Re: Block 198.175 admins? who are they?
Are you sure that they portscanned you and not someone faking that IP? According to ARIN:

OrgName: Distributed Network Technical Support
OrgID: DNTS
NetRange: 198.175.98.0 - 198.175.98.255
CIDR: 198.175.98.0/24
NetName: INTEL-IT35
NetHandle: NET-198-175-98-0-1
Parent: NET-198-175-64-0-1
NetType: Reassigned
Comment:
RegDate: 1993-05-12
Updated: 1993-05-12
TechHandle: PK6-ARIN
TechName: Knight, Paul
TechPhone: +1-916-356-2896
TechEmail: [EMAIL PROTECTED]

On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:
> I've been just properly scanned and whois is telling 198.175.98.0 is Distributed Network Technical Support (NET-INTEL-IT34), nothing more, who shall I contact then ;)
>
> Rene Skoba

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: To test a OpenSSH trojaned server
Well, as I understand it, the trojan runs only when you compile the code ... it's not in the sshd program. So you can only have it if you compiled the code yourself. If so, you can just check the md5 sums from the advisory.

-rishi

On Mon, 5 Aug 2002, Halil Demirezen wrote:
> Hi all,
> Where can I find a code that tests a vulnerable OpenSSH trojaned server? Or if I should write the code, what are this trojan server's specifications?
mod-ssl and new apache
Does mod_ssl support the new apache yet?

-rishi
Re: sshd_config file
I think the Banner tag is meant for text files. I assume you're trying to display some information that changes every so often. I see two ways of doing this:

1) Set up a cron job to run every so often and update the file, and set the Banner tag to the file.

2) Configure sshd to run with TCP wrappers. Then, in inetd (or xinetd), tell it to run a script whenever a connection comes in on port 22. This script will update the Banner file, and then run sshd.

Note: if you use ssh a lot, the second option isn't a good one. But maybe you should also consider a static message. Whatever info you want to generate in the Banner field is information that can be leaked out to malicious users.

-rishi

On Sun, 2 Jun 2002, Ryan Goss wrote:
> In the sshd_config file using the Banner tag, is there a way that I can load a script or binary that will display a different message at the login screen? If I try:
>
>     Banner /usr/local/*some binary*
>
> I get ?ELF as the text shown at the login (same as if you less a binary). Is there an option I can use where it will execute the binary?
>
> --Ryan Goss [EMAIL PROTECTED]
> Systems Staff
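A cron-driven version of option 1, added here as an example (it is not code from the thread): it rewrites the file named by the sshd Banner directive atomically, refuses to install anything that is not plain text, and deliberately puts nothing in it that is not already public. The banner path and the crontab line are assumptions.

```shell
#!/bin/sh
# Regenerate the file named by "Banner /etc/ssh/banner.txt" in sshd_config
# (assumed path). Meant to run from cron, e.g. (assumed crontab line):
#   */10 * * * * root /usr/local/sbin/update-banner /etc/ssh/banner.txt
#
# sshd sends the banner to every client *before* authentication, so whatever
# is in it is readable by anyone who can reach port 22. Hostname, kernel
# version, uptime and who is logged in are therefore deliberately left out.

# True if the file is non-empty and contains only printable ASCII/whitespace.
# A binary handed to Banner by mistake (the "?ELF" from the question) fails here.
banner_is_text() {
    [ -s "$1" ] && ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

write_banner() {
    banner=$1
    dir=$(dirname "$banner")
    # Write into a temp file in the same directory, then rename it over the
    # old banner: rename is atomic, so a connection arriving mid-update reads
    # either the complete old text or the complete new text, never a fragment.
    tmp=$(mktemp "$dir/.banner.XXXXXX") || return 1
    {
        printf 'Authorized use only. All activity may be monitored and logged.\n'
        printf 'Notice last refreshed: %s UTC\n' "$(date -u +%Y-%m-%dT%H:%M)"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! banner_is_text "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"      # sshd must be able to read it; mktemp created it 0600
    mv -f "$tmp" "$banner"
}

if [ $# -eq 1 ]; then
    write_banner "$1"
fi
```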
Re: ipchains rules for dmz??
I looked into shorewall. It doesn't support ipchains, but seawall does. Would you suggest updating to iptables or using seawall? Do you think that Linux 2.4.x is stable yet? If so, which version? I believe that ipchains can do the job and that linux 2.2.20 is stable. I don't have experience in 2.4.x kernels yet, but am willing to look into it if people think that it's as stable as 2.2.20. Are there any security issues with the current version of ipchains that are addressed with iptables? (I don't mean iptables features like stateful packet filtering -- I mean security vulnerabilities.)

-rishi

On Wed, 29 May 2002, Sami Dalouche wrote:
> How about installing shorewall? (www.shorewall.net) the best iptables script I have ever seen. It's not only the best iptables script you've ever seen, but it's also a nice high-level configuration tool for everything concerning firewalling: Traffic Shaping, IPSec...
>
> Sam
ipchains rules for dmz??
Does anyone have a set of ipchains rules for a DMZ that doesn't have routable IPs and an internal network that doesn't have routable IPs? I looked on the IPCHAINS HOWTO page, but they don't have a script for this. I haven't seen anything with google either. I'm looking for something like this:

    Internet (bad) --- firewall --- dmz (192.168.9.*)
                          ^
                          |
                          +-- internal LAN (good) (10.177.9.*)

I would like:

    bad -- good = nothing but NATed established traffic
    bad -- dmz  = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to DNS, ssh to web box
    dmz -- good = nothing but NATed traffic
    dmz -- bad  = NATed traffic (allow all for now)
    good -- bad = NATed traffic (allow all for now)
    good -- dmz = same as bad -- dmz

All of the scripts I've seen have the DMZ as routeable. The biggest problem I have is good -- dmz, because they're both private IP ranges. I thought I could just pass them with something like:

    ipchains -N good-dmz
    ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz
    ipchains -A good-dmz -j ACCEPT

(this terminology is from the IPCHAINS HOWTO)

Any suggestions? Any help?

-rishi

___
Linux Users Group at UD mailing list
Subscription Management: https://www.lug.udel.edu/cgi-bin/mailman/listinfo/linux
Archives: http://www.lug.udel.edu/pipermail/linux/
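An ipchains script for exactly this topology, added as an example (not from the thread or the HOWTO): a DENY-by-default forward chain with one user chain for the services reachable in the DMZ, and the stateless approximation of "established" that a 2.2 kernel can do. Interface names, the DMZ host addresses and the IPCHAINS wrapper variable are assumptions.

```shell
#!/bin/sh
# Three-legged ipchains firewall: Internet (bad) / dmz 192.168.9.0/24 /
# internal LAN (good) 10.177.9.0/24, both private. Everything except the
# networks and the per-link policy from the question is an assumption.
# Run with IPCHAINS=echo to print the rules instead of loading them.

IPCHAINS=${IPCHAINS:-ipchains}
EXT_IF=eth0                       # bad
DMZ_IF=eth1; DMZ_NET=192.168.9.0/24
INT_IF=eth2; INT_NET=10.177.9.0/24
WEB=192.168.9.2; MAIL=192.168.9.3; DNS=192.168.9.4   # assumed DMZ hosts

# Services that may be reached in the DMZ (from bad and from good alike),
# one "proto host port" per line.
dmz_services() {
    printf '%s\n' "tcp $WEB 80" "tcp $WEB 22" "tcp $MAIL 25" \
                  "tcp $DNS 53" "udp $DNS 53"
}

dmz_firewall() {
    # Deny by default on the forward chain; rebuild everything from scratch.
    $IPCHAINS -P forward DENY
    $IPCHAINS -F forward
    $IPCHAINS -F to-dmz 2>/dev/null
    $IPCHAINS -X to-dmz 2>/dev/null
    $IPCHAINS -N to-dmz

    # Anti-spoofing on the input chain (there -i is the arriving interface):
    # our private ranges never legitimately arrive from the Internet side.
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY
    $IPCHAINS -A input -i "$EXT_IF" -s "$DMZ_NET" -l -j DENY

    # to-dmz: only the listed services; anything else aimed at the DMZ is
    # logged (-l) and denied, which is also how you spot a missing rule.
    dmz_services | while read -r proto host port; do
        $IPCHAINS -A to-dmz -p "$proto" -d "$host" "$port" -j ACCEPT
    done
    $IPCHAINS -A to-dmz -l -j DENY

    # On the forward chain -i is the *outgoing* interface, so one rule covers
    # both bad -> dmz and good -> dmz (the "same as bad -- dmz" requirement).
    # bad -> dmz additionally needs the public destination rewritten to the
    # DMZ host (ipmasqadm portfw on 2.2 kernels); that part is not shown.
    $IPCHAINS -A forward -i "$DMZ_IF" -d "$DMZ_NET" -j to-dmz

    # dmz -> good: replies only. ipchains keeps no state, so "established"
    # is approximated as TCP packets that are not SYN (! -y) plus UDP answers
    # from the DNS server's port 53. The DMZ can never open a connection inward.
    $IPCHAINS -A forward -i "$INT_IF" -p tcp ! -y -s "$DMZ_NET" -d "$INT_NET" -j ACCEPT
    $IPCHAINS -A forward -i "$INT_IF" -p udp -s "$DNS" 53 -d "$INT_NET" -j ACCEPT

    # good -> bad and dmz -> bad: masqueraded, allow all for now. Replies to
    # masqueraded connections are handled by the kernel's masquerading code.
    $IPCHAINS -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    $IPCHAINS -A forward -i "$EXT_IF" -s "$DMZ_NET" -j MASQ

    # Whatever is left (good -> dmz on an unlisted port, a SYN from the DMZ
    # towards good, ...) is logged and then denied.
    $IPCHAINS -A forward -l -j DENY
}

# Dry run: number of rules the script would add.
rule_count() {
    (IPCHAINS=echo; dmz_firewall) | grep -c -- '-A '
}

if [ "${1:-}" = apply ]; then
    dmz_firewall
fi
```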
Re: auth.log
Sounds like you have some cron jobs running every five minutes. Check your /etc/crontab, /etc/cron.d, /etc/cron.daily. See if you can find the job that's running every five minutes. If someone was trying to log in, it would say which tty they were logging in from, or it would have associated sshd or telnetd log entries ... not just PAM_unix.

On Wed, 22 May 2002, Oki DZ wrote:
> Hi,
> I have quite many of the following lines in auth.log.
>
>     bdg:/var/log# tail auth.log
>     May 22 12:55:02 bdg PAM_unix[1477]: (cron) session closed for user root
>     May 22 12:55:02 bdg PAM_unix[1476]: (cron) session closed for user root
>     May 22 13:00:01 bdg PAM_unix[1536]: (cron) session opened for user root by (uid=0)
>     May 22 13:00:02 bdg PAM_unix[1536]: (cron) session closed for user root
>     May 22 13:05:01 bdg PAM_unix[1597]: (cron) session opened for user root by (uid=0)
>     May 22 13:05:01 bdg PAM_unix[1596]: (cron) session opened for user root by (uid=0)
>     May 22 13:05:01 bdg PAM_unix[1597]: (cron) session closed for user root
>     May 22 13:05:02 bdg PAM_unix[1596]: (cron) session closed for user root
>     May 22 13:10:01 bdg PAM_unix[1633]: (cron) session opened for user root by (uid=0)
>     May 22 13:10:01 bdg PAM_unix[1633]: (cron) session closed for user root
>
> Does it mean that somebody has been trying to log in?
>
> Thanks in advance,
> Oki
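The triage the reply describes, written out as an added example (not from the thread): filter cron's own PAM_unix session bookkeeping out of auth.log, list the cron sessions so the five-minute interval is visible, and pull out the sshd/login records that a real attempt leaves behind. The log lines are constructed for this example; the cron lines mimic the ones above, the sshd and login lines are made up.

```shell
#!/bin/sh
# Helpers for a syslog-style auth.log. Field layout of a line:
#   $1 $2 = month day, $3 = time, $4 = host, $5 = program[pid]:, $6.. = message

sample_log() {
    cat <<'EOF'
May 22 13:00:01 bdg PAM_unix[1536]: (cron) session opened for user root by (uid=0)
May 22 13:00:02 bdg PAM_unix[1536]: (cron) session closed for user root
May 22 13:02:11 bdg sshd[1590]: Accepted password for oki from 192.0.2.7 port 4021 ssh2
May 22 13:02:11 bdg PAM_unix[1590]: (ssh) session opened for user oki by (uid=0)
May 22 13:04:40 bdg sshd[1612]: Failed password for root from 198.51.100.9 port 4100 ssh2
May 22 13:04:43 bdg sshd[1612]: Failed password for root from 198.51.100.9 port 4100 ssh2
May 22 13:05:01 bdg PAM_unix[1597]: (cron) session opened for user root by (uid=0)
May 22 13:05:01 bdg PAM_unix[1596]: (cron) session opened for user root by (uid=0)
May 22 13:05:01 bdg PAM_unix[1597]: (cron) session closed for user root
May 22 13:05:02 bdg PAM_unix[1596]: (cron) session closed for user root
May 22 13:07:03 bdg login[1620]: ROOT LOGIN on tty1
May 22 13:10:01 bdg PAM_unix[1633]: (cron) session opened for user root by (uid=0)
May 22 13:10:01 bdg PAM_unix[1633]: (cron) session closed for user root
EOF
}

# Everything that is NOT cron opening or closing its own session.
non_cron() {
    grep -E -v 'PAM_unix\[[0-9]+\]: \(cron\) session (opened|closed) for user'
}

# One "HH:MM pid" per cron session start. Seeing 13:00, 13:05, 13:10 here
# points at a */5 entry in /etc/crontab or /etc/cron.d, not at an intruder.
cron_sessions() {
    awk '/PAM_unix\[[0-9]+\]: \(cron\) session opened/ {
             pid = $5; sub(/.*\[/, "", pid); sub(/\].*/, "", pid)
             print substr($3, 1, 5), pid }'
}

# Login attempts with their origin: sshd lines carry user and source address,
# login(1) lines carry the tty. This is the evidence a real attempt leaves.
login_attempts() {
    awk '$5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
             print $6, "user=" $9, "from=" $11; next }
         $5 ~ /^login\[/ { print "login", $0 }'
}

# Failed sshd passwords per source address, most frequent first.
failed_by_source() {
    login_attempts | awk '$1 == "Failed" { n[$3]++ }
                          END { for (s in n) print n[s], s }' | sort -rn
}

if [ $# -ge 1 ]; then
    # Usage: script /var/log/auth.log
    echo "== cron sessions ==";   cron_sessions   < "$1"
    echo "== login attempts =="; login_attempts  < "$1"
    echo "== failures by source =="; failed_by_source < "$1"
fi
```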
Re: Secure/hardened/minimal Debian (or Why is the base system the way it is?)
> (we are also not releasing *too* many of these yet, when we do the Ghost licensing fees might be higher than is justified).

When Ghost is prohibitive, consider using dd, the standard unix disk dump tool.
Re: Safe to use Mindterm?
> Anne Carasik [EMAIL PROTECTED] wrote on 13/05/2002 (17:55):
>> Security issues? Can you be more specific? There aren't any security issues (yet) with the SSH 2.0 protocol. From what I know, there aren't any issues using mindterm for 2.0 either :)
>
> But the Mindterm package in Debian does not support SSH 2.0, this is the point. It supports 1.x only.

SSH 1 has two major kinds of security vulns:

1) Bugs in the server daemon. ... These have been mostly resolved and don't really concern the client user.

2) Bugs in the design of the protocol. Because ssh1 allows you to deduce how many (unencrypted) bytes of data you are sending in each packet, there are a host of things that make it easier to crack passwords. Additionally, if you use the RC4 cipher, it is trivial to crack one's password. Some interesting articles on this are:

http://216.239.35.100/search?q=cache:O38kBECQ9KsC:paris.cs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf+ssh+vulnerabilities+1+byte+password+crack&hl=en
http://216.239.33.100/search?q=cache:n9qPBRuFs2YC:xforce.iss.net/static/6449.php+ssh+rc4&hl=en

However, I think another problem you will have is that the newer ssh2 daemons don't run in ssh1 mode (for security reasons), so you won't even be able to connect to them.

-rishi
Re: Unknown app ports 32703/32705/32706 logged !
Are you running portmapper? If so, you need to look at whether these ports are mapped to specific things via rpcinfo. Also, you can use lsof for Solaris.

On Sun, 12 May 2002, dave toh wrote:
> Hi,
> A firewall had detected that one of my machines (solaris 2.6) is broadcasting on port 32703/32705/32706 every 3 mins and as I understand it, these are unregistered port nos although close to sun rpc. Can anyone help to provide pointers to find out which process is owning the port? I don't think netstat in solaris can do the job as in linux (-npl). Your urgent help is deeply appreciated.
>
> rgds,
> dave
RE: CNAME, iptables and qmail
You need to open port 53 for tcp and udp. Another way you can look at it is to log all packets you DENY (or REJECT) and see what your DNS is trying to do.

-rishi

On Mon, 6 May 2002, Gary MacDougall wrote:
> Damn!! I hit send before editing this message. Sorry! Please read this instead of my previous message.
> ...
> I'm setting up a Deb (woody) box with qmail and iptables. I've got both installed, both seem to be operating fine. Iptables is set up to not allow traffic other than 25, 110 and of course 22 (ssh). The problem I'm running into is iptables is causing e-mail to NOT be sent (smtp) through the server and I get this message in the /var/logs/qmail/current file:
>
>     @40003cd6d8d41f84ee7c delivery 47: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/
>
> When I flush iptables, of course it works and I can send and receive fine (via SMTP and POP3). Anybody know what the deal is? I suspect some DNS ports need to be opened up, but I'm not sure... Any suggestions?
>
> Gary
>
> ---
> Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
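Both pieces of the advice in one script, added as an example (not the poster's rule set): a host policy for the woody box that opens DNS to its resolver on UDP and TCP 53 alongside SMTP, POP3 and SSH, and logs whatever the DROP policy is about to discard so a blocked lookup shows up in syslog instead of as a qmail deferral. RESOLVER and the IPTABLES wrapper variable are assumptions.

```shell
#!/bin/sh
# Host firewall for a qmail box: SMTP in/out, POP3 and SSH in, and DNS to the
# resolver over UDP *and* TCP 53 (answers over 512 bytes fall back to TCP, so
# UDP alone still leaves some lookups failing). Needs ip_conntrack for the
# state matches. Run with IPTABLES=echo to print the rules instead of loading.

IPTABLES=${IPTABLES:-iptables}
RESOLVER=${RESOLVER:-192.0.2.53}      # assumed: the nameserver in /etc/resolv.conf

mail_host_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Replies to traffic that was allowed in the other direction.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services: SMTP, POP3, SSH (new connections only).
    for port in 25 110 22; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Outbound: DNS to the resolver over both transports, and SMTP delivery.
    $IPTABLES -A OUTPUT -p udp -d "$RESOLVER" --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d "$RESOLVER" --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT

    # Log what is about to hit the DROP policy, rate-limited so a scan cannot
    # fill the disk. The prefix makes the lines easy to grep out of syslog;
    # each one names protocol, destination and port of the blocked packet.
    $IPTABLES -A INPUT  -m limit --limit 5/min -j LOG --log-prefix 'fw-drop-in: '
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop-out: '
}

# Dry run: print the rules that would be loaded.
show_rules() {
    (IPTABLES=echo; mail_host_rules)
}

if [ "${1:-}" = apply ]; then
    mail_host_rules
fi
```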
Re: webhosting
> What I imagine:
> 1. Apache with PHP, and some cgi could be enabled (perl, etc.)
> 2. FTP for each Apache web

Use ssh and scp or sftp instead.

> 3. Some e-mails for each web (better with webmail+antivir)

IMAP or POP3 over SSL ...

> 4. Primary DNS server for each web

Only one DNS server serves all the web domains. Look into chrooting BIND.

> 5. there will be (for now) only 8 webs (domains) and 21 emails
Re: ssh ip address
See the SSH_CLIENT environment variable:

    set | grep SSH        for bash
    setenv | grep SSH     for tcsh and csh

Also, look into getting an account with dyndns so you will have a static FQDN but a dynamic IP that can be looked up.

-rishi

On Tue, 19 Feb 2002, Eduardo J. Gargiulo wrote:
> Hi all.
> Is there any way to obtain the IP address of a ssh client and use it in a shell script? I want to put a crontab-like ssh server script but I need the IP address I'm connecting from in the shell script and the address is assigned dynamically.
>
> thanks
> ~ejg
Re: Emulate real ip's to access intranet hosts from outside
It seems to accomplish the example you posed, you need 2 external IPs. Say they were 1.1.1.1 and 1.1.1.2 for example. Then in DNS you could do:

    ftp1 - 1.1.1.1
    ftp2 - 1.1.1.2
    www1 - 1.1.1.1
    www2 - 1.1.1.2

And on your firewall do:

    1.1.1.1 port 21 - 192.168.0.10
    1.1.1.2 port 21 - 192.168.0.50
    1.1.1.1 port 80 - 192.168.0.12
    1.1.1.2 port 80 - 192.168.0.33

Or, alternatively, you can virtual host the 2 www ports. But the ftps, if you want them to both be on port 21, need to have two separate IPs. The way I do it at work is use port 21 for anon ftp and another port for registered users' ftp. That way the rules look like:

    1.1.1.1 port 21   - machine 1 port 21
    1.1.1.1 port 2121 - machine 2 port 21

Hope this helps.

-rishi

On 13 Feb 2002, Ramon Acedo wrote:
> Hi again!
> Thanks for your quick answers, I think I hadn't explained clearly enough in the first mail. The problem is the following: I have a SINGLE public ip with an associated domain. In that host I have a DNS server, mail server, web, etc. The important point is at the DNS. What I'd like to do is that the firewall forward all the packets, independently of the destination port, which can be any, to a host of the intranet with a private ip. The rule to decide which packets go to what host in the intranet is the name that the client referred to. Example: when I do a ftp to ftp.mydomain.net my DNS server would forward the request to the host 192.168.1.10.
>
> I'd like to have a map like this:
>
>     ftp1.mydomain.net --- 192.168.1.10
>     ftp2.mydomain.net --- 192.168.1.50
>     www1.mydomain.net --- 192.168.1.12
>     www2.mydomain.net --- 192.168.1.33
>     and so on
>
> But actually in the internet all those names look up to 213.1.2.3 and of course the 192.168.x.x is never seen from the internet. I know that apache can manage vhosts and I could redirect to an intranet host all the web traffic coming to www2.mydomain.org; the same can be done with wu-ftp or proftp where you can have multiple domains/subdomains and have different ftp root directories depending on the name the client used to contact it, and then I could set those roots pointing to nfs mounted directories of the internal net, but what I'd like is that all the traffic forwarded would depend on the name used by the client. As I said it's not a port forwarding matter; it would be a program which could manage domain name vhosts and do some kind of bridging / forwarding to the intranet depending on the name the client referred to. So the idea is to emulate lots of real ips with just 1 public ip and 1 domain with all the subdomains I'd need.
>
> Uh! I hope to have been clear enough this time, my English is not perfect (I'm Spanish) so please let me know if you got the idea, ok?
>
> Thanks a lot guys!
> Ramon Acedo
Re: Secure Finger Daemon
I'm not sure which are secure. However, if you plan to use any of them, I suggest using tcp-wrappers (tcpd) via inetd (or xinetd). Then edit your hosts.allow file and explicitly allow only certain machines to access your box. Also, consider running whichever finger daemon as a separate user (i.e. finger). Most of the famous exploits of finger are due to the fact that it is often run as root. However, fingerd requires no information that requires root access to the machine.

-rishi

On 5 Jan 2002, eim wrote:
> Hello,
> I'm planning to install a secure finger daemon on one of the public boxes I admin. Well, out there are really many different finger daemons and in the Debian stable tree I can find:
>
> * efingerd - Another finger daemon for unix capable of fine-tuning your output.
> * xfingerd - BSD-like finger daemon with qmail support.
> * ffingerd - A secure finger daemon
> * fingerd - Remote user information server.
> * cfingerd - Configurable and secure finger daemon
>
> So I've considered using fingered which should be secure. Often I hear and read about exploited finger daemons which gave the attacker system access, so I'm asking on this list for help about the F Daemon. Which finger daemon is *really* secure? Shouldn't I install this service at all? Any experiences about compromised systems?
>
> Thanks for any help!
> Have a nice time,
> - Ivo
>
> --
> Ivo Marino [EMAIL PROTECTED]
> UN*X Developer, running Debian GNU/Linux
> irc.OpenProjects.net #debian
> http://eimbox.org
Re: Squid security
> On another server, which I have squid running and want running, I keep getting accesses from http://service.bfast.com/bfast/serve and someone seems to be accessing web pages late at night when everyone has gone home. Trouble is, the IP addresses that access squid don't have host names (ie. they don't exist) and they keep changing. Is there any way to block access to this and is there a good FAQ, etc.? It seems strange though, as the access is every few minutes and the pages accessed have ads involved, while the first person (above) was accessing squid regularly in spurts.

Try looking up the addresses in arin.net (American Registry for Internet Numbers): http://www.arin.net/whois/index.html

NOTE: This is not the same as networksolutions WHOIS. This site may send you to one of the other registries of internet numbers if the IPs aren't from the US, but you can follow it there.

-rishi
RE: Squid security
Another way to do it is set up an automatic proxy script that tells the browser which port on the squid box to go to. Then you can periodically change the port. (Or you can just change to an obscure port and hope fewer people find it.)

-rishi

On Tue, 4 Dec 2001, Chris Harrison wrote:

> If the IP address was staying the same, you could easily add a reference to /etc/hosts.deny. But since you state that this is not the case it will all be a little trickier. There is no relevance as to whether the IP addresses can resolve into host names or not.
>
> I would suggest that the best solution would be to firewall off the ports that squid uses on your box from unauthorized users. How you go about this is dependent on what kernel you are using and where your firewall is.
>
> If you need squid to be accessible from the outside world, you may want to consider adding authentication to squid to stop random hippies using your squid/bandwidth instead. I believe this is made possible through ACLs (Access Control Lists) for the most part. Looking through /etc/squid.conf here shows me that you can make ACLs to limit access to certain IPs by the time of day etc. There is a setting called authenticate_program in my squid.conf file. What it does is supply the authenticate program and a password list for all the valid users.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 5 December 2001 12:21 PM
> To: Debian Security
> Subject: Squid security
>
>> Recently, I had someone trying to browse the web from one of our servers via squid. Luckily, I didn't need squid for this machine, so I took it off and emailed the hostmaster of the domain the person was doing it from; luckily the IP address was the same. I also managed to get the IP address blocked by our ISP.
>>
>> On another server, which I have squid running on and want running, I keep getting accesses from http://service.bfast.com/bfast/serve and someone seems to be accessing web pages late at night when everyone has gone home. Trouble is, the IP addresses that access squid don't have host names (i.e. they don't exist) and they keep changing. Is there any way to block access to this, and is there a good FAQ, etc.? It seems strange though, as the access is every few minutes and the pages accessed have ads involved, while the first person (above) was accessing squid regularly in spurts.
>>
>> Thanks,
>> Robert
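As an added example (not from the thread), a small shell audit of squid.conf that flags the open-proxy setting Robert's box was running with and shows the corrected ACL/authentication stanza Chris describes. The local network range, the auth helper path and the password file are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit a squid.conf for the open-proxy
# setting and show the corrected ACL/auth stanza. Assumptions (constructed):
# the LAN is 192.168.0.0/16 and a basic-auth helper lives at
# /usr/lib/squid/ncsa_auth with its password file in /etc/squid/passwd.

# squid_audit CONF: prints one finding per line, returns 0 only when it passes.
squid_audit() {
    conf="$1"
    rc=0
    # Drop comments and blank lines so only live directives are examined.
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. "http_access allow all" makes the cache an open proxy for the world.
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
        echo "FAIL: http_access allow all (open proxy)"
        rc=1
    fi

    # 2. Squid evaluates http_access lines in order and, when none matches,
    #    does the OPPOSITE of the last line. The last line must be "deny all".
    last=$(printf '%s\n' "$rules" | grep -E '^[[:space:]]*http_access' | tail -n 1 \
           | tr -s ' \t' ' ' | sed 's/^ //;s/ $//')
    if [ "$last" != "http_access deny all" ]; then
        echo "FAIL: last http_access rule is '$last', expected 'http_access deny all'"
        rc=1
    fi

    # 3. Without a src ACL nobody (not even the LAN) can use the cache.
    if ! printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+src[[:space:]]'; then
        echo "WARN: no 'acl ... src' rule found"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample: the weak configuration.
write_open_conf() {
    cat > "$1" <<'EOF'
http_port 3128
acl all src 0.0.0.0/0.0.0.0
http_access allow all
EOF
}

# Constructed sample: LAN clients during working hours, everyone else must
# authenticate, and a final deny-all catches whatever matched nothing above.
write_fixed_conf() {
    cat > "$1" <<'EOF'
http_port 3128
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/16
acl worktime time MTWHF 08:00-18:00
# authenticate_program (Squid 2.4) became auth_param in Squid 2.5 and later.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl authed proxy_auth REQUIRED
http_access allow localnet worktime
http_access allow authed
http_access deny all
EOF
}
```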
Re: home directory permission
How are you creating a new user directory? Are you mkdir'ing directly or using a program like useradd? If you are mkdir'ing, change your umask (be aware, this changes the umask of ALL of your newly created files). If you are using useradd, look into the -D option. If you are using some other method, look into the manpages on that method and see how to change the defaults. If you explain how you are creating user accounts, I'm sure someone on the list can tell you how to change the defaults. Also, you could write a small shell script to create the user home directory given the username and group.

-rishi

On Fri, 30 Nov 2001, teste teste1 wrote:

> Hi all,
>
> How do I modify the permissions when creating a new user? I do not want to change the permissions every time I add a new user.
>
> Default permission:
>
>     drwxr-sr-x  2 teste2 teste2   teste2
>
> Best security permission:
>
>     drwx------  2 teste  teste    teste
>
> Thanks,
> Ricardson
Re: shutdown user and accountability
How about Ctrl-Alt-Del? That shuts down a debian box without even logging in. As far as accountability ... you could do it the old fashioned way and have a sign-in sheet ... one stupid policy deserves another.

-rishi

On 28 Nov 2001, Olaf Meeuwissen wrote:

> Blake Barnett [EMAIL PROTECTED] writes:
>
>> On Tue, 2001-11-27 at 18:58, Olaf Meeuwissen wrote:
>>> Blake Barnett [EMAIL PROTECTED] writes:
>>>> Can't you give a group sudo access? If so, just add everyone to a group and give that group sudo /sbin/halt or sudo /sbin/shutdown or both.
>>>
>>> That's exactly what my sudo setup does right now. The problem is that apparently *everyone* needs to be able to shut down the machine (for reasons that are beyond me). Adding accounts on an as-needed basis is fine with me, but I don't fancy creating, oh, 250+ password protected accounts just to meet policy.
>>
>> Ok, I guess I didn't understand that the accounts didn't already exist. Is this some sort of kiosk or something?
>
> Nope, just a file/web server (but I'm thinking of adding a programming environment (EEK!) for educational purposes) that is in a place that does not allow physical access restrictions (beyond being able to enter the company premises).
>
>> If you can't wrap the stuff in a script --maybe it needs to be setuid? blech!--, and log it there, then I dunno what to tell ya.
>
> Not much use ;-), but thanks anyway!
> --
> Olaf Meeuwissen  Epson Kowa Corporation, Research and Development
> GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
Re: [off-topic?] Chrooting ssh/telnet users?
Set the shell for the user in /etc/passwd to a script that chroots and then spawns a shell.

-rishi

On Fri, 26 Oct 2001, Javier Fernández-Sanguino Peña wrote:

> I have been asked for this and I was trying to figure out how to do it (would document it later on in the Securing-Debian-Manual). So please, excuse me if you feel this is off-topic.
>
> The problem is, how can an admin restrict remote access from a given user (through telnet and/or sshd) in order to limit his moves inside the operating system? Chrooting the daemon is a possibility, but it's not tailored on a per-user basis but globally to all users (besides, you need all the tools that users might want to use in the jail). I'm looking more into a jailed environment like proftpd's when you set DefaultRoot ~ (jails the user into his home directory but he's able to use all commands, without having to set up all the libraries in it).
>
> AFAIK, pam only allows limiting some user accesses (cores, memory limits..), not users' movement in the OS.
>
> Ideas?
>
> Regards
>
> Javi
Re: [off-topic?] Chrooting ssh/telnet users?
I think the only way to accomplish a chroot IS to include all the files in the jail that the user needs.

-rishi

On 26 Oct 2001, Paul Fleischer wrote:

> On Fri, 2001-10-26 at 15:51, Rishi L Khan wrote:
>> Set the shell for the user in /etc/passwd to a script that chroots and then spawns a shell.
>>
>> -rishi
>
> Hmmm, that wouldn't work as intended - since the jailed environment would have to contain all files/libraries the user needs to get his work done.
>
>> On Fri, 26 Oct 2001, Javier Fernández-Sanguino Peña wrote:
>>> Chrooting the daemon is a possibility, but it's not tailored on a per-user basis but globally to all users (besides, you need all the tools that users might want to use in the jail). I'm looking more into a jailed environment like proftpd's when you set DefaultRoot ~ (jails the user into his home directory but he's able to use all commands, without having to set up all the libraries in it).
>
> Unfortunately, I can't see how this should be done. The reason it works with proftpd is because it has those common commands built in and does not depend on the files being in the jail. However, how would you use ls, which resides in /bin/ls, if you are jailed into /home/username?? As I see it, it cannot be done (though it would be nice).
> --
> Paul Fleischer
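As an added example (not from the thread), a shell script that does the part Paul says is the real work: it populates a per-user jail with the binaries a login shell needs and the shared libraries ldd resolves for them, and prints the login wrapper rishi describes. It assumes glibc- or musl-style ldd output; the jail path and the wrapper are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build the contents of a chroot jail so
# that a shell and ls actually work inside it. Assumptions: ldd prints either
# "lib.so => /path/lib.so (0x..)" or "/path/ld.so (0x..)"; JAIL is a
# constructed path; chroot(2) itself needs root and is not run here.

# copy_with_libs JAIL BINARY...
# Copies each binary to JAIL/bin and every library it links against to the
# same path under JAIL (e.g. JAIL/lib/x86_64-linux-gnu/libc.so.6).
copy_with_libs() {
    jail="$1"; shift
    mkdir -p "$jail/bin"
    for bin in "$@"; do
        cp -L "$bin" "$jail/bin/" || return 1
        # Statically linked binaries yield no usable ldd lines, which is fine.
        for lib in $(ldd "$bin" 2>/dev/null \
                     | awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}'); do
            mkdir -p "$jail$(dirname "$lib")"
            [ -e "$jail$lib" ] || cp -L "$lib" "$jail$lib"
        done
    done
}

# count_jail_libs JAIL: number of shared objects copied outside JAIL/bin.
count_jail_libs() {
    find "$1" -path "$1/bin" -prune -o -type f -name '*.so*' -print | wc -l | tr -d ' '
}

# The login "shell" /etc/passwd would point at. chroot(2) requires root, so
# this wrapper has to run privileged; on current OpenSSH the ChrootDirectory
# option in sshd_config performs this step instead. Printed, not installed.
jail_shell_wrapper() {
    cat <<'EOF'
#!/bin/sh
# Constructed wrapper: drop the user into the jail built by copy_with_libs.
JAIL="/home/jail/$USER"
exec /usr/sbin/chroot "$JAIL" /bin/sh
EOF
}
```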
Re: protecting against buffer overflow.
You can set up logcheck and cron to check every minute for suspicious log entries (as you define them) and have them emailed to you. Additionally, you can edit the logcheck.sh file and have it notify you any way you like.

-rishi

On 15 Sep 2001, Russell Speed wrote:

> Thanks, I will add that line. This box only acts as a firewall and access for my home network, so there isn't much on it. I'm just considering the idea of editing the pertinent scripts to accomplish that and was wondering if someone tried but found the task too daunting.
>
> I guess for backdoors it's really just the current daemons I run, right? I rebuilt my modules and checked the daemons' timestamps.
>
> What's a good piece of software to monitor for system accesses? Something that could send an e-mail the minute it happened would be great. I'd still like to have ssh access from the Internet. I could handle being notified every time I tripped the software from outside since it doesn't happen often.
>
> Should I report the IP to RBL or something like that?
>
> Russell
>
> On Sat, 2001-09-15 at 13:17, Alberto Gonzalez Iniesta wrote:
>> On Sat, Sep 15, 2001 at 12:51:26PM -0400, Russell Speed wrote:
>>> Should I remove /bin/sh for something less obvious as a general protection from buffer overflows?
>>
>> Most shell scripts running on your server call #!/bin/sh, so removing it will get you in lots of trouble ;-) Just try:
>>
>>     $ grep \/bin\/sh /etc/init.d/*
>>
>> If your software is up-to-date buffer overflows shouldn't be a problem. If you're running Potato, make sure you have this line in /etc/apt/sources.list:
>>
>>     deb http://security.debian.org stable/updates main contrib non-free
>>
>> And keep it updated and upgraded.
>>
>> Also, if you think your machine was compromised, check for backdoors, modified binaries, etc... Changing passwords may not be enough.
>> --
>> Alberto Gonzalez Iniesta [EMAIL PROTECTED]
>> Give Me Liberty or Give Me Death (Patrick Henry)
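As an added example (not from the thread), a minimal logcheck-style job of the kind rishi suggests running from cron: it reports only lines written since the previous run, matches patterns you define, and restarts from the top after log rotation. The pattern file, state file and log lines are constructed; the mail recipient is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven "what is new in the log"
# scanner. Assumptions: paths are parameters so it runs on constructed files;
# MAILTO in the cron comment is a placeholder.

# scan_new_lines LOG STATE PATTERNS
# Prints the lines of LOG appended since the last run that match any extended
# regex in PATTERNS (one per line). STATE stores the line count already seen.
scan_new_lines() {
    log="$1"; state="$2"; patterns="$3"
    seen=0
    [ -f "$state" ] && seen=$(cat "$state")
    total=$(wc -l < "$log" | tr -d ' ')
    # A shorter file than last time means the log was rotated: start over.
    [ "$total" -lt "$seen" ] && seen=0
    tail -n +"$((seen + 1))" "$log" | grep -E -f "$patterns" || true
    echo "$total" > "$state"
}

# Cron entry a practitioner would install (constructed; shown, not installed),
# mailing only when something matched so an empty minute stays silent:
# * * * * * out=$(/usr/local/sbin/logscan.sh); [ -n "$out" ] && echo "$out" | mail -s "logscan $(hostname)" MAILTO

# Constructed patterns: the entries a small ssh-exposed firewall cares about.
write_patterns() {
    cat > "$1" <<'EOF'
Failed password
Illegal user
Accepted (password|publickey) for root
EOF
}

# Constructed syslog lines, first batch (written before the first run).
write_log_batch1() {
    cat > "$1" <<'EOF'
Sep 15 10:01:02 fw sshd[1201]: Accepted publickey for russell from 192.0.2.10 port 2201 ssh2
Sep 15 10:05:41 fw sshd[1210]: Failed password for root from 203.0.113.7 port 3311 ssh2
Sep 15 10:05:43 fw sshd[1210]: Failed password for root from 203.0.113.7 port 3311 ssh2
EOF
}

# Constructed syslog lines, second batch (appended between two cron runs).
append_log_batch2() {
    cat >> "$1" <<'EOF'
Sep 15 10:07:00 fw cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Sep 15 10:09:12 fw sshd[1322]: Illegal user test from 203.0.113.7
EOF
}
```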
Re: '(no
Consider using tripwire on your computers in the future. This way you can create a database of md5sums of all important programs and store them on a disk in your drawer. Then you'll know what was hacked and what wasn't.

-rishi

On 15 Sep 2001, Momchil Velikov wrote:

> Dimitri == Dimitri Maziuk [EMAIL PROTECTED] writes:
>
> Dimitri> In linux.debian.security, you wrote:
>>> I am curious if the following is an example of a buffer overflow. I noticed this in my syslog - and the following day had someone logged in from an IP I'm not aware of. I changed the passwords - and added an entry to the input chain to block the IP, but am wondering what other things I should do? Should I remove /bin/sh for something less obvious as a general protection from buffer overflows?
>
> Dimitri> If you suspect your machine was r00ted,
> Dimitri> 1. Take it off the net _now_.
> Dimitri> 2. If you want to do a post-mortem, boot from a known good CD or plug the hd into a known good box.
> Dimitri> 3. Post mortem or not, wipe everything out (as in fdisk) and reinstall from scratch.
>
> Frankly, this looks a bit too harsh. Of course, it depends on the importance of the machine and the data on it.
>
> Dimitri> The reason is that the intruder could install hacked versions of utilities like ps, ls, lsmod etc. that won't show backdoor processes and hacked files, and/or a kernel module that does the same at OS level. Your logs may have been sanitized, too. You cannot trust any program on a r00ted box.
>
> In theory, yes. In practice, one can (marginally) trust some of the programs, e.g. is it likely that a rootkit has changed ``tar''? Or ``apt-get''? Or ``tcsh''? You can use ``tar'' to find out if ``ls'' was changed. Use ``echo'' to list directories and compare with ``ls'' and ``find''. Use ``tcsh'' builtin ``ls-F''. I guess there are other means to detect a rootkit, described somewhere on the web.
>
> (Hopefully, mozilla is not cracked to conceive such information :-)
>
> Regards,
> -velco
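As an added example (not from the thread), rishi's idea in its simplest form: a baseline of md5sums for the binaries a rootkit typically replaces, written once to removable media and checked later. The file list and the media path are constructed; the check is only meaningful when run from a known-good kernel with a known-good md5sum, which is Dimitri's point above.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal Tripwire-style baseline.
# Assumptions (constructed): the baseline is kept off the box, e.g. on
# /media/floppy/baseline.md5, and verification runs from known-good media.

# make_baseline OUT FILE...   records "md5  path" for each file into OUT.
make_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        md5sum "$f" >> "$out"     # same format "md5sum -c" reads back
    done
}

# verify_baseline BASELINE
# Prints CHANGED/MISSING lines for files that no longer match; returns 1 if any.
verify_baseline() {
    baseline="$1"
    bad=0
    while read -r hash path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(md5sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$baseline"
    return "$bad"
}

# On the real machine, right after install and before it goes online
# (constructed invocation; the list is the usual rootkit targets):
#   make_baseline /media/floppy/baseline.md5 /bin/ls /bin/ps /bin/netstat \
#       /sbin/lsmod /sbin/ifconfig /usr/bin/find /usr/bin/md5sum /usr/sbin/sshd
# Later, booted from trusted media with the root filesystem mounted under /mnt,
# prefix the paths accordingly before verifying.
```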
Re: firewall
If you're not using sunrpc or lpd, I would turn them off. The way I do it is turn off the services (/etc/init.d/portmap stop; /etc/init.d/lpd stop) and then edit /etc/init.d/lpd and /etc/init.d/portmap and add a line near the top that says exit 0 (w/o quotes) so that when you restart, they don't come back. Also, if you don't need telnet, turn that off by commenting out the line starting with telnet in the /etc/inetd.conf file. Then restart inetd or send a kill -HUP to it. Additionally, your firewall should filter all incoming tcp connection requests except the ones you want to keep (like ssh, etc). I'm not sure how to do that in iptables, because I use ipchains.

-rishi

On Mon, 10 Sep 2001, Tom Breza wrote:

> Hi
>
> I have been installing a firewall on iptables, and I have a few questions. My situation is a bit specific; I am connected to the internet something like this:
>
>     my network ---eth0 [Router / Firewall with iptables] ppp0--- ISP --- INTERNET
>
> I put the firewall on iptables on the router, a Linux box with debian, but I can scan only via nmap from the inside network or from the router's interface ppp0 to see what ports I have open. But my question is: when I scan that way, nmap -v -sS -O ppp0 (I give the IP address), then I have some ports open. Should I make them filtered?! My open ports are:
>
>     Service | Port | State
>     --------+------+------
>     ssh     | 22   | Open
>     telnet  | 23   | Open
>     smtp    | 25   | Open
>     domain  | 53   | Open
>     pop-3   | 110  | Open
>     sunrpc  | 111  | Open
>     printer | 515  | Open
>     kdm     | 1024 | Open
>
> netstat -anp returns this:
>
>     router:/home/tom# netstat -anp
>     Active Internet connections (servers and established)
>     Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>     tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      509/rpc.mountd
>     tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      491/lpd
>     tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      485/inetd
>     tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      97/portmap
>     tcp        0      0 10.16.34.56:53          0.0.0.0:*               LISTEN      447/named
>     tcp        0      0 192.168.253.254:53      0.0.0.0:*               LISTEN      447/named
>     tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      447/named
>     tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      517/sshd
>     tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      485/inetd
>     tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      485/inetd
>     tcp        0      0 192.168.253.254:22      192.168.253.20:2209     ESTABLISHED 12226/sshd
>     tcp        0      0 192.168.253.254:22      192.168.253.20:1666     ESTABLISHED 2544/sshd
>     udp        0      0 0.0.0.0:1024            0.0.0.0:*                           447/named
>     udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
>     udp        0      0 0.0.0.0:1026            0.0.0.0:*                           -
>     udp        0      0 0.0.0.0:1027            0.0.0.0:*                           509/rpc.mountd
>     udp        0      0 10.16.34.56:53          0.0.0.0:*                           447/named
>     udp        0      0 192.168.253.254:53      0.0.0.0:*                           447/named
>     udp        0      0 127.0.0.1:53            0.0.0.0:*                           447/named
>     udp        0      0 0.0.0.0:111             0.0.0.0:*                           97/portmap
>     Active UNIX domain sockets (servers and established)
>     Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
>     unix  2      [ ACC ]     STREAM     LISTENING     380    447/named           /var/run/ndc
>     unix  6      [ ]         DGRAM                    332    435/syslogd         /dev/log
>     unix  2      [ ACC ]     STREAM     LISTENING     546    491/lpd             /dev/printer
>     unix  2      [ ]         DGRAM                    781    540/pppd
>     unix  2      [ ]         DGRAM                    538    491/lpd
>     unix  2      [ ]         DGRAM                    434    460/diald
>     unix  2      [ ]         DGRAM                    378    447/named
>
> What should I do? How can I close, for example, lpd? Or sunrpc? Should I block all these ports by giving a specific IP? In the man page for nmap it is written:
>
>     ... Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open.
>
> If I make them filtered somehow, can I still connect to my router via ssh? Or another way? What is your advice? I will be grateful for any suggestion :)
>
> siaraX
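As an added example (not from the thread), the iptables form of rishi's advice for Tom's router (eth0 inside, ppp0 to the ISP) together with the inetd.conf edit that disables telnet; with DRY_RUN set it prints the rules instead of loading them. The interface names and 192.168.253.0/24 come from Tom's message; which ports stay reachable from outside is an assumption to trim to what he actually serves.

```shell
#!/bin/sh
# Added example, not from the thread: ingress filtering for a 2.4 router and
# the inetd telnet edit. Assumptions: eth0 = LAN, ppp0 = ISP (Tom's diagram);
# iptables with the state match; DRY_RUN=1 echoes commands instead of running.

ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# build_firewall: drop everything arriving from the ISP side unless it belongs
# to a connection we started or is a service we deliberately expose.
build_firewall() {
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i eth0 -j ACCEPT                      # trust the inside LAN
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Private source addresses cannot legitimately arrive over ppp0: they are
    # spoofed or someone else's NAT leaking. Drop them before anything else.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i ppp0 -s "$net" -j DROP
    done
    # Services kept reachable from the Internet (assumption: ssh, mail, DNS).
    ipt -A INPUT -i ppp0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i ppp0 -p tcp --dport 25 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i ppp0 -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # telnet, pop-3, sunrpc, printer and the rpc/nfs ports get no rule: the
    # DROP policy covers them, which is what nmap then reports as "filtered".
}

# disable_inetd_telnet INETD_CONF: comment out the telnet line only, then
# "kill -HUP" inetd (left to the caller) so the change takes effect.
disable_inetd_telnet() {
    sed 's/^telnet[[:space:]]/#&/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```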
Re: That Layne incident (possibly useful information, not just whining!)
Maybe that's the same trick that got him on the list in the first place...

-rishi

On Sun, 2 Sep 2001, Wade Richards wrote:

> Hi Everyone,
>
> On Sat, 01 Sep 2001 22:36:44 MDT, John Galt writes:
>> Yeah, but when's the last time you heard from him? Methinks that he got hit by a clue-by-four or is otherwise incommunicado...
>
> I can't be 100% sure, but I think I know how we were rid of Layne.
>
> First of all, it was obvious from his posting that he didn't want to be removed from the list, he wanted to e-mail obscenities in reply to each message he received (he even said "I don't want to have to click anywhere to be removed, you ##%#$#^# should remove me", or something to that effect). Telling him how to unsubscribe was simply feeding the troll.
>
> I sent Layne a polite message explaining how to remove himself from the list. The subject of the message was "unsubscribe", and the Reply-to header of the message was [EMAIL PROTECTED]. I assume that Layne replied to my mail with yet another string of insults. I also assume that Layne was not smart enough to notice that the Reply-to: field was set to someone other than me. I assume that the list-processing software at [EMAIL PROTECTED] is smart enough to unsubscribe someone if the subject is "Re: unsubscribe" instead of just "unsubscribe".
>
> As I said, I'm not 100% sure it was my trick that got rid of Layne, but his messages did stop very shortly after I did this. So now everyone has a new trick to use the next time some 14-year-old gets subscribed to a mailing list and wants to demonstrate his power by annoying everyone.
>
> --- Wade
>
> PS: Yes, I know that this mail is full of assumptions pretending to be facts. They're all educated guesses. If you happen to *know* that one of my guesses is wrong, please let me know. If you have a different guess, then we can disagree quietly.
> --
> Wade Richards --- [EMAIL PROTECTED]
Re: kernel: NAT: 0 dropping untracked packet c1aa2300 1 10.20.30.132 - 62.142.131.12
I think he's right ... Also, 169.254.x.x is indicative of a windows machine that is looking for DHCP but doesn't get it. So, it's probably NATs outside of your network.

-rishi

On Sat, 31 Mar 2001, Aaron Dewell wrote:

> I assume that is on the ethernet side facing the ISP? Or that you have one ethernet card and all traffic is going there? Cable modem? (read: shared media)
>
> My bet would be that someone else is doing NAT as well, and you are seeing their packets too (probably because they are using only one card as well), but your box doesn't know about their NATd box, so it complains.
>
> You could add a rule to PREROUTING that drops anything from 10/8 that you aren't using, then you probably wouldn't see those messages anymore.
>
> Aaron
>
> On Sat, 31 Mar 2001, Martin Fluch wrote:
>> Hello,
>>
>> I have the following problem. A few days ago I compiled my 2.4.2 kernel with support for NAT in order to get a computer of a friend of mine connected to the internet (we had to masquerade his computer since my ISP has fixed the internet connection to the MAC address of my network card, but that's another story). The whole thing went ok, but there is one thing which puzzles me. From the beginning I got every once in a while a message of the following type in my logs:
>>
>>     Mar 31 13:50:17 seneca kernel: NAT: 0 dropping untracked packet c1ecc980 1 10.20.30.132 - 62.142.131.12
>>
>> Ok, that might happen, I thought (and I am anything but an expert in this NAT stuff, so I really don't know what this message means, but as long as it happened only seldom I didn't care much about it). But yesterday the appearance of these messages started to increase and today it's really annoying. So I'm really wondering, what's going on here? Especially often the source address 10.20.30.132 is mentioned; once in a while (but seldom) there are other addresses outside the local network, for example 169.254.27.17. (About my network: My IP is 62.142.131.26, the gateway is 62.142.131.1.)
>>
>> I've attached the gzipped part of kern.log from the last reboot on (45 min containing about 300 messages).
>>
>> Perhaps somebody has a clue what is going on here in the network?
>>
>> Thank you in advance,
>> Martin
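As an added example (not from the thread), a shell summary of the kernel "NAT: ... dropping untracked packet" lines by source address that classifies each source as RFC 1918, link-local (the 169.254/16 range rishi points to) or public, plus Aaron's PREROUTING drop rule in iptables form. The log lines are constructed to match Martin's format; the interface name is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: triage the untracked-packet messages.
# Assumptions: log lines follow the 2.4 kernel format quoted by Martin
# ("src -> dst"; the archive's copy lost the ">"); the single NIC is eth0.

# nat_untracked_summary LOG: prints "count src class", most frequent first.
nat_untracked_summary() {
    grep 'NAT: .* dropping untracked packet' "$1" | awk '
    {
        # Fields after "packet": skb address, hook number, src, "->", dst.
        for (i = 1; i <= NF; i++) if ($i == "packet") { src = $(i+3); break }
        count[src]++
    }
    END {
        for (s in count) {
            cls = "public"
            if (s ~ /^10\./ || s ~ /^192\.168\./ || s ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
                cls = "rfc1918"
            else if (s ~ /^169\.254\./)
                cls = "link-local"
            printf "%d %s %s\n", count[s], s, cls
        }
    }' | sort -rn
}

# Constructed sample log in the thread's format plus one unrelated line.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 31 13:50:17 seneca kernel: NAT: 0 dropping untracked packet c1ecc980 1 10.20.30.132 -> 62.142.131.12
Mar 31 13:50:19 seneca kernel: NAT: 0 dropping untracked packet c1aa2300 1 10.20.30.132 -> 62.142.131.12
Mar 31 13:51:02 seneca kernel: NAT: 0 dropping untracked packet c1aa2300 1 169.254.27.17 -> 62.142.131.26
Mar 31 13:51:40 seneca kernel: NAT: 0 dropping untracked packet c1ecc980 1 10.20.30.132 -> 62.142.131.12
Mar 31 13:52:00 seneca kernel: eth0: link up
EOF
}

# nat_drop_rule NET: Aaron's fix as a command string (not executed here; needs
# root). The mangle table's PREROUTING chain is traversed before the nat hook
# that logs these messages, so dropping there silences them.
nat_drop_rule() {
    echo "iptables -t mangle -A PREROUTING -i eth0 -s $1 -j DROP"
}
```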
Re: anyone using telnet
When you say "their account" do you mean they have an account on the machine you're setting up accounts for? Or is this machine some kind of "public kiosk" where anyone can get on? Allowing anyone to telnet in is a BAD idea. That means a script kiddie from Belgium can telnet in. If you want to set up a public setup, make a username and password, and just post it. Also, this doesn't require the telnet or ssh daemon to be running (unless you need them for something else). Another solution is to use NIS and have everyone's account information in one location, and share it across the machines.

-rishi

On Mon, 19 Mar 2001, Pedro Zorzenon Neto wrote:

> Hi,
>
> I'd like anyone to be able to use the local keyboard of some machines to telnet/ssh to any other machine and use their account on the other machine. A simple solution would be to create one account for user "anyone" without password and restrict its login with rbash to use just telnet/ssh. Also disallow ftp for user "anyone".
>
> Do you think this is a good solution? Does it open some security hole?
>
> Thanks,
> Pedro
Re: Allow FTP in, but not shell login
The way I'd do it is set the last field of the /etc/shadow (the shell field) to /usr/bin/false.

-rishi

On Tue, 13 Mar 2001, Kenneth Pronovici wrote:

> Hello -
>
> I'm not sure exactly where to look for this information, so if I should RTFM, just point me toward the right one.
>
> I have a situation where I've volunteered to host a few webpages for some users. They're at a university and are having problems getting timely access to their organizational websites on their school's server. Anyway, I'm happy to be the host, but I want these people to be able to FTP in ONLY, without interactive access. I want to do this specifically for a set of users, not for all users on the machine.
>
> My feeling is that PAM supports this somehow, but I'm not sure where to start. Anyone have any suggestions?
>
> Thanks for the help.
>
> KEN
>
> --
> Kenneth J. Pronovici [EMAIL PROTECTED]
> Personal Homepage: http://www.skyjammer.com/~pronovic/
> "The phrase, 'Happy as a clam' has never really held much meaning for me."
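An added check, not from the thread, for the "FTP in, no shell" setup: it lists which accounts still get an interactive shell and classifies one account as FTP-only, blocked or interactive. It uses constructed passwd and shells files in place of /etc/passwd and /etc/shells (the shell is the seventh field of /etc/passwd), and encodes the caveat that many FTP daemons (proftpd with its default RequireValidShell, wu-ftpd) refuse accounts whose shell is not listed in /etc/shells, so /usr/bin/false must be listed there for FTP to keep working.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed stand-ins for /etc/passwd
# and /etc/shells; the login shell is the 7th field of passwd.
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:web user:/home/alice:/usr/bin/false
bob:x:1002:1002:web user:/home/bob:/bin/bash
carol:x:1003:1003:web user:/home/carol:/usr/sbin/nologin
EOF
cat > "$WORK/shells" <<'EOF'
/bin/sh
/bin/bash
/usr/bin/false
EOF

# Print the login name of every account whose shell grants interactive access:
# a shell listed in the shells file that is not one of the usual deny shells.
interactive_users() {  # $1 = passwd file, $2 = shells file
    awk -F: '
        NR == FNR { if ($0 !~ /^#/ && $0 != "") valid[$0] = 1; next }
        ($7 in valid) && $7 !~ /\/(false|nologin)$/ { print $1 }
    ' "$2" "$1"
}

# Classify one account:
#   ftp-only     deny shell that is still listed in the shells file, so an
#                ftpd that checks /etc/shells accepts it but no shell is given
#   blocked      deny shell that is NOT listed, so such an ftpd rejects it too
#   interactive  any other shell
account_access() {  # $1 = passwd file, $2 = shells file, $3 = user
    awk -F: -v user="$3" '
        NR == FNR { valid[$0] = 1; next }
        $1 == user {
            deny = ($7 ~ /\/(false|nologin)$/)
            if (deny && ($7 in valid)) print "ftp-only"
            else if (deny)             print "blocked"
            else                       print "interactive"
        }
    ' "$2" "$1"
}

interactive_users "$WORK/passwd" "$WORK/shells"      # root, bob
account_access "$WORK/passwd" "$WORK/shells" alice   # ftp-only
account_access "$WORK/passwd" "$WORK/shells" carol   # blocked
```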
Re: NTP security
Maybe use tcp wrappers? That's how I'd do it.

-rishi

On Sat, 10 Mar 2001, Jamie Heilman wrote:

> Piotr Tarnowski wrote:
> > If not, can I limit allowed clients somehow? (I noticed that DENY on ipchains to others than my reference external server limits ntptrace usage).
>
> To the best of my knowledge you can't natively (in the application) control access at the transport level, which is unfortunate. You can at the protocol level however. Get the NTP documentation and read about the authentication options and the access control options. To control access at the transport level you will have to use firewalling rules.
>
> --
> Jamie Heilman http://audible.transient.net/~jamie/
> "I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
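The protocol-level access control Jamie points to is ntpd's restrict directive. As an added example (not from the thread), the script below holds two constructed ntp.conf fragments, one that leaves queries such as ntptrace's open and one that closes them with the standard ntpd flags, and a small audit that reports which flags a "restrict default" line lacks.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed ntp.conf fragments; the
# restrict flags (kod nomodify notrap nopeer noquery, ignore) are ntpd's own.
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
# serves time, but also answers mode 6/7 queries (ntpq, ntpdc, ntptrace) and
# traps from anyone; only runtime modification is refused
restrict default nomodify
server ntp.example.org
EOF
cat > "$WORK/hardened.conf" <<'EOF'
# default: serve time only; no config changes, traps, peering or queries
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# the reference server is talked to, but may not query or reconfigure us
server ntp.example.org
restrict ntp.example.org nomodify notrap noquery
EOF

# Print "missing FLAG: LINE" for every "restrict [-4|-6] default" line that
# lacks one of the expected flags; prints nothing when all are complete.
ntp_restrict_findings() {  # $1 = ntp.conf
    sed 's/#.*//; s/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//' "$1" |
    grep -E '^restrict (-[46] )?default' |
    while IFS= read -r line; do
        case " $line " in *" ignore "*) continue ;; esac  # ignore drops all
        for flag in nomodify noquery notrap nopeer; do
            case " $line " in
                *" $flag "*) ;;
                *) printf 'missing %s: %s\n' "$flag" "$line" ;;
            esac
        done
    done
}

# 0 when at least one default restriction exists and none lacks a flag;
# 1 otherwise (no "restrict default" line at all means unrestricted access).
ntp_restrict_default_ok() {  # $1 = ntp.conf
    grep -qE '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default' "$1" || return 1
    [ -z "$(ntp_restrict_findings "$1")" ]
}

ntp_restrict_findings "$WORK/weak.conf"   # reports noquery, notrap, nopeer
```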
Re: how secure is mail and ftp and netscape/IE???
I use iXplorer and putty. This does GUI scp, but it looks like GUI ftp.

On Wed, 21 Feb 2001, Adam Spickler wrote:

> What about if you are going from a Windows box to a *nix box? Is there any way to do secure ftp transfers? Mail, for me, is no problem. I ssh into my machines and use Mutt to deal with email.
>
> ...adam
>
> On Wed, Feb 21, 2001 at 05:29:11PM -0300, Pedro Zorzenon Neto wrote:
> > Hi Steve,
> >
> > About sending plain text passwords and files with telnet and ftp: uninstall your 'telnetd' and 'ftp server' and install 'ssh'. ssh is really secure and has two useful commands: 'ssh' is a substitute for telnet, and 'scp' is not the same thing, but substitutes ftp with some advantages. Read their manuals and compare.
> >
> > Bye
> > Pedro
> >
> > On Wed, Feb 21, 2001 at 03:13:43PM -0500, Steve Rudd wrote:
> > > Hello! Steve here,
> > >
> > > Well I am one of the family now! My server is Debian 2.2r2. A benign hacker got me. All he seemed to do was overwrite my root index.html page and notify the hackers watchdog group to take responsibility for the act!
> > >
> > > I have some security questions:
> > >
> > > 1. How secure is it checking email with Eudora Pro, given they have not yet got ssh or any other system that is secure? Since Outlook has ssh, is it worth switching for that? I use a separate user and password for mail and ftp.
> > > 2. CuteFTP is not secure yet, but should be soon.
> > > 3. Using Netscape to port to private sections of the website: www.abc.com:1020/systemconfig/index.html (for example) I am asked for a user name and password via Netscape/IE.
> > >
> > > ===
> > >
> > > Ok, all these things are really transmitting my user name and password via plain text with no encryption. If I have sudo installed and a sniffer comes along, they have root access very easily!
> > >
> > > Should I be concerned about using email, ftp and IE?
> > >
> > > Steve
>
> -
> Adam Spickler
> Whaddu LLC.
> http://www.whaddu.com
> WebHosting and Design/Development Unlimited
> -
Re: secure install
I use: gtar cf - . | ssh target "gtar xvpBf -"

-rishi

On Sat, 17 Feb 2001, Nathan E Norman wrote:

> On Sat, Feb 17, 2001 at 06:21:04PM +0100, Carel Fellinger wrote:
> > On Sat, Feb 17, 2001 at 02:49:03PM +0100, Thor wrote:
> > > ...
> > > Speaking of cloning a single partition, I suggest a simple 'cp -ax /mount_point_of_original_partition /mount_point_of_target_partition'. The 'a' stands for archive (recursive and same permissions) and with the 'x' the copy doesn't go outside the indicated filesystem. You can find the same suggestion in How-To/Large-Disk.
> >
> > The disadvantage of this command is that it doesn't preserve hardlinks. So you can end up using a lot more diskspace than before, as I learned the hard way when moving my debian mirror to a new disk :)
>
> To avoid this problem use "find . | cpio -padm /target"
>
> --
> Nathan Norman - Staff Engineer | A good plan today is better
> Micromuse Inc.                 | than a perfect plan tomorrow.
> mailto:[EMAIL PROTECTED]       | -- Patton
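An added example, not from the thread, of the tar pipeline rishi uses: it clones a small constructed tree through a local pipe (the subshell stands in for the `ssh target "tar xpf -"` hop) and then verifies that the hard link and the non-default mode survived the copy, which is the property the thread is concerned about. It assumes GNU tar and GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed source tree with a hard
# link and a non-default mode; clone via a tar stream and verify the result.
WORK=$(mktemp -d)
mkdir -p "$WORK/src/etc"
printf 'data\n' > "$WORK/src/etc/a"
ln "$WORK/src/etc/a" "$WORK/src/etc/b"   # hard link: b shares a's inode
chmod 660 "$WORK/src/etc/a"              # a mode umask 022 would alter

# Clone SRC into DST with a tar stream. The receiving subshell is where an
# `ssh target "tar xpf -"` would go for a remote clone; -p keeps the modes
# recorded in the archive instead of applying the receiving side's umask.
tar_clone() {  # $1 = source dir, $2 = destination dir
    mkdir -p "$2" &&
    (cd "$1" && tar cf - .) | (cd "$2" && tar xpf -)
}

# 0 when two paths share an inode, i.e. are hard links of one file.
same_inode() {  # $1, $2 = paths
    [ "$(stat -c %i "$1")" = "$(stat -c %i "$2")" ]
}

# Number of hard links to a path.
link_count() { stat -c %h "$1"; }

# Octal mode of a path.
file_mode() { stat -c %a "$1"; }

tar_clone "$WORK/src" "$WORK/dst"
same_inode "$WORK/dst/etc/a" "$WORK/dst/etc/b" && echo "hard link preserved"
echo "mode of clone: $(file_mode "$WORK/dst/etc/a")"   # 660
```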