Too bad there is no way to do a secure handshake w/ an id/password or
even SecureID cards.
Any way to make the same host name resolve to your IP regardless of
what IP is allocated to your box by dhcp?
Haines, Charles Allen wrote:
Well here at WPI, we have to register each and every MAC add
Anything security related that would cause wtmp to be zero'ed out?
--
= http://www.sun.com/service/sunps/jdc/javacenter.pdf=
=www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone =
= ___
Anyone have an interpretation of the below?
[65.26.127.147] = firewall
[192.168.1.1] = firewall
it's a two nic system
Nov 2 10:04:49 ICMP message type destination unreachable - bad host
from mkc-65-26-127-147.kc.rr.com [65.26.127.147]
(65.26.127.147->65.26.127.147)
Nov 2 20:47:36 I
I have installed the woody spam package on a woody box and cannot find
the config file to fix the below output in syslog.
Can someone help out w/ this?
Thanks
Nov 9 08:13:16 portal spamd[1290]: Still running as root: user not
specified, not found, or set to root. Fall back to nobody.
spamassassin - Perl-based spam filter using text analysis
+
exim - An MTA (Mail Transport Agent)
[EMAIL PROTECTED] wrote:
how can i block these bastards from korea from spaming me 10 times per day?
Quoting Hanasaki JiJi ([EMAIL PROTECTED]):
spamassassin - Perl-based spam filter using text analysis
+
exim - An MTA (Mail Transport Agent)
Two great tastes that taste good together!
http://marc.merlins.org/linux/exim/sa.html
The below is from snort running on 192.168.1.200 and talking to
192.168.1.1 Any ideas as to what could be
causing this? I even tried turning off all internal iptables. Nothing
improved.
BAD TRAFFIC & MISC Large UDP Packet
[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classificati
Snort is reporting scans in the alert.log but not the portscan.log
Any thoughts?
The thresholds have been set really loose and still no output in the log
preprocessor portscan: $HOME_NET 3 8 portscan.log
1.8.4-Beta1 Build 91
It also seems to be dying without any reports to syslog
J.H.M. Dassen (Ray) wrote:
On Thu, Nov 28, 2002 at 10:19:24 -0600, Hanasaki JiJi wrote:
Snort is reporting scans in the alert.log but not the portscan.log
Which version? AFAIK the version in woody still has wrong
put in woody? can 2.0 be put in when it comes out?
Simon Kirby wrote:
On Fri, Nov 29, 2002 at 02:01:26PM +0100, Marcel Weber wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hanasaki JiJi schrieb:
| 1.8.4-Beta1 Build 91
|
| It also seems to be dying without any reports to syslog
|
This
Please do send the file. I have put 1.9 in manually; it's rocking!
Alfonso Federico Simó wrote:
Hanasaki JiJi wrote:
Snort is reporting scans in the alert.log but not the portscan.log
Any thoughts?
Hi!
Now I *have* my snort reporting scans in the portscan.log in Version
1.8.4-beta1
Below is one of MANY alerts being logged on my internal network. It is a
very small network. How can I find what is causing the bad traffic,
and rectify it?
[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/29-11:38:11.405389 192.168.1.200 -> 192.16
Does the Woody build of OpenLDAP include SSL and SASL support? How can
the Mozilla addy book be configured to attach via SSL only?
Rusko wrote:
Quoting Hanasaki JiJi <[EMAIL PROTECTED]>:
Does the Woody build of OpenLDAP include SSL and SASL support? How can
As I know, it doesn't include (experience from Debian sparc).
mARTin
the Mozilla addy book be configured to attach v
Sorry about that Wichert. I pulled the info from:
http://packages.debian.org/stable/net/slapd.html
Wichert Akkerman wrote:
Previously Hanasaki JiJi wrote:
I am CCing the package maintainer for confirmation. Wichert, if this is
indeed the case, please could you add Secure connection support
Hello all,
Just did an apt-get update; apt-get upgrade;apt-get install eterm
the install eterm is issuing the following errors on the .deb's signatures.
The following extra packages will be installed:
libast1 libimlib2 libttf2
The following NEW packages will be installed:
libast1 libimlib2
eterm and feh, on sarge, are reporting invalid archive signatures of
their dependencies.
I have tried the US and Japan mirrors.
Seems there that sarge is broke due to perl versions and a security bug
in perl of sarge and version mismatches? That's about all I know...
