Re: Where to install the firewall scripts

2002-12-15 Thread Tim Haynes
Nicolas Boullis <[EMAIL PROTECTED]> writes: [snip] >> # Drop spoofed packets >> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0 What about outgoing spoofed packets? They didn't get dropped in this script at all. It's only a selfish half-hearted firewall if all it does is to protect

Re: Intrusion Attempts

2002-12-10 Thread Tim Haynes
Matthias Hentges <[EMAIL PROTECTED]> writes: [snip] >> I've just explained over on comp.os.linux.security why portsentry is a >> lousy idea, but to summarize: >> >> a) "dynamic" means nothing when the packets shouldn't have permeated to >> user-space at all; >> >> b) risk of auto-DoS if someone

Re: Intrusion Attempts

2002-12-10 Thread Tim Haynes
Ariel Graneros <[EMAIL PROTECTED]> writes: > On Tue, 3 Dec 2002 21:19:28 EST [EMAIL PROTECTED] wrote: > >> Hi. Can you help me. Who do I report the above to. I have 2 firewalls >> running and tonight I was attacked from the same address 172 times in >> less than an hour. These people want banning

Re: test of non-subscribed user

2002-12-02 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes: > (Aside: I do that by having a line href="mailto:[EMAIL PROTECTED]"> in many web pages, and that > works excellently, this address is harvested and spammed, and when that > happens, the intention is that subsequent mail is stopped. This markup > may no

Re: "Latest libpcap & tcpdump sources from tcpdump.org contain a trojan"

2002-11-14 Thread Tim Haynes
Steve Suehring <[EMAIL PROTECTED]> writes: > You are correct insofar as it triggers at compile time for libpcap, the > configure script to be exact. I grabbed a copy of the trojan'ed libpcap > and compiled it in a sandbox machine. You can do a strings of the > compiled libpcap.a and grep for 1963.

Re: spam

2002-11-12 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes: >> Anyone got any HOWTOs for this with exim? :) > > Isn't this just about what Marc does with Exim and Spamassassin...? > http://marc.merlins.org/linux/exim/sa.html He's even got Exim-4 debs with > this stuff there. Or was it something else you had in mi

Re: spam

2002-11-12 Thread Tim Haynes
Vasarhelyi asd Daniel <[EMAIL PROTECTED]> writes: > I'm not sure what you want to do, but if you want to filter spam, you > shouldn't multiply it. Notifying target user and sending a copy to other > ppl is quite unnecessary and waste of bandwidth. Trying to notify the > sender may be unnecessary t

Re: AIDE Information Overload

2002-10-22 Thread Tim Haynes
[EMAIL PROTECTED] (Dion Mendel) writes: > I'm not providing an answer, but rather asking another question on this > topic. > > Which files do people exclude when using integrity checkers (e.g. > aide/tripwire etc)? > > Under normal system use, certain files do change (e.g. /etc/mtab, That does? M

Re: AIDE Information Overload

2002-10-22 Thread Tim Haynes
Arthur de Jong <[EMAIL PROTECTED]> writes: > On Tue, 22 Oct 2002, Kjetil Kjernsmo wrote: > >> I'd like to ask what people do with their AIDE output at times when a >> lot of things change on their system? >> >> I've gone through the AIDE configuration, and I feel like having >> configured it well,

Re: Having been open relay for a moment

2002-10-08 Thread Tim Haynes
Anton Zinoviev <[EMAIL PROTECTED]> writes: >1. The spammers continue attempts to use lml.bas.bg as a relay. As a >result exim generates about 50Mb log files per hour. How I can stop >exim from logging messages like " refused relay to ..."? Any patterns in the attackers? One of the

Re: Report on last cmd

2002-10-07 Thread Tim Haynes
Oi You two. Sort it out offline once and for all, will you? I've getting thoroughly pissed off with the debian-* mailing lists; a month or two ago d-secure was actively pro-spam, now there's nothing but off- topic crap. Makes me wonder why I bother reading it, looking for things to respond to, ma

Re: ssh upgrade problems (potato)

