On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
Oh, I guess anyone can say something like Four years without a remote
hole in the default install! on the internet, where anyone is free to
that quote is pure marketing. they don't count the recent ftpd remote
root hole in that
On Sun, Jul 22, 2001 at 08:18:34AM +0200, Matthias Richter wrote:
You need to tell iptables which packages should be logged. For example:
iptables -N log # This table logs and hands package over to delete
iptables -N delete # This table rejects anything
iptables -A INPUT RULE -j log #
On Sun, Jul 22, 2001 at 12:34:50AM -0500, Nathan E Norman wrote:
On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
PS We don't give guns to children, do we?
What the hell does this have to do with running services on a freaking
computer connected to the Internet? You are
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
WARNING: You have started this car! You are about to drive this car.
That means, you will be moving, what means that accidents could be
harmful for you. Do you really want to proceed?
[Yes] [No][Abort]
On Sat, Jul 21, 2001 at 11:39:36PM -0700, Jacob Meuser wrote:
I think it is quite fitting.
i think is a 21st century variant of Godwin's law developing.
--
Ethan Benson
http://www.alaska.net/~erbenson/
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
snip
No, I'm simply saying not to start services immediately.
snip
Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea. The trouble with the current system is that installed
daemons
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
WARNING: You have started this car! You are about to drive this car.
That means, you will be moving, what means that accidents could be
harmful for you. Do you really want to proceed?
[Yes] [No][Abort]
On Sun, Jul 22, 2001 at 12:01:55AM -0700, Jacob Meuser wrote:
Well, someone has decided to attack me for using an analogy, so I will
refrain from saying how this doesn't go with what I'm saying.
Oh, grow up. I did not attack you, I questioned the wisdom of
comparing running services on a
Jacob == Jacob Meuser [EMAIL PROTECTED] writes:
Jacob What I would like is for packages to not start a service
Jacob immediately upon installation. I don't want the installation of
Jacob packages to put links in /etc/rc?.d. IF not that, then
On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
Oh, I guess anyone can say something like Four years without a remote
hole in the default install! on the internet, where anyone is free to
that quote is pure
On Sun, Jul 22, 2001 at 02:03:23AM -0500, Nathan E Norman wrote:
Oh, grow up. I did not attack you, I questioned the wisdom of
comparing running services on a computer to the politically loaded
question of guns.
You are beginning to sound like a troll. - Nathan E Norman
[EMAIL PROTECTED]
On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
Oh, I guess anyone can say something like Four years without a remote
hole in the default install!
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
On Sun, Jul 22, 2001 at 12:54:49PM +1000, CaT wrote:
You know. You're right. We should make it as difficult as possible
to install software. Right down to removing makefiles from source
repositories and rot13ing the source
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
I could give a rats @$$ about what is Debian's base system. Those aren't
installed with apt-get install anyway. I could give two $#1+$ about
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
Then stick to that.
I could give a rats @$$ about what is Debian's base system.
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
I could give a rats @$$ about what is Debian's base system. Those aren't
On Sun, Jul 22, 2001 at 01:38:23AM -0700, Magus Ba'al wrote:
"No machine is 100% secure, except those machines that do not
exist. Anyone who thinks their box is 100% secure has rocks in their
heads, regardless what OS they are running."
Don't mean to sound like an annoyance, but I
On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
Then stick to that.
On Sun, Jul 22, 2001 at 12:44:19AM -0800, Ethan Benson wrote:
what part of `don't install the service if you don't need it/don't
know how to configure it' don't you understand?
And when, during the installation, or regular use of Debian, is that
message ever displayed to the user?
[EMAIL
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
Please, quote me on where I have contradicted that.
Right below.
Nothing is contradicting that.
If you only wanted to talk about apt-get you should've stuck to it.
Then I'm to ignore all other questions and ideas, as well personal
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
I mentioned that OpenBSD has a policy of not starting services by
default. Ethan Benson went off on how OpenBSD is rubbish. As
no i said the claim that OpenBSD starts no
Alright, I said I was bowing out, but I will reply to this last email.
In my first post, I may not have been completely clear. I said that
OpenBSD doesn't start services that are insecure. Now, we all know
that no service is totally secure, so that statement is somewhat of
an oxymoron.
I wasn't going to jump in on this thread/flamewar, but since I have been
bouncing on D in the mailer a lot more than normal the last couple days, I
feel like one more post won't hurt... so here's two cents worth.
First, I want to encourage list posters in the future to reconsider voicing
On Sun, 22 Jul 2001, Steven Barker wrote:
I think that there should be a way to install a debian server packages
without having the installation scripts start the server. This need not be
default, but it should be possible.
