Re: exim virus scanning and spam scanning

2003-12-21 Thread Christian G. Warden
On Sun, Dec 21, 2003 at 09:09:38AM -0600, hanasaki wrote:
 what's the difference between amavis-ng and milter and amavisd-new?   are 
 some going away?  which one do you use for what? or clamscan directly? 
 how can virus scanning be added?  clamscan and SpamAssassin seem 
 to be the norms from googling.  the configuration files to integrate 
 with exim are befuddling.
 
 the plan is to hook a virus scanner into exim4 from sarge.  any 
 thoughts are appreciated.  A copy of someone's working exim4 config 
 would be great!
 
 how does one integrate the following with exim?  And which do you folks 
 recommend for what reasons?
   SPAM
   Spamassassin
   bogofilter
 
   VIRUS
   amavis
   amavisd-new
   clamscans

Exiscan-ACL (included in exim4-daemon-heavy) + SpamAssassin + clamav

See the exiscan-acl documentation and the exim list for configuration
details.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: CVS server in a user-mode-linux

2003-12-19 Thread Christian G. Warden
On Fri, Dec 19, 2003 at 05:46:11PM +0100, Bill Allombert wrote:
 Hello Debian-security list,
 
 I have experimented with running an anonymous CVS server inside
 user-mode-linux. So far this seems to work well and hopefully should
 enhance security a bit. The host kernel has the skas patch.
 
 I use hostfs to mount only the repositories inside the UML.
 I have limited the UML memory to 128Mb.
 
 Performance is quite sufficient for the server usage since load stays close
 to 0.
 
 The only problem is that the server needs write access to the repository
 in order to create locks (which are directories, IIUC). I have not yet
 found a way to only allow the server to create locks, but to change
 nothing else.

You can use a separate lock directory by setting LockDir in
CVSROOT/config.





Re: clamscan avavis spamassassin with exim4 on sarge

2003-11-09 Thread Christian G. Warden
On Sun, Nov 09, 2003 at 12:08:40AM -0600, Hanasaki JiJi wrote:
 Anyone have/working on integration of these?
 
 clam spamc and amavis are installed however, they don't seem to update
 the /etc/exim4/conf.d  of the new packaging system.
 
 thank you.

exim4-daemon-heavy has the exiscan-acl patch providing clamav and
spamassassin processing in your data acl.  I don't know if amavis offers
anything additional, but the exiscan-acl/clamav/spamassassin combination
works well for me.

xn


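The exiscan-acl / clamav / SpamAssassin combination recommended in this reply and in the 2003-12-21 reply at the top of the page, written out as an added example that is not from the original thread. It uses the content-scanning syntax that Exim 4.50 merged from the exiscan-acl patch (the add_header modifier is Exim 4.51 or later; the patch itself added headers with "message =" on a warn verb). The clamd socket path, the spamd address, the 200k size cap and the reject threshold are assumptions to adjust locally.

```conf
# Added example: Exim 4 content-scanning data ACL (exiscan-acl syntax as
# merged into Exim 4.50). Paths, addresses and thresholds are assumptions.

# --- main configuration section -------------------------------------------
# clamd on its local unix socket; spamd on its default TCP port.
av_scanner    = clamd:/var/run/clamav/clamd.ctl
spamd_address = 127.0.0.1 783

acl_smtp_data = acl_check_data

# --- ACL section ----------------------------------------------------------
begin acl

acl_check_data:
  # Reject at SMTP time, so the sender gets the error and no bounce is
  # generated. $malware_name is set by the malware condition. If clamd is
  # unreachable the condition defers (4xx) rather than letting the message
  # through unscanned; "malware = */defer_ok" would change that trade-off.
  deny    message = This message contains malware ($malware_name)
          malware = *

  # Score with SpamAssassin under the "nobody" profile, but only for
  # messages under 200k: large binary mail is what drives spamd's CPU and
  # memory use (see the spamassassin warnings elsewhere in this archive).
  # Conditions are evaluated in order, so the size check runs first.
  warn    condition  = ${if <{$message_size}{200k}{1}{0}}
          spam       = nobody
          add_header = X-Spam-Score: $spam_score ($spam_bar)
          add_header = X-Spam-Report: $spam_report

  # Reject outright above a high threshold. $spam_score_int is the score
  # multiplied by ten, so 100 means 10.0 points. The scan result for the
  # same user is cached, so this does not call spamd a second time.
  deny    message   = This message scored $spam_score spam points
          condition = ${if >{$spam_score_int}{100}{1}{0}}
          spam      = nobody:true

  accept
```

On Debian's split configuration the main-section options go under /etc/exim4/conf.d/main/ and the ACL under /etc/exim4/conf.d/acl/; run update-exim4.conf afterwards and check the result with exim4 -bV before restarting. Tune the reject threshold from the X-Spam-Score headers you collect first; rejecting at SMTP time is only safe once you trust the score on your own traffic.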



Re: How efficient is mounting /usr ro?

2003-10-17 Thread Christian G. Warden
On Fri, Oct 17, 2003 at 11:01:27AM +0200, Yasar Arman wrote:
 Bernd Eckenfels wrote:
  In article [EMAIL PROTECTED] you wrote:
 
 A read-only /usr is not a security measure.
 
 
  Depends on your definition of it-security. It reduces downtime, prevents
  some admin and software failures and therefore is a security measure.
 
 
 I think,
 
 you mean safety, not security.
 
 Safety (eng.)  = Sicherheit (german)
 Security (eng) = Sicherheit (german)

we have the same problem with english.

$ dict security
2 definitions found

From Webster's Revised Unabridged Dictionary (1913) [web1913]:

  Security \Se*curi*ty\, n.; pl. {Securities}. [L. securitas: cf.
 F. s['e]curit['e]. See {Secure}, and cf. {Surety}.]
[...]
(c) Freedom from risk; safety.
[...]





Re: recommendations for FTP server

2003-06-20 Thread Christian G. Warden
On Fri, Jun 20, 2003 at 07:39:28PM +0100, Ian Goodall wrote:
  Any recommendations, experiences, thoughts?
 
 Running ftp over a vpn would work but it's not the easiest option. Sftp is
 exactly what you need. Why not just run it on another port?

Last I checked, sftp requires a patch to chroot, though.

xn





Re: Email Virus Scanner

2002-08-12 Thread Christian G. Warden
i recently setup mailscanner with mcafee virusscan and have been pretty
happy with it.
if you describe the nature of the error, i might be able to help you
out.

xn

On Mon, Aug 12, 2002 at 08:00:16PM -0500, Daniel J. Rychlik wrote:
  
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Gentlemen,
 
 I am wanting to set up a good virus scanner for exim.  I tried out
 mailscanner, but it bombs with an error.  I tried to fix the error,
 but I got frustrated.  I would like to use mailscanner or even the
 sanitizer.  Do you guys have any suggestions or even a preference over
 one or the other?
 
 Sincerely,
 
 Daniel J. Rychlik
  Money does not make the world go round , Gravity does .
 
 
 -BEGIN PGP SIGNATURE-
 Version: PGP 7.1.1
 
 iQA/AwUBPVhaIOgW0zo5qpEdEQINiwCgy33QLmdqVpjsHy0dh1om2tUt/q8AoJT3
 soHEdM9HMqdePuLWBsloImIq
 =7dW0
 -END PGP SIGNATURE-
 
 



Re: Configuration problems with pam_smb, mod_auth_pam

2002-05-29 Thread Christian G. Warden

On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote:
 I am attempting to configure our Debian webserver, running Apache, to
 use our Windows PDC when authenticating for secure web access.  I have
 followed instructions that I found on the web, but I am having trouble.
 [...]
 AuthType Basic
 AuthName PUSD Website Admin
 require valid-user

i have no idea how to make apache authenticate against a windows pdc,
but i believe AuthType Basic can only be used to authenticate against a 
local password file, usually generated using htpasswd.
see http://httpd.apache.org/docs/howto/auth.html

xn






off topic: quoting (was Re: html spam)

2002-05-10 Thread Christian G. Warden

On Fri, May 10, 2002 at 01:04:40PM +0300, Jussi Ekholm wrote:
 Christian G. Warden [EMAIL PROTECTED] wrote:
 
 (Could you please post your reply *below* the quoted text? Top-posting
 is quite irritating, IMHO)
 
  i just want to add a warning about spamassassin.  i had it setup for
  about a week and it was very good at catching spam, but occasionally it
  would drive the cpu load into the 20s.  
 
 Yes, I can say this, as well. My computer swapped twice (so much, that I
 had to hit MSysRq and boot) because SA started to investigate pretty
 big binary mails. Although, fixing the problem is pretty easy; just
 add 'required_hits = x' in ~/.spamassassin/user_prefs, where 'x' is
 maybe 5 or something else. This makes SA stop processing mails
 once they reach the number of hits you just specified.
 
i tend to prefer top-posting except when responding point by point
between paragraphs.  admittedly, it's lazy and encourages excessive
quoting, but this just feels awkward.  i'll try it out for a few days.
maybe it'll grow on me.
thanks for the required_hits tip.  next time i try SA, i'll read through
the docs more thoroughly.

xn






Re: register_globals in php4

2002-05-09 Thread Christian G. Warden

you must write your application safely.  it sounds like you're trying to
prevent a user from changing their userid.  after they log in, you could
create a session variable with their userid and only use that session
variable.  i still use register_globals=on with my code, but i have the
following code that gets included on every page:
if (!session_is_registered('userid')) {
    unset($userid);
}
and in my login function, after username and password are verified, i
put the userid in $userid and session_register('userid');
this allows me to always trust that $userid matches the userid of the
authenticated user.
here's an article on secure programming in php:
http://www.zend.com/zend/art/art-oertli.php

xn

On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
 Hello Christian G. Warden [EMAIL PROTECTED],
 
 Yes. But when a user types a url something like login.php?id=fakeid
 Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right?
 How do I avoid users affecting the system by changing the variable
 values in the URL directly? If not, is there any way to protect myself
 from a malicious url injection attack?
 
 
 
 
 
 On Thu, 9 May 2002 09:51:02 -0700
 Christian G. Warden [EMAIL PROTECTED] wrote:
 
  one of the php lists is probably a better forum for this question, but
  in short, register_globals=off means that if you want to use the id
  variable passed in the query string by the browser, you would access it as
  $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
  at http://www.php.net/manual/en/language.variables.predefined.php
  
  xn
  
  On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
   Hello list,
   
   php4.1 recommends setting register_globals=off in php.ini to make php
   more strict.  My question is, if I turn off register_globals, what will
   happen if any malicious user just tries to modify the variable values in
   the url? Say,
   
   http://www.domain.com/xxx.php?id=3&sex=female
   
   Does it work if the user just changes the value in the URL directly and sends
   the url directly to the web server?
   
   How can we avoid a malicious attack by direct http GET/POST with
   modified parameter values to cause a possible system error or compromise?
   
   
   -- 
   Patrick Hsieh [EMAIL PROTECTED]
   GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
   
   
  
  
 
 -- 
 Patrick Hsieh [EMAIL PROTECTED]
 GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg


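The session-variable approach the reply above describes, as an added example that is not code from the thread: the same idea written against the current PHP session API, since session_register() and session_is_registered() were removed in PHP 5.4 and register_globals with them. userid_for_credentials() and its inline user table are hypothetical stand-ins for a real password-hash lookup; everything else is standard PHP.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes register_globals is off
// (the default since PHP 4.2, removed in 5.4). userid_for_credentials() and
// its inline user table are hypothetical stand-ins for a real password-hash
// lookup.

// With register_globals=on, the request  GET /page.php?userid=1  created a
// global $userid = "1" before any application code ran, so
//     if (!isset($userid)) { die('not logged in'); }
// silently accepted the attacker as user 1. The fix is not to "sanitise"
// $userid but to have exactly one trusted source for it: the server-side
// session, which the client cannot write to.

function userid_for_credentials(string $user, string $pass): ?int
{
    // Constructed sample data; a real application stores a hash and compares
    // with password_verify() instead of a plaintext table.
    $users = ['alice' => ['pass' => 'correct horse battery', 'id' => 42]];
    if (isset($users[$user]) && hash_equals($users[$user]['pass'], $pass)) {
        return $users[$user]['id'];
    }
    return null;
}

function login(string $user, string $pass): bool
{
    $id = userid_for_credentials($user, $pass);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id: defeats session fixation
    $_SESSION['userid'] = $id;     // the only place userid is ever written
    return true;
}

function current_userid(): ?int
{
    // Identity comes from the session only, never from $_GET, $_POST,
    // $_REQUEST or a bare global.
    return isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
}

function requested_record_id(): ?int
{
    // Request parameters are untrusted input: check the shape here, and let
    // the caller authorise the (userid, record) pair.
    if (!isset($_GET['id']) || !is_string($_GET['id']) || !ctype_digit($_GET['id'])) {
        return null;
    }
    return (int) $_GET['id'];
}

session_start();

if (isset($_POST['user'], $_POST['pass'])
    && is_string($_POST['user']) && is_string($_POST['pass'])) {
    login($_POST['user'], $_POST['pass']);
}

$userid = current_userid();
if ($userid === null) {
    http_response_code(401);
    exit('not logged in');
}

$record = requested_record_id();
// ?id=... selects a record; the session decides who is asking. An ownership
// check such as  owner_of($record) === $userid  belongs here before any data
// is returned, otherwise a valid login can still read other users' records.
echo "user $userid requested record ", var_export($record, true), PHP_EOL;
```

The point of the split is that ?id=fakeid in the URL can only ever change which record is requested, never who the requester is; the authorisation check at the end is what turns that into a real defence against the parameter tampering asked about in the thread.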




Re: register_globals in php4

2002-05-09 Thread Christian G. Warden
one of the php lists is probably a better forum for this question, but
in short, register_globals=off means that if you want to use the id
variable passed in the query string by the browser, you would access it as
$HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
at http://www.php.net/manual/en/language.variables.predefined.php

xn

On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
 Hello list,
 
 php4.1 recommends setting register_globals=off in php.ini to make php
 more strict.  My question is, if I turn off register_globals, what will
 happen if any malicious user just tries to modify the variable values in
 the url? Say,
 
 http://www.domain.com/xxx.php?id=3&sex=female
 
 Does it work if the user just changes the value in the URL directly and sends
 the url directly to the web server?
 
 How can we avoid a malicious attack by direct http GET/POST with
 modified parameter values to cause a possible system error or compromise?
 
 
 -- 
 Patrick Hsieh [EMAIL PROTECTED]
 GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
 
 





Re: html spam

2002-05-08 Thread Christian G. Warden
i just want to add a warning about spamassassin.  i had it set up for
about a week and it was very good at catching spam, but occasionally it
would drive the cpu load into the 20s.  i didn't spend any time trying
to track down the problem.  i was using procmail to send all my mail
through SA so maybe using the milter solution would work better, but i'd
be careful about installing it on a busy mail server.

xn

On Wed, May 08, 2002 at 08:06:53AM +0300, Jussi Ekholm wrote:
 Thomas Buhk [EMAIL PROTECTED] wrote:
 
  If you don't want any spam, it's up to *you*.
  
  i don't think so. i think spam is a problem *all* have!
 
 That's true, fair enough. But in the end, if you don't wanna receive any
 spam, you should set up good Procmail recipes. Or, the easy way; install
 SpamAssassin. :-) It is *really* good, I have to emphasize it again and
 again. 
 
 If I'd be whining to every mailing list I've subscribed to (believe me,
 there are *many*), I would still receive tons of spam, no matter how
 politely I would've been asking. As I said, after installing this
 marvellous software, the amount of spam that comes *through* has dropped
 to almost zero. You really should consider installing it.
 
  a first step would be if mailing lists (this one included) dropped any html
  mail. next step could be to remove those with 'unsubscribe' in the 
  subject ;
 
 Well, again -- before I set up SA, I had Procmail recipe, which would
 kill all mails with Content-type: text/html and also all mails with
 subject 'unsubscribe'. This worked fine -- for me, at least.
 
  I recommend visiting URL: http://www.spamassassin.org 
  and setting it up. My spam problems have ended after installing it.
  
  can't say anything about it. the url was refused by the host...
 
 Umm, something weird is going on in your end, because I can access the
 site with no trouble at all. Try adding a trailing slash to that URL,
 if it would help? Pretty weird indeed, because I just pasted that URL
 I wrote and am looking at the page right now...
 
 -- 
 Jussi Ekholm [EMAIL PROTECTED] | GNU/Linux user number 269376
 http://erppimaa.cjb.net/~ekhowl/   | ICQ UIN:156057281 
 ekh on IRCnet| GnuPG Public Key ID:  1410081E






Re: PPTP with Encryption

2002-04-30 Thread Christian G. Warden

looks like there's a package for the patch:
kernel-patch-mppe - ppp_mppe module for pppd

xn

On Tue, Apr 30, 2002 at 12:03:09PM -0400, Derek J. Balling wrote:
 At 8:43 AM -0700 4/30/02, Anne Carasik wrote:
 Last time I checked, PPTP comes with encryption. All you
 have to do is configure it.
 
 I don't think you should have any patching to do. :) The home page
 for poptop is at http://www.poptop.org.
 
 Not unless the packaged pptpd/ppp has something else, from the poptop.org 
 page:
 
 # Available PPPD patch allows Windows compatible encryption and 
 authentication (MSCHAPv2 and MPPE 40-128 bit RC4 encryption)
 
 So it seems like theres SOMETHING I need to add to pppd to get 
 encryption to work with it, and (from my reading) it seems like 
 there's a patch that also needs to go in the kernel to make that pppd 
 change work as well.
 
 D
 
 -- 
 +-+-+
 | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
 |  Derek J. Balling   |  That ever lived in the tide of times.  |
 | |  Woe to the hand that shed this costly  |
 | |  blood - Julius Caesar Act 3, Scene 1  |
 +-+-+
 
 






Re: PPTP with Encryption

2002-04-30 Thread Christian G. Warden

yeah, it's a mess.  i spent 2 days trying to get poptop working a few
months ago.  once i got everything patched and running and could set up a
vpn between pptp-linux and pptpd, i still couldn't get win98 to connect
to pptpd.  i gave up and decided next time i'd try to use ipsec with
freeswan.

good luck,
xn

On Tue, Apr 30, 2002 at 01:20:21PM -0400, Derek J. Balling wrote:
 looks like there's a package for the patch:
 kernel-patch-mppe - ppp_mppe module for pppd
 
 Except that that patch is against 2.4.0
 
 There's a lot of disjointed pieces, and not all of them seem to be 
 maintained or kept current:
 
o  pptpd - which seems to (now) not require any special effort
o  pppd needs to be patched or include support for mppe
o  kernel needs to be patched or include support for mppe
 
 And that very chaos is what led me to ask if anyone has more 
 current info on how to make this work?  ;-)
 
 D
 
 
 -- 
 +-+-+
 | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
 |  Derek J. Balling   |  That ever lived in the tide of times.  |
 | |  Woe to the hand that shed this costly  |
 | |  blood - Julius Caesar Act 3, Scene 1  |
 +-+-+
 
 






Re: log the original source ipaddress

2002-04-10 Thread Christian G. Warden
i'm not familiar with rinetd, but if you use netfilter to do dnat the source
address will be maintained.  just make sure internal boxes hit the
webserver directly, on the internal ip, rather than through the external
one so they don't get confused by packets coming back directly from the
web server.
something like this should work:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 80 \
-j DNAT --to-destination $WEBSERVER:80

/sbin/iptables -A FORWARD -p tcp -d $WEBSERVER --destination-port 80 -j ACCEPT

xn

On Wed, Apr 10, 2002 at 11:01:25AM +0700, N. A. Hilal wrote:
 dear,
 
 i have a webserver (running on a localnet, rfc1918) behind a
 firewall (using rinetd for redirecting); apache's log
 shows all accesses as coming from the firewall's internal interface
 instead of the original source address. 
 
 any idea how i can log the original source ip address of
 anyone who accesses my webserver even though i use redirecting..?
 
 thx,
 N. A. Hilal
 
 





Re: A question about some network services

2002-04-04 Thread Christian G. Warden

rdate is probably easier to use.  ntp requires at least a little
configuration, but it is more accurate.

xn

On Thu, Apr 04, 2002 at 06:56:30PM +0200, eim wrote:
 First of all thanks to all for responses.
 
 On Wed, 2002-04-03 at 20:22, Holger Eitzenberger wrote:
  On Wed, Apr 03, 2002 at 09:16:03AM +0200, Emmanuel Lacour wrote:
  
'time' is RFC 868, a pre-NTP time synchronization protocol. It just
sends the time as a 32-bit int, where:

The time is the number of seconds since 00:00 (midnight) 1 January 1900
 GMT, such that the time 1 is 12:00:01 am on 1 January 1900 GMT; this
 base will serve until the year 2036.

I think it sends it big-endian, but I'm not sure.
   
   Is it used by the old rdate tools?
 
 Old rdate tools ? I use them regularly to update my
 servers with the current time, is it more convenient
 to install an NTP server on my local network ?
 
 Thanks.
 
  
  Indeed.  It's quite useful if you don't have an NTP server at
  hand, e. g. behind a firewall.  It's not ok if you need accuracy
  of less than 1 sec.
  
  /Holger
  
  
  -- 
  ++ GnuPG Key - http://www.t-online.de/~holger.eitzenberger ++
 -- 
 
  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
  Ivo Marino[EMAIL PROTECTED]
  UN*X Developer, running Debian GNU/Linux
  irc.OpenProjects.net #debian
  http://eimbox.org/~eim http://eimbox.org
  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
 
 







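The RFC 868 `time` service discussed in the thread above is worth decoding by hand once, because the two properties that decide whether it is an acceptable clock source are both visible in the four bytes: the value is seconds since 1900 with one-second resolution (hence the "not ok below 1 sec" remark), and it is a 32-bit field in network byte order (big-endian, as every rdate implementation assumes) that wraps in February 2036. The script below is an added example, not code from the thread or from rdate. It converts a reply to Unix time, treats values below the 1970 offset as the post-2036 wraparound, and, since the protocol carries no authentication at all, refuses to step the clock by more than a caller-chosen bound. The sample reply is constructed (0xC056BEC0, which is 2002-04-04 12:00:00 UTC, the date of the thread); `nc timehost 37` in the comment is only one way to capture a real one.

```sh
#!/bin/sh
# Added example, not from the thread: decode an RFC 868 "time" reply and sanity-check it.
# The reply is one unsigned 32-bit integer in network byte order: seconds since
# 1900-01-01 00:00:00 UTC, with one-second resolution.

RFC868_EPOCH_OFFSET=2208988800     # seconds from 1900-01-01 to 1970-01-01 (Unix epoch)

# rfc868_to_unix B0 B1 B2 B3: the four reply bytes in wire order -> Unix time.
# A live server cannot legitimately report a pre-1970 date, so a value below the
# offset is taken as the post-2036 wraparound of the 32-bit field. Needs 64-bit
# shell arithmetic, which dash and bash both provide.
rfc868_to_unix() {
    t=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$t" -lt "$RFC868_EPOCH_OFFSET" ] && t=$(( t + 4294967296 ))
    echo $(( t - RFC868_EPOCH_OFFSET ))
}

# decode_reply FILE: FILE holds the raw reply (e.g. from "nc timehost 37 > reply.bin").
# Anything other than exactly four bytes is rejected rather than guessed at.
decode_reply() {
    set -- $(od -An -tu1 "$1")
    [ $# -eq 4 ] || { echo "malformed reply: expected 4 bytes, got $#" >&2; return 1; }
    rfc868_to_unix "$1" "$2" "$3" "$4"
}

# clock_within SERVER_TIME LOCAL_TIME MAX_SKEW: succeed only if the two differ by at
# most MAX_SKEW seconds. The protocol is unauthenticated, so a caller should refuse
# to step the clock by a large amount on the say-so of a single reply.
clock_within() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$3" ]
}

# Constructed sample for reference: bytes 192 86 190 192 (0xC056BEC0)
# decode to Unix time 1017921600, i.e. 2002-04-04 12:00:00 UTC.

# Usage: decode a captured reply and compare it with the local clock before trusting it.
if [ -n "${1:-}" ]; then
    server=$(decode_reply "$1") || exit 1
    clock_within "$server" "$(date +%s)" 300 \
        || { echo "server time $server is more than 300 s from the local clock" >&2; exit 1; }
    echo "$server"
fi
```

The 300-second bound in the usage block is the same idea as an NTP daemon's panic threshold: a one-shot `rdate`-style step is fine for a first sync of a freshly installed box, but a script that blindly sets the clock from port 37 on every cron run will follow a spoofed or broken server anywhere, and that moves log timestamps, certificate validity checks and Kerberos tickets with it.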
Re: on potato's proftpd

2002-04-03 Thread Christian G. Warden

On Wed, Apr 03, 2002 at 02:43:10PM -0800, Petro wrote:
 On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote:
  Release early; release often.
 
 <b><em><font size=7><blink>NO</blink></font></em></b>
 
 Measure twice, cut once. 

i haven't really been following this thread, but i like analogies as
much as the next person, so how's this:

if you don't have a tape measure, cut large and sand down as needed.

xn
 
 -- 
 Share and Enjoy. 
 
 




Re: scp and sftp

2002-03-31 Thread Christian G. Warden

the commercial ssh server has an option to chroot to a user's home
directory.  there are patches available to openssh to do it also,
though i don't know if they've been thoroughly audited.  check out
http://mail.incredimail.com/howto/openssh/
you can make sftp-server the user's shell to only allow sftp access.

xn

On Sat, Mar 30, 2002 at 10:24:28PM -0500, Jon McCain wrote:
 I've been playing around with the scp and sftp components of putty and
 noticed what I consider a security hole.  Winscp does the same thing. 
 The user can change to directories above their home.  Is there a way to
 chroot them like you can in an ftp config file?  I don't see anything in
 the sshd config files.  If you can't, how can I disable the scp
 functionality?  I'm not talking about scp from the linux box.  The users
 don't have shell access so that's not a problem.  I'm referring to
 remote people using a scp client to access my linux machine.  You can
 disable sftp ability by removing the sftp-server program but the scp
 server part seems to be part of sshd.
 
 I did not see anything about this issue on the openssh web site. 
 Anybody got any suggestions?
 
 

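Warden's reply points at third-party chroot patches and at making sftp-server the user's shell. Later OpenSSH releases (4.9 and up) build this in with `ChrootDirectory` and the `internal-sftp` subsystem, so no patch is needed and scp is refused along with the shell. The script below is an added example that goes beyond the thread, not code from the thread or from the OpenSSH project: it prints the sshd_config(5) fragment for a hypothetical group `sftponly` jailed under a hypothetical `/srv/sftp`, and checks the requirement that most often breaks such setups, that every component of the chroot path is a root-owned directory not writable by group or others, which sshd enforces before it will chroot at all.

```sh
#!/bin/sh
# Added example, not from the thread: an sftp-only chroot with stock OpenSSH (4.9+).
# Group name and chroot path are hypothetical.

# sftp_chroot_config GROUP DIR: print the sshd_config(5) fragment that jails members of
# GROUP under DIR and allows nothing but SFTP. The Subsystem line must replace any
# existing "Subsystem sftp" line; Match blocks belong at the end of the file.
sftp_chroot_config() {
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# check_chroot_path DIR: sshd refuses to chroot unless DIR and every parent are
# directories owned by root and not writable by group or others. Walk up to / and
# apply the same test to each component, naming the first offender.
check_chroot_path() {
    p=$1
    while :; do
        set -- $(ls -ldn "$p" 2>/dev/null)    # "drwxr-xr-x 2 0 0 ..." (numeric uid in field 3)
        case $1 in
            d*) ;;
            *)  echo "$p: missing or not a directory" >&2; return 1 ;;
        esac
        [ "$3" -eq 0 ] || { echo "$p: owned by uid $3, must be root" >&2; return 1; }
        case $1 in
            ?????w*|????????w*) echo "$p: writable by group or others ($1)" >&2; return 1 ;;
        esac
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Usage: review the fragment, verify the jail, then append the fragment to sshd_config.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_chroot_path "$2" || exit 1
    sftp_chroot_config "$1" "$2"
fi
```

Because the chroot root itself must not be writable by the user, uploads go to a subdirectory created for the purpose (for example `/srv/sftp/upload`, owned by the user and group-owned by `sftponly`), and the user's home is set to `/upload` as seen from inside the jail. With `ForceCommand internal-sftp` in place the account's login shell is irrelevant to what it can do over ssh, but setting it to `/usr/sbin/nologin` keeps it from being usable anywhere else on the box.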



Re: iptables filtering rules

2002-03-25 Thread Christian G. Warden

i'm in the middle of switching from ipchains to iptables right now and i
haven't tested my DNAT rules yet, but from what i understand, packets
pass through the FORWARD chain in the filter table after the PREROUTING
chain in the nat table.
see the second paragraph here:
http://netfilter.samba.org/documentation/HOWTO//packet-filtering-HOWTO-9.html

xn

On Mon, Mar 25, 2002 at 10:46:45PM +0100, Andras GALAMBOSI wrote:
 Hello all,
 
 sorry to disturb you with this silly question. I am sure, that it is obvious
 to all list members (except me ;)
 
 scenario: intranet (10.10.1.x) with win clients (NT & 2k), gateway (Debian
 GNU/Linux potato with kernel 2.4.18 + iptables).  NAT is used for requests
 from intranet to Internet. this works fine. Web & mailserver is behind the
 firewall, so I needed to set up portforwarding. dnat is used for this. this
 works fine.
 as the webserver is an ii$, I am sure, that some firewall rules must be set 
 up for these two ports. The access.log shows, that is a MUST:
 GET /scripts/root.exe?/c+dir HTTP/1.0
 GET /MSADC/root.exe?/c+dir HTTP/1.0
 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
 ... so on...  I'm sure, that it's just a script kiddie, but, on the other 
 hand, it's just m$ product.
 
 Q: how to set up filtering rules, if a PREROUTING dnat rule has been set up
 before? the packet never comes to the INPUT, nor to the FORWARD, does it?
 I really do not want to set up another firewall onto that win2k server.
 
 
 TIA,
 gaan
 
 

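Warden's answer is right about the order: for a forwarded packet the nat PREROUTING chain (where DNAT rewrites the destination) runs before the routing decision, and the filter FORWARD chain runs after it, so FORWARD sees the packet already addressed to the internal host. INPUT, which the questioner was watching, is only for traffic addressed to the gateway itself, so the DNATed packets never appear there. The practical consequence, and the usual mistake when filtering after DNAT, is that a FORWARD rule must match the internal address, not the public one. The script below is an added example, not from the thread; the interfaces, the public address (a documentation range) and the internal host are hypothetical, and it prints the rules instead of running them so they can be reviewed first. It uses `-m state`, which is what the 2.4.18 kernel in the question has; on current kernels `-m conntrack --ctstate` is the equivalent.

```sh
#!/bin/sh
# Added example, not from the thread: DNAT a public port to an internal host and filter
# the forwarded traffic. Interfaces and addresses are hypothetical (203.0.113.0/24 is
# a documentation range).
#
# Path of a forwarded packet: nat/PREROUTING (DNAT rewrites the destination)
#   -> routing decision -> filter/FORWARD -> nat/POSTROUTING.
# It never enters filter/INPUT, and by the time FORWARD sees it the destination is
# already the internal address.

EXT_IF=eth0
INT_IF=eth1
PUBLIC_IP=203.0.113.10
WEB_IP=10.10.1.20
WEB_PORT=80

# web_forward_rules: print the rule set rather than applying it, so it can be reviewed
# (or linted, below) and then piped into sh on the gateway. The existing POSTROUTING
# SNAT/MASQUERADE rule for the intranet is left as it is.
web_forward_rules() {
    cat <<EOF
# Rewrite the destination of inbound web traffic to the internal host.
iptables -t nat -A PREROUTING -i $EXT_IF -d $PUBLIC_IP -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT
# Default-deny for everything the gateway forwards.
iptables -P FORWARD DROP
# Replies to connections that were allowed in, and replies to what the intranet opened.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Intranet clients going out.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
# New connections to the published service, matched on the post-DNAT address and port.
iptables -A FORWARD -i $EXT_IF -d $WEB_IP -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT
# Anything else from outside aimed at the web host is logged, then hits the DROP policy.
iptables -A FORWARD -i $EXT_IF -d $WEB_IP -j LOG --log-prefix "fwd-drop: "
EOF
}

# lint_forward_rules: read iptables commands on stdin and fail on any filter/FORWARD
# rule that matches the public address. After DNAT that destination no longer exists,
# so such a rule never fires, whether it was meant to accept or to drop.
lint_forward_rules() {
    if grep -E -- '-A FORWARD .*-d '"$PUBLIC_IP"'([ /]|$)' >/dev/null; then
        echo "FORWARD rule matches the pre-DNAT address $PUBLIC_IP; match on $WEB_IP instead" >&2
        return 1
    fi
    return 0
}

# Usage: lint, then apply (only when run with "apply" as the first argument).
if [ "${1:-}" = apply ]; then
    web_forward_rules | lint_forward_rules || exit 1
    web_forward_rules | sh
fi
```

What this cannot do is block the `root.exe` and `cmd.exe` probes in the access log: those are well-formed HTTP requests to the published port, indistinguishable from legitimate traffic at the packet-filter level, and have to be dealt with on the web server itself or by an HTTP-aware proxy in front of it. The port filter still earns its keep by keeping everything other than port 80 off the host.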


