Re: evolution

2003-06-26 Thread HdV
On Thu, 26 Jun 2003, Martynas Domarkas wrote:

> Hi, it's me again and I have another stupid question: my evolution
> mailer in a short period of time repeatedly tries to connect to some
> strange hosts:
>
>
> tcp 0 1 192.168.0.1:33931 205.156.51.200:80 SYN_SENT 4055/evolution-exec
>
> tcp 0 1 192.168.0.1:33932 206.14.209.40:80 SYN_SENT 4055/evolution-exec
>
> tcp 0 1 192.168.0.1:33933 63.236.73.20:80 SYN_SENT 4055/evolution-exec
>
> There are a LOT of connections: ~700 in 5 minutes. I did not find any
> configuration options with those hosts.
>
> What could it be?

Well, judging from the names I'd think you have the weather and news
features of the summary page enabled.

$ host 205.156.51.200
200.51.156.205.in-addr.arpa domain name pointer tgftp.nws.noaa.gov.
$ host 206.14.209.40
40.209.14.206.in-addr.arpa domain name pointer www.salon.com.
$ host 63.236.73.20
Host 20.73.236.63.in-addr.arpa not found: 3(NXDOMAIN)

Grx HdV
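As an added example (not code from the thread), a small triage script for exactly this situation: it parses netstat-style output, groups the half-open SYN_SENT attempts by program and destination, and resolves the destinations the way the reply above does with `host`. The sample lines are constructed from the ones quoted above (unwrapped onto one line each), and the resolver can be swapped for an offline table.

```python
import re
import socket
from collections import Counter

# Constructed sample in the shape of `netstat -tnp` output (the thread's lines, unwrapped).
SAMPLE_NETSTAT = """\
tcp 0 1 192.168.0.1:33931 205.156.51.200:80 SYN_SENT 4055/evolution-exec
tcp 0 1 192.168.0.1:33932 206.14.209.40:80 SYN_SENT 4055/evolution-exec
tcp 0 1 192.168.0.1:33933 63.236.73.20:80 SYN_SENT 4055/evolution-exec
tcp 0 1 192.168.0.1:33934 205.156.51.200:80 SYN_SENT 4055/evolution-exec
tcp 0 0 192.168.0.1:22 192.168.0.7:51022 ESTABLISHED 812/sshd
"""

LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
                     r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)")

def parse_netstat(text):
    """One dict per connection line; headers and unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text, states=("SYN_SENT",)):
    """Count attempts per (program, remote ip:port) that are in one of the given states."""
    counts = Counter()
    for c in parse_netstat(text):
        if c["state"] in states:
            counts[(c["prog"], f'{c["raddr"]}:{c["rport"]}')] += 1
    return counts

def static_resolver(table):
    """Offline stand-in for socket.gethostbyaddr, built from an {ip: ptr_name} dict."""
    def resolve(ip):
        if ip not in table:
            raise socket.herror(1, "Unknown host")
        return (table[ip], [], [ip])
    return resolve

def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup, like `host <ip>` in the reply; None where no PTR exists (NXDOMAIN)."""
    try:
        return resolver(ip)[0]
    except OSError:          # socket.herror and gaierror are OSError subclasses
        return None

def triage(text, resolver=socket.gethostbyaddr):
    """Rows of (program, endpoint, count, ptr_name), busiest destination first."""
    return [(prog, ep, n, reverse_lookup(ep.rsplit(":", 1)[0], resolver))
            for (prog, ep), n in summarize(text).most_common()]
```

Run `triage(SAMPLE_NETSTAT)` on a real system to use live PTR lookups; pass `static_resolver({...})` to stay offline.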




Re: Passwordless Authentication (was Re: How to reduce sid security)

2003-08-01 Thread HdV
On Fri, 1 Aug 2003, Kjetil Kjernsmo wrote:

> On Friday 01 August 2003 04:10, Peter Cordes wrote:
> > You should use ssh-keygen to create a keypair on each machine, and
> > copy the public key from the machine you generated it on to the other
> > machine.  This allows quick passwordless authentication.
>
> I've tried to do this many times, but I've failed... Is there a Very
> Verbose Guide to Passwordless Authentication with SSH somewhere...? :-)

Hai Kjetil,

I just finished such a beast...

If you can read Dutch you can use my pages right now [1]. They explain
all this in excruciating detail. OpenSSH and SSH.com interoperability
and setting up ssh-agent are explained too. Some scripts are provided to
automate all this.

On the other hand, if you can wait 'til after the weekend I'll translate
those pages to English for you (and anyone else who'd like to use them
of course).

[1] http://huizen.dto.tudelft.nl/devries/security/ssh2_pubkey_auth_config.nl.html

Grx HdV
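An added example, not code from the thread or from the linked pages: the receiving-machine half of what Peter describes, installing a public key into authorized_keys with the modes sshd's StrictModes expects, plus a check for the permission mistake that most often makes key authentication silently fall back to a password prompt. The key line is a constructed placeholder, not a real key.

```python
import os
import re
import base64
from pathlib import Path

# Constructed sample key line; the base64 body is a placeholder, not a real key.
SAMPLE_PUBKEY = ("ssh-rsa " + base64.b64encode(b"constructed example, not a key").decode()
                 + " kjetil@laptop")

KEY_RE = re.compile(r"^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))"
                    r" [A-Za-z0-9+/]+={0,2}( .*)?$")

def validate_pubkey(line):
    """Accept exactly one OpenSSH public-key line: type, base64 blob, optional comment."""
    line = line.strip()
    if "\n" in line or not KEY_RE.match(line):
        raise ValueError("not an OpenSSH public-key line")
    return line

def install_pubkey(pubkey_line, home):
    """Append the key to <home>/.ssh/authorized_keys once, with 0700/0600 modes.
    Returns True if the key was added, False if the same key was already there."""
    key = validate_pubkey(pubkey_line)
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                 # mkdir is subject to umask; be explicit
    auth = ssh_dir / "authorized_keys"
    lines = auth.read_text().splitlines() if auth.exists() else []
    # Identity is type + blob; the trailing comment is free text and may differ.
    present = {tuple(l.split()[:2]) for l in lines if l.strip() and not l.startswith("#")}
    added = tuple(key.split()[:2]) not in present
    if added:
        with auth.open("a") as f:
            f.write(key + "\n")
    os.chmod(auth, 0o600)
    return added

def check_modes(home):
    """List what sshd's StrictModes (on by default) refuses: a home directory,
    .ssh directory or authorized_keys file that is group- or world-writable.
    Any hit makes sshd ignore the key and ask for a password instead."""
    home = Path(home)
    problems = []
    for path in (home, home / ".ssh", home / ".ssh" / "authorized_keys"):
        if path.exists() and os.stat(path).st_mode & 0o022:
            problems.append(f"{path} is group/world writable")
    return problems
```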





Re: Passwordless Authentication (was Re: How to reduce sid security)

2003-08-12 Thread HdV
On Tue, 12 Aug 2003, Aníbal Monsalve Salazar wrote:

> What's the URL of the English version?

Well, I just finished translating the iptables page and hope to have this
one ready at the end of the day. That would be about 18:00 CEST (+0200).
It will be available at

http://huizen.dto.tudelft.nl/devries/security/ssh2_pubkey_auth_config.html

Sorry for the delay. Things have been quite busy around here the last
few days. Lots of things going on to keep one running at the moment with
that nasty RPC business and WU-FTP keeping up its reputation once
again...

Grx HdV





Re: Passwordless Authentication (was Re: How to reduce sid security)

2003-08-12 Thread HdV
On Tue, 12 Aug 2003, Aníbal Monsalve Salazar wrote:

> What's the URL of the English version?

It took me a bit longer than I had expected, but I just finished the
translation. You can read it here:

http://huizen.dto.tudelft.nl/devries/security/ssh2_pubkey_auth_config.html

Grx HdV





Re: certificate server

2003-11-04 Thread HdV
On Tue, 4 Nov 2003, rico wrote:

> Hello
>
> Do you know if a package exists that implements a certificate server (PKI) for
> debian, and where I can find it?

You might want to take a look at pyca, it is apt-get installable.

Another package I know of is openCA (www.openca.org), but that is not in
the packages list.

Grx HdV




Re: Firewall script

2003-11-30 Thread HdV
On Sat, 29 Nov 2003, Luc MAIGNAN wrote:

> I need to configure an IPTABLES-based Linux-Box with Woody installed. Has
> anyone an example of such a script to help me?

Hi Luc,

You might find my page on setting up iptables helpful. You can find it
at

http://huizen.dto.tudelft.nl/devries/security/iptables_example.html

It provides a ruleset which I think is sufficient for most situations
and shows how to activate it through the pre-up and post-down
instructions in /etc/network/interfaces. The ruleset and the
initialization script are extensively documented so you should have no
trouble figuring out how it all works.

HTH,

Grx HdV




RE: blocking AXFR record query

2004-01-29 Thread HdV
On Wed, 28 Jan 2004, James Miller wrote:

> If memory serves.. AXFR is a zone transfer... So, at your firewall, you would
> want to only allow TCP queries from your backup (secondary,
> trinary..etc.) dns servers (on the outside of your firewall) and limit
> everyone else to UDP queries.

I am no BIND expert, but please do not block TCP 53 unless you want to
drop about 20% (might be another percentage at your site) of all valid
lookups too! There is a long-standing myth that DNS traffic is UDP only
(excepting zone transfers). THIS IS NOT TRUE. I am sorry, I can't help
you with the BIND specific stuff.

Grx HdV
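An added example (not code from the thread) of why TCP 53 carries ordinary lookups, not just zone transfers: a resolver that sees the TC (truncated) bit in a UDP reply must repeat the same query over TCP. The reply bytes are constructed by the helper below, so nothing is sent on the wire.

```python
import struct

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_reply(txid, qname, truncated, ancount=0):
    """Constructed reply with header + question only: QR=1, RD=1, RA=1, TC as requested."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a resolver acts on."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_reply, sent_txid):
    """True when the resolver must repeat this query over TCP 53: the reply answers our
    query and has TC=1, i.e. the answer did not fit the UDP datagram (RFC 1035, 4.2.1).
    A firewall that drops TCP 53 turns every such lookup into a failure."""
    h = parse_header(udp_reply)
    return h["qr"] and h["id"] == sent_txid and h["tc"]
```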




Re: hosts deny, alow

2002-02-11 Thread HdV
On Mon, 11 Feb 2002 [EMAIL PROTECTED] wrote:

> 1. i try to configure in hosts.deny :
>
> ALL:[EMAIL PROTECTED]

Hi Aku,

To deny all incoming connections for tcpwrapped ports it is
sufficient to have this line in your /etc/hosts.deny file:

ALL: ALL

The endpoint construct isn't necessary for what you seem to want.

> and try in hosts.allow :
>
> ALL : 202.xxx.xxx.xx1, 202.xxx.xxx.xx2
>
> But when I try from 202.xxx.xxx.xx1 and 202.xxx.xxx.xx2 the message
> is Connection closed by remote host.
>
> how to configure in close all and allow from
> that ip?

Well, if you want to allow all types of connections from those two
IPs that should do it. You just have to state the IP numbers separated
by spaces and/or commas according to the manpage (see man hosts_access).
Which is what you seem to do (assuming those x's aren't really in
there... `;-)

However I strongly suggest you open only those ports that you need
instead of all of them, but you can do that after things are working
the way you want it.

Of course even if tcp_wrapper gives you access the daemon doesn't
have to do so too... So, maybe it's not the wrapper that's denying you
access. If you think your hosts.deny and hosts.allow files are fine,
then maybe it's good to make sure the daemon accepts your connections.

> 2. I try to close port 111 in services and give # on port sunrpc
>   111/tcp, and inetd but
> always be open.

You don't block access by commenting lines in the services file.
There are two locations you can do that: the file /etc/inetd.conf
and the files in the directory /etc/init.d. Those are the ones that
control your inetd processes and your daemons. To stop portmapper
you can add "exit 0" on its own line at the top of the file
/etc/init.d/portmap, immediately after the comment header. If you
want to disable portmapper only for a specific runlevel, then you can
also rename the appropriate symlink in /etc/rc[23].d/

HTH

-- 
J.A. de Vries aka HdV
Delft University of Technology
Computing Centre

Email: [EMAIL PROTECTED]
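An added example, not code from the thread: a small evaluator for the hosts.allow/hosts.deny logic discussed above, applying the files in the order tcp_wrappers does (hosts.allow first, then hosts.deny, otherwise access is granted). Only the IP-based client patterns are implemented, and the addresses are constructed stand-ins for the 202.xxx.xxx.xx1/xx2 ones in the question.

```python
import ipaddress

# Constructed stand-ins for the files discussed in the thread (the poster's
# 202.xxx.xxx.xx1/xx2 replaced by documentation addresses).
HOSTS_ALLOW = """\
# everything from the two admin workstations, sshd from the office LAN
ALL : 203.0.113.1, 203.0.113.2
sshd : 10.1.2. 192.0.2.0/255.255.255.0
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """'daemon_list : client_list [: options]'; list items split on commas and/or spaces."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed hosts_access rule: {raw!r}")
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, exact address, 'n.n.n.' prefix,
    net/mask. Hostname, @netgroup and EXCEPT forms are not implemented here."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(client_matches(p, ip) for p in clients)

def access_granted(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Order tcp_wrappers uses: hosts.allow (first match grants), then hosts.deny
    (first match refuses); a client that matches neither file is granted access."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True
```

Note that a grant here only means the wrapper lets the connection through; as the reply says, the daemon behind it still makes its own decision.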



Re: hosts deny, alow

2002-02-11 Thread HdV
On Mon, 11 Feb 2002 [EMAIL PROTECTED] wrote:

> Of course even if tcp_wrapper gives you access the daemon doesn't
> have to do so too... So, maybe it's not the wrapper that's denying you
> access. If you think your hosts.deny and hosts.allow files are fine,
> then maybe it's good to make sure the daemon accepts your connections.

Upon reading this I thought this could be confusing. What I meant to
say was that after your connection is accepted by the tcp_wrapper it
also has to be accepted by the process listening to that port. That could
be an inetd process (in.telnetd or something like that for example), but
also a tcp_wrapper enabled daemon (like ssh).

So, if you are sure that your hosts.allow and hosts.deny files are as
you want them then maybe it's wise to make sure the config file for
the process listening to the port you're trying to connect to is OK.

I wasted an hour once by only looking at the hosts files, and forgetting
about the config file... Mind you, chances are it's just something in
the hosts.allow file. So make sure they are as they should be.

man hosts_access

will be very helpful when configuring the tcp_wrapper.

Grx HdV

-- 
Support bacteria -
they're the only culture some people have.

J.A. de Vries aka HdV
Delft University of Technology
Computing Centre

Email: [EMAIL PROTECTED]