October 2000 - openSUSE Security - openSUSE Mailing Lists

[suse-security] Security Crash course
by Scott_Smith＠mastercard.com 31 Oct '00

31 Oct '00

Hello world, After 7 years of **IX based development, I find myself in a VERY security conscious environment. I am aware of the basics, but I need come up to speed very quickly on the details of how or why to implement various security features, e.g. how does ssh work. What are the specific holes to watch out for etc., I'm looking more for the lower level mechanics not the "don't surf the web as root" stuff. If someone could point me to the FAQ for this group and any other recommended reading I sure would appreciate it. Thanks, Scott

1 0

OpenSSH
by Dustin Huptas 31 Oct '00

31 Oct '00

Hi folks, I try to set up a backup of a webserver which uses SSH Version 1.2.27. The backup system uses OpenSSH_2.1.13, which is said to be more secure. Now I want to copy all relevant files from the original to the backup system as I used to do all the time. Unfortunately the backup system does not allow to be accessed via SSH. It always says: "Permission denied.", though the password works when logging in locally. I have used harden_suse on the backup system. I don´t know whether this script has something to do with the refusal of connection. I even tried the undo_harden_suse. But it gave the same result. I hope my problem fits this newsgroup. Thanks for any help Dustin

4 4

Strange error from Sendmail
by Heiko Rother 31 Oct '00

31 Oct '00

Am Mon, 30 Oct 2000 23:23:59 schrieb SYSTEM-LOGGER: [syslog(a)machine.domain: Oct 30 22:23:59 www sendmail[21250]: NOQUEUE: SYSERR: putoutmsg ([xx.xx.xx.xx]): error on output channel sending "220 machine.domain ESMTP Sendmail 8.9.3/8.9.3; Mon, 30 Oct 2000 22:23:59 GMT": Broken pipe] Hello, I received the mentioned message from one of our mail servers. Does anybody know, what has happened there? Did someone succeed in exploiting one of Sendmail's uncounted weaknesses? Greets, Heiko -- Heiko Rother -- CM Systemhaus GmbH, Hannover, Abt. Online-Medien

2 1

AW: [suse-security] SuSEfirewall 4.0, FW_FORWARD_MASQ_??P
by Schulz, Wolfgang 31 Oct '00

