> Looks that way. I guess I mis-interpreted the grsec docs
> (and since I don't have a kernel compiled with TPE, I didn't
> test it). It seems that it already does what I suggested it
> do: not allow mmap with PROT_EXEC under certain conditions.
> (You did make sure that this behaviour isn'
> -Original Message-
> From: Peter Cordes [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 16, 2003 9:35 AM
> To: debian-security@lists.debian.org
> Subject: Re: execute permissions in /tmp
>
>
> On Tue, Jul 15, 2003 at 09:38:45AM +0200, DEFFONTAINES Vincent
> -Original Message-
> From: Peter Cordes [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 16, 2003 9:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: execute permissions in /tmp
>
>
> On Tue, Jul 15, 2003 at 09:38:45AM +0200, DEFFONTAINES Vincent wrote:
> >
> On Sun, Jul 13, 2003 at 11:55:45PM -0400, Matt Zimmerman wrote:
> > If the user can read files in /tmp, they can execute the
> code in them.
>
> even if the user is a "nobody" that owns no files or
> directories and grsecurity, selinux or the like prevents
> him/her to execute directly code
> While I agree with your observation I feel compelled to
> defend his point.
>
> He said mounting /tmp will stop MOST Trojans. While it might
> not stop a trojan planted by a person, it will stop a trojan
> planted by a worm (which is what this thread is about) since
> the author of the worm
Have a look at the coroner toolkit from Dan Farmer and Wietse Venema.
Debian packaged : tct
It is advised *not* to turn off your box, maybe you can unplug its
network...
not sure it's a good idea even.
http://www.fish.com/tct/help-when-broken-into
Chosen extract :
What to do
---
The
>
> Hello
>
> On a fresh installed Woody, I've a strange Problem: After a
> syslogd restart (by hand or logrotate) I lose the kernel
> messages. All the other facilities are well, only kern.* is
> missing.
>
> Klogd is reporting the messages to the display as well, but
> syslogd doesn't catc
> [EMAIL PROTECTED]:~# iptables-save
> # Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
> *nat
> :PREROUTING ACCEPT [17038:1364291]
> :POSTROUTING ACCEPT [1561:131055]
> :OUTPUT ACCEPT [7155:558179]
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT
> --to-ports 4
>
> -Original Message-
> From: Josh Carroll [mailto:[EMAIL PROTECTED]
> Sent: Friday 21 March 2003 08:46
> To: debian-security@lists.debian.org
> Subject: Re: is iptables enough?
>
>
> There are a couple of reasons why I use -j DROP
> instead of -J REJECT. Firstly, sending responses to
>
> -Original Message-
> From: Josh Carroll [mailto:[EMAIL PROTECTED]
> Sent: Friday 21 March 2003 08:46
> To: [EMAIL PROTECTED]
> Subject: Re: is iptables enough?
>
>
> There are a couple of reasons why I use -j DROP
> instead of -J REJECT. Firstly, sending responses to
> packets your dr
You can
1. Remove the users access to the ssh program
(eg change ownership and rights of /usr/bin/ssh and create a "ssh" group for
allowed outgoing ssh users).
2. Mount /home, /tmp and any other place users might have write access on
with the "noexec" switch, so they can only use binaries installed
Is it http://www.debian.org/banners/ you are talking about? :-)
> -Original Message-
> From: Jord Swart [mailto:[EMAIL PROTECTED]
> Sent: Friday 10 January 2003 16:21
> To: debian-security@lists.debian.org
> Subject: Re: A new Banner for the new Year
>
>
> On Friday 10 January 2003 14:
Is it http://www.debian.org/banners/ you are talking about? :-)
> -Original Message-
> From: Jord Swart [mailto:[EMAIL PROTECTED]]
> Sent: Friday 10 January 2003 16:21
> To: [EMAIL PROTECTED]
> Subject: Re: A new Banner for the new Year
>
>
> On Friday 10 January 2003 14:49, Daniel J.
