Hello everyone
Thanks for your opinions. Yes, I know that AppArmor is
available in Debian. That's good. It's just fine that there
is a possibility to choose between SELinux and AppArmor.
Unfortunately, I can help only with creating profiles for
various applications. For now, I'm trying to
Hello everyone,
Michael web site with a statistic I've been watching from time to
time. Also *Debian* Hardening wiki page I studied a couple of
times.
> There is a lintian check for setuid binaries (...)
> There isn't really any group effort tackling or monitoring
> the assortment of useful
Hi Moritz,
90 percent of the hardening via '*dpkg-buildflags*'? That's
good information. I'd hoped that the majority of all base
packages and that's security-sensitive will be protected
well. It's really a huge satisfaction.
One more thing - does Debian include something like e.g.
Ubuntu or op
Hello everyone,
Before the Wheezy release we could find a web site, which
contained notices about updating as many packages as
possible to use security hardening build flags via
'dpkg-buildflags'. Also, there could be found a note about
packages that should have build flags enabled before
the Wheezy rel
Hi Rolf.
>> The information about connections is stored in
>> /proc/net/ip_conntrack. The maximum connections
>> (...) in /proc/sys/net/ipv4/netfilter/ip_conntrack_max
I checked these values and it looks this way;
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
55740
# cat /proc/net/
On 2013-04-10, at 11:34 AM, Daniel Curtis wrote:
>
> > Hi Mr Rolf
> >
> > Okay, I will check these values; /proc/net/ip_conntrack etc.
> > Generally it is normal, that there are INVALID connections, right?
> >
> > Yes, I'm seeing this syslog tag. Should I remove it from my iptables
> > script (e.g. -j LOG --log-prefix etc.)?
>
>
Hi Mr Rolf
Okay, I will check these values; /proc/net/ip_conntrack etc.
Generally it is normal, that there are INVALID connections, right?
Yes, I'm seeing this syslog tag. Should I remove it from my iptables
script (e.g. -j LOG --log-prefix etc.)?
Hi andika.
Another INVALID packet description. I read a lot of
information and I don't know what is the truth. Frankly,
the first time I see a description, which concerns RAM memory.
So, I have 1 GB of RAM memory. Just for example; free -m
command result;
used: 640, free: 230
and top command;
Hi
As we know iptables INVALID state means, that
the packet is associated with no known connection,
right? So, if I have a lot of INVALID entries in my
log files, does it mean that something is wrong?
Hidden process etc.?
An example of logged entries;
t4 kernel: [18776.221378] [INVALID in] IN=
Hi Mr Edwin
Yes, I have this rule and it is responsible for the
established/related connections. This rule is almost
at the very end of the INPUT chain.
>> (...) before the rule that logs/drops your packets?
Do you mean those strange packages mentioned in the first
mail, right? Frankly, not; This
Hi Mr Erwan
Let's summarize: these logs are normal and are not
something... *bad*. Even if there are many IP's connections
(*INVALID*) probes.
I understand that I should not have contact with the servers.
Okay, but if those servers are providing e.g. a website, which
I visit? How to avoid them? I
Hi Mr Erwan
So, everything is okay? Even these strange logs
mentioned earlier? I'm still curious about this rule;
*SYN,RST, ACK,FIN, PSH,URG, SYN,RST,ACK,
FIN,PSH,URG*
What do you mean by writing, that I should not contact servers?
Best regards!
Hi Mr Mestnik
I'm just curious why Debian does not publish updated versions
of the packages as soon as possible. Especially, when it comes
to the security updates. Other distributions are doing it much faster.
Personally, I do not like to use applications that I know are
vulnerable.
As I a
Hi
Whether the Iceweasel 10.0.11 ESR package can be updated a little faster due
to several security issues? On January 8 Mozilla published about 20
Security Advisories[1]. Many distributions already have updated Firefox to
the latest 18 and 10.0.12 ESR versions[2]. According to the website for
dev
Hi Mr Cyril,
Thank you for pointing out this website. I completely forgot
about it and definitely, I should look there first, before writing
a message here.
I did not look over this web site (Changelog for 3.2.X) for a long
time, because for now, I am still using a linux-2.6 on all of my systems.
Hi,
Kernel 3.7 is officially out. This Linux release includes many improvements
practically in every aspect. Many changes also concern security. Very
interesting are: Cryptographically-signed kernel modules and - long awaited -
symlink and hardlink restrictions (already in Linux 3.6), but it brok
> > (...) so a good umask may be set there for init.
>
Hi, and a good setting for umask is? I know that it depends
on many things, but what do you think?
Cheers
Hi Thijs! Okay now everything is clear. Regards!
Hi,
Thank You, I should look there first (Security Tracker). But I see
that two of three CVEs are marked as 'vulnerable' for all branches;
stable, testing and unstable. Frankly, only the first CVE is fixed for Squeeze.
Is it normal?
Regards!
Hi,
I would like to inform about a new stack-based buffer overflow
vulnerability for MySQL. The following CVEs have been assigned
to track this MySQL vulnerability:
CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
CVE-20