Anyone have more info and a target date for sarge to be stabilized?
Oh..I hear it's in a freeze?
Sarge is frozen? and has some security issues because of this?
is this true ?
2003-03-03 05:19:37
H=(cyberproxy.com) [218.22.143.178]
F=<[EMAIL PROTECTED]> rejected RCPT
<[EMAIL PROTECTED]>: Please go away.
2003-03-03 05:19:43
H=(cyberproxy.com) [195.112.112.198]
F=<[EMAIL PROTECTED]> rejected RCPT
<[EMAIL PROTECTED]>: Please
What is OpenAFS vs CODA?
[EMAIL PROTECTED] wrote:
On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
Quoting seph ([EMAIL PROTECTED]):
depends what you mean by free. Are you aware of openafs?
http://www.openafs.org
That is of course derived from the IBM Transarc software. Hmmm.
been trying to get the following to work for sometime input is most
appreciated
internet <=25= firewall iptablerule =port#x=> internalSMTPhost
how can the firewall be told to:
take all incoming tcp port 25 traffic and send it to
smtp host on port X
take all outgoin
what package can i research for a store/foward server?
I thought the secure way was not to run anything like that on a
firewall? That is why I am moving this group's exim off the firewall.
Lars Ellenberg wrote:
On Wed, Mar 19, 2003 at 11:26:10PM -0600, Hanasaki JiJi wrote:
been trying t
Aren't some ICMP packets best to allow for effective routing and such?
Josh Carroll wrote:
There are a couple of reasons why I use -j DROP
instead of -J REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
suff
Would you share your opinions on the following setup for daemons?
firewall runs
whois server - gwhois or jwhois?
iptables - firewall
forwards-to/NAT-from internal smtp server
NAT outgoing DNS for internal bind9 server
bind9 - for extern
Working on running a SMTP server inside the firewall that takes incoming
SMTP traffic from outside the firewall. The below rules are not
working. The firewall refuses connections. Any input on what is wrong?
Thanks,
internal mailserver = 192.168.1.2
#$PROG -t nat -A PREROUTING -i $NIC_EXTER
Anyway to tell portsentry to remove all routes it added? or to expire
added deny routes after a period of time?
--
=
= Management is doing things right; leadership is doing the =
= right things.- Peter Drucker
Firewall has rules to DNAT incoming traffic to a port on a DMZ box.
how can an iptable rule be written to block some ip addresses before
they get to the rules
iptables -t mangle -A FORWARD
AND
iptables -t nat -A PREROUTING
???
probably just have "paranoid" in your /etc/hosts.deny and it's not
allowing hosts that don't have a reverse DNS
USE SUBJECTS IN YOUR EMAIL
Ricardo Sousa wrote:
hi. I'm getting some alerts in my log files, and I'm getting worried.
The logs are some like this:
...
Apr 8 01:08:37 zeus sshd[9972]: warn
Running the below rules on a firewall. 192.168.1.2 is an SMTP server
inside the firewall.
1. there is one smtp server on the internet that has a connection
timeout from the inside smtp server connecting on port 25.
Telnet host 25 also times out. direct connection from the firewall
works just
The below two sets of rules seem to provide the same functionality, with
the exception that the second ruleset results in a timeout from the
192.168.1.2 timing out on connections to some, only some, external hosts
on port 25. What could cause this? How can it be fixed? What is the
difference
1. what is a rootkit?
2. anything "normal" that might result in a wted warning that something
was deleted? output is:
Checking `wted'... 1 deletion(s) between Sat Apr 5 10:33:11 2003 and
Sat Apr 5 10:53:43 2003
3. Checking bindshell reports "warning got bogus unix line. not
infected" what doe
You are the ian login, right?
know anyone at the domain blue99.ex.ac.uk? or anyplace similar?
did you ever create an id of "team1"?
Ian Goodall wrote:
I am running a debian woody server and when I checked the last users
yesterday I a large number of logins in the list. On running the command
to
I have a nat postrouting rule that passes traffic from the outside
world to an internal host to handle port 80 (webserver)
there are also rules to drop certain source addresses yet these
addresses are still coming through
how can they be dropped?
thanks
I have the below rules in my firewall. the http server is inside the
firewall on 192.168.1.2:80
people can hit it fine from the outside
squid is running on the firewall
inside can browse outside via squid just fine
inside cannot browse the outside address
Any th
: Hanasaki JiJi [mailto:[EMAIL PROTECTED]
Sent: Thursday, 5 June 2003 2:42 PM
To: List - Debian Security
Subject: question squid + firewall + http server inside firewall
I have the below rules in my firewall. the http server is inside the
firewall on 192.168.1.2:80
people can hit it fine
The below log entries are from tcpspy in syslog. What do they mean?
they are from the firewall which is running a transparent squid proxy
and iptables.
no one inside the firewall could have hit those external IPs for any reason.
thanks
Jul 26 17:02:15 portal tcpspy[330]: disconnect: user prox
the iptables rules from firehol have suddenly started reporting:
NEW TCP w/o SYN
coming from the port 8080 squid proxy on a firewall to an internal
host.
What could cause this all of a sudden?
Thanks
How do i find out what is using those ports?
netstat -natl | grep 799
tcp0 0 192.168.1.200:799
192.168.1.1:2049ESTABLISHED
below returns no output
lsof -i tcp:799
Nothing is using the port but it is in netstat
Yes NFS is running.. thought NFS was UDP not TCP
netstat -natlp shows the process as "-"
a process of "-" huh?
the pid0 issue looks like:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525
Michael Stone wrote:
On Sat, Nov 08, 2003 at 10:25:43AM -0600,
Anyone have/working on integration of these?
clam spamc and amavis are installed however, they don't seem to update
the /etc/exim4/conf.d of the new packaging system.
thank you.
Thus the reason for posting to this list. the command was run as root.
Does the following theory seem plausible?
This is a kernel process for nfs over tcp
Ingo Strüwing wrote:
Hanasaki JiJi wrote:
How do i find out what is using those ports?
netstat -natl | grep 799
tcp0
Tiger was installed on Sarge. After the first couple audit emails, the
emails have stopped.
I have a firewall with 2 nics .. it's running iptables. the outside
nic forwards port 80 to an internal webserver on an internal ip. this
works great. if an internal host hits the external ip. traffic does
not go to the internal web server. if an external host hits the
external ip traffic
Too bad there is no way to do a secure handshake w/ an id/password or
even SecureID cards.
Any way to make the same host name resolve to your IP regardless of
what IP is allocated to your box by dhcp?
Haines, Charles Allen wrote:
Well here at WPI, we have to register each and every MAC addres
Anything security related that would cause wtmp to be zero'ed out?
Anyone have an interpretation of the below?
[65.26.127.147] = firewall
[192.168.1.1] = firewall
it's a two nic system
Nov 2 10:04:49 ICMP message type destination unreachable - bad host
from mkc-65-26-127-147.kc.rr.com [65.26.127.147]
(65.26.127.147->65.26.127.147)
Nov 2 20:47:36 ICMP messa
I have installed the woody spam package on a woody box and cannot find
the config file to fix the below output in syslog.
Can someone help out w/ this?
Thanks
Nov 9 08:13:16 portal spamd[1290]: Still running as root: user not
specified, not found, or set to root. Fall back to nobody.
spamassassin - Perl-based spam filter using text analysis
+
exim - An MTA (Mail Transport Agent)
[EMAIL PROTECTED] wrote:
how can i block these bastards from korea from spaming me 10 times per day?
Sure are.. I am just getting going with SA. Anyone able to help me
update exim4.conf to do the following?
- bounce the spam back like it failed to deliver
- send a copy to the target user
- send a copy to some other address, in addition to the above
Rick Moen wrote:
Quoting Hanasaki JiJi ([EMAIL
Snort is reporting scans in the alert.log but not the portscan.log
Any thoughts?
The thresholds have been set really loose and still no output in the log
preprocessor portscan: $HOME_NET 3 8 portscan.log
1.8.4-Beta1 Build 91
It also seems to be dying without any reports to syslog
J.H.M. Dassen (Ray) wrote:
On Thu, Nov 28, 2002 at 10:19:24 -0600, Hanasaki JiJi wrote:
Snort is reporting scans in the alert.log but not the portscan.log
Which version? AFAIK the version in woody still has wrong
in woody? can 2.0 be put in when it comes out?
Simon Kirby wrote:
On Fri, Nov 29, 2002 at 02:01:26PM +0100, Marcel Weber wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hanasaki JiJi schrieb:
| 1.8.4-Beta1 Build 91
|
| It also seems to be dying without any reports to syslog
|
This also
Please do send the file. I have put 1.9 in manually; it's rocking!
Alfonso Federico Simó wrote:
Hanasaki JiJi wrote:
Snort is reporting scans in the alert.log but not the portscan.log
Any thoughts?
Hi!
Now I *have* my snort reporting scans in the portscan.log in Version
1.8.4-beta1
Below is one of MANY alerts being logged on my internal network. It is a
very small network. How can I find what is causing the bad traffic,
and rectify it?
[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/29-11:38:11.405389 192.168.1.200 -> 192.168
Does the Woody build of OpenLDAP include SSL and SASL support? How can
the Mozilla addy book be configured to attach via SSL only?
Rusko wrote:
Quoting Hanasaki JiJi <[EMAIL PROTECTED]>:
Does the Woody build of OpenLDAP include SSL and SASL support? How can
As I know, it doesn't include (experience from Debian sparc).
mARTin
the Mozilla addy book be configured to attach v
Sorry about that Wichert. I pulled the info from:
http://packages.debian.org/stable/net/slapd.html
Wichert Akkerman wrote:
Previously Hanasaki JiJi wrote:
I am CCing the package maintainer for confirmation. Wichert, if this is
indeed the case, please could you add Secure connection support
Hello all,
Just did an apt-get update; apt-get upgrade;apt-get install eterm
the install eterm is issuing the following errors on the .deb's signatures.
The following extra packages will be installed:
libast1 libimlib2 libttf2
The following NEW packages will be installed:
libast1 libimlib2
eterm and feh, on sarge, are reporting invalid archive signatures of
their dependencies.
I have tried the US and Japan mirrors.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Seems there that sarge is broke due to perl versions and a security bug
in perl of sarge and version mismatches? That's about all I know...
Anyone have more info and a target date for sarge to be stabilized?
Oh..I hear it's in a freeze?
Sarge is frozen? and has some security issues because of this?
is this true ?
2003-03-03 05:19:37
H=(cyberproxy.com) [218.22.143.178]
F=<[EMAIL PROTECTED]> rejected RCPT
<[EMAIL PROTECTED]>: Please go away.
2003-03-03 05:19:43
H=(cyberproxy.com) [195.112.112.198]
F=<[EMAIL PROTECTED]> rejected RCPT
<[EMAIL PROTECTED]>: Please g
What is OpenAFS vs CODA?
[EMAIL PROTECTED] wrote:
On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
Quoting seph ([EMAIL PROTECTED]):
depends what you mean by free. Are you aware of openafs?
http://www.openafs.org
That is of course derived from the IBM Transarc software. Hmmm. Some
w
been trying to get the following to work for sometime input is most
appreciated
internet <=25= firewall iptablerule =port#x=> internalSMTPhost
how can the firewall be told to:
take all incoming tcp port 25 traffic and send it to
smtp host on port X
take all outgoing t
what package can i research for a store/foward server?
I thought the secure way was not to run anything like that on a
firewall? That is why I am moving this group's exim off the firewall.
Lars Ellenberg wrote:
On Wed, Mar 19, 2003 at 11:26:10PM -0600, Hanasaki JiJi wrote:
been trying t
Aren't some ICMP packets best to allow for effective routing and such?
Josh Carroll wrote:
There are a couple of reasons why I use -j DROP
instead of -J REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
suffic
Would you share your opinions on the following setup for daemons?
firewall runs
whois server - gwhois or jwhois?
iptables - firewall
forwards-to/NAT-from internal smtp server
NAT outgoing DNS for internal bind9 server
bind9 - for external dns
Working on running a SMTP server inside the firewall that takes incoming
SMTP traffic from outside the firewall. The below rules are not
working. The firewall refuses connections. Any input on what is wrong?
Thanks,
internal mailserver = 192.168.1.2
#$PROG -t nat -A PREROUTING -i $NIC_EXTERN
Anyway to tell portsentry to remove all routes it added? or to expire
added deny routes after a period of time?
I have a nat postrouting rule that passes traffic from the outside
world to an internal host to handle port 80 (webserver)
there are also rules to drop certain source addresses yet these
addresses are still coming through
how can they be dropped?
thanks
I have the below rules in my firewall. the http server is inside the
firewall on 192.168.1.2:80
people can hit it fine from the outside
squid is running on the firewall
inside can browse outside via squid just fine
inside cannot browse the outside address
Any thought/input would be apprecia
: Hanasaki JiJi [mailto:[EMAIL PROTECTED]
Sent: Thursday, 5 June 2003 2:42 PM
To: List - Debian Security
Subject: question squid + firewall + http server inside firewall
I have the below rules in my firewall. the http server is inside the
firewall on 192.168.1.2:80
people can hit it fine from the outside
The below log entries are from tcpspy in syslog. What do they mean?
they are from the firewall which is running a transparent squid proxy
and iptables.
no one inside the firewall could have hit those external IPs for any reason.
thanks
Jul 26 17:02:15 portal tcpspy[330]: disconnect: user proxy
the iptables rules from firehol have suddenly started reporting:
NEW TCP w/o SYN
coming from the port 8080 squid proxy on a firewall to an internal
host.
What could cause this all of a sudden?
Thanks
How do i find out what is using those ports?
netstat -natl | grep 799
tcp0 0 192.168.1.200:799
192.168.1.1:2049ESTABLISHED
below returns no output
lsof -i tcp:799
Nothing is using the port but it is in netstat
Anyone have/working on integration of these?
clam spamc and amavis are installed however, they don't seem to update
the /etc/exim4/conf.d of the new packaging system.
thank you.
Thus the reason for posting to this list. the command was run as root.
Does the following theory seem plausible?
This is a kernel process for nfs over tcp
Ingo Strüwing wrote:
Hanasaki JiJi wrote:
How do i find out what is using those ports?
netstat -natl | grep 799
tcp0 0
Yes NFS is running.. thought NFS was UDP not TCP
netstat -natlp shows the process as "-"
a process of "-" huh?
the pid0 issue looks like:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525
Michael Stone wrote:
On Sat, Nov 08, 2003 at 10:25:43AM -0600,
Tiger was installed on Sarge. After the first couple audit emails, the
emails have stopped.
I have a firewall with 2 nics .. it's running iptables. the outside
nic forwards port 80 to an internal webserver on an internal ip. this
works great. if an internal host hits the external ip. traffic does
not go to the internal web server. if an external host hits the
external ip traffic
Any input on the below syslog entry from Samba in Woody? Thank you.
nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian)
()
^IWORKGROUP(1) current master browser = FRED-LAPTOP2
Arthur de Jong wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue, 17 Sep 2002, Hanasaki JiJi wrote:
>
>
>>Any input on the below syslog entry from Samba in Woody? Thank you.
>>
>>nmbd[2009]:
computer1 and computer2 nfs mount home dirs
from server1
all can ssh to each other
computer1 and computer2 can scp to/from server1
computer1 and computer2 cannot scp to/from each other
Any thoughts? Could this be related to the nfs mounting of home dirs?
Thanks
If the output is being read correctly ... It looks like something to do
with ??RSA?? Incidentally, a Win2000 system running WinSCP works fine
with all computer1/computer2/server1 without any errors.
Teun Vink wrote:
On Wed, 21 Aug 2002, Hanasaki JiJi wrote:
computer1 and computer2 nfs
Hello all, I am running Debian Woody on two systems. Could someone help
me understand what is causing the below? scp between the systems is
failing.
Thank you
===
debug1: next auth method to try is password
SNIP password:
debug1: ssh-userauth2 successful: method password
d
computer1 and computer2
- both run woody
- both have the same /etc/resolve.con
- both have the same ssh config
ssh from 1 to 2 - no problems
ssh from 2 to 1 - sshd reports a failed reverse dns lookup
host [ip of computer1] - works on all systems
Any ideas as to why compu
They match.
Will Aoki wrote:
On Sun, Aug 25, 2002 at 10:32:54AM -0500, Hanasaki JiJi wrote:
computer1 and computer2
- both run woody
- both have the same /etc/resolve.con
- both have the same ssh config
ssh from 1 to 2 - no problems
ssh from 2 to 1 - sshd reports a
Any input on the below syslog entry from Samba in Woody? Thank you.
nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian)
()
^IWORKGROUP(1) current master browser = FRED-LAPTOP2
Arthur de Jong wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, 17 Sep 2002, Hanasaki JiJi wrote:
Any input on the below syslog entry from Samba in Woody? Thank you.
nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian)
Did you