> -Original Message-
> From: Josh Carroll [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 8 January 2003 00:30
> To: debian-security@lists.debian.org
> Subject: TCP port 6352?
>
>
> Having failed to find any information about TCP port 6352 via
> google or /etc/services, I
> figured I'd ask
> -Original Message-
> From: Josh Carroll [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday 8 January 2003 00:30
> To: [EMAIL PROTECTED]
> Subject: TCP port 6352?
>
>
> Having failed to find any information about TCP port 6352 via
> google or /etc/services, I
> figured I'd ask here. I'm see
> Hi
>
> I have a host in my DMZ that has both anonymous ftp and pop3
> ports open
> (this can't be changed). Since I really don't trust this setup, I was
> thinking about ways to isolate this host so no one who breaks into this
> computer, can access other computers on the DMZ (although other
> co
I personally used courier-pop which did good, but never did I compare it
with others.
> -Original Message-
> From: Ted Roby [mailto:[EMAIL PROTECTED]
> Sent: Friday 6 December 2002 11:51
> To: debian-security@lists.debian.org
> Subject: pop mail recommendations
>
>
> I have setup exim
I personally used courier-pop which did good, but never did I compare it
with others.
> -Original Message-
> From: Ted Roby [mailto:[EMAIL PROTECTED]]
> Sent: Friday 6 December 2002 11:51
> To: [EMAIL PROTECTED]
> Subject: pop mail recommendations
>
>
> I have setup exim to host my do
klist many).
> -Original Message-
> From: Tore Nilsson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 4 December 2002 15:19
> To: DEFFONTAINES Vincent
> Cc: debian-security@lists.debian.org
> Subject: Re: IPTables configuration.
>
>
> Hi!
>
> The machine is a standalo
't modify the way the
firewall works.
> -Original Message-
> From: Tore Nilsson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 4 December 2002 15:13
> To: DEFFONTAINES Vincent
> Cc: debian-security@lists.debian.org
> Subject: Re: IPTables configuration.
>
>
To correctly audit your configuration, I need an output of
"/sbin/iptables -L -n -v"
The mere "/sbin/iptables -L [-n]" is not sufficient to me, cause it won't
reveal the per interface filters.
Vincent
> -Original Message-
> From: Tore Nilsson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday
klist many).
> -Original Message-
> From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday 4 December 2002 15:19
> To: DEFFONTAINES Vincent
> Cc: [EMAIL PROTECTED]
> Subject: Re: IPTables configuration.
>
>
> Hi!
>
> The machine is a standalone web server. I'
't modify the way the
firewall works.
> -Original Message-
> From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday 4 December 2002 15:13
> To: DEFFONTAINES Vincent
> Cc: [EMAIL PROTECTED]
> Subject: Re: IPTables configuration.
>
>
> Hi!
>
>
To correctly audit your configuration, I need an output of
"/sbin/iptables -L -n -v"
The mere "/sbin/iptables -L [-n]" is not sufficient to me, cause it won't
reveal the per interface filters.
Vincent
> -Original Message-
> From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesda
From what you are posting, I cannot deduce you were attacked with accuracy.
It might be a peer to peer badly configured (or written) software, maybe
some network performance auditing tool trying to {ping/tcpping/udpping}
random IPs on the net (yeah, some really do that and attempt an icmp reply
t
> From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]
>
> When making an encrypted file system (AES on both occasions) everything
> works great except I can't run binaries (or even shell scripts without
> running "bash
> From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]]
>
> When making an encrypted file system (AES on both occasions) everything
> works great except I can't run binaries (or even shell scripts without
> running "bash
>
> > Wondering if some people know of some "content-aware"
> proxies/filters, to
> > attempt to block [some of] those dangerous products (apart
> from maintaining
> > a black-list...)
>
> Since the traffic is encrypted, content filtering
> will not trigger.