Why should anyone want to install a server without letting it run?
On Sun, 22 Jul 2001, Jacob Meuser wrote:
What I would like is for packages to not start a service immediately
upon installation.
Though I do not understand this, I do not want to argue again, see my
other post...
I don't want the installation of packages to
put links in /etc/rc?.d.
Jacob Meuser [EMAIL PROTECTED] writes:
Still not the point. I'm talking about services being enabled, either
by default, or by apt-get.
[...]
ftpd is not enabled by default.
So imagine someone looking for a ftp-server, and, as it happens to be
the case, finds one, say, per locate, in
Exactly. It is more of a special case to *not* want a server to start
at boot rather than the other way around. To those who think that
apt-get install apache is too easy, then why is apt-get remove apache
too hard?
-Rob
On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
On
On Sunday 22 July 2001 11:17 am, Rob VanFleet wrote:
If you're upgrading for
security and bug fixes, you use upgrade.
apt-get remove junkbuster wwwoffle --purge
Not so hard to me.
Have you ever bothered to lower your message priority in debconf?
dpkg-reconfigure debconf. Choose 'low'.
Bernhard == Bernhard R Link [EMAIL PROTECTED] writes:
Bernhard On public streets or public places, you are not
Bernhard allowed. Otherwise you are allowed without licence.
True. And I think that most of us won't care if people have insecure
If you're upgrading for
security and bug fixes, you use upgrade.
In michael's defense, take this entry from the apt-get manpage:
dist-upgrade
dist-upgrade, in addition to performing the function
of upgrade, also intelligently handles chang
On Sun, 22 Jul 2001, Steven Barker wrote:
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
snip
No, I'm simply saying not to start services immediately.
snip
Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea. The trouble with
Dear Debian Security:
I have a problem configuring apache + mod_ssl on debian.
I already have installed apache and mod-ssl from debian site (potato), and in apache
error log, I got:
[Mon Jul 23 11:07:10 2001] [notice] Apache/1.3.9 (Unix) Debian/GNU mod_ssl/2.4.10
OpenSSL/0.9.4 PHP/4.0.3pl1
On Sun, Jul 22, 2001 at 07:28:31PM -0500, Kenneth Pronovici wrote:
If you're upgrading for
security and bug fixes, you use upgrade.
In michael's defense, take this entry from the apt-get manpage:
dist-upgrade
dist-upgrade, in addition to performing the func
On Sat, Jul 21, 2001 at 08:21:09PM -0700, Nicole Zimmerman wrote:
last i used OpenBSD (2.6) it started portmap and identd by default at
the very least, maybe fingerd too i don't remember for sure.
The difference is, those were not exploitable.
And they are on debian?
It seems
On Sat, Jul 21, 2001 at 10:34:56PM -0500, Dana J. Laude wrote:
On Sat, Jul 21, 2001 at 06:27:00PM -0700 Jacob Meuser wrote:
IMHO, no distribution is secure out of the box. Hell,
even OpenBSD has had major blunders in their latest
release. Security is, after all... an ongoing issue
that
Microsoft Windows is not really bad, if you know how to admin it.
However, Microsoft give this on its web site:
http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTZAK.asp
Oh my god... Zero Administration ?
Luckily, Debian is asking their administrator check for security
On 20010721.2117, Jacob Meuser said ...
On Sat, Jul 21, 2001 at 08:21:09PM -0700, Nicole Zimmerman wrote:
last i used OpenBSD (2.6) it started portmap and identd by default at
the very least, maybe fingerd too i don't remember for sure.
The difference is, those were not
On 20010721.2117, Jacob Meuser said ...
On Sat, Jul 21, 2001 at 08:21:09PM -0700, Nicole Zimmerman wrote:
last i used OpenBSD (2.6) it started portmap and identd by default at
the very least, maybe fingerd too i don't remember for sure.
The difference is, those were not
On Sat, Jul 21, 2001 at 07:52:02PM -0700, Jacob Meuser wrote:
And who's going to teach them? Certainly not an OS that makes it as
easy as 'apt-get install apache' !
Well, your solution of making it more obfuscated and difficult will
cause even more of a problem.
On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
PS We don't give guns to children, do we?
What the hell does this have to do with running services on a freaking
computer connected to the Internet? You are beginning to sound like a
troll.
HINT: It's difficult to kill someone with
On Sat, Jul 21, 2001 at 06:27:00PM -0700, Jacob Meuser wrote:
On Sat, Jul 21, 2001 at 04:32:32PM -0800, Ethan Benson wrote:
Not really what I was getting at. I was saying this is TOO EASY.