31 Oct '00

Is there a solution for this problem? I have the same! Wolfgang > -----Ursprüngliche Nachricht----- > Von: Argentium G. Tiger [mailto:agtiger@kc.rr.com] > Gesendet: Sonntag, 29. Oktober 2000 21:41 > An: suse-security(a)suse.com > Betreff: [suse-security] SuSEfirewall 4.0, FW_FORWARD_MASQ_??P > > > I'm hoping one of you bright folks can lend me a hand with a small > configuration problem I'm having with Marc Heuse' new SuSEfirewall 4.0 > package. This is on a SuSE 7.0 professional system. > > For several versions of SuSEfirewall, SuSE 6.3 through 7.0, > I've tried to > configure the script to allow outside connections to port 6699 on the > firewall (napster) to my internally masqueraded windows > desktop running > napster. Additionally, I've tried to let select other > services through > to server machines on the internal masqueraded network, but so far, > no joy. > > My internal windows desktop is at 192.168.1.101, and is > successfully able > to get to Napster servers on port 6699 through the firewall. > > I just wish I could share some of my files with the rest of the world. > > Oh, and in my /etc/rc.firewall settings, don't be concerned about > pcanywheredata and pcanywherestat being open to the outside world. I > actually have sshd running on those ports, as that's the only > way to get > to my firewall from my workplace. ;-) > > Here are my /etc/rc.firewall settings: > > FW_DEV_WORLD="eth0" > FW_DEV_INT="eth1" > FW_DEV_DMZ="" > FW_ROUTE="yes" > FW_MASQUERADE="yes" > FW_MASQ_NETS="192.168.1.0/24" > FW_MASQ_DEV="$FW_DEV_WORLD" > FW_PROTECT_FROM_INTERNAL="yes" > FW_AUTOPROTECT_GLOBAL_SERVICES="yes" > > FW_SERVICES_EXTERNAL_TCP="ssh sshalt pcanywheredata > pcanywherestat ident > napster" > FW_SERVICES_EXTERNAL_UDP="pcanywheredata pcanywherestat napster" > FW_SERVICES_EXTERNAL_IP="" > > FW_SERVICES_DMZ_TCP="" > FW_SERVICES_DMZ_UDP="" > FW_SERVICES_DMZ_IP="" > > FW_SERVICES_INTERNAL_TCP="telnet ftp smtp ssh sshalt pcanywheredata > pcanywherestat domain icq napster www 8080 rrlogind" > FW_SERVICES_INTERNAL_UDP="pcanywheredata pcanywherestat > domain www icq 8080 > rrlogind" > FW_SERVICES_INTERNAL_IP="" > > FW_TRUSTED_NETS="" > FW_SERVICES_TRUSTED_TCP="" > FW_SERVICES_TRUSTED_UDP="" > FW_SERVICES_TRUSTED_IP="" > > FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" > FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" > > FW_SERVICE_DNS="yes" > FW_SERVICE_DHCLIENT="yes" > FW_SERVICE_DHCPD="yes" > FW_SERVICE_SAMBA="no" > > FW_FORWARD_TCP="" > FW_FORWARD_UDP="" > FW_FORWARD_IP="" > > # Here's where I'm trying to let napster in from the rest of the > # world to my windows box at 192.168.1.101 > # > FW_FORWARD_MASQ_TCP="0/0,192.168.1.101,6699" > FW_FORWARD_MASQ_UDP="0/0,192.168.1.101,6699" > > FW_REDIRECT_TCP="" > FW_REDIRECT_UDP="" > > FW_LOG_DENY_CRIT="yes" > FW_LOG_DENY_ALL="no" > FW_LOG_ACCEPT_CRIT="yes" > FW_LOG_ACCEPT_ALL="no" > > FW_KERNEL_SECURITY="yes" > > FW_STOP_KEEP_ROUTING_STATE="no" > > FW_ALLOW_PING_FW="yes" > FW_ALLOW_PING_DMZ="no" > > FW_ALLOW_FW_TRACEROUTE="yes" > > FW_ALLOW_FW_SOURCEQUENCH="yes" > > FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake > raudio user vdolive" > > - - - > > Similarly, I tried allowing requests to port 80 through to > 192.168.1.10, > which is one of my internal fileservers. It's running apache. No joy > there either... Tried: > > FW_FORWARD_MASQ_TCP="0/0,192.168.1.10,80" > FW_FORWARD_MASQ_UDP="0/0,192.168.1.10,80" > > Anyone have any ideas? I'll try to anticipate peoples' > questions about > my system by providing some more information now, and I'll be happy to > provide more information if requested to do so. > > I'm running a self-compiled kernel from the LX_SUSE sources, with the > international crypto patches applied so I could turn on some of > the crypto modules. > > The following packages _are_ installed: > Series n: > - ipmasqad > - iproute2 > > And the following relevant kernel configs were/are set, and > the modules > available: > > Networking Options: > [*] Routing messages > [*] Network firewalls > [*] Socket filtering > [*] IP: Advanced Router > [*] IP: policy routing > [*] IP: verbose route monitoring > [*] IP: firewalling > [*] IP: firewall packet netlink device > [*] IP: use FWMARK value as routing key > [*] IP: masquerading > [*] IP: masquerading special modules support > <M> IP: ipautofw masquerade support (Experimental) > <M> IP: ipportfw masquerade support > <M> IP: ipmarkfw masquerade support > <M> IP: tunneling > <M> IP: GRE tunnels over IP > > I *think* this should get me where I need to go. > > I've confirmed that in /lib/modules/2.2.16, there are the following > modules ready to go: > > ip_gre.o > ip_masq_cuseeme.o > ip_masq_irc.o > ip_masq_portfw.o > ip_masq_raudio.o > ip_masq_vdolive.o > ip_masq_autofw.o > ip_masq_ftp.o > ip_masq_mfw.o > ip_masq_quake.o > ip_masq_user.o > ipip.o > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com >

