Hello,
it now it was a couple of days ago but I've to concern
another time to in this case a compromised woody system.
chkrootkit found nothing but rkhunter found quite a lot:
/bin/login /bin/su /usr/bin/locate /usr/sbin/useradd /usr/sbin/usermod
/usr/sbin/vip
All these binaries have been alert

On Fri, Nov 05, 2004 at 03:10:00PM +, Baruch Even wrote:
> On Fri, 2004-11-05 at 12:49, Jan Minar wrote:
> > --- iptables-1.2.6a.ORIG/iptables.8 Fri Nov 5 12:28:43 2004
> > +++ iptables-1.2.6a-local.0/iptables.8 Fri Nov 5 12:47:14 2004
> > @@ -521,7 +521,12 @@
> > supporting this featur

On Fri, Nov 05, 2004 at 05:57:18PM +, Baruch Even wrote:
>On Fri, 2004-11-05 at 17:13, George Georgalis wrote:
>> On Fri, Nov 05, 2004 at 03:04:34PM +, Baruch Even wrote:
>>
>> >ESTABLISHED,RELATED
>> >NEW
>> >INVALID
>> >pick two to cover the spectrum of attacks.
>>
>> Why not all three

On Fri, Nov 05, 2004 at 03:04:34PM +, Baruch Even wrote:
> On Fri, 2004-11-05 at 14:27, martin f krafft wrote:
> You have three categories into which all sessions go:
> ESTABLISHED,RELATED
> NEW
> INVALID
> pick two to cover the spectrum of attacks.
>
> If you don't check for NEW, a SYN packet

On Fri, 2004-11-05 at 17:13, George Georgalis wrote:
> On Fri, Nov 05, 2004 at 03:04:34PM +, Baruch Even wrote:
>
> >ESTABLISHED,RELATED
> >NEW
> >INVALID
> >pick two to cover the spectrum of attacks.
>
> Why not all three in this order...
>
> INVALID -j REJECT
> ESTABLISHED,RELATED -j ACCE

On Fri, Nov 05, 2004 at 03:04:34PM +, Baruch Even wrote:
>ESTABLISHED,RELATED
>NEW
>INVALID
>pick two to cover the spectrum of attacks.
Why not all three in this order...
INVALID -j REJECT
ESTABLISHED,RELATED -j ACCEPT
NEW -j ACCEPT (if allowed)
I'm thinking PREROUTING is the best table (c

I want to restrict access to a set of machines to all users to local
access only. Effectively, I only want to allow login and kdm access,
unless the user is a member of group 'remote', in which case s/he
should also be able to use ssh, cron, and other PAM-using software.
I think this has to be do

On Fri, 2004-11-05 at 12:49, Jan Minar wrote:
> On Fri, Nov 05, 2004 at 11:29:21AM +, Baruch Even wrote:
> > On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> > > What's the point of matching state NEW *and* SYN packets? Just SYN
> > > packets should suffice.
> >
> > This comes from the fa

On Fri, 2004-11-05 at 13:06, Stefan Fritsch wrote:
> Hi!
>
> On Friday 05 November 2004 12:27, Baruch Even wrote:
> > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT
> >
> > Please don't do that!
>

On Fri, 2004-11-05 at 14:27, martin f krafft wrote:
> also sprach Baruch Even <[EMAIL PROTECTED]> [2004.11.05.1229 +0100]:
> > This comes from the fact that the NEW state of Netfilter only
> > means that this is the first time this connection is seen by the
> > firewall. What you really want is the

On Fri, 2004-11-05 at 12:03, Florian Weimer wrote:
> * Jan Minar:
>
> >>Is this a serious problem?
> >
> > Maybe. It is a very serious bug.
>
> Actually, it's a feature because some TCP extensions use SYN+FIN ("TCP
> for Transactions" or something like that).
TTCP is a dead proposal, it bri

Please do not CC me on list replies. It's in the header, it's in my
signature, it's in the list policy.
also sprach Baruch Even <[EMAIL PROTECTED]> [2004.11.05.1229 +0100]:
> This comes from the fact that the NEW state of Netfilter only
> means that this is the first time this connection is seen b

Hi!
On Friday 05 November 2004 12:27, Baruch Even wrote:
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT
>
> Please don't do that!
> You can use SYN,ACK,FIN,RST SYN to check for illegal flags.
Sho

On Fri, Nov 05, 2004 at 11:29:21AM +, Baruch Even wrote:
> On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> > also sprach Luis Pérez Meliá <[EMAIL PROTECTED]> [2004.11.04.1848 +0100]:
> > > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags
> > > ALL SYN -j ACCEPT
>

* Jan Minar:
>>Is this a serious problem?
>
> Maybe. It is a very serious bug.
Actually, it's a feature because some TCP extensions use SYN+FIN ("TCP
for Transactions" or something like that).
The real, nasty bug was in stacks that accepted SYN+RST as a regular
SYN, easily passing through t

On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> also sprach Luis Pérez Meliá <[EMAIL PROTECTED]> [2004.11.04.1848 +0100]:
> > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags
> > ALL SYN -j ACCEPT
>
> What's the point of matching state NEW *and* SYN packets? Just SYN

On Thu, 2004-11-04 at 17:48, Luis Pérez Meliá wrote:
> I'm using iptables.
>
> In my rules I have this:
> .
> .
> .
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCE
17 matches