Re: Encrypting/emailing logs and configs
On Wednesday, 30 October 2002, at 13:07:31 -0500, Sean McAvoy wrote:

> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?

Maybe the following is too ad-hoc for your liking, but it should work OK and be reasonably easy to set up, apart from being quite secure IMO.

I am thinking about "rsync" over "ssh", initiated from the destination backup server to the "production" VPN/Firewall machine. "rsync" does wonders updating trees of files in an optimal (bytes-transferred-wise) way. Running over "ssh" provides you with an encrypted (and, if using RSA key authentication, authenticated) connection.

Sync the times in the backup server and the firewall with (for example) ntp or ntpdate, and create a cron job in the backup server to initiate the backup at a certain time of the day. If both boxes are synchronized, you could also have your iptables firewall on the VPN/firewall box be updated to allow this backup at exactly the time of the day you have configured. If the backup script, when finished, returns the remote firewall ruleset to the original state, your "vulnerability" window will be even shorter.

I hope to have explained myself in an understandable way ;-)

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.19-pre6aa1)
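In the setup above the firewall's authorized_keys holds the backup server's key, so that key deserves a forced command that allows nothing but read-only rsync pulls of the config and log trees. The following wrapper is an added example (hypothetical helper, not the poster's code); it assumes the backup server pulls with short options only (e.g. "rsync -az -e ssh fw:/etc/ /backup/fw/etc/"), that rsync lives at /usr/bin/rsync, and that ALLOWED_ROOTS and the authorized_keys line shown are placeholders for your own values.

```python
"""Forced-command wrapper restricting the backup server's SSH key to rsync pulls.

Hypothetical helper for the rsync-over-ssh setup above (not the list
poster's own code). Install it on the VPN/firewall box and name it in the
backup server key's authorized_keys entry, for example (constructed line,
placeholder key):

  command="/usr/local/sbin/rsync-pull-only",from="192.0.2.10",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...BACKUP-KEY-PLACEHOLDER
"""
import os
import shlex
import sys

# Directory trees the backup server is allowed to read (assumption).
ALLOWED_ROOTS = ("/etc", "/var/log")
RSYNC = "/usr/bin/rsync"


def _under_allowed_root(path):
    """True if the normalised absolute path lies inside an allowed tree."""
    norm = os.path.normpath(path)
    if not norm.startswith("/"):
        return False
    return any(norm == root or norm.startswith(root + "/") for root in ALLOWED_ROOTS)


def check_command(original):
    """Validate $SSH_ORIGINAL_COMMAND; return the argv to exec, or None.

    A pull such as "rsync -az -e ssh fw:/etc/ /backup/fw/etc/" makes sshd
    on the firewall receive "rsync --server --sender <flags> . /etc/".
    Everything else (a shell, a push without --sender, any long option
    such as --remove-source-files, paths outside ALLOWED_ROOTS) is refused.
    """
    try:
        argv = shlex.split(original)
    except ValueError:
        return None
    if len(argv) < 4 or argv[0] != "rsync":
        return None
    if "--server" not in argv or "--sender" not in argv:
        return None
    # rsync's server-side syntax ends with "." followed by the source paths.
    try:
        dot = argv.index(".")
    except ValueError:
        return None
    for arg in argv[1:dot]:
        if arg in ("--server", "--sender"):
            continue
        # Only the combined short-flag word (e.g. -logDtprze.iLsfxC) is
        # accepted; every other long option is refused outright.
        if not arg.startswith("-") or arg.startswith("--"):
            return None
    sources = argv[dot + 1:]
    if not sources or not all(_under_allowed_root(s) for s in sources):
        return None
    return [RSYNC] + argv[1:]


def main():
    original = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    argv = check_command(original)
    if argv is None:
        sys.stderr.write("rsync-pull-only: refused %r\n" % original)
        sys.exit(1)
    os.execv(RSYNC, argv)


if __name__ == "__main__":
    main()
```

The rsync distribution ships a more complete script of this kind (rrsync) in its support directory; the point here is that the key the backup server holds should not be able to run anything else on the firewall.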
Re: SSH
On Tuesday, 17 December 2002, at 08:42:03 +0800, Patrick Hsieh wrote:

> Woody is shipping OpenSSH_3.4p1. Before the security team confirm this
> vulnerability and release the upgrade package, is there any way to patch and
> repackage the woody openssh? I just can't find the patch against this
> vulnerability.

When updated packages are not available as soon as I consider necessary, I usually download the first SRPM (or whatever) package that appears from one vendor including the patch, locate it (in the .spec file it should be the last "Patch"), apply it to the Debian deb-src for the package, and then repackage it with "dpkg-buildpackage".

Maybe this is not the most elegant way to solve the problem, but I hope it works OK, and it is reasonably easy. Just done it tonight with fetchmail and the recently discovered remote root exploit, while awaiting a version 6.2.0 packaged for unstable :-)

Regards.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.20-xfs)
Re: multi eth0:x:y with ifconfig...
On Monday, 17 February 2003, at 17:37:58 +0100, Benoit Lathiere wrote:

> I'm using the 'ifconfig' command to manage dynamically my interfaces.
> I up and down eth0... but Debian adds some eth0:0:2 !!!
> If I down all my interfaces and reload /etc/network/interfaces (which is
> correct), eth0:x:y are added again !!!
> How to radically "remove" these bad interfaces and restart on a clean
> config.. ??

The following is not what you asked for, but maybe if you use a better-thought-out tool, like "ip", for managing your network interfaces and assigned addresses, your problems will go away. With "ip address" you assign addresses to interfaces, with no need for artifacts like "virtual interfaces" such as eth0:0, eth0:1 and so on.

    # Add another IP address to the first ethernet device
    ip address add 1.2.3.4/8 broad + dev eth0
    # ...and another one
    ip address add 100.22.33.44/16 broad + dev eth0
    # And now for some results...
    2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:05:1c:09:f2:14 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.12/24 brd 192.168.1.255 scope global eth0
        inet 100.22.33.44/16 brd 100.22.255.255 scope global eth0
        inet 1.2.3.4/8 brd 1.255.255.255 scope global eth0

As you see, no artifacts here, just IP addresses assigned to interfaces. To remove a certain IP address, just substitute "del" for "add".

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.4.20-xfsip)
Re: VPN performance with tunnelv
On Monday, 24 February 2003, at 18:39:08 +0100, Ivo Marino wrote:

> Now we've connected to these networks some voice over IP phones which we
> would like to use through the VPN, the connection works and is securely
> encrypted but network performance is quite low.

What is "low" in this context? Give numbers, and then we can compare with some other setups.

> The two endpoints are built up from Intel PII 266MHz CPUs and have almost
> 128 MBs of RAM so I actually don't think the VPN performance could be
> directly related with the hardware performance, encryption and decryption
> of the VPN data plus routing should not be a problem with this kind of
> hardware, am I right?

Just tried a point-to-point tunnel with FreeS/WAN on my switch-based network. In the red corner, a mighty AMD XP 1700+ with Linux kernel 2.4.20 and FreeS/WAN (extensions included) patches version 1.99-2, kernel compiled for AMD Athlon, and a 10/100 PCI card. In the blue corner, a shameful Pentium classic 75 MHz, Linux kernel and FreeS/WAN patches as before, an ISA 10 Mbps card, and kernel compiled for i386.

Using 3DES encryption with a 168-bit-long key, I get about 300 KB/s either way (to or from the Pentium box, not simultaneously). Changing the ESP encryption algorithm to AES128 does not seem to change a thing (and it should; this needs further investigation on my part).

As IPsec seems to be quite a heavy protocol, and 3DES is the worst performing algorithm known to humans ;-), I would expect your box to perform at least five times better than mine, which would give more than 1.5 MB/s, or enough to saturate a 10 Mbps Ethernet.

Check the following URL for some performance data on recent FreeS/WAN:

http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/performance.html#performance

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.4.20-xfsip)
Re: Firewall Logs on Dialup Server
On Friday, 18 April 2003, at 11:16:02 +0200, Horst Pflugstaedt wrote:

> What _I_ didn't figure out is, how to stop iptables from logging to
> standard-out; syslog-ng seems only to additionally write it to my
> specified file.

After long hours digging through the Linux kernel source code, bootparam(7), and dmesg(8), I came to the conclusion that a simple "dmesg -n1" disables the kernel's printk output to the active console.

For additional information, check bootparam(7) (search for "debug"), dmesg(8) (option "-n") and /usr/src/linux/kernel/printk.c

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.4.20-xfsip)
Re: Secure remote syslogging?
On Wednesday, 23 April 2003, at 16:37:01 -0700, Jamie Penner wrote:

> or, if using syslog-ng, do this for each logfile type in your config file:
>
> destination syslog { file("/var/log/serverlogs/$HOST/syslog" owner("root")
> group("adm") perm(0640)); };

On the syslog-ng side I would suggest considering logging to a remote SQL database. It is not only possible, but quite simple. I made some kind of "proof of concept" tests (using a little PERL script to keep the connection to the MySQL database alive), encrypting the data via SSH TCP tunnels (using RSA/DSA keys and authorized_keys restrictions). The following URL was a good starting point:

http://lists.balabit.hu/pipermail/syslog-ng/2002-April/003249.html

The implementation consisted in syslog-ng logging to a pipe (using a template for "SQL output"), which is depleted by an ever-running PERL script that executes the SQL sentences in the remote server through a secure SSH tunnel.

The only thing left to do would be some kind of "sanitization" of the SQL inserts, to avoid potentially harmful "SQL injections". Tight access controls in the remote database and tables could mitigate this potential risk (i.e. limit the connecting user to just INSERT permission, and not UPDATE or DELETE).

If someone is interested in the PERL script, here it is (please be kind, I am not a programmer in any way :-). The next two lines are the configuration needed on the log client side.

    destination d_logpipe {
        pipe("/tmp/pipe" owner("someone")
             template("\( '$HOST', '$ISODATE', '$FACILITY', '$PRIORITY', '$MESSAGE' \)\n") );
    };
    log { source(src); destination(d_logpipe); };

    #!/usr/bin/perl -w
    # We read line after line from a "pipe" and from them we generate SQL
    # sentences to insert the log entries in the remote database.
    # José Luis Domingo López <[EMAIL PROTECTED]>
    ## Overview
    # "syslog-ng" is configured to log all system events to a named pipe
    # previously created via "mkfifo". Each log entry is formatted through a
    # "syslog-ng" "template" to generate a pseudo-SQL insert on the remote
    # database. But we are using an SSH tunnel (-L mode), so we connect to
    # the local IP address, not the remote server's.
    #
    ## Implementation details
    # - First, open an SQL connection to the remote MySQL database (via the
    #   local tunnel endpoint), and keep it open while running
    # - Open read-only the pipe where syslog-ng logs system events, and
    #   keep reading line by line until EOF or program end
    # - Each line read from the pipe is the base of an SQL insertion sentence
    #   into the remote MySQL database.
    # NOTE: libdbd-mysql-perl is necessary for this script

    use strict;
    use Mysql;

    my $host="127.0.0.1";        # local endpoint of the SSH tunnel
    my $database="logs";
    my $user="joseluis";
    my $password="joseluis";
    my $query="";
    my $error=0;
    my $errmsg;
    my $sth;

    my $dbh = Mysql->connect($host, $database, $user, $password);
    if ( ! $dbh ) {
        $errmsg= Mysql->errmsg();
        die "Unable to connect with the remote database, error: $errmsg\n";
    };

    # Opening a FIFO blocks until syslog-ng opens its end for writing.
    open ( LOGPIPE, "< /tmp/pipe" ) or die "Unable to open /tmp/pipe: $!\n";
    while ( my $log = <LOGPIPE> ) {
        # The template already produced the "( 'host', 'date', ... )" tuple,
        # so the line is appended verbatim to the INSERT prefix.
        $query="INSERT INTO logs.testbox (host,time,facility,priority,message) VALUES ";
        $query=$query . $log ;
        $sth = $dbh->query($query);
        $error = Mysql->errno;
        $errmsg= Mysql->errmsg();
        #if ( $error != 0 ) {
        #die "Insertion failed: $errmsg\n";
        #};
    };
    close ( LOGPIPE );

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.5.68)
Re: ipsec setkey and 2.4.21 kernel
On Thursday, 02 October 2003, at 17:37:17 +1000, Mark Devin wrote:

> --
> And here are the errors setkey produces:
> --
> # setkey -f /etc/ipsec.conf
> The result of line 6: Invalid argument.
> The result of line 9: Invalid argument.
> --

I was having exactly the same problem you report until I realized my ipsec-tools package (from Debian Sid) was not recompiled against my current running kernel version. Once I did "apt-get source ipsec-tools" and changed "debian/rules" to point to my current running kernel headers, problems with tunnel mode IPsec went away. Transport mode tunnels worked OK without recompiling, though.

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0-test6-mm4-lirc)
Re: What's the best for VPN?
On Sunday, 16 November 2003, at 13:06:20 +0100, Teófilo Ruiz Suárez wrote:

> Is it possible to use IPsec with that configuration using Opportunistic
> Encryption?.

I don't think that Opportunistic Encryption (OE) is the key here, but rather some way for the "VPN gateway" at your office premises to authenticate you wherever you may connect from. I think the simplest way to achieve this is to use certificate-based authentication, via X.509 certificates. Set up a Certification Authority (CA) on your gateway, issue a cert for your portable computer, and instruct your IPsec implementations to authenticate based on this.

Greetings,

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0-test9-mm3)
Re: IPSec WinXP interop
On Wednesday, 24 December 2003, at 00:49:31 +, Antony Gelberg wrote:

> When I try to log in, I get "Error 792: The L2TP connection attempt
> failed because security negotiation timed out." I don't get any
> "verifying username..." message.

Why do you need freeswan if you are trying to set up L2TP tunnels from the Windows box to your Linux box? FreeS/WAN is an implementation of the IPsec protocol suite, and as far as I know WXP has support for it by default, so maybe you could have better luck with this standard protocol than with the less standard one, L2TP.

> Any insight would be much appreciated. I must admit I'm still a little
> unclear how the whole idea works, but I believe that IPSec receives the
> connection, then calls l2tpd, which starts ppp. I can post more config
> / debug if needed.

I could be way mistaken, but L2TP and IPsec (FreeS/WAN and others) are completely different and independent tunneling mechanisms, and so there is no mix between them. Configure just L2TP XOR IPsec.

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0)
Re: suspicious smbd connections
On Wednesday, 24 December 2003, at 15:33:54 +0100, outsider wrote:

> But I have a dynamic IP. Every time I boot my system I get another
> IP-address.

There is no end of viruses, worms, and people with too much free time and too little brain under their hulls out there. So having a dynamic IP address is in no way equivalent to "scan free" or "intrusion attempt free". It just makes it more difficult for people interested in breaking into your boxes to know your IP address of the day, but automated viruses, worms and such will cover the whole Internet address space whether you want it or not :-(

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0)
Re: IPSec WinXP interop
On Thursday, 25 December 2003, at 04:32:10 +0100, cd wrote:

> but tunnel ipsec in l2tp is quite normal. You need it to turn around the nat
> problem of ipsec.

Or just use "NAT traversal" support for IPsec, implemented in commercial and free IPsec stacks alike. FreeS/WAN has (unofficial?) NAT traversal support, as does the native Linux kernel 2.6.x IPsec implementation if you use FreeS/WAN for the IKE daemon.

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0)
Re: another kernel vulnerability
On Monday, 05 January 2004, at 17:21:52 +0100, Teófilo Ruiz Suárez wrote: > What about 2.6? Is it fixed anyhow? > It seems to be fixed in 2.6.1-rc2, as Linus said. But the fix seems to be temporary while kernel gurus and the people in charge of libc agree on a better solution. http://marc.theaimsgroup.com/?l=linux-kernel&m=107332772321771&w=2 >From patch-2.6.1-rc2.bz2: diff -Nru a/mm/mremap.c b/mm/mremap.c --- a/mm/mremap.c Mon Jan 5 22:49:37 2004 +++ b/mm/mremap.c Mon Jan 5 22:49:37 2004 @@ -315,6 +315,10 @@ old_len = PAGE_ALIGN(old_len); new_len = PAGE_ALIGN(new_len); + /* Don't allow the degenerate cases */ + if (!(old_len | new_len)) + goto out; + /* new_addr is only valid if MREMAP_FIXED is specified */ if (flags & MREMAP_FIXED) { if (new_addr & ~PAGE_MASK) Greetings. -- Jose Luis Domingo Lopez Linux Registered User #189436 Debian Linux Sid (Linux 2.6.1-rc1)
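Review bot: the added check `if (!(old_len | new_len)) goto out;` rejects only the case where both page-aligned lengths are zero; a request with old_len == 0 and a non-zero new_len (or the reverse) still falls through to the `MREMAP_FIXED` handling below, which fits the thread's description of this as a stopgap but should be stated in the comment instead of the vague "degenerate cases". The value `ret` holds at the `out` label is not visible in the hunk, so confirm the early exit returns an error such as -EINVAL rather than whatever the variable was initialised to.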
Re: postfix in qmail out proftpd in pureftpd
On Wednesday, 02 October 2002, at 19:19:50 +0200, WebMaster wrote:

> there is a .deb for postfix and not for qmail?
> (qmail is more secure than postfix)

Redistribution terms for qmail prevent it from being packaged in binary form whenever the binary is not the exact result of a compilation from the original sources the author releases. You can't change the resulting binary in any form or shape, and you can't modify the layout of files on the filesystem either. The Debian Policy says some things must go somewhere, so qmail is not available as a .deb as a precompiled binary.

BUT you can get it officially from non-free:

    apt-get install qmail-src

And compile it and create the resulting "debianized" .deb with just:

    build-qmail

and a couple of simple answers to simple questions. The same goes for ucspi-tcp, djbdns and daemontools, all from Daniel J. Bernstein, if memory serves.

> there is a .deb for proftpd and not for pureftpd?
> (pureftpd is more secure than proftpd)

There are no official pureftpd packages for a very simple reason: nobody took the software and made a Debian package from it, taking responsibility for it, its releases, bugs, complaints, updates, etc. That is, "a nice pureftpd software looks for a Debian maintainer still not under loads of work, for a long, stable, relationship" :-)

Hope to be right :)

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.19-pre6aa1)
Re: postfix in qmail out proftpd in pureftpd
On Wednesday, 02 October 2002, at 20:21:26 +0200, jernej horvat wrote:

> so to you a reward is proof of security ? :-]

At least not for me. But a reward offered 5 years ago that not only hasn't been awarded, but has not even been asked for, maybe is a proof of a piece of software without grave bugs in 5 years. Facts are facts, opinions are worthless ;-)

PS: no flames, please; if you would like DJB to burn in an eternal flame, please choose a better place to vent.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.19-pre6aa1)
Re: telnetd vulnerability from BUGTRAQ
On Friday, 24 September 2004, at 16:15:09 -0600, s. keeling wrote:

> Is anyone still using telnet when there's ssh? Why? I wouldn't even
> use it inside my own firewalled LAN. ssh is just better.

Yes, many people have a curious sense of "computer security". They ask for mega-cool (and MEGA expensive) commercial hardware firewalls but keep on using telnet to access remote boxes (even using "root" or similarly privileged accounts).

Maybe customers just ask for what we are offering them, and there seems to be little market (in money terms) for SSH implementations, so they are told about the needs of "high-end" firewalls and IDS, but not warned about simpler, cheaper and more important things like not using telnet (or even r-commands).

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.9-rc1)
Re: telnetd vulnerability from BUGTRAQ
On Saturday, 25 September 2004, at 10:34:43 -0500, hanasaki wrote:

> When IPSEC is being used, telnet works the same; however is secure
> because it, like all traffic, is sent over a transparent tunnel.

But an IPsec tunnel encrypts traffic just between the tunnel endpoints, and this need not be the full path between the telnet client and server, so anyone sniffing (for example) on your destination LAN will get your usernames and passwords easily.

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.9-rc1)
Re: Mail relay attempts
On Thursday, 29 August 2002, at 16:57:09 +0100, Dale Amon wrote:

> > I'll add another one to that: I started using syslogd-sql, which is a
> > modified version of "the" syslog 1.4.1 that also allows logging to a
> > MySQL database. I hope it is a step in the right direction to use
> > advanced SQL queries in order to support analysis of logfiles. Any
> > opinions on that from the more experienced ones on this list? :)
>
> It would be nice, but I don't know if syslog-ng supports
> it... it might, I just don't remember seeing it the last time
> I read the manual.

As far as the documentation says, there is no out-of-the-box support in syslog-ng to log remotely to an SQL database. However, maybe the destination type program() could be useful: when syslog-ng starts and sees a program() destination, it forks a copy of the program and keeps it open to send (via stdin) log strings that the program should dispose of properly. This program can be a 50-line PERL script, but I don't know if this ad-hoc solution could be deemed solid enough for a production system (I didn't try it myself).

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.19-pre6aa1)
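Both this post and the "Secure remote syslogging?" reply above (where the Perl script appends the template's quoted tuple straight onto an INSERT, leaving the "sanitization" problem open) call for the same thing: a consumer that hands the log fields to the database as parameters instead of splicing them into SQL text. The block below is an added example, not the poster's code; it assumes a TAB-separated syslog-ng template (shown in the comments), uses sqlite3 in memory as a stand-in for the remote MySQL server, and reads either stdin (program() destination) or a named pipe path given as the first argument (pipe() destination).

```python
"""Pipe/stdin log consumer with parametrised INSERTs (added example).

Stand-in for the Perl inserter in the "Secure remote syslogging?" post and
for the program() destination discussed above. sqlite3 replaces the remote
MySQL server so this runs offline; with DBD::mysql or mysqlclient the same
placeholder idea applies ('?' becomes '%s'). The database account should
still be INSERT-only, as the post suggests, so a bad record can at worst
add rows.
"""
import sqlite3
import sys

# Assumed client-side syslog-ng template (constructed, not the posts' own):
# one record per line, TAB-separated, the free-form message last:
#   template("$HOST\t$ISODATE\t$FACILITY\t$PRIORITY\t$MESSAGE\n")
# The values are never spliced into SQL text, so the template no longer
# needs to emit quotes or parentheses at all.
COLUMNS = ("host", "time", "facility", "priority", "message")


def create_schema(conn):
    conn.execute(
        "CREATE TABLE IF NOT EXISTS testbox ("
        "host TEXT, time TEXT, facility TEXT, priority TEXT, message TEXT)"
    )


def parse_record(line):
    """Split one template line into its five fields, or None if malformed.

    Only the first four TABs are separators, so a TAB inside the message
    stays in the message instead of shifting later columns.
    """
    parts = line.rstrip("\r\n").split("\t", 4)
    if len(parts) != len(COLUMNS) or not parts[0]:
        return None
    return tuple(parts)


def insert_record(conn, record):
    # Placeholders: the driver hands the values to the database separately
    # from the statement, so quotes or semicolons in a log message are
    # stored literally instead of being parsed as SQL.
    conn.execute(
        "INSERT INTO testbox (host, time, facility, priority, message) "
        "VALUES (?, ?, ?, ?, ?)",
        record,
    )


def consume(conn, lines):
    """Insert every well-formed line; return (inserted, skipped) counts."""
    inserted = skipped = 0
    for line in lines:
        record = parse_record(line)
        if record is None:
            skipped += 1
            continue
        insert_record(conn, record)
        inserted += 1
    conn.commit()
    return inserted, skipped


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT message FROM testbox ORDER BY rowid")]


# Constructed sample records, as the template above would write them.
SAMPLE_LINES = [
    "fw1\t2003-04-23T16:37:01\tauth\tnotice\t"
    "sshd[1234]: Accepted publickey for backup from 192.0.2.10\n",
    # A message that would have broken the quoted-tuple template: the quote
    # and semicolon are just data here.
    "fw1\t2003-04-23T16:37:05\tdaemon\twarning\t"
    "login attempt with user '); DROP TABLE testbox; --\n",
    "not a template line at all\n",
]


def demo():
    """Run the consumer over SAMPLE_LINES in memory; return counts and messages."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    counts = consume(conn, SAMPLE_LINES)
    return counts, stored_messages(conn)


def main(argv):
    # program() destination: records arrive on stdin.
    # pipe() destination: pass the fifo path (e.g. /tmp/pipe) as argv[1].
    source = open(argv[1]) if len(argv) > 1 else sys.stdin
    conn = sqlite3.connect(argv[2] if len(argv) > 2 else "logs.db")
    create_schema(conn)
    inserted, skipped = consume(conn, source)
    sys.stderr.write("inserted %d, skipped %d\n" % (inserted, skipped))


if __name__ == "__main__":
    main(sys.argv)
```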