1 0

AW: AW: [suse-security] Re: OpenSSH
by Dustin Huptas 31 Oct '00

31 Oct '00

Hi Daniel! Sorry to say this but you?re wrong. They are compatible! I just got it running. I made some stupid mistakes in the following config files: Here the correct definitions: /etc/ssh/sshd.config -> PermitRootLogin = yes /etc/hosts.allow -> sshd: ALL #(or the ip you want to allow) Thank you very much to everyone who has helped me solving my little problem! Rgds Dustin -----Ursprungliche Nachricht----- Von: Daniel Quappe [mailto:quappe@erster.de] Gesendet: Dienstag, 31. Oktober 2000 11:20 An: Dustin Huptas Betreff: Re: AW: [suse-security] Re: OpenSSH yes, you're right. i had the same problems. they arent't compatible. sorry, read to late... Dustin Huptas schrieb: > Thanks, but I?ve been using the verbose option all over and it said: > > Permission denied. > lost connection > > Is it possible, that SSH and OpenSSH are not compatible? > > Rgds Dustin > > -----Ursprungliche Nachricht----- > Von: Johannes Geiger [mailto:geiger@informatik.tu-muenchen.de] > Gesendet: Dienstag, 31. Oktober 2000 10:50 > An: suse-security(a)suse.com > Betreff: [suse-security] Re: OpenSSH > > Hallo Dustin Huptas! > > Am Tue, Oct 31, 2000 at 10:39:49AM +0100 schrieb Dustin Huptas: > > I try to set up a backup of a webserver which uses SSH Version 1.2.27. The > > backup system uses OpenSSH_2.1.13, which is said to be more secure. Now I > > want to copy all relevant files from the original to the backup system as > I > > used to do all the time. Unfortunately the backup system does not allow to > > be accessed via SSH. It always says: "Permission denied.", though the > > password works when logging in locally. > > Tryp the -v (verbose) option for ssh. This might give you a hint what > goes wrong. > > Hope that helps! > > Johannes > > --------------------------------------------------------------------- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com -- Daniel Quappe Dienstag, der 31. Oktober 2000 Netz-Administration Fon +49 (0)202 252 15 99 Fax +49 (0)202 52 20 99 Didn't take a look at http://www.erster.de yet ?!

1 0

Help!
by Kai seefeldt 31 Oct '00

31 Oct '00

Hi, i just found out that some spammers use my webserver by relaying e-mails over it. I have sendmail 8.9.3 installed. How can I stop relaying form any host, but allow sending e-mails with my "outlook Express" fom at home? PLEACE help me! Thanks a lot.

7 7

Kernel Problem or Hacked?
by Boris Kantwerk 31 Oct '00

31 Oct '00

Hi *, I had problems to connect my server. All ICMP tools like ping and tracert did their job well. Nmap was able to identify the OS and all open ports. But while connecting via SSH or WWW the programms aborted with a timeout failure. After rebooting the maschine (nothing other helps), all services work properly. I found following entries in my /var/log/messages: Oct 30 00:00:00 server /USR/SBIN/CRON[19725]: (root) CMD ( rm -f /var/cron/lastrun/cron.daily) Oct 30 00:00:09 server su: (to nobody) root on none Oct 30 00:00:09 server su: pam_unix session started for user nobody, service su Oct 30 00:00:54 server kernel: kfree: Bad obj c053a300 Oct 30 00:00:54 server kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000 Oct 30 00:00:54 server kernel: current->tss.cr3 = 00bd8000, %%cr3 = 00bd8000 Oct 30 00:00:54 server kernel: *pde = 00000000 Oct 30 00:00:54 server kernel: Oops: 0002 Oct 30 00:00:54 server kernel: CPU: 0 Oct 30 00:00:54 server kernel: EIP: 0010:[kfree+475/496] Oct 30 00:00:54 server kernel: EFLAGS: 00010282 Oct 30 00:00:54 server kernel: eax: 0000001b ebx: c1fff620 ecx: 0000003b edx: 00000028 Oct 30 00:00:54 server kernel: esi: c053a300 edi: c053aaa0 ebp: 00000000 esp: c0babe64 Oct 30 00:00:54 server kernel: ds: 0018 es: 0018 ss: 0018 Oct 30 00:00:54 server kernel: Process find (pid: 19826, process nr: 53, stackpage=c0bab000) Oct 30 00:00:54 server kernel: Stack: c1fa71e0 00000000 c053aaa0 00000000 c053aac0 c0744450 c053aaa0 c0134562 Oct 30 00:00:54 server kernel: c053a300 c0babec0 00009803 00000405 c1fb1000 00000405 c01356bc fffffdd3 Oct 30 00:00:54 server kernel: 000001e8 c0208eb8 00009803 c0229188 c1fb1000 c09db5d0 c07e4000 c0babec0 Oct 30 00:00:54 server kernel: Call Trace: [prune_dcache+210/288] [try_to_free_inodes+188/256] [grow_inodes+32/416] [get_new_inode+229/336] [iget+106/128] [ext2_lookup+100/160] [real_lookup+79/192] Oct 30 00:00:54 server kernel: [lookup_dentry+272/432] [__namei+41/96] [sys_newlstat+19/112] [system_call+52/56] Oct 30 00:00:54 server kernel: Code: c7 05 00 00 00 00 00 00 00 00 83 c4 08 5b 5e 5f 5d 83 c4 0c Oct 30 00:00:54 server su: pam_unix session finished for user nobody, service su Oct 30 00:20:25 server -- MARK -- Oct 30 00:23:15 server sshd[199]: log: Generating new 768 bit RