [DSA 245-1] New dhcp3 packages fix potential network flood

2003-01-28 Thread Siegbert Baude
Hi,

I don't quite understand the consequences of the above DSA posted by Martin
Schulze earlier today on Debian Security Announcements. When the problem
is the dhcp-relay, why is the dhcp3 package then upgraded for Debian and not
the dhcp3-relay package?

If you only install the dhcp3 package, you simply don't have dhcp-relay, so
how does this fit with this DSA?

Thanks in advance for any clarification.

Ciao
Siegbert



Re: [SECURITY] [DSA 149-2] New glibc packages fix

2002-09-26 Thread Siegbert Baude
 Wolfram Gloger discovered that the bugfix from DSA 149-1 unintentionally
 replaced potential integer overflows in connection with malloc() with
 more likely divisions by zero.  This called for an update.

As nearly everything is linked to glibc, does this require a reboot to
be sure? Or is switching to runlevel 1 then back enough?


Ciao
Siegbert
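A check a practitioner would run before deciding the reboot question above, added here as an example and not part of the thread: after a libc upgrade, processes that were already running keep the old, now unlinked library mapped, and Linux marks those mappings "(deleted)" in /proc/PID/maps. The maps excerpt is constructed; the library file names in it are illustrative.

```sh
#!/bin/sh
# Added example, not from the list thread. Lists processes whose memory
# maps still reference a deleted shared object, i.e. the set that still
# runs pre-update code and needs a restart (a reboot is the blunt
# instrument when init itself or getty-level services are on the list).

# Constructed /proc/PID/maps excerpt: a process still holding the old
# ld.so and libc after an upgrade, plus a binary that is not deleted.
SAMPLE_MAPS='40000000-40016000 r-xp 00000000 03:01 12345 /lib/ld-2.2.5.so (deleted)
40016000-40017000 rw-p 00015000 03:01 12345 /lib/ld-2.2.5.so (deleted)
4001c000-40139000 r-xp 00000000 03:01 67890 /lib/libc-2.2.5.so (deleted)
40139000-4013f000 rw-p 0011c000 03:01 67890 /lib/libc-2.2.5.so (deleted)
08048000-0804c000 r-xp 00000000 03:01 11111 /bin/sleep
bfffe000-c0000000 rwxp fffff000 00:00 0'

# stdin: contents of one /proc/PID/maps file.
# stdout: each shared object that is mapped but already deleted, once.
deleted_libs() {
    # field 6 is the mapped path, field 7 the "(deleted)" marker
    awk '/\(deleted\)$/ && $6 ~ /\.so/ { print $6 }' | sort -u
}

# Walk every readable maps file and print "PID COMMAND LIBRARY" for each
# stale mapping. Run as root to see all processes.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(deleted_libs < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-40)
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "${cmd:-?}" "$lib"
        done
    done
}

# "--scan" inspects the live system; otherwise the constructed sample is used.
if [ "${1-}" = "--scan" ]; then
    stale_processes
else
    printf '%s\n' "$SAMPLE_MAPS" | deleted_libs
fi
```

An empty result from `--scan` (run as root) means no process is still executing the replaced library code.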



Re: [SECURITY] [DSA 159-1] New Python packages fix insecure temporary file use

2002-08-28 Thread Siegbert Baude
Hi,

after an apt-get update on my potato box, the following happens:

wurm:~# apt-get upgrade
Reading Package Lists... Done
Building Dependency Tree... Done
The following packages have been kept back
  python-base python-tk
0 packages upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
wurm:~#


Why are the new python packages kept back?

Ciao
Siegbert



Re: [SECURITY] [DSA 159-1] New Python packages fix insecure temporary file use

2002-08-28 Thread Siegbert Baude
Hi Matt,

 Ah, I missed the part where you said this was a potato system.  It
 looks like you are installing woody security updates on a potato system.
 You probably have a line like this:

 deb http://security.debian.org/ stable/updates main

 in /etc/apt/sources.list.  Since Debian 3.0 (woody) is now 'stable',
 you are getting the wrong security updates.  You can either upgrade to
 woody (recommended), or change this line to read:

 deb http://security.debian.org/ potato/updates main

 so that you will receive updates for potato when they are available.

You're right, that line pointed to stable instead of potato.
Thanks a lot for your help and time. :-)

Ciao
Siegbert



Re: debian-security-announce-$lang@lists?

2002-08-14 Thread Siegbert Baude
 I'm not really sure if this is the right place for the language
 discussion. I believe that everybody on this list at least understands
 English good enough to be able to get the message and understand the
 English announcements. Why would someone subscribe to a list she can't
 follow? And those who will participate in the discussion at least write
 English well enough to get their message across. Those people don't need
 translated announcements.

So we have to think of those who aren't able to follow this discussion, too.

 I think as a system administrator, one is out of luck if one can't
 follow the English announcements anyway.
[snip]

I dislike this attitude "No English, no IT". In many states school systems
aren't good enough or English is not taught as first foreign language. As a
side note: I personally know Germans and foreign Chinese students here in
Germany working in this business, whose English skills wouldn't allow
reading complicated DSAs.

 And if timing is really such a big issue, a
 generic email warning, saying that an issue has been discovered, where
 the English announcement can be found and where and/or when the
 translate announcement will appear on a webpage, would suffice.

The difference between web pages and mailing lists is that you get the mail
as soon as possible, whereas you must check the web pages manually. Time
consuming, annoying, therefore probably an inferior solution.

 Don't get me wrong. I really appreciate the high level of commitment in
 the community, but there are probably places where those resources could
 be better used. If there are people available that can translate the
 email, then these people can instead translate the announcement and
 place it on the webpage.

The valid point here is that human resources in this project are limited. So
everything depends on some people willing to do the work. But the original
idea nevertheless is good, to enable people reading security announcements
as fast as possible in a language they can understand. I can't estimate if
there are enough volunteers already available to get things working.
Introducing these lists, with no mails sent afterwards, would really be
counterproductive. If those knowing the translators who are already involved
think that there are enough volunteers, go for it, IMHO.

Ciao
Siegbert



Re: debian-security-announce-$lang@lists?

2002-08-14 Thread Siegbert Baude

 Jens wrote:
 I think as a system administrator, one is out of luck if one can't
 follow the English announcements anyway.

 Siegbert wrote:
 [snip]

 I dislike this attitude "No English, no IT". In many states school
 systems aren't good enough or English is not taught as first foreign
 language. As a side note: I personally know Germans and foreign Chinese
 students here in Germany working in this business, whose English skills
 wouldn't allow reading complicated DSAs.

 Jens wrote:
 Please don't get me wrong. I am not promoting an elite circle of
 selbstbeweihraeuchernden Goettern as you Germans call it, that
 distinguishes itself by the fact that they are able to speak English.
 I would support anything that would open this topic to a broader
 community. But for the reasons I stated I do not believe that a
 translated list will help much in this matter.
 In fact English is not my first foreign language either; it is not
 even my second foreign language. But I decided to learn enough of it to
 participate here, not because I like the language so much but because
 I found I could not get around without it.
 I was really surprised (in a positive way) to hear from these German
 and Chinese linux administrators that are doing well without being able
 to understand english DSA's. I am really wondering how they do it,
 because I could not do it.


Maybe the different opinions here are on one side based on the
assumption that Debian is for the professionals only. IMHO, that's
wrong. The people I talk about with the lack of English knowledge are in
the IT business, but they aren't sysadmins. But they own debian boxes
for private use (DSL-router, firewall, ...) and yes, it was me who
recommended Debian. Was it wrong doing so, should I have sent them to
Suse or Mandrake instead? I don't check the English skills before I
install a box for a friend, so the assumption that every Debian
installation refers to an English speaking box owner is simply wrong,
too. BTW, Lehmann's book store sells a specially crafted Debian CD set
here in Germany with German installation documentation. I'm sure similar
things exist in other countries, too.

But we all know that even private boxes should be as secure as possible
to prevent misuse, which also affects professionally maintained systems.
So any effort to strengthen security on all Debian boxes spread over the
world is much appreciated.

If there were international debian-security-announce lists, we could
simply reach more people, as we could advise them at install time to
subscribe to a security list with a language they understand. So
information will make its way through to them. Relying on them to check
some web sites regularly is suboptimal, as we all know this simply won't
work in everyday life.

So if there are volunteers who will do the work, I really can't see any
downside. If there aren't, drop this idea. That's it, IMHO.

Ciao
Siegbert

P.S.: Of course, it is much easier to be able to speak English; but this
world is imperfect both security and education wise. :-)



sshd attack?

2001-08-15 Thread Siegbert Baude
Hello,

I get about 100 log entries of the following pattern:

Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation
attack: network attack detected


What's this?
How can I find out from where this attack is originating? Must I increase
the verbosity level of sshd to achieve this?

Thanks in advance

Siegbert
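One way to attribute the disconnects in the question above to a peer address, added here as an example and not part of the original post: the "Disconnecting: crc32 compensation attack" line carries no address, but the same sshd child PID logs a "Connection from A.B.C.D port N" line for the session, so the two can be joined on the PID. It assumes sshd actually emits that connection line at the configured LogLevel; the log lines below are constructed with documentation addresses.

```sh
#!/bin/sh
# Added example, not from the list post. Joins each crc32 disconnect with
# the connection line logged by the same sshd child PID, then counts per
# source address, so the origin can be read off without hand-grepping.

# Constructed syslog excerpt; addresses are RFC 5737 documentation ranges.
# PID 27500 has no matching "Connection from" line on purpose.
SAMPLE_LOG='Aug 14 01:28:59 myserver sshd[27175]: Connection from 192.0.2.10 port 40123
Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 01:29:03 myserver sshd[27180]: Connection from 192.0.2.10 port 40131
Aug 14 01:29:04 myserver sshd[27180]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 02:10:00 myserver sshd[27301]: Connection from 198.51.100.7 port 51002
Aug 14 02:10:05 myserver sshd[27301]: Accepted publickey for admin from 198.51.100.7 port 51002 ssh2
Aug 14 03:00:12 myserver sshd[27410]: Connection from 203.0.113.5 port 1022
Aug 14 03:00:13 myserver sshd[27410]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 03:30:00 myserver sshd[27500]: Disconnecting: crc32 compensation attack: network attack detected'

# stdin: syslog lines. stdout: "MON DAY TIME PID SOURCE" per crc32 disconnect,
# SOURCE being "unknown" when no connection line was seen for that PID.
crc32_disconnects() {
    awk '
        # $5 is "sshd[PID]:"; remember the peer address ($8) per child PID
        /sshd\[[0-9]+\]: Connection from / {
            pid = $5; sub(/.*\[/, "", pid); sub(/\].*/, "", pid)
            src[pid] = $8
        }
        /crc32 compensation attack/ {
            pid = $5; sub(/.*\[/, "", pid); sub(/\].*/, "", pid)
            printf "%s %s %s %s %s\n", $1, $2, $3, pid,
                   (pid in src) ? src[pid] : "unknown"
        }'
}

# stdin: syslog lines. stdout: "COUNT SOURCE", busiest source first.
crc32_sources() {
    crc32_disconnects | awk '{ print $5 }' | sort | uniq -c \
        | sort -rn | awk '{ print $1, $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | crc32_sources
```

On a live system feed the auth log into the function instead (`crc32_sources < /var/log/auth.log`); an "unknown" source means the connection line was not logged at the current LogLevel.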