Re: iptables filtering rules

2002-03-25 Thread Christian G. Warden
i'm in the middle of switching from ipchains to iptables right now and i haven't tested my DNAT rules yet, but from what i understand, packets pass through the FORWARD chain in the filter table after the PREROUTING chain in the nat table. see the second paragraph here:

Re: A question about some network services

2002-04-04 Thread Christian G. Warden
rdate is probably easier to use. ntp requires at least a little configuration, but it is more accurate. xn On Thu, Apr 04, 2002 at 06:56:30PM +0200, eim wrote: First of all thanks to all for responses. On Wed, 2002-04-03 at 20:22, Holger Eitzenberger wrote: On Wed, Apr 03, 2002 at

Re: log the original source ipaddress

2002-04-09 Thread Christian G. Warden
i'm not familiar with rinetd, but if you use netfilter to do dnat the source address will be maintained. just make sure internal boxes hit the webserver directly, on the internal ip, rather than through the external one so they don't get confused by packets coming back directly from the web

Re: PPTP with Encryption

2002-04-30 Thread Christian G. Warden
yeah, it's a mess. i spent 2 days trying to get poptop working a few months ago. once i got everything patched and running and could setup a vpn between pptp-linux and pptpd, i still couldn't get win98 to connect to pptpd. i gave up and decided next time i'd try to use ipsec with freeswan.

Re: register_globals in php4

2002-05-09 Thread Christian G. Warden
of the authenticated user. here's an article on secure programming in php: http://www.zend.com/zend/art/art-oertli.php xn On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote: Hello Christian G. Warden [EMAIL PROTECTED], Yes. But when a user type the url something like login.php?id=fakeid

off topic: quoting (was Re: html spam)

2002-05-10 Thread Christian G. Warden
On Fri, May 10, 2002 at 01:04:40PM +0300, Jussi Ekholm wrote: Christian G. Warden [EMAIL PROTECTED] wrote: (Could you please post your reply *below* the quoted text? Top-posting is quite irritating, IMHO) i just want to add a warning about spamassassin. i had it setup for about a week

Re: Configuration problems with pam_smb, mod_auth_pam

2002-05-29 Thread Christian G. Warden
On Wed, May 29, 2002 at 10:05:45AM -0700, Tom Dominico wrote: I am attempting to configure our Debian webserver, running Apache, to use our Windows PDC when authenticating for secure web access. I have followed instructions that I found on the web, but I am having trouble. [...] AuthType

Re: recommendations for FTP server

2003-06-20 Thread Christian G. Warden
On Fri, Jun 20, 2003 at 07:39:28PM +0100, Ian Goodall wrote: Any recommendations, experiences, thoughts? Running ftp over a vpn would work but it's not the easiest option. Sftp is exactly what you need. Why not just run it on another port? Last I checked, sftp requires a patch to chroot,

Re: How efficient is mounting /usr ro?

2003-10-17 Thread Christian G. Warden
On Fri, Oct 17, 2003 at 11:01:27AM +0200, Yasar Arman wrote: Bernd Eckenfels wrote: In article [EMAIL PROTECTED] you wrote: A read-only /usr is not a security measure. Depends on your definition of it-security. It reduces downtime, prevents some admin and software failures and

Re: clamscan avavis spamassassin with exim4 on sarge

2003-11-09 Thread Christian G. Warden
On Sun, Nov 09, 2003 at 12:08:40AM -0600, Hanasaki JiJi wrote: Anyone have/working on integration of these? clam spamc and amavis are installed however, they don't seem to update the /etc/exim4/conf.d of the new packaging system. thank you. exim4-daemon-heavy has the exiscan-acl patch

Re: CVS server in a user-mode-linux

2003-12-19 Thread Christian G. Warden
On Fri, Dec 19, 2003 at 05:46:11PM +0100, Bill Allombert wrote: Hello Debian-security list, I have experimented with running an anonymous CVS server inside user-mode-linux. So far this seems to work well and hopefully should enhance security a bit. The host kernel has the skas patch. I

Re: exim virus scanning and spam scanning

2003-12-21 Thread Christian G. Warden
On Sun, Dec 21, 2003 at 09:09:38AM -0600, hanasaki wrote: what's the difference between amavis-ng and milter and amavisd-new? are some going away? which one do you use for what? or clamscan directly? how can virus scanning be added? clamscan and spam Spam assassin seem to be the norms

Re: scp and sftp

2002-03-31 Thread Christian G. Warden
the commercial ssh server has an option to chroot to a user's home directory. there are patches available to openssh to do it also, though i don't know if they've been thoroughly audited. check out http://mail.incredimail.com/howto/openssh/ you can make sftp-server the user's shell to only allow

Re: on potato's proftpd

2002-04-03 Thread Christian G. Warden
On Wed, Apr 03, 2002 at 02:43:10PM -0800, Petro wrote: On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote: Release early; release often. <b><em><font size=7><blink>NO</font></em></b> Measure twice, cut once. i haven't really been following this thread, but i like analogies as much

Re: log the original source ipaddress

2002-04-10 Thread Christian G. Warden
i'm not familiar with rinetd, but if you use netfilter to do dnat the source address will be maintained. just make sure internal boxes hit the webserver directly, on the internal ip, rather than through the external one so they don't get confused by packets coming back directly from the web

Re: PPTP with Encryption

2002-04-30 Thread Christian G. Warden
looks like there's a package for the patch: kernel-patch-mppe - ppp_mppe module for pppd xn On Tue, Apr 30, 2002 at 12:03:09PM -0400, Derek J. Balling wrote: At 8:43 AM -0700 4/30/02, Anne Carasik wrote: Last time I checked, PPTP comes with encryption. All you have to do is configure it. I

Re: html spam

2002-05-08 Thread Christian G. Warden
i just want to add a warning about spamassassin. i had it set up for about a week and it was very good at catching spam, but occasionally it would drive the cpu load into the 20s. i didn't spend any time trying to track down the problem. i was using procmail to send all my mail through SA so

Re: register_globals in php4

2002-05-09 Thread Christian G. Warden
one of the php lists is probably a better forum for this question, but in short, register_globals=off means that if you want to use the id variable passed in the query string by the browser, you would access it as $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info at

Re: Email Virus Scanner

2002-08-12 Thread Christian G. Warden
i recently set up mailscanner with mcafee virusscan and have been pretty happy with it. if you describe the nature of the error, i might be able to help you out. xn On Mon, Aug 12, 2002 at 08:00:16PM -0500, Daniel J. Rychlik wrote: Gentlemen,