>
That's true for HTTPS, not HTTP.
> -Original Message-
> From: Fadel [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 19 November 2002 16:05
> To: "debian-security@lists.debian.org"@plutao.siteplanet.com.br
> Subject:
>
>
> Hi there,
>
> I got a trouble in my network while trying to block Kazaa.
> I tried to drop port 1214 w
> -Original Message-
> From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 19 November 2002 15:30
> To: DEFFONTAINES Vincent
> Cc: debian-security@lists.debian.org
> Subject: Re: Bypassing proxies
>
>
> On Tue, 19 Nov 2002 at 02:48:04PM +0100,
>
> > Wondering if some people know of some "content-aware"
> proxies/filters, to
> > attempt to block [some of] those dangerous products (apart
> from maintaining
> > a black-list...)
>
> Since the traffic is encrypted, content filtering
> will not trigger.
>
That's true for HTTPS, not HTTP.
> -Original Message-
> From: Fadel [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday 19 November 2002 16:05
> To: "[EMAIL PROTECTED]"@plutao.siteplanet.com.br
> Subject:
>
>
> Hi there,
>
> I got a trouble in my network while trying to block Kazaa.
> I tried to drop port 1214 with this rule:
Some companies sell products such as this :
http://www.symmetrypro.com/FaB.htm
that any clueless user can install with the help of 3 mouse clicks on their
desktop.
It autodetects proxy settings, creates an HTTP tunnel through corporate
proxy to software editor company server, so you can read your em
> -Original Message-
> From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday 19 November 2002 15:30
> To: DEFFONTAINES Vincent
> Cc: [EMAIL PROTECTED]
> Subject: Re: Bypassing proxies
>
>
> On Tue, 19 Nov 2002 at 02:48:04PM +0100, DEFFONTAINES V
> -Original Message-
> From: Jan Eringa [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 12 November 2002 15:11
> To: DEFFONTAINES Vincent
> Subject: Re: errorlists
>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> www.phrack.org is also a good place
Did you check the Secure-Programs-Howto ?
It is a very good document
http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/index.html
Hope this helps
Vincent
> -Original Message-
> From: Peter Ondraska [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 12 November 2002 14:48
> To: debian-security@lis
> -Original Message-
> From: Jan Eringa [mailto:jan.eringa@;orbian.com]
> Sent: Tuesday 12 November 2002 15:11
> To: DEFFONTAINES Vincent
> Subject: Re: errorlists
>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> www.phrack.org is also a good
Did you check the Secure-Programs-Howto ?
It is a very good document
http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/index.html
Hope this helps
Vincent
> -Original Message-
> From: Peter Ondraska [mailto:ondraska@;dcs.fmph.uniba.sk]
> Sent: Tuesday 12 November 2002 14:48
> To: [EMAIL P
Greetings,
I managed to create several Virtualhosts on an apache-ssl (1.3) server (same
IP, same port, several names).
The "trick" is to use the same Certificate for every Virtualhost, which will
of course generate a warning on browsers, due to certificate not matching
most of the sites names. Bu
As mentioned before in this thread, you definitely can specify junkbuster
it should listen only on one address (ie 127.0.0.1, or whichever).
On privoxy (which is an evolution of junkbuster, but present only in sid
(?)) I have this in /etc/privoxy/config :
listen-address 127.0.0.1:8118
I can't r
> Many of these user accounts will no doubt be sending and
> receiving email
> from dial-up accounts, which limits the ability to deny service on a
> per-IP basis. Suggestions for security, with pointers, please? I
> already plan on SSL, I'm asking I guess more about open relay
> issues in
> t
It seems to me, you need not only the patch-int, but also the loop patch,
which can be found at
ftp://ftp.kernel.org/pub/linux/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch
You have to use it else the cryptoloop compile part fails.
Why the loop patch is not included in the patch-int patch, I do not
52 matches