OpenSSL vs. GnuTLS in Exim
Hi all! I have problems with exim4-daemon-heavy and its TLS support (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348046). I suspect that the problem is related to GnuTLS, so I want to rebuild exim4 against OpenSSL to check if it will help. Can anyone tell me if there is any security risk in using OpenSSL in exim4? Is there any advantage of GnuTLS over OpenSSL? I've been using OpenSSL-based applications (i.e. courier-imap-ssl) for a long time without ANY problems. What was the reason to use GnuTLS in exim??? -- Jaroslaw Tabor [EMAIL PROTECTED]
Re: howto block ssh brute-force
Hello! On Sun, 12-03-2006, at 04:50 -0300, Felipe Figueiredo wrote: Hello, once in a while (say, every two weeks) I get a brute-force login/password scan attempt in my server (i.e., a single ip tries I'm changing the ssh port to some high random number. This is quite easy, safe and generally blocks all automatic ssh scanners, but of course will not close the issue in all cases. -- Jaroslaw Tabor [EMAIL PROTECTED]
Re: Security scanner
On Tue, 24-01-2006, at 02:47 +0100, Bernd Eckenfels wrote: Package: smb-nat Priority: extra Section: admin Thanks! This is exactly what I was looking for... -- Jaroslaw Tabor [EMAIL PROTECTED]
Security scanner
Hi all! Does anyone know a network scanner I can run on Debian to search the LAN for unprotected Windows shares? Or maybe something looking for simple passwords? I'd like to automate discovering stupid users, leaving full access to their C:\. -- Jaroslaw Tabor [EMAIL PROTECTED]
Re: Spyware / Adware
Hello Dave! As I see, there are a lot of very deep answers regarding the issue. But from a regular user's point of view, there is NO COMPARISON between windoze and Linux in the area of security. I've been working with Linux since 1994, and for the last 3-4 years I've been working ONLY with Linux (Debian unstable). I think that I'm allowed to say that I have experience with Linux. And believe me or not: I have never seen any virus, adware, spyware or trojan on my machine. I've noticed 2 serious attacks from intruders on one of my publicly available servers - but they failed. It NEVER happened to my workstation. So Dave, you can be really sure that you can forget about such problems. Of course the others talking about risks are right. There is a risk. And of course there is a risk that on a sunny day you will be hit by lightning. The question is scale. My friend installed a fresh Windows 2000 on a public server some time ago as an experiment. After one night, there was about 100MB of new software installed on this machine with 100% CPU load. You can install Debian on any public machine, and after a few months there will be no new software, no new users, and 0% CPU load. So good luck! Jarek
Spam fights
Hi all! As I see, there are a lot of issues regarding spam, so I'd like to add something from me :) Because my email was used on many discussion lists, I was sometimes receiving over 100 spam emails per day. A long time ago I started fighting them using many different methods. Currently I'm using two methods which reduce spam to 1-2 per day: spamassassin and sender verification. From my experience, most spam was sent from non-existing or ISP-blocked emails, so sender verification has decreased spam radically. In the meantime, I've found an additional way of spam filtering, but it requires some development. The basic idea is simple and already in use: We allow all emails from the whitelist. For an unknown sender, an automated confirmation request is sent. If the confirmation comes, the receiver can decide to put the new sender on the white or black list (by replying with a prepared subject and token). This method has one hole: a spammer can use any address from the whitelist. To avoid this, the white list should contain a list of allowed SMTP servers (source IP addresses) for every email. I'm planning to develop this feature, but it will be nice to hear what you think about this idea. best regards JT
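The scheme proposed in the message above, as an added Python illustration (not code from the original post or from any existing mail filter): a whitelist entry is a sender address plus the SMTP source IPs confirmed for it, so a whitelisted address arriving from an unlisted server is challenged again. The class and method names and the HMAC-derived token are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Added illustration; class and method names are hypothetical.
class ConfirmingFilter:
    """Whitelist keyed by sender address AND the SMTP source IPs seen for it."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.whitelist = {}      # sender -> set of allowed source IPs
        self.blacklist = set()   # rejected sender addresses
        self.confirmed = set()   # (sender, ip) pairs whose sender answered

    def token(self, sender, ip):
        # The token binds a confirmation to one (sender, source IP) pair.
        msg = f"{sender.lower()}|{ip}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def receive(self, sender, ip):
        """Classify an incoming message: accept, reject or challenge."""
        sender = sender.lower()
        if sender in self.blacklist:
            return "reject"
        if ip in self.whitelist.get(sender, set()):
            return "accept"
        # Unknown sender, or a known sender from an unlisted server:
        # hold the mail and send a confirmation request.
        return "challenge"

    def sender_confirmed(self, sender, ip, token):
        """The sender answered the confirmation request with its token."""
        ok = hmac.compare_digest(token, self.token(sender, ip))
        if ok:
            self.confirmed.add((sender.lower(), ip))
        return ok

    def receiver_decides(self, sender, ip, token, allow):
        """Receiver's reply (prepared subject + token) lists the sender."""
        sender = sender.lower()
        if (sender, ip) not in self.confirmed or not hmac.compare_digest(
                token, self.token(sender, ip)):
            return False
        if allow:
            self.whitelist.setdefault(sender, set()).add(ip)
        else:
            self.blacklist.add(sender)
        return True
```
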
Re: Server slowdown...
Hello! In a message of Mon, 12-04-2004, 02:00, Joe Bouchard writes: In a meeting at work (I'm part of the IT group at a large corporation) someone mentioned a particular kind of network hardware which would stop working correctly after a while. We have a pretty busy network with broadcasts and what not, and apparently this device would croak after x number of packets, perhaps 2^32 or something. The time frame was a few weeks for the device to get to that point. I'm almost sure that this is a software problem. The machine has been working without hardware changes for years, and it didn't happen before. The only changes I made are software updates (from debian-security) and a kernel upgrade after the last holes were discovered. regards JT.
Server slowdown...
Hello! I've a strange problem with one of my servers. From time to time (once per 2-3 months), something strange happens, and the server starts working very slowly. What is strange, CPU load (from top) is about 5%, but response time for network services is extremely high. Usually it gives a timeout. After a reboot, everything works perfectly. The question is where to start the investigation. Can someone suggest some tool to record statistics of CPU, Network, IO (drives) in correlation with processes? Due to the fact that the problem occurs for all services, I suspect a kernel (2.2.26) problem, but how to extract it? I see that 2.2.27pre1 has some fixes for a tcp keepalive bug and a tcp seq nr wrapping bug. Can it be related? regards JT
Big VPN
Hi all! I know that this list isn't the best place to ask, but I've been reading this list for years. I hope You will forgive me :) I'm looking for a good linux (debian of course) based solution for a VPN connecting about 100 LANs. The solution should be stable, easy to implement and easy to manage. I have some experience with VPNs based on PPTPd, but not so big. I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid about security. If I understand this solution right, there is no authentication at all. So everyone can connect to the LANs if he spoofs the IP. I need something better, because I cannot trust the LAN users. To avoid that, I have an idea to use some kind of secure DNS, which will answer only to authorized peers, but I don't know how to do it. Finally, the questions: Did someone successfully build such a network? If yes, how? Do You know any other VPN solution for this problem? If my idea isn't so bad, how to add secure authentication to the OE solution? Is there any solution to easily manage keys in so big a network, if I choose freeswan (or other) without OE? best regards Jarek PS: Sorry for my poor English, I'm not a native speaker.
Re: Fwd: Re: [ox-en] Walther
Hello all! I've just received over 20 mails with Walther in the subject. None of them is related to debian security issues. Is it OK? I'm receiving hundreds of mails daily, and I like to have them sorted by real subject. best regards Jarek
Re: Keeping files away from users
In a message of Thu, 05-06-2003, 07:30, Luis Gomez - InfoEmergencias writes: Hello! We'd like to protect that content, so that even if someone unplugs the machine and connects the HD to another Linux box, they can't access that information. Of course it's difficult to do, but we think there might be a possibility to achieve success. You have to understand that by giving someone physical access to the machine, You are in fact giving him everything. All the software solutions to protect the contents could be just simply disassembled. So You can only make it more difficult, i.e. by rewriting the filesystem so it won't be understandable by other machines, changing the boot code or doing something similar. But this solution has two sides: It will be much more difficult to support such a device. If You want to protect Your code, You can use some kind of hardware keys to decrypt executables on the fly. Of course this is still not the perfect solution, because someone can sniff the decoded code and use it later. If You want to be sure that no one will take out Your code, You should implement some kind of autodestruction (H2SO4, TNT, C4, small nuclear bomb etc...) which will destroy the HDD (or the whole device) when someone tries to open the box. And please think about Open Source - this is also a way to make money. And You don't need to worry about the code security. Anyway good luck!!! -- Jaroslaw Tabor [EMAIL PROTECTED]
Encrypted Ethernet ?
Hello! Does someone know if there is a solution to use Debian (or, in general, Linux) as an encryptor for Ethernet? I'd like to use two computers connected by unsafe ethernet as a secure tunnel between two LANs. It means that such a device has to be transparent for all IP traffic (or maybe for all Ethernet traffic?). regards Jarek Tabor
RE: Virtual Networking between Debian and Microsoft Windows systems
Hello! I did something like this, using sshd on Debian and portforwarder on Windows. Portforwarder is able to forward any number of local ports to a remote machine over a secure ssh tunnel. I did it only for a few services (POP3 and SMTP) but it should also work for any other services. Best regards JT.