November 1999 - openSUSE Security - openSUSE Mailing Lists

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

multi-services server securing
by Gediminas Grigas 16 Aug '00

16 Aug '00

Hello there, I feel erroneusly (?) secure after .host.denyed in.telnetd and in.sshd from everywhere except one pc, which is denying all exept keyboard. I belive that if i can keep hosts.deny and hosts.allow files safe, and from time to time patch most actual security holes i`ll be conditionaly safe. Em i wrong? Probably I do. I just cant imaginate how system can be cracked in lower stage, so that is my problem. I heard that inetd is very insecure, and some peoples using tcpd (or soundlike). I run harden_suse, but was forced to answer 8/10 to no, as my server should provide a lot of public services, and have world writible directories as well. And thats right - this script was developed not for systems like mine one. However i`ll run SuSE-firewall-3.0 script, to make my system even stronger. But thats all. I dont know what can i do else. I should keep folowing services open: httpd; smptd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd. So if you know how to keep them at minimal risk, or know some holes at those, i would be very gratefull for any info and/or tips. I dont ask to do work for me - link to good manual would be nice too. By the way i have SuSE 6.3 (2.2.13). Thanks in advice. Sincerely Yours, Gediminas Grigas mailto:gedas@kryptis.lt

5 5

ssh-authtication
by Security Webmaster OKDesign oHG 06 Dec '99

06 Dec '99

Hi folks, umm, I have a small problem. When setting up our server, I tried to get the best security as possible. Maybe I changed some config-file to fit our needs to allow ssh-logins only from specified users.(But I have no idea which file this was :-(( ) Now I want to allow another user to login using ssh. I made ssh-keygen for this user, entered the password, copied identity.pub to authorized_keys in the .ssh-directory. But when trying to login via ssh, servers sends permission denied. What else must be done ? TIA ---Stephan

3 2

portscanning and high ports
by Chris Reeves 03 Dec '99

03 Dec '99

Hi all, I have been portscanned a number of times recently by the same computer. I've used a combination of nslookup and finger and have the name of the culprit. It is being dealt with. This has prompted me to look even more closely at my firewalling. Ports <1024 are OK, as they are totally blocked, but those >1023 are pretty much open. Although virtually every single service is commented out in inetd.conf, I still want to block and log any connect attempts to 'special' ports. At the moment, these are the high numbered ports I block: 1433 Microsoft SQL 2049 NFS 5432 PostgreSQL 5999:6010 X-Windows 7100 X Font Server 12345:12346 NetBus 31337 Back Orifice I was having a look at the high numbered ports that he was scanning, and was wondering what the significance of these ports was (I couldn't see anything in /etc/services). By the way, the following are the high numbered ports that he tried to scan, have any ideas what they are used for? 5190 5191 5192 5193 5631 5632 5800 5900 8000 8010 8080 9100 25867 31787 33333 And finally, are there any other high numbered ports that you think could be potentially damaging (eg webmin - which port is that on)? Even if I'm not running that service, I would still like to know which ones pose a security threat so that I can block them anyway (in case I'm playing and start webmin, for example, without realilsing it). Is it generally considered safe to open up most high numbered ports? What do the people on these lists do? Do you close them all and open some, or open all and close some (all meaning all ports >1023)? One last question - I keep on coming around to this one every so often. If someone wants to connect to me using ICQ, they connect to a port >1023. I am assuming that ICQ doesn't have a daemon or anything listening on every possible port, so how does it know when another ICQ user is trying to connect? This isn't an ICQ specific question - I'm just using it as an example - it could apply to any remotely opened connection to a port >1023. How is this handled (how does the computer know whether ICQ should handle the connect attempt or whether it should be handled by some other process)? Thanks in advance, Chris -- __ _ -o)/ / (_)__ __ ____ __ Chris Reeves /\\ /__/ / _ \/ // /\ \/ / ICQ# 22219005 _\_v __/_/_//_/\_,_/ /_/\_\

