On Sat, Mar 30, 2002 at 10:24:28PM -0500, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like
Hi Folks,
I wrote a simple step by step howto to help people to setup bind8
chrooted in Debian Potato.
Check it at http://people.debian.org/~pzn/howto/chroot-bind.sh.txt
If you have some comments, please send them to me, so I can improve
the howto. If you don't think the comments will b
Hi,
Which is the best way to create a POP only account? just change the
last field in /etc/passwd to /bin/false?
I want that the user will not be able to do anything on the machine
but retrieving mail.
I will enable APOP in qpopper or use some ssl wrapper for POP3, will
disable the plain
Hi,
ssh in potato is set to always try to use reverse DNS lookup. If the
client is not registered in the DNS server, then it gets an answer:
"ssh_exchange_identification: Connection closed by remote host"
I've looked in "man sshd" and "man ssh" and I didn't see any
configuration option whic
On Thu, Dec 27, 2001 at 05:16:16PM +, Merlin wrote:
> On Thursday 27 December 2001 16:46, Benjamin Smith wrote:
> >
> > Because that doesn't solve the original problem of the password being
> > visible on the command line. The environment and the stdin were two
> > suggested ways of passing the
On Thu, Dec 27, 2001 at 02:11:42PM -0200, Pedro Zorzenon Neto wrote:
>
> $tmp=`umask 177; tempfile`;
> fopen (PASS,">$tmp");
> print PASS $password;
> fclose PASS;
> `cat $tmp | myprogram enable $user $ip; rm -f $tmp`;
sorry...
open (PASS,"| my
On Thu, Dec 27, 2001 at 04:46:45PM +0100, David Flatz wrote:
> Pedro Zorzenon Neto said:
> > $ PASS="password" myprogram enable username IP
> >
> > then "myprogram" will read the PASS from the environment.
> > is there anyway a regul
Hi Friends,
I am developing a software to provide access control to users of a
network.
The gateway has ipchains rules to DENY packets from all 192.168.0.0/16
hosts to the 0.0.0.0/0 world.
If the user (a regular user, not root) does:
$ myprogram enable username password IP
the pr
On Tue, Dec 11, 2001 at 01:46:11PM +0900, Olaf Meeuwissen wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Olaf Meeuwissen <[EMAIL PROTECTED]> wrote:
>
> > I'm maintaining a (small-time) group server for our department. In
> > order to satisfy company policy requirements I need to
On Sat, Sep 01, 2001 at 01:32:55AM -0500, Steven Barker wrote:
> I don't blame you for being mad. I do blame you for ranting obscenely in
> reply to every message. You may get 50 messages from this list, but 35 of
> them are from you. Please stop flaming everyone and unsubscribe yourself.
I also
On Sun, Jul 29, 2001 at 02:13:17PM -0600, Moe Harley wrote:
> Thought I'd ask what the general opinion is on the most secure pop3 daemon.
> I need to install a pop3 daemon on my debian machine, but I wanted to get a
> good idea from you guys on which one to install.
Hi Moe,
All POP3 services are
On Fri, Jul 20, 2001 at 12:42:13PM +0100, David Wright wrote:
> Do you mean this package?
>
> "Programmer for Atmel AVR microcontrolers that uses PC parallel port
Yes.
> If so, I'm not sure why you think it needs to be setuid. Just
> chgrp somegroup /dev/lp0 (or whichever port) and put yourself
Hi list,
I wrote a program that needs to run setuid root due to direct hardware
access (Package: avrprog).
This program needs to read data from a file and also write to other file.
I could use some options like this:
$ avrprog -i input.data -o output.data
But I chose to use
Hi folks,
Suppose I trust ultimately in my 192.168.1.x users.
To the outside world the only service 'nmap' shows opened is tcp port 22 -> ssh.
So, if 'ssh' has some security bug, people can use this bug to explore my
system. That I know is true.
Now, what I'd like to know...
Is there any way o
body.
Pedro
On Thu, Jun 07, 2001 at 06:57:18PM -0300, Pedro Zorzenon Neto wrote:
> Hi list,
>
>I created a directory /home/pzn/private/ and chmod it go-rwx to put my
> private things.
>Then nobody can see the contents and files of this directory, right? I've
> be
pzn 4096 Mai 16 09:54 private
...
$ locate private | grep "/home/pzn/private"
the whole contents of my private dir suddenly appears here...
Why doesn't locate/updatedb saves the permissions?
Thanks in advance,
Pedro
--
Pedro
On Fri, Jun 01, 2001 at 09:21:19AM +0200, Philipp Schulte wrote:
> I was thinking of bad memory that might cause this behaviour.
Helping about checking memory:
Install package 'hwtools'
Put a blank, formatted floppy disk in /dev/fd0 (or fd1)
# cp usr/lib/hwtools/memtest86.bin /dev/fd0
Rebo
On Tue, May 29, 2001 at 12:07:47PM +0100, Tim Haynes wrote:
> sudo netstat -plan | grep LIST
just a small note: if your LC environment variables are set to other language,
you may need to change LIST for other word. (in pt_BR is OUÇA)
--
Pedro Zorzenon Neto &l
the user of the Trojan altered the port it uses.
>
> Nick Nanos
>
> - -----Original Message-
> From: Pedro Zorzenon Neto [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 11, 2001 10:07 AM
> To: debian-security@lists.debian.org
> Subject: ipchains log (62459 UDP port
Hi,
I'd like to know to which service these packets belong. I got it from ipchains
kernel log in my machine:
Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000 T=240 (#12)
Apr 11 12:43:22 milho kernel: Packet
I'd say to block all the ports you don't need to be available to the world.
Just leave opened the essential ports you need to provide services.
Try nmap to see your opened ports.
On Thu, Apr 05, 2001 at 12:57:24PM -0700, Brandon High wrote:
> Does anyone have a recommendation of ports that should
Hi all,
I have a computer with potato that is a gateway for my intranet. It has real
IP, while the intranet has 192.168.1.x IP's.
Several services are running on it but I'd like only ssh, ntp and https to be
available to the outside world.
So, I thought this ipchains rules could help:
Chain in
e's account information in one
> location, and share it across the machines.
>
> -rishi
>
> On Mon, 19 Mar 2001, Pedro Zorzenon Neto wrote:
>
> > Hi,
> >
> > I'd like anyone to be able to use the local keyboard of some machines to
> > telnet/ssh t
Hi,
I'd like anyone to be able to use the local keyboard of some machines to
telnet/ssh to any other machine and use their account on the other machine.
A simple solution would be create one account for user "anyone" without
password and restrict its login with rbash to use just telnet/ssh
Hi Steve,
About sending plain text password and files with telnet and ftp:
uninstall your 'telnetd' and 'ftp server' and install 'ssh'
ssh is real secure and has two useful commands:
'ssh' is a substitute for telnet
and 'scp' is not the same thing, but substitutes ftp with some advan
Hi Duane,
from 'man ssh' you can find some answer:
As a third authentication method, ssh supports RSA based authentication.
The scheme is based on public-key cryptography: there are cryptosystems
where encryption and decryption are done using separate keys, and it is
not possi
doc for doing this.
>
> --Henry
>
> On Tue, 2 Jan 2001, Pedro Zorzenon Neto wrote:
>
> > On Tue, Jan 02, 2001 at 10:20:26AM -0800, Tom Marshall wrote:
> > > Can you use FTP to put precompiled ssh and scp binaries on the machine?
> > > $HOME/bin is usually a good
On Tue, Jan 02, 2001 at 10:20:26AM -0800, Tom Marshall wrote:
> Can you use FTP to put precompiled ssh and scp binaries on the machine?
> $HOME/bin is usually a good place. I've done this before with some success.
>
> ---
> The most effective Windows NT remote management tool? A car.
>
The remot
> Another idea would be to use a small perl client/server model with
> Crypt::CBC and IDEA...
To use perl is a good idea.
I could create a perl script that encrypts the files with a public key and
send them to me by e-mail. So, I can put it in cron and receive the files
periodically.
Some h
Hi all,
Happy New Year!
I have some database files on a remote computer that I'd like to transfer to home,
and I need to send them encrypted.
I know how to use gnupg and scp and they would work fine, but the other computer
doesn't have them installed. I sent an email to root@remote_compu
I forgot one thing about all this...
All about the restricted bash could be useless if you forget to
lock the ftp account of the restricted users.
You can avoid them to edit and create shell scripts inside their
telnet session, but if you forget to lock their ftp session ...
they could p
Francois Cerbelle wrote:
> Le Wed, Nov 15, 2000 at 12:59:44PM -0200, Pedro Zorzenon Neto ecrit :
> >I changed in /etc/passwd
> > home directory of my restricted users to: /usr/local/bin/restricted
> > users's shell to: /bin/rbash
> >And created .bashrc .
d- s:+ a16 C++()>$ UL>$ P--- L++>++$ E+ W+(-) N+ o? K? w---()
> !O !M !V PS+(++)>+ PE-(--) Y+>+ PGP t+>++ !5 X-- R>++ tv(+) b+(++) DI(+) D++
> G>+++ e--> h! !r y>+++
> --END GEEK CODE BLOCK--
>
> On Tue, 14 Nov 2000, Jochen Striepe wrot
Hi, all
I put /bin/rbash as the default shell (in /etc/passwd) for some users that
I just want them to use a restricted login.
When the user logs in, rbash is being executed and the restricted login is
working well. But, if the user executes 'bash', everything becomes unrestricted.
How can
is no
> show-password option specified.
>
> su to root, then try:
> cd /etc/ppp
> egrep -r "\-password" .
>
> to find any relevant settings.
>
> HTH.
>
> -chet
>
> -
> yet he has sorcery
>
> On Fri, 3 Nov 2000, Pedro Zorzenon
On Fri, Nov 03, 2000 at 04:50:27PM +1100, Ian wrote:
> Hi,
>
> I have a slink->potato->woody server, and I am a little concerned about the
> permissions some of the log files in /var/log have.
>
> There are too many to list, but here are some:
> -rw-r--r--1 root root 8232348 Nov 3
71 matches