ruption helping an attacker occurs.
I agree. If you are looking for this kind of security, your best bet
is to set the immutable bit on all of your system files. That will
ensure that only a reboot in single user mode will allow these files
to be changed. (Make sure you set immutable the system b
0 *:www *:* LISTEN
> ...
>
> Where does one go from here?
It involves link removal, but if you remove all of the thttpd links in
/etc/rc?.d except one K link (doesn't matter which one), thttpd will
not start even if you upgrade the package.
--
Ted Cabeen
Sr. Systems/Network Administrator
Impulse Internet Services
l link. That way the update-rc.d
script will know that the program has already been installed and will
not change anything. When you remove all of the links, it has no way
of knowing that the program was already installed and the admin
removed the links, so it restores them all.
--
Ted Cabeen
Syst
odules/mod_tls.html
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
--
Ted Cabeen
Systems/Network Administrator
Impulse Internet Services
running a version of ssh
with security patches backported and aren't vulnerable to the known
exploits against OpenSSH 3.4 and the like.
Still, the Debian part of the version string should be user-customizable.
--
Ted Cabeen
Systems/Network Administrator
Impulse Internet Services
could snoop on other users' scripts, session
>> >files, etc.
>> >
>> >Something like:
>> >
>>
>> I suggest you look up the suEXEC Apache module, it seems to do exactly
>> what you want.
>
>
.0.X), but spamassassin needs perl
>>5.6
Spamassassin doesn't require 5.6. I'm running it with 5.005 right now.
- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
In message <[EMAIL PROTECTED]>, Tim van Erven writes:
>On Sun, Dec 08, 2002 at 12:29:09PM -0200, Henrique de Moraes Holschuh ian.org> wrote:
>> On Sat, 07 Dec 2002, Tim van Erven wrote:
>>> Inspired by a recent thread on this list I decided to set up a
>>> mailserver with pop3 access over ssl. It's
little bit of overkill for a small site, but all in all, it's a fine
recommendation. If we disregarded software that has had problems in the
past, sendmail would be dead and buried by now.
- --
Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROTECTED]
Check Websi
rs because they are adding features instead of
standing still. However, the underlying design concepts of qmail are quite
solid, which is why postfix uses a similar architecture.
That said, they're both very good mail servers, just with slightly different
focuses.
- --
Ted Cabeen
y useful for this kind of thing.
http://www.abuse.net/howwork.html
- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I have taken all knowledge to be my province."
broadcast packets. If you want to be excessively paranoid,
you'll want a rule that re-assembles any fragments. I have a I85fragments.rul
file that does this. Here's the relevant line:
$IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -f
- --
Ted Cabeen http://www.pobox.com/~se
he data, and
may allow the connection to get through the firewall. Of course, this will
break any users that are also behind a firewall, but it's very difficult to
run ftp between two machines that are protected by a firewall, unless one of
the machines' firewall is really smart WRT ftp
In message <[EMAIL PROTECTED]>, Petro writes:
>On Wed, Feb 13, 2002 at 09:39:02PM -0800, Ted Cabeen wrote:
>> You shouldn't use the update-rc.d script to remove init.d scripts. If
In message <[EMAIL PROTECTED]>, Stefan Srdic writes:
> My system is my desktop and my server. The machine is
>connected to the internet and I use my own IPTables script to protect my
>network.
>
>I've used the update-rc.d script to remove the inetd init scripts from all
>runlevels. But, I still
In message <[EMAIL PROTECTED]>, John Galt writes:
>That still works? I thought mail-abuse.org was going subscription...
Yeah, they went subscription, but they provide that as a service to the
net. It checks the machine you telnet from, so it's not really subject to
much abuse.
>>You can telnet
obably be set to off. A debconf question of
"low" priority would probably also be a good thing.
- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I h
desktop images. If you run xscreensaver-demo, it's in the options tab.
From my brief look, none of the xlockmore modes grab the screen.
- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0
y off-topic, but FYI, you can download a nightly snapshot
of your complete CVS repository from sourceforge at the following URL:
http://cvs.sourceforge.net/cvstarballs/projectname-cvsroot.tar.gz
- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website
things so that the links are as you say.
>
>When you say: leave one kill link; Do you just leave the kill link in
>rc6.d or do you put a kill link in every one of rc1.d - rc6.d, or
>doesn't it matter so long as there is at least one.
It doesn't matter as long as there is at l
n at
the next reboot. The correct way to turn off a service is to remove all of
the links except for one Kill link. That way the service won't start and
won't be restarted when the service is upgraded.
- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROT
tc/ipmasq/rules/I15lospoof.def. It also
blocks and logs packets coming from external interfaces claiming to be from an
internal address in the /etc/ipmasq/rules/I70masq.def file. The ipmasq
firewall is very careful about blocking these sorts of attacks. The only
change I make to its default operation is to lo
In message <[EMAIL PROTECTED]>, Wichert Akkerman writes:
>Previously Ted Cabeen wrote:
>> However, thinking about it, this doesn't work. If you're editing as root, you
>> ca
In message <[EMAIL PROTECTED]>, Ted Cabeen writes:
>In message <[EMAIL PROTECTED]>, Mike Renfro writes:
>>> A lazy sysadmin, not thinking through the ramifications, might put
>
>and it looks like nvi still supports the secure options mentioned
>there.
Vim also supports something similar, either by prepending r to the executable
name (rvim) or adding the -Z flag.
- --
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Web
fix security bugs in stable rather than upgrade to a newer version. That
could be confusing your sysadmin. The CRC bug was patched in debian as of
ssh version 1.2.3-9.2. You can look at the changelog in
/usr/share/doc/ssh/changelog.Debian.gz for specific information.
--
Ted Cabeen
GA+ 80x25
>Oct 1 08:07:50 taurus kernel: Calibrating delay loop... 198.66 BogoMIPS
>Oct 1 08:07:50 taurus kernel: Memory: 47272k/49152k available (744k kernel
>code, 412k reserved, 684k data, 40k init)
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
etbase
dependency on netkit-inetd, but I can't really seem to tell why. I've looked
at his posts on debian-devel and in the BTS, but I haven't found a good
justification for the dependency yet. If anyone does know Anthony's reasons,
I'd like to hear them.
--
Ted Cabeen
In message <[EMAIL PROTECTED]>, Quietman writes:
>On Tue, Jun 19, 2001 at 01:25:17PM -0500, Ted Cabeen wrote:
>> >It's true that uninstalling it (in potato, anyway) is not worth all the
>> >effort. But you can definitely disable it. I have "K20inetd"
y well understood by now.
>
>It's true that uninstalling it (in potato, anyway) is not worth all the
>effort. But you can definitely disable it. I have "K20inetd" links in
>all my /etc/rc?.d directories where I don't want to run inetd.
Unfortunately, you ca
dating daily. :)
They don't. If you leave any /etc/rc?.d links in place (I use a harmless K??
link), then any upgrade of that package will never re-enable the service.
Check out the man page for update-rc.d for more information. I think
update-inetd has a similar functionality.
--
T
proliferation rather than have a drastic change to policy. This combination
of ease-of-use with the eternal vigilance of the security team is what gives
debian the enviable reputation of security and ease-of-use that it has today.
--
Ted Cabeen http://www.pobox.com/~secabeen [
In message <[EMAIL PROTECTED]>, Christian Hammers writes:
>Hello
>
>> >"is debian protected before connecting from remote hosts to address
>> >127.0.0.0/8 ?"
>
>On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
>> Ummm, the kernel
In message <[EMAIL PROTECTED]>, Jim Breton writes:
>On Fri, Mar 09, 2001 at 10:09:13PM -0600, Ted Cabeen wrote:
>> Actually we trap illegal packets like this one in I15lospoof.def.
>>
>> :#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
>&
NAL; do
$IPFWADM -I -a deny -W $i -S 127.0.0.1/255.0.0.0 -o
done
fi
;;
ipchains)
$IPCHAINS -A input -j DENY -i ! lo -s 127.0.0.1/255.0.0.0 -l
;;
netfilter)
$IPTABLES -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
;;
esac
Although there is a final deny rule, thi
s best if you have a whole partition to copy. However,
it's much faster than the cpio/tar approach. cpio and tar are good for
piping through ssh. :)
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EM
y lawyer about this)
This isn't a problem with an easy technical solution. Policy is the way to
go here.
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I have taken all knowledge to
re any?
>
>no. there are none. and won't be
Is this official policy? If so, what should I do with the mirror I run here
at the UofC? (I can lock it to local users only, like the non-US tree)
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Web
to get anything.
>
>Is security.debian.org mirrored anywhere?
Yup. debian.uchicago.edu/debian-security updated last night cleanly. Enjoy!
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I
wire? I use bzip2 for
compression, which helps somewhat, but I still have to cut out way too much.
I really should get that remote tripwire system setup.
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or finger for PGP/GPG Public Key [EMAIL
orted
>by glibc (and, thus, PAM) is 128 bytes long.
Are the MD5 passwords affected by the max=8 setting in the pam.d/passwd
entry, or does it ignore them?
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or finger for PGP Public Key[EMAIL P