2002-09-27 Thread Tim Haynes
Simon Young <[EMAIL PROTECTED]> writes: > On Fri, Sep 27, 2002 at 10:10:16AM -0400, don wrote: >> >> if its a local machine you could dpkg --purg the old ssh then just do >> your install > > Yes indeed. > > I could do that, and it would probably work. In fact, this is most likely > what I'll end

Re: icmp: type-#69 (catched that bastard)

2002-09-15 Thread Tim Haynes
martin f krafft <[EMAIL PROTECTED]> writes: > also sprach Tim Haynes <[EMAIL PROTECTED]> [2002.09.15.1812 +0200]: >> I can't name one, but that doesn't say an awful lot. Googling for `ICMP >> "type 69"' doesn't lead to any obvious result

Re: icmp: type-#69 (catched that bastard)

2002-09-15 Thread Tim Haynes
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> writes: [snip] >> OK. Either we have asymmetric routing or that packet is spoofed from >> something that's really 17 hops away in order to get your network (hence >> the broadcast) to attack a box that's really 19 hops away. Or the box is >> emitting do

Re: icmp: type-#69 (catched that bastard)

2002-09-15 Thread Tim Haynes
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> writes: [snip] >> How many hops away is the supposed source if you traceroute to it and how >> does that compare to the 17 the above would imply? > > How did you work the 17 out? I assume that the box's OS is setting to the nearest power of two by defa

Re: icmp: type-#69 (catched that bastard)

2002-09-15 Thread Tim Haynes
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> writes: > On Sun, 15 Sep 2002, Tim Haynes wrote: > >> Could you include a complete `tcpdump -X' on one or two of the packets, >> maybe make a series of them available for download in libpcap form so I >> can oogl

Re: icmp: type-#69

2002-09-15 Thread Tim Haynes
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> writes: > I noticed (among the more common icmp: echo request) these odd icmp > types. The external net, my firewall is connected to, is plagued by > smurf-attacks from various sources. So I have tcpdump watching. > > Of what I gather, this icmp-type sh

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Tim Haynes
Wichert Akkerman <[EMAIL PROTECTED]> writes: > Previously Phillip Hofmeister wrote: >> I am using RedHat 7.3 with Apache 1.3.23. Someone used the >> program "bugtraq.c" to explore an modSSL buffer overflow to get access to >> a shell. The attack creates a file named "/tmp/.bugtraq.c" and compile

Re: Mail delivery errors...

2002-08-03 Thread Tim Haynes
Jussi Ekholm <[EMAIL PROTECTED]> writes: > I was just wondering if anyone else is getting this kind of mail delivery > errors from debian-security, although the mails still go through. I've > been getting at least three of these already: > > | Date: Sat, 3 Aug 2002 14:10:00 +0300 > | From: [EMAIL

Re: Spam handling (Re: Your Confirmation Required)

2002-07-18 Thread Tim Haynes
martin f krafft <[EMAIL PROTECTED]> writes: >> I'll stop automatically filtering when the rule is no longer being >> actively proven. >> >> No way is 15 spams in 24hrs acceptable. Deal with it. > > There's no point in bouncing to Razor2. go ahead and filter to /dev/null. > that's acceptable. I s

Re: Your Confirmation Required

2002-07-18 Thread Tim Haynes
Paolo Pedaletti <[EMAIL PROTECTED]> writes: > I have phoned to ALESSANDRO MARTINELLI (+39 06 93953072) from: > > whois Italyminutes.it > [snip] > his secretary has said that the server will shut down as soon as > possible and he is non resposible of this spam. > > If it will continue to spam I'll

Re: Didn't we have that whole spam discussion last week?

2002-07-18 Thread Tim Haynes
[EMAIL PROTECTED] writes: >> Alexander Thoma: >> > italyminutes.it -> *plonk* >> > >> > Who the f**k is readding the list to this sh*t ?!?!?!? >> >> I doubt anyone has readded the list :) It's just a spamming monkey that >> is spamming several debian lists, how about having some more active >> b

Re: Spam handling (Re: Your Confirmation Required)

2002-07-18 Thread Tim Haynes
martin f krafft <[EMAIL PROTECTED]> writes: > also sprach Tim Haynes <[EMAIL PROTECTED]> [2002.07.18.1241 +0200]: >> 3. I've added a procmail rule here locally so that all mails From: >>.*italy.*minute get automatically reported to Razor2. > > Could yo

Re: Spam handling (Re: Your Confirmation Required)

2002-07-18 Thread Tim Haynes
Rad0s-³aw Gajewski <[EMAIL PROTECTED]> writes: > 1. Tim Haynes is an idiot that doesn't know that normal action > for confirmation required is (if not SHOULD BE) replying an > e-mail, and how is it that i got this confirmation message from > your list?? How you (un)su

Spam handling (Re: Your Confirmation Required)

2002-07-18 Thread Tim Haynes
Three things: 1. Rad0s-?aw is an idiot for pasting the whole spam email again; 2. these things should be blocked at source within debian, as someone suggested *yesterday*; 3. I've added a procmail rule here locally so that all mails From: .*italy.*minute get automatically reported to Razor

Re: Good Day -- RR and rbl

2002-07-02 Thread Tim Haynes
Phillip Hofmeister <[EMAIL PROTECTED]> writes: > On Tue, Jul 02, 2002 at 02:29:22PM -0500, John Goerzen wrote: > >> No, it's a perfectly valid reason. Just because other admins do not >> perfectly mirror your opinions does not mean that they are stupid. Not >> only that, but there are a number of

Re: Good Day

2002-07-02 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: > I don't agree with the policy of rejecting mail due to a lack of a > reverse DNS entry. However, rfc-ignorant.org runs several nice > blacklists, including ip-whois, which I subscribe to. This blacklist > contains netblocks for which no valid whois

Re: [d-security] Re: DSA-134-1

2002-06-27 Thread Tim Haynes
Wichert Akkerman <[EMAIL PROTECTED]> writes: > Previously Christian Hammers wrote: > > > Don't be too hard to him, if he'd pointed out that only default BSD is > > vulnerable it would not have been too hard to find the exploit before > > everybody had updated. > > He could have mentioned ssh prot

Re: PermitRootLogin enabled by default

2002-06-27 Thread Tim Haynes
John Galt <[EMAIL PROTECTED]> writes: > that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was > using standard security practice at that point, it's just for > convenience's sake, the user had a few things screened, including a > rootshell, probably because of the traditional Co

Re: PermitRootLogin enabled by default

2002-06-26 Thread Tim Haynes
Sebastian Rittau <[EMAIL PROTECTED]> writes: > On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote: > > > IMHO, we'd better set it to no. I always thought it was much better. Is > > there any landscape in which you may want to allow direct root login to > > your host? >

Re: changing umask

2002-06-07 Thread Tim Haynes
Julián Muñoz <[EMAIL PROTECTED]> writes: > I would like to know if changing default umask to 077 in /etc/profile > will cause me problem to install and update new packages. > > Or then, must I go back to 022 ? > > I see no reference to umask in the packaging how-to. So in general, the > permissi

Re: Things to watch on my server

2002-06-07 Thread Tim Haynes
"vdongen" <[EMAIL PROTECTED]> writes: > You could run logcheck, which instead of reading the logs mails you > entries that are "unusual" or "attempted break ins" OK, my thoughts: a) use syslog-ng to filter firewall events into a separate firewall.log; b) use fwlogwatch to generate HTML tables of

Re: secure file transfer (again)

2002-06-06 Thread Tim Haynes
Alf B Lervåg <[EMAIL PROTECTED]> writes: > ssh is already up and running on the servers, so I'm figuring that the > sftp server shouldn't be too hard to get running. Problem is making > things easy to use for our students. (Guess this falls in under the sftp > client question.) | zsh/scr 11:36A

Re: Uh-oh. Cracked allready. I think...

2002-05-27 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes: > >The fact they don't show up when you do a local scan confirms this. > >These services aren't running on your machine. > > So, what you're saying is that all this alarm is for no good reason...? > There has been no l337 h4X0rz trying to get into my bo

Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes: > On 24 May 2002, Tim Haynes wrote: > > >Unfortunately, the only way to examine all the files on the disk/s is to > >reboot the box off clean r/o media (read: rescue CD), mount them r/o, > >and examine them by hand.

Re: Uh-oh. Cracked allready. I think...

2002-05-24 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes: > Thanks for all the responses. > > I realize it's pretty bold trying put a box on the net without having > extensive admin experience beforehand. But I think I'm learning fast, and > I hope I'll be able to do it without placing any burden on the rest o

Re: Uh-oh. Cracked allready. I think...

2002-05-23 Thread Tim Haynes
Kjetil Kjernsmo <[EMAIL PROTECTED]> writes: > To address this first: It is the gnutella server that causes alarm, so is > there anything I could have done that would install gnutella but escape > my attention? I certainly never did apt-get install gnutella (I tried > apt-get remove gnutella yester

Re: What this named log means?

2002-05-15 Thread Tim Haynes
César Augusto Seronni Filho <[EMAIL PROTECTED]> writes: > this messages happened on my messages file: > > named[487]: lame server on '146.73.163.200.in-addr.arpa' (in > '73.163.200.in-add.arpa'?): 200.199.252.68#53 > > what this lame server means?

Re: Iptables config

2002-04-12 Thread Tim Haynes
Laurent Luyckx <[EMAIL PROTECTED]> writes: [snip] > > i get "cant conect to smtp service" when trying to mail > > try by rejecting port 113 requests with : > > iptables -I INPUT -p tcp -s 0/0 --dport 113 -i eth0 -j REJECT If you're going to use -j REJECT for a TCP packet, you really ought to u

Re: Big ICMP with don't Fragment bit

2002-04-11 Thread Tim Haynes
Thorsten Kruschel <[EMAIL PROTECTED]> writes: > has anybody an Idea how to create an ICMP Packet with size of 1500 and > don't Fragment bit set? Or how to filter such Packets generally with > IPChains? > > I've the Problem, that a Maschine cancels the external connection some > times. No entrys i

Re: A question about some network services

2002-04-04 Thread Tim Haynes
Anne Carasik <[EMAIL PROTECTED]> writes: >> The question of what to do with these ports comes up every once in a >> while on this list. Some people prefer to leave them on, others turn >> them off. I don't think there's ever been an exploit that involves these >> ports, as the code is quite simple

Re: Unusual logging

2002-03-21 Thread Tim Haynes
[EMAIL PROTECTED] writes: > Packet log: input DENY eth0 PROTO=1 yyy.y.yy.yy:3 xxx.xx.xxx.xxx:13 L=56 > S=0x00 I=29688 F=0x T=244 (#30) > > It's the :13 part that I found unusual, A little research has revealed > that it may be an attempt to fingerprint our system to see what is > available. I

Re: IP chains logs to console

2002-03-12 Thread Tim Haynes
[EMAIL PROTECTED] writes: [snip] > and set user = root group = adm on the file and the DENY messages are > still logged to disk and the console. I've got plenty of disk space. > > I found two threads via Google (June '02 and Sept. '02) where people were > having the same problem, but neither thre

Re: Stupid Question - Proxy Internals

2002-03-06 Thread Tim Haynes
Josh Frick <[EMAIL PROTECTED]> writes: [snip] >>Something to be aware of is that having two firewalls of the same flavour >>will not buy you any more security. If a crack/exploit works on one then >>it will work on the other. Try replacing one of them with another OS and >>firewall solution. > > E

Re: webhosting

2002-02-26 Thread Tim Haynes
Sven Hoexter <[EMAIL PROTECTED]> writes: [snip] >> I'm still under the impression that it's quite possible to do a >> reasonably secure bind install. Bind9 has some nice security-related >> features, and a completely rewritten codebase (as opposed to bind8). I'm >> not sure what insecurities you'd

Re: root's home world readable (part 24 of 24)

2002-02-14 Thread Tim Haynes
Unusual System Events =-=-=-=-=-=-=-=-=-=-= Feb 1 04:58:15 sunbird uservd[19110]: call connected Feb 1 04:58:15 sunbird uservd/check[19109]: uservd[535] is running Feb 1 04:58:15 sunbird uservd[19110]: call connected Feb 1 04:58:15 sunbird uservd/check[19109]: uservd[535] is running >From ro

Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Tim Haynes
Brandon High <[EMAIL PROTECTED]> writes: >> >> should I open(accept) or close(deny, perhaps reject?) the port 113??? >> > >> >I've got it closed on my machines. I don't know what you might need it >> >for. >> >> We've been through at least once, haven't we? *sigh* Obligatory link:

Re: These 'roots' are bugging me.

2002-01-30 Thread Tim Haynes
Steve Mickeler <[EMAIL PROTECTED]> writes: > Its neither a debian or linux problem. > > ports below 1024 are priviledged ports which can only be bound to by the > super user. > > just like apache starts as root, but then spawns child processes as a non > root user, the same thing is done with bind

Re: root's home world readable

2002-01-21 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote: > > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that >> > case? Clearly there are individual files that you don'

Re: root's home world readable

2002-01-21 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: >> I have changed /root to 0700 on all my installations because I am running >> mysql server. It hasn't broken anything. > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that > case? Clearly there are individual files that you do

Re: FTP Bounce scan

2002-01-20 Thread Tim Haynes
Dries Kimpe <[EMAIL PROTECTED]> writes: > Today, I saw in the snort logs the following: > (removed ip & date to get it in 78-col format) > > 193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS > 193.189.224.13:42940 -> ip:113 SYN 12S* RESERVEDBITS > 193.189.224.13:42941 -> ip:58154 U

Re: [2] Mailserver HDD organization

2002-01-19 Thread Tim Haynes
[EMAIL PROTECTED] writes: > now i have tried postfix and exim and i like both. But wich is more > secure? any body some knowledge about that? [snip] I thought both had had security-related fixes recently. Find one that you like more than the other, benchmark it yourself, test how readily you can

Re: udp 32768

2002-01-15 Thread Tim Haynes
Jeff Teitel <[EMAIL PROTECTED]> writes: > When I do a 'netstat -l' I get (among a bunch of stuff that looks OK): > > mail:# netstat -l > Active Internet connections (only servers) > Proto Recv-Q Send-Q Local Address Foreign AddressState > udp0 0 *:32768

Re: [Deb-SEC]oddball ssh remote passwd question

2002-01-15 Thread Tim Haynes
David Ehle <[EMAIL PROTECTED]> writes: > Hello all, > if you do: > ssh [EMAIL PROTECTED] password What is `password'? > ssh will have you authenticate to host, and then bring up the password > change prompt > (current) UNIX password: > on the remote machine. > > BUT when you start typing, the

Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Tim Haynes
Colin Phipps <[EMAIL PROTECTED]> writes: > On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote: > > "...it took the Debian Security Team an average of 35 days to fix >> security-related vulnerabilites." >> >> An average based upon a very long tail is highly misleading. Please >> quote the

Re: default security

2002-01-15 Thread Tim Haynes
Tarjei <[EMAIL PROTECTED]> writes: > Hmm. Here's a suggestion. > > - This idea is based on the asumtion that espesially serversystems need > good security. *All* installed boxes need adequate securing. Linux worms would not propagate if it weren't for a critical mass of idiots running unpatched d

Re: default security

2002-01-15 Thread Tim Haynes
Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes: > On Tue, Jan 15, 2002 at 10:21:00AM +0100, Tarjei wrote: > > > >> > >> >I recall there being discussion a while back about packaging chroot >> >bind. I don't know whether or not anything came of it at all. There is >> > >> Debian being

Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: > On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote: > > So perhaps Debian security is only as good as the package maintainers? >> I'm sure most maintainers do care and do investigate bugs I probably >> just had a bad experience. > > That

Re: Don't panic (ssh)

2002-01-14 Thread Tim Haynes
"Craigsc" <[EMAIL PROTECTED]> writes: > How do you disable ssh1 protocol with the current > ssh on potato ?> I don't think you have to. See . Or have I really been so asleep as not to notice a major "thou shalt not use ssh1 even though we applied all

Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
Adam Warner <[EMAIL PROTECTED]> writes: > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB > > Someone with better knowledge of all the facts might want to comment on > the claim that "Debian is always the last to fix security holes" and the > tag team follow up "I've been fi

Re: Exim mail

2001-12-15 Thread Tim Haynes
[EMAIL PROTECTED] (Brian P. Flaherty) writes: > Josh <[EMAIL PROTECTED]> writes: > > > hmmm, im a bit of a newbie here, but how do you bind a > > daemon, eg telnetd to a certain nic? > > Try running xinetd, if you aren't already. In each service block, you can > use the 'bind' option, which ties