I'm saying that Debian doesn't do a good enough job of warning
people about doing these things. I'm
On Sat, Jul 21, 2001 at 04:39:48PM -0800, Ethan Benson wrote:
fool me once, shame on you, fool me twice shame on me.
Fool me twice?
Our hospital is building a network and needs special software. The
only software we found useful runs under Win. We would have installed
linux, but we are nearly
What does syslog recognize as iptables log messages? I tried
putting iptable.* in syslog.conf, but I'm not seeing messages.
thanks,
jc
--
Jeff Coppock        Nortel Networks
Systems Engineer    http://nortelnetworks.com
Major Accts.        Santa Clara, CA
On Sat, Jul 21, 2001 at 10:59:08PM -0700, Jeff Coppock wrote:
IIRC it uses kernel facility per default and configurable log level (via
--log-level) But I'd suggest checking into ULOG-target in the
patch-o-matic[1].
What does syslog recognize as iptables log messages? I tried
putting
Jeff Coppock wrote on Sat Jul 21, 2001 at 10:59:08PM:
What does syslog recognize as iptables log messages? I tried
putting iptable.* in syslog.conf, but I'm not seeing messages.
You need to tell iptables which packages should be logged. For example:
iptables -N log # This table logs and
Martin == Martin Bieder [EMAIL PROTECTED] writes:
Martin WARNING: You have started this car! You are about to drive this
Martin car. That means, you will be moving, what means that accidents
Martin could be harmful for you. Do you really want to
On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
Oh, I guess anyone can say something like Four years without a remote
hole in the default install! on the internet, where anyone is free to
that quote is pure marketing. they don't count the recent ftpd remote
root hole in that
On Sun, Jul 22, 2001 at 08:18:34AM +0200, Matthias Richter wrote:
You need to tell iptables which packages should be logged. For example:
iptables -N log # This table logs and hands package over to delete
iptables -N delete # This table rejects anything
iptables -A INPUT RULE -j log #
On Sun, Jul 22, 2001 at 12:34:50AM -0500, Nathan E Norman wrote:
On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
PS We don't give guns to children, do we?
What the hell does this have to do with running services on a freaking
computer connected to the Internet? You are
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
WARNING: You have started this car! You are about to drive this car.
That means, you will be moving, what means that accidents could be
harmful for you. Do you really want to proceed?
[Yes] [No][Abort]
On Sat, Jul 21, 2001 at 11:39:36PM -0700, Jacob Meuser wrote:
I think it is quite fitting.
i think is a 21st century variant of Godwin's law developing.
--
Ethan Benson
http://www.alaska.net/~erbenson/
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
snip
No, I'm simply saying not to start services immediately.
snip
Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea. The trouble with the current system is that installed
daemons
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
WARNING: You have started this car! You are about to drive this car.
That means, you will be moving, what means that accidents could be
harmful for you. Do you really want to proceed?
[Yes] [No][Abort]
On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
snip
No, I'm simply saying not to start services immediately.
snip
...
I think that there should be a way to install a debian server packages
without having
On Sun, Jul 22, 2001 at 12:01:55AM -0700, Jacob Meuser wrote:
Well, someone has decided to attack me for using an analogy, so I will
refrain from saying how this doesn't go with what I'm saying.
Oh, grow up. I did not attack you, I questioned the wisdom of
comparing running services on a
On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:
I think that there should be a way to install a debian server packages
without having the installation scripts start the server. This need not be
default, but it
On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
Oh, I guess anyone can say something like Four years without a remote
hole in the default install! on the internet, where anyone is free to
that quote is pure
Jacob == Jacob Meuser [EMAIL PROTECTED] writes:
Jacob What I would like is for packages to not start a service
Jacob immediately upon installation. I don't want the installation of
Jacob packages to put links in /etc/rc?.d. IF not that, then
On Sun, Jul 22, 2001 at 02:03:23AM -0500, Nathan E Norman wrote:
Oh, grow up. I did not attack you, I questioned the wisdom of
comparing running services on a computer to the politically loaded
question of guns.
You are beginning to sound like a troll. - Nathan E Norman
[EMAIL PROTECTED]
On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
Oh, I guess anyone can say something like Four years without a remote
hole in the default install!
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
On Sun, Jul 22, 2001 at 12:54:49PM +1000, CaT wrote:
You know. You're right. We should make it as difficult as possible
to install software. Right down to removing makefiles from source
repositories and rot13ing the source
On Sun, Jul 22, 2001 at 01:32:00AM -0600, Hubert Chan wrote:
I'm not sure that would be an effective warning, and it may even be
confusing to people, as it does not indicate that there is a potential
security risk, but just tells them to read the security pages.
Hmmm, silly me referenced
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
I could give a rats @$$ about what is Debian's base system. Those aren't
installed with apt-get install anyway. I could give two $#1+$ about
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
Then stick to that.
I could give a rats @$$ about what is Debian's base system.
-Original Message-
From: CaT [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 22, 2001 1:11 AM
To: Jacob Meuser
Cc: debian-security@lists.debian.org
Subject: Re: red worm amusement
"No machine is 100% secure, except those machines that do not
exist. Anyone who thinks their box is 100%
On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
that quote is pure marketing.
Marketing? OpenBSD has about as much of an advertising dept as does
Debian. None.
that quote is still marketing, its backed up by excuses and lawyerly
nitpicking, not real fact.
And so the
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
I could give a rats @$$ about what is Debian's base system. Those aren't
On Sun, Jul 22, 2001 at 01:38:23AM -0700, Magus Ba'al wrote:
"No machine is 100% secure, except those machines that do not
exist. Anyone who thinks their box is 100% secure has rocks in their
heads, regardless what OS they are running."
Don't mean to sound like an annoyance, but I
On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.
Then stick to that.
On Sun, Jul 22, 2001 at 12:44:19AM -0800, Ethan Benson wrote:
what part of `don't install the service if you don't need it/don't
know how to configure it' don't you understand?
And when, during the installation, or regular use of Debian, is that
message ever displayed to the user?
[EMAIL
On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
Please, quote me on where I have contradicted that.
Right below.
Nothing is contradicting that.
If you only wanted to talk about apt-get you should've stuck to it.
Then I'm to ignore all other questions and ideas, as well personal
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
I mentioned that OpenBSD has a policy of not starting services by
default. Ethan Benson went off on how OpenBSD is rubbish. As
no i said the claim that OpenBSD starts no
Alright, I said I was bowing out, but I will reply to this last email.
In my first post, I may not have been completely clear. I said that
OpenBSD doesn't start services that are insecure. Now, we all know
that no service is totally secure, so that statement is somewhat of
an oxymoron. However,
I wasn't going to jump in on this thread/flamewar, but since I have been
bouncing on D in the mailer a lot more than normal the last couple days, I
feel like one more post won't hurt... so here's two cents worth.
First, I want to encourage list posters in the future to reconsider voicing
their
On Sun, 22 Jul 2001, Steven Barker wrote:
I think that there should be a way to install a debian server packages
without having the installation scripts start the server. This need not be
default, but it should be possible.
Why should anyone want to install a server without letting it run?
On Sun, 22 Jul 2001, Jacob Meuser wrote:
What I would like is for packages to not start a service immediately
upon installation.
Though I do not understand this, I do not want to argue again, see my
other post...
I don't want the installation of packages to
put links in /etc/rc?.d.
Jacob Meuser [EMAIL PROTECTED] writes:
Still not the point. I'm talking about services being enabled, either
by default, or by apt-get.
[...]
ftpd is not enabled by default.
So imagine someone looking for a ftp-server, and, as it happens to be
the case, finds one, say, per locate, in
I am new to Debian and this is my first post to the debian-security
mailing list, having read this thread I really ain't seeing anybody pointing
out that it is the Sysadmin who makes the machine secure, it's not an OS
what makes a machine secure, it's the admin behind it.
I use a broad range of
On Sun, Jul 22, 2001 at 07:59:47AM -0500, chandler wrote:
Similarly, after a recent apt-get dist-upgrade (intended to grab security
updates only,
Then why did you dist-upgrade? I think it's pretty self-explanatory
that if you're upgrading from one distribution to another (like from
stable to
Exactly. It is more of a special case to *not* want a server to start
at boot rather than the other way around. To those who think that
apt-get install apache is too easy, then why is apt-get remove apache
too hard?
-Rob
On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
On
On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
On Sun, 22 Jul 2001, Steven Barker wrote:
I think that there should be a way to install a debian server packages
without having the installation scripts start the server. This need not be
default, but it should be
On Sunday 22 July 2001 11:17 am, Rob VanFleet wrote:
If you're upgrading for
security and bug fixes, you use upgrade.
apt-get remove junkbuster wwwoffle --purge
Not so hard to me.
Have you ever bothered to lower your message priority in debconf?
dpkg-reconfigure debconf. Choose 'low'.
Bernhard == Bernhard R Link [EMAIL PROTECTED] writes:
Bernhard On public streets or public places, you are not
Bernhard allowed. Otherwise you are allowed without licence.
True. And I think that most of us won't care if people have insecure
boxes,
On Sun, 22 Jul 2001, Steven Barker wrote:
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
snip
No, I'm simply saying not to start services immediately.
snip
Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea. The trouble with
85 matches