On Wed, May 08, 2002 at 01:45:32AM +0800, Patrick Hsieh wrote:
>
> But this option seems to bring some side-effect. Is there any
> alternative?
imho the better way is to use syncookie.
problems written on the ip-sysctl documentation are more or less normal.
there's not a very good way to know if
Hello Vincent Hanquez <[EMAIL PROTECTED]>,
But this option seems to bring some side-effect. Is there any
alternative?
tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflow
On Mon, May 06, 2002 at 04:54:09PM -0700, Mike Shepherd wrote:
> Anyway, I realize the Debian Security list was probably not quite the right
> forum to have posted this in, but it was the one I was receiving emails in,
> so I figured what the heck.
I don't think your personal convenience is a
On Tue, May 07, 2002 at 10:26:43PM +0800, Patrick Hsieh wrote:
> Hello list,
>
> Is there anyone having any suggestion to tune the /proc/sys/net/ipv4/*
> to avoid tcp syn flood attack?
there's a kernel option "IP: TCP syncookie support" to do that
you can activate it with:
echo 1 > /proc/sys/net/
This one time, at band camp, Gary MacDougall said:
> Giacomo,
>
> How about an example!?!
>
> I'm a little surprised as to why you'd point out an exploit and
> not tell people how to fix it...
>
> On Mon, 6 May 2002, Michal Melewski wrote:
>
> > Hello
> > Try to add following lines into your fir
Hello list,
Is there anyone having any suggestion to tune the /proc/sys/net/ipv4/*
to avoid tcp syn flood attack?
After reading Documentation/networking/ip-sysctl.txt, I'd like to change
tcp_syn_retries
tcp_synack_retries
both to "1", does it help? Any suggestion highly appreciated.
--
Patri
Giacomo,
How about an example!?!
I'm a little surprised as to why you'd point out an exploit and
not tell people how to fix it...
Thanks,
Gary
-----Original Message-----
From: Giacomo Mulas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 07, 2002 3:48 AM
To: Michal Melewski
Cc: debian-security@list
Hello,
I am creating some server mod-ssl certificates using the script
mod-ssl-makecert.
If I understood, this script each time it is called, creates my ca
certificate, and my server certificate.
I suppose that my ca certificate should be the same for all my servers.
What can I do to not have
Is there anyone working in/near Coventry in England who can act as a
debian consultant for file server installation/admin.
Thx.
Reply directly to me ... this is out of list topic
--
Easter-eggs - GNU/Linux specialist
44-46 rue de l'Ouest - 75014 Pa
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
On Mon, 6 May 2002, Michal Melewski wrote:
> Hello
> Try to add following lines into your firewall script:
> iptables -A INPUT -p udp -i $DEV -s 0/0 --sport 53 -j ACCEPT
> iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP
> iptables -A OUTPUT -p udp -i $DEV -d 0/0 --dport 53 -j ACCEPT
this opens a
On Mon, May 06, 2002 at 03:52:21PM +0200, Tim van Erven wrote:
> On Mon, May 06, 2002 at 03:08:45PM +0200, "Bernhard R. Link" <[EMAIL PROTECTED]> wrote:
> I disagree. By that reasoning it would be even better if OpenSSH
> double-checked all of PAM's work. That would add bloat to ssh and
> possib
23 matches