4 4

AW: [suse-security] Possible Hack attack ?
by Stefan Becker 01 Dec '99

01 Dec '99

Hi everybody, There has been alot of talk about portscans. What utility are you using to detect a portscan. Do I NEED a firewall before I can detect a portscan on the machine. Could someone please point me to utility / package to simply detect such a portscan and send a mail to me (the Network Admin). thanks, Stefan Becker LUFA Speyer becker(a)lufa-sp.vdlufa.de > Right. But, as as my log-files show, in many cases an attack follows the port > scan. > > I _always_ contact the gateway admin if I find a port scan, and, in some cases, > they find out that somebody intruded in their systems. > > So I think it is helpful to inform admins about port scans that come from their > systems. It's one way to avoid attacks followed by port scans. > > Regards, > > Martin

8 7

SuSE Security Announcement - new security tools
by marc＠suse.de 01 Dec '99

01 Dec '99

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Announcement of new security tools from SuSE ______________________________________________________________________________ Please note, that that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package. _____________________________________________________________________________ Tools developed by SuSE (all open source) and included in SuSE 6.3 : SuSE FTP Proxy - The first program of the SuSE Proxy Suite. A secure FTP proxy with support for SSL, LDAP, command restriction, active and passive FTP support, and much more. RPM: fwproxy.rpm, fwproxys.rpm (SSL - not in the US version) SuSE Firewall - The new firewall script from SuSE, rewritten from scratch. Autodetection of interface information, masquerading, autoprotection of services, protection from internal networks, fail-close design and easy to configure. RPM: firewals.rpm Harden SuSE - A special script for hardening a SuSE Linux 5.3 - 6.3. By answering 9 questions, the system is reconfigured very tightly. e.g. disabling insecure network services, removing suid/sgid/world-writable permissions which are not critical. RPM: hardsuse.rpm SuSE Secumod - This loadable kernel module enhances the security of the system by adding a symlink/hardlink/pipe protection, procfs protection, trusted path execution and capabilities. RPM: secumod.rpm SuSE Secchk - These are cron scripts which run daily, weekly and monthly to check the security of the system and compare them to the last run. RPM: seccheck.rpm Yast-1 - New administration menu for setting password aging, authentication fail delay and logging of logins + failures. RPM: yast.rpm SuSE auditdisk - Please note that this tool is in beta phase! This tool generates a bootdisk with checksum data and all binaries etc. needed to automaticaly verify file checksums upon booting. This way it can't be subverted by lkm's like a standard e.g. tripwire installation. WWW: http://www.suse.de/~marc - not included on SuSE 6.3 yet Watch out for updates of these tools on our WWW or FTP update sites. Although these are tools developed by SuSE, they (should) work on any Linux distributions with little problems. New tools included in the SuSE Linux distribution (not created by SuSE): FreeS/WAN - IPSEC implementation to build secure VPN tunnels via public networks. RPM: freeswan.rpm (not in the US version) GNU Privacy Guard - A free pgp-like tool for secure (not limited to email) communication. Frontends are also included. RPM: gpg (not in the US version) Nessus - A very good network security scanner! RPM: nessus plus tmpwatch, arpwatch, plug, sslwrap, the newest nmap and more. "Old" packages include: john, saint, cipe, pgp, scanlogd, ssh, tripwire, etc. ______________________________________________________________________________ General information on SuSE Linux: http://www.suse.com You can find updates on our ftp-Server: ftp://ftp.suse.com/pub/suse/i386/update for Intel processors ftp://ftp.suse.com/pub/suse/axp/update for Alpha processors or try the following web pages for a list of mirrors: http://www.suse.com/ftp_new.html Our webpage for patches: http://www.suse.de/en/support/download/updates/ Our webpage for security announcements: http://www.suse.de/security If you want to report vulnerabilities, please contact security(a)suse.de ______________________________________________________________________________ SuSE has got two free security mailing list services to which any interested party may subscribe: suse-security(a)suse.com - moderated and for general/linux/SuSE security discussions. All SuSE security announcements are send to this list. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe to the list, send a message to: <suse-security-subscribe(a)suse.com> To remove your address from the list, send a message to: <suse-security-unsubscribe(a)suse.com> Send mail to the following for info and FAQ for this list: <suse-security-info(a)suse.com> <suse-security-faq(a)suse.com> _____________________________________________________________________________ This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way. Type Bits/KeyID Date User ID pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security(a)suse.de> - ------BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12Cg== =pIeS - ------END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBOD8G4Xey5gA9JdPZAQGdHwf9EqxQRsGFv+fONA6F5Aviv2pkf1pua3XM kRAJJcrvpZswnDb2PH3sJBq3YGm9ZXnz0JVhSEDoxuSz1V8GXV5wjh73wBg9YtGR hx6OzgfyFFYFdmJNEB3OpHNFzLmXuX0szrIfifRRcidWQzsPzAL50mtfcmGSZkab 3QHD3tz6oZLxuvQ6BGyie/iua3boza0MeJl2juKNq12VfievhZP6UK8/Y0nLbK2m 2zVqekGZIKfvlPitwCYPzF5Pxn9eh3TTnGDijxWTsMe0XpeakRZcAFte77kv9bNL SQwqA0nUKtoOGXdFVGxrspCbDRMDOKuMryNPo5ljsqpo3fjkfRNYVg== =obl6 -----END PGP SIGNATURE-----

