Execute binaries from an encrypted file system

2002-11-23 Thread Haim Ashkenazi
Hi This problem has happened to me on both RedHat and Mandrake (sorry... :) ) so I guess it's not distribution specific but a common one. I'm going to set it now in woody and I want to know if I can solve this (or is it a "feature"). When making an encrypted file system (AES on both occasion) eve

RE: Execute binaries from an encrypted file system [SOLVED]

2002-11-25 Thread Haim Ashkenazi
Thanx, you gave me the idea to solve this. I forgot that I've added the user option in '/etc/fstab' (stupid me). "user" implies noexec, so you have to add exec after the user option. Bye On Mon, 2002-11-25 at 14:32, DEFFONTAINES Vincent wrote: > > From: Haim Ash

Need an advise about isolating a host in the DMZ

2002-12-18 Thread Haim Ashkenazi
Hi I have a host in my DMZ that has both anonymous ftp and pop3 ports open (this can't be changed). since I really don't trust this setup, I was thinking about ways to isolate this host so no one who break to this computer, can access other computers on the DMZ (although other computers should be

Re: Need an advise about isolating a host in the DMZ

2002-12-19 Thread Haim Ashkenazi
On Wed, 2002-12-18 at 15:11, Blars Blarson wrote: > In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes: > >create a second DMZ, but that would cost me the lost of three ip's, so > >I'm trying to figure out ways to isolate him without putting it in > >another subnet. > > There's no need to use

Re: Need an advise about isolating a host in the DMZ

2002-12-19 Thread Haim Ashkenazi
Thanx, everybody. As always you've been a great help :) Bye -- Haim

Re: Need an advise about isolating a host in the DMZ

2002-12-21 Thread Haim Ashkenazi
On Sat, 2002-12-21 at 13:24, Glen Mehn wrote: > Nick Boyce wrote: > > > > pureftpd rocks. It's built to support most of the ftp commands, and has > super simple configuration. Actually I've already selected vsftpd. since I only need it for anonymous ftp (it's going to be a mirror for GNU, sunfreew

cluster on firewall?

2003-02-05 Thread Haim Ashkenazi
Hi I have setup a firewall with 4 legs as follows: * One leg goes to the router (cisco). * Second leg goes to a switch connected to the internal network (10.20...). * The third and fourth legs are both for the dmz. one goes to a switch with many dmz host

Re: cluster on firewall? (thanx)

2003-02-06 Thread Haim Ashkenazi
thanx everybody, there are some interesting links here. Bye -- Haim

Re: cluster on firewall? (thanx, again)

2003-02-08 Thread Haim Ashkenazi
wow, that's a lot of reading stuff... thanx, again -- Haim

OT: Is it so easy to break into an NIS?

2003-03-18 Thread Haim Ashkenazi
Hi A friend just asked me this question and I got curious. say I'm equipped with a linux laptop and some knowledge, I can walk into a company that uses NIS, find out the settings (NISDOMAIN, free ip address, etc...) and join their domain. now I can login as root on my computer, su to any user a

Re: OT: Is it so easy to break into an NIS?

2003-03-20 Thread Haim Ashkenazi
Thanx for the input everybody, I think that from now on I will at least recommend to my clients about using ldap instead. Bye -- Haim

looking for a good source to start learning about kerberos

2003-03-20 Thread Haim Ashkenazi
Hi After reading the responses for my email about NIS security, I was convinced that it's time to learn about ldap w/kerberos. In the ldap-howto's I've read there were references to kerberos by MIT and Heimdal. looking in my aptitude list I saw a lot of packages with different versions of kerbe

Re: looking for a good source to start learning about kerberos (thanx)

2003-03-20 Thread Haim Ashkenazi
that's a start. thanx Bye -- Haim

Re: iptables route

2003-03-22 Thread Haim Ashkenazi
On Sat, 22 Mar 2003 06:24:02 -0300 Eduardo Rocha Costa <[EMAIL PROTECTED]> wrote: > Hi, first of all sorry my poor English I'll try my best. > > I have the following scheme in my lab: > > INTERNET --- firewall --- local network > > I have real ip's for all computers in the lab, so I don't need

Re: Re[2]: Chkrootkit

2003-04-24 Thread Haim Ashkenazi
On Thu, 24 Apr 2003 19:32:01 +0200 Kay-Michael Voit <[EMAIL PROTECTED]> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: MD5 > > DCE> for (1) I guess you can put the binaries in a read-only medium > DCE> and run them from there, like a CD-ROM or a write-protected > DCE> floppy/flash-medium. >

Does anybody knows of this security problem in the kernel?

2003-05-16 Thread Haim Ashkenazi
Hi Does anybody knows about this?, http://www.secunia.com/advisories/8786/ Bye -- Haim

Re: Does anybody knows of this security problem in the kernel?

2003-05-16 Thread Haim Ashkenazi
On Fri, 16 May 2003 15:54:57 +0200 Adam ENDRODI <[EMAIL PROTECTED]> wrote: > On Fri, May 16, 2003 at 01:04:09PM +0300, Haim Ashkenazi wrote: > > > > Does anybody knows about this?, > > http://www.secunia.com/advisories/8786/ > > It has been fixed for two weeks

Re: Does anybody knows of this security problem in the kernel?

2003-05-16 Thread Haim Ashkenazi
On Fri, 16 May 2003 17:53:08 +0200 Adam ENDRODI <[EMAIL PROTECTED]> wrote: > On Fri, May 16, 2003 at 05:35:37PM +0300, Haim Ashkenazi wrote: > > On Fri, 16 May 2003 15:54:57 +0200 > > Adam ENDRODI <[EMAIL PROTECTED]> wrote: > > > > > On Fri, May 16, 2003

Re: Firewall with iptables and forwarding

2003-06-29 Thread Haim Ashkenazi
On Friday 27 June 2003 05:48, Linux wrote: > My problem is that I don't know HOW I should put in the various rules in > ipmasq => Which makes me look for something simpler or some examples or > tips. > > What I want to do is open up for incoming mail and http to be able to > access my mailserver a

proxy/firewall question

2003-09-25 Thread Haim Ashkenazi
Hi I've read an article about FreeBSD which made me read some parts of the FreeBSD documentation. in the firewall section there is a short description about proxy firewalls. I've made some more searching and found a "free" product called "TIS" which provide this functionality (which I thought was

question about proxy firewall

2003-09-25 Thread Haim Ashkenazi
Hi I've read an article about FreeBSD which made me read some parts of the FreeBSD documentation. in the firewall section there is a short description about proxy firewalls. I've made some more searching and found a "free" product called "TIS" which provide this functionality (which I thought was

Re: question about proxy firewall

2003-09-26 Thread Haim Ashkenazi
[EMAIL PROTECTED] wrote: > The point of a protocol-proxy is that you want to provide services to > the outside world, but you don't trust your server software to be robust > against protocol-level attacks (buffer overflows, primarily). Since one > of the points of Debian is to fix bugs in software,

Re: question about proxy firewall

2003-09-26 Thread Haim Ashkenazi
Javier Fernández-Sanguino Peña wrote: > Also, Checkpoint is not a proxy firewall (but it is starting to become > like one with this new 'Application Intelligence' stuff) well, as I said I know very little about that, but someone told me that some commercial firewalls work at the application level (

Need advise about allowing only sftp on woody

2003-10-14 Thread Haim Ashkenazi
Hi I want to allow a lot of users to be able to upload/download files, with the following restrictions: 1. encrypted (ssh/ssl) 2. key based authentication, no password!!! 3. preferably without the option for login (if used with scp, sftp) 4. chroot The obvious way was using sftp, but woody doesn'

Re: Need advise about allowing only sftp on woody

2003-10-14 Thread Haim Ashkenazi
Yogesh Sharma wrote: > Hi, > > I am not if I got your question correct but here how my setup is: > > FTP access disabled > Running sshd which only supports certificate based auth > I copied my public certificate in my home dir > Now I can do sftp using certificates. So I don't have to type passw

Re: Need advise about allowing only sftp on woody - THANX

2003-10-14 Thread Haim Ashkenazi
thanx, everyone. I've downloaded and compiled scponly from unstable and it looks very nice. Bye -- Haim Haim Ashkenazi wrote: > Hi > > I want to allow a lot of users to be able to upload/download files, with > the following restrictions: > > 1. encrypted (

Re: Need advise about allowing only sftp on woody

2003-10-14 Thread Haim Ashkenazi
Yogesh Sharma wrote: > Can't SSH run in chroot ? sorry, I made a mistake... I've meant that it allows shell login while I wanted to disable it. Bye -- Haim

Re: Need advise about allowing only sftp on woody

2003-10-15 Thread Haim Ashkenazi
Dariush Pietrzak wrote: >> > Can't SSH run in chroot ? >> sorry, I made a mistake... I've meant that it allows shell login while I >> wanted to disable it. > Well... if you don't want shell logins you can't use hacks like scp/sftp, > but you can use restricted shell like scponly. > I'd recommend

strange reboot on woody

2003-11-27 Thread Haim Ashkenazi
Hi I've got a server at our ISP's server farm which rebooted last night. I've contact my ISP and no one there did nothing, also it wasn't a power failure because the reboot is written in '/var/log/syslog': ... ov 26 22:26:16 ns-ilweb1 init: Switching to runlevel: 6 Nov 26 22:26:19 ns-ilweb1 qmail

Re: strange reboot on woody

2003-11-28 Thread Haim Ashkenazi
François TOURDE wrote: > Le 12383ième jour après Epoch, > Haim Ashkenazi écrivait: > >> Hi >> >> I've got a server at our ISP's server farm which rebooted last night. >> I've contact my ISP and no one there did nothing, also it wasn't a power

Re: strange reboot on woody

2003-11-29 Thread Haim Ashkenazi
Anthony DeRobertis wrote: > On Thu, 2003-11-27 at 07:59, Haim Ashkenazi wrote: > >> ... >> ov 26 22:26:16 ns-ilweb1 init: Switching to runlevel: 6 >> Nov 26 22:26:19 ns-ilweb1 qmail: 1069878379.427182 status: exiting >> Nov 26 22:26:20 ns-ilweb1 ntpd[32551]: ntpd

Re: strange reboot on woody

2003-11-29 Thread Haim Ashkenazi
Bernd Eckenfels wrote: > In article <[EMAIL PROTECTED]> you wrote: >>> ov 26 22:26:16 ns-ilweb1 init: Switching to runlevel: 6 > >> FYI, that looks like it may be a keyboard Ctrl-Alt-Del. Here is what one >> looks like in syslog: > > the "switching to runlevel 6" is the important part. this is c

Re: strange reboot on woody

2003-11-30 Thread Haim Ashkenazi
François TOURDE wrote: > Le 12386ième jour après Epoch, > Andrew Pollock écrivait: > >> On Sun, Nov 30, 2003 at 12:51:45AM +0200, Haim Ashkenazi wrote: >>> Bernd Eckenfels wrote: >>> >>> > >>> > BTW: i recommend you disable CAD :) &

Need recommendations for https proxy that serves as a firewall proxy

2003-12-31 Thread Haim Ashkenazi
Hi I have a client that have an exchange server inside the LAN and he wants to access the web interface from the world. I thought I'll put a transparent proxy server on the DMZ. apt-cache search proxy gave a few options but except squid (which is a little overkill for this) I don't know any of the

Re: Need recommendations for https proxy that serves as a firewall proxy

2003-12-31 Thread Haim Ashkenazi
Dale Amon wrote: > On Wed, Dec 31, 2003 at 03:05:43PM +0100, Richard Atterer wrote: >> On Wed, Dec 31, 2003 at 11:33:02AM +0200, Haim Ashkenazi wrote: >> > I have a client that have an exchange server inside the LAN and he >> > wants to access the web interface from th

Re: Need recommendations for https proxy that serves as a firewall proxy - THANX

2004-01-01 Thread Haim Ashkenazi
thanx everybody for your input. you gave me some good ideas. Bye -- Haim

Re: Disk Encryption on bf2.4

2004-03-07 Thread Haim Ashkenazi
E&Erdem wrote: > Hi, > I've just installed woody on a laptop, and i want to encrypt my home > directory. > > I've searched, but couldn't find kernel patch for bf2.4. Is there a > patch for this or i have to change kernel. > > Which steps i have to take. If I'm not mistaken, you have to download

name based virtual host and apache-ssl

2004-03-24 Thread Haim Ashkenazi
Hi I'm running a web (ssl) server with several virtual domains. at the moment they are name based (non-ip) which of course produce a warning in the user's browser when he try to connect to a host that is not the default one (key). I've looked in the documentation and found that ssl doesn't support

Re: name based virtual host and apache-ssl - thanx

2004-03-24 Thread Haim Ashkenazi
Haim Ashkenazi wrote: > Hi > > I'm running a web (ssl) server with several virtual domains. at the moment > they are name based (non-ip) which of course produce a warning in the > user's browser when he try to connect to a host that is not the default > o

Re: name based virtual host and apache-ssl - thanx

2004-03-25 Thread Haim Ashkenazi
Michael Stone wrote: > On Wed, Mar 24, 2004 at 06:14:52PM +0100, Elmar S. Heeb wrote: >>Well, actually there is a solution: use wild cards in the name of the >>keys. You can make the certificate for *.mycompany.com for several web >>sites within mycompany.com, > > That's probably not particularl

Re: name based virtual host and apache-ssl - thanx

2004-03-26 Thread Haim Ashkenazi
Adrian 'Dagurashibanipal' von Bidder wrote: > On Thursday 25 March 2004 10.12, Haim Ashkenazi wrote: >> [...] decided to buy certificate from >> verisign [...] > > [ok, this goes offtopic.sorry.] > > You sure about that? Verisign is the company who break DNS

Re: name based virtual host and apache-ssl - thanx

2004-03-26 Thread Haim Ashkenazi
seph wrote: >> I've checked the wildcard in the server name and it seem to work on >> win2k and above, so I guess I'll stick to that. > > It may have changed, but when I looked into this several years ago, > win2k didn't support star certs. well, I checked with updated version (all the service pa

am I hacked?

2004-10-31 Thread Haim Ashkenazi
Hi for a few days now I see in the logs of my firewall (debian/stable) entries about someone trying to connect to my SSH server with several users (root, test, mysql, etc..) without success. today I saw an entry which alarmed me: Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identific

Re: am I hacked?

2004-10-31 Thread Haim Ashkenazi
On Sun, 31 Oct 2004 17:16:48 +0200, Haim Ashkenazi wrote: [...] > I downloaded and run the latest version (0.44) and the output is ok. also, > I downloaded and run rkhunter and the output is also ok. if it wasn't for > the logs on the server I would be relaxed, but it still both

Re: am I hacked?

2004-10-31 Thread Haim Ashkenazi
On Sun, 31 Oct 2004 16:59:12 +0100, Arthur de Jong wrote: > On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote: >> for a few days now I see in the logs of my firewall (debian/stable) >> entries about someone trying to connect to my SSH server with several >> users (r