Re: bind squid to interface
* Michael West [EMAIL PROTECTED] [26-03-03 15:16]:
> I would like to bind squid to a specific interface.

Look at /etc/squid.conf:

# NETWORK OPTIONS
# -
#  TAG: http_port
#       Usage:  port
#               hostname:port
#               1.2.3.4:port
#
#       The socket addresses where Squid will listen for HTTP client
#       requests.  You may specify multiple socket addresses.
#       There are three forms: port alone, hostname with port, and
#       IP address with port.  If you specify a hostname or IP
#       address, then Squid binds the socket to that specific
#       address.  This replaces the old 'tcp_incoming_address'
#       option.  Most likely, you do not need to bind to a specific
#       address, so you can use the port number alone.
#
#       The default port number is 3128.
#
#       If you are running Squid in accelerator mode, then you
#       probably want to listen on port 80 also, or instead.
#
#       The -a command line option will override the *first* port
#       number listed here.  That option will NOT override an IP
#       address, however.
#
#       You may specify multiple socket addresses on multiple lines.
#
#Default:
http_port 127.0.0.1:3128

HTH
Jens
Re: chkrootkit and LKM
* Jacques Lav!gnotte [EMAIL PROTECTED] [07-03-03 14:05]:
> Hello...
>
> When running chkrootkit from a shell logged on the machine I get:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes I get 2 or 3 processes, sometimes NONE.
>
> Are there known 'false positives'?

I had this too. Search on google for chkrootkit lkm.
Nothing to worry about.

Jens
Re: securing pop3
* Bernard Lheureux [EMAIL PROTECTED] [10-02-03 22:53]:
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb
> packages of stunnel ?

??

$ apt-cache show stunnel
Package: stunnel
Priority: optional
Section: non-US
Installed-Size: 220
Maintainer: Paolo Molaro [EMAIL PROTECTED]
Architecture: i386
Version: 3.22-1
Depends: openssl, libc6 (= 2.2.4-4), libssl0.9.6, libwrap0, netbase
Filename: pool/non-US/main/s/stunnel/stunnel_3.22-1_i386.deb
Size: 59638
MD5sum: 1eec76ba161820c1900ce603fd103dff
Description: Universal SSL tunnel for network daemons
 The stunnel program is designed to work as SSL encryption wrapper
 between remote client and local (inetd-startable) or remote server.
 The concept is that having non-SSL aware daemons running on your
 system you can easily setup them to communicate with clients over
 secure SSL channel.
 .
 stunnel can be used to add SSL functionality to commonly used inetd
 daemons like POP-2, POP-3 and IMAP servers without any changes in
 the programs' code.
Re: Packets to 224.0.1.24 (II)
* P. Ook p..ook@lycos.es [10-10-02 01:35]:
> I've just installed a Woody Debian box with an ipchains firewall and I can see
> a lot of syslog entries (3 entries per hour) like this:
>
> Oct 9 22:18:25 myhost kernel: Packet log: input - eth0 PROTO=17 a.b.c.d:42 224.0.1.24:42 L=47 S=0x00 I=27053 F=0x T=2 (#19)
>
> Can anyone explain to me why my machine is trying to send packets to
> 224.0.1.24 (MICROSOFT-DS.MCAST.NET)? Maybe it's due to a package I've
> installed in this machine?

Do you have Windows-Hosts in your network?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q151761

WINS Server Sends IGMP Packets on Startup

When you start up the Windows Internet Name Service (WINS) on Windows NT, it
automatically sends IGMP packets to multicast address 224.0.1.24

HTH
Jens
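Added example (not part of the original messages): a small parser for ipchains "Packet log" entries of the kind quoted above, which counts the traffic to 224.0.1.24 per source address so the emitting host on the LAN can be identified. The sample log lines and the 192.0.2.x addresses are constructed; the chain name "input" in these entries means the packets were received on eth0.

```python
import ipaddress
import re
from collections import Counter

# Field layout of an ipchains "Packet log" entry, as in the quoted line:
# chain, target ("-" = rule has no target), interface, IP protocol number,
# src:port, dst:port, then L= S= I= F= T= and the matching rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?T=(?P<ttl>\d+).*?\(#(?P<rule>\d+)\)"
)
WINS_GROUP = ipaddress.ip_address("224.0.1.24")  # address from the thread

# Constructed sample entries (192.0.2.0/24 is a documentation range).
SAMPLE = [
    "Oct  9 22:18:25 myhost kernel: Packet log: input - eth0 PROTO=17 "
    "192.0.2.10:42 224.0.1.24:42 L=47 S=0x00 I=27053 F=0x0000 T=2 (#19)",
    "Oct  9 22:38:25 myhost kernel: Packet log: input - eth0 PROTO=17 "
    "192.0.2.10:42 224.0.1.24:42 L=47 S=0x00 I=27101 F=0x0000 T=2 (#19)",
    "Oct  9 22:40:02 myhost kernel: Packet log: input - eth0 PROTO=17 "
    "192.0.2.11:42 224.0.1.24:42 L=47 S=0x00 I=512 F=0x0000 T=2 (#19)",
    "Oct  9 22:41:17 myhost kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.99:137 192.0.2.1:137 L=78 S=0x00 I=4411 F=0x0000 T=64 (#7)",
    "Oct  9 22:42:00 myhost sshd[311]: not a packet log line",
]

def parse(line):
    """Return a dict of typed fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec

def wins_multicast_senders(lines):
    """Count received UDP/42 packets to 224.0.1.24 per source address."""
    senders = Counter()
    for rec in filter(None, map(parse, lines)):
        if (rec["chain"] == "input" and rec["dst"] == WINS_GROUP
                and rec["proto"] == 17 and rec["dport"] == 42):
            senders[str(rec["src"])] += 1
    return dict(senders)
```

Calling wins_multicast_senders() on a list of syslog lines returns a mapping from source address to packet count; each key is a host to check for a running WINS service.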
Re: Can a daemon listen only on some interfaces?
At 15:06 08.12.01, you wrote:
> I do want sshd to listen on all (0.0.0.0) but I would like to find a way to
> make it only accept connection attempts for a certain user from the internet
> but still allow several other users to connect from the LAN. I do know how to
> make it accept connections for only certain users - by using the AllowUsers
> config item in /etc/ssh/sshd_config. But this allows all the users specified,
> to connect on all interfaces ssh listens on, which is not what I want ideally.
> What would be better, is to allow several from the LAN to connect but only one
> (me) from the internet. This doesn't seem possible from my reading so far.
> Oh well.

If you log in with RSAkey authentication, you can set the 'from' option in the
$HOME/.ssh/authorized_keys file.

$ man sshd

AUTHORIZED_KEYS FILE FORMAT
..
     from=pattern-list
             Specifies that in addition to RSA authentication, the canonical
             name of the remote host must be present in the comma-separated
             list of patterns (`*' and `?' serve as wildcards). The list may
             also contain patterns negated by prefixing them with `!'; if the
             canonical host name matches a negated pattern, the key is not
             accepted.

But I don't know how to manage it with password authentication, but keys are
any more secure for internet connections.

HTH
Jens
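Added example (not part of the original messages, and not sshd's own code): a re-implementation of the pattern-list rules quoted from the man page above, applied to the question's scenario of LAN-only users plus one user who may also log in from the internet. The host names, the two authorized_keys lines and the key placeholder are constructed; comparing names case-insensitively is an assumption of this sketch.

```python
import re

def _glob(pattern):
    """Compile one pattern: '*' = any run of characters, '?' = exactly one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern.lower())
    return re.compile("".join(parts) + r"\Z")

def match_pattern_list(host, pattern_list):
    """True if host matches a positive pattern and no negated ('!') one."""
    host = host.lower()
    matched = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if _glob(pat[1:] if negated else pat).match(host):
            if negated:
                return False  # a negated match rejects the key outright
            matched = True
    return matched

def key_allowed(authorized_keys_line, remote_host):
    """Apply the from= option of one authorized_keys line, if it has one."""
    m = re.search(r'(?:^|,)from="([^"]*)"', authorized_keys_line)
    if m is None:
        return True  # no from= option: the key is usable from any host
    return match_pattern_list(remote_host, m.group(1))

# Constructed authorized_keys lines; KEY-PLACEHOLDER stands in for key data.
LAN_ONLY_KEY = 'from="*.lan.example,!gw.lan.example" ssh-rsa KEY-PLACEHOLDER alice@pc1'
ROAMING_KEY = 'ssh-rsa KEY-PLACEHOLDER admin@laptop'

if __name__ == "__main__":
    for host in ("pc1.lan.example", "gw.lan.example", "dialup7.isp.example"):
        print(host, key_allowed(LAN_ONLY_KEY, host), key_allowed(ROAMING_KEY, host))
```

Because the match is on the canonical host name, the restriction is only as reliable as the reverse DNS for the connecting address.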
Re: FTP and security
At 09:05 09.11.01, you wrote:
> In this case I use (and suggest to use) pscp which is a win32 implementation
> of scp (secure copy). It uses a ssh connection to upload or download.
> Unfortunately it uses no gui and has to run from cmd or command.

Take a look at Secure-iXplorer http://www.i-tree.org/ixplorer.htm, it's a GUI
for pscp, you can drag'n drop your files very comfortably. It works ok here.

Jens
Re: FTP and security
At 18:00 09.11.01, you wrote:
> When I tried iXplorer, it didn't look to have ssh2 support. I'd prefer to use
> ssh2 support, WinSCP allows you to select, but it seems to crash when
> uploading lots and/or big files. It DOES complete, but you can't see its
> progress, etc.

With iXplorer 0.17 you can use a putty saved session and so you get ssh2
support. If you want support for ssh2-keys you have to download one of the
developer-snapshots of putty (putty, plink, pscp, pageant and puttygen) and
generate your ssh2-keys with the new puttygen.

Jens
Re: Security Update
At 22:21 13.10.01, Mark Rompies wrote:
> what commands should i type from the console to update the security fixes for
> a/any package(s)? Could i use apt-get?

Just add the line

deb http://security.debian.org/ potato/updates main contrib non-free

to your /etc/apt/sources.list, then

apt-get update
apt-get upgrade

that's all

Jens
Re: File transfer using ssh
At Thu, 23 Aug 2001 17:18, Curt Howland wrote:
> One point: All the Windows scp clients I've tried so far are password based,
> and my server allows only RSA key access, so they don't work.

Take a look at Secure-iXplorer http://www.i-tree.org/ixplorer.htm

It's a front end for the Secure Shell (SSH) Copy PSCP that's a part of Putty.
With Pageant and the Putty saved session option there's no problem to deal
with RSA keys. And you have a GUI to copy files from and to a SSH host very
comfortably.

Jens
Re: non-US security fixes URL
At 16:42 19.07.01, you wrote:
> What might be the URL/apt-get sources.list line for security fixes of the
> non-US packages?

Taken from the latest Debian Weekly News - July 18th, 2001

Newbie Tip-of-the-week

Are you security-conscious? Good! Here's how you can use apt-get to keep your
potato system up-to-date with the latest security patches: in
/etc/apt/sources.list include those lines

deb http://security.debian.org/debian-security potato/updates main contrib non-free
deb http://security.debian.org/debian-non-US potato/non-US main contrib non-free
deb http://security.debian.org potato/updates main contrib non-free

Thereafter, a quick

apt-get update
apt-get upgrade

is all you need to keep the gremlins at bay.

HTH
Jens