6 5

PGP
by Scott McEachern 01 Dec '99

01 Dec '99

Does anyone know if PGP works with Netscape's Messenger? I was at the pgp site and it listed a lot of mail clients, no Netscape. -- mailto:scott.mceachern@sympatico.ca On the side of the software box, in the "System requirements section", it said "Requires Windows 95 or better." So I installed Linux.

3 2

Re: SuSE Security Announcement - new security tools
by marc＠suse.de 30 Nov '99

30 Nov '99

Hi, > Yummy, now these tools sound nice :) Especially the proxie suite. What > is the ambition here? A "new FWTK"? We could really use one (i.e. FWTK > is getting old). new secure proxies, which will replace most stuff of the fwtk > > SuSE FTP Proxy - The first program of the SuSE Proxy Suite. > > A secure FTP proxy with support for SSL, LDAP, command > > restriction, active and passive FTP support, and much more. > > RPM: fwproxy.rpm, fwproxys.rpm (SSL - not in the US version) > > Which bugs/exploits does this check for? almost everything. you can configure very much > Also, is there a ML that conatins *only* security announcements & > alerts (no posting from third parties) ? If not would you consider > making one, as this ML contains a bit to much "off-topic" disscusion > when surfing on a cell phone? ever heard of suse-security-announce? send an email to suse-security-announce-subscribe(a)suse.com it was created when suse-security was created .... Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

1 0

Re: SuSE Security Announcement - new security tools
by marc＠suse.de 30 Nov '99

30 Nov '99

Hi, > Is there a possibility to get these packages as poor 6.{0,1,2} user > without having to buy the new distribution? > > If it is open source, please place the srpms or rpms somewhere where > we can find them! 1) You can find them on the CDs ;-) 2) You will find them on the ftp server once the distribution is placed there. I don't know when this will happen, I think somewhere in december. 3) You can find most of the tools at http://www.suse.de/~marc 4) the FTP-Proxy (which is really cool!) can be found at http://proxy-suite.suse.de Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

1 0

AW: [suse-security] Info on passwords
by Michael Hamm 30 Nov '99

30 Nov '99

> >when i install suse my passwd file have a lot of users, like dbmaker and so on. How can i know these users password ? >Um Abraco. > to increase the system-security set the shell of this user to "/bin/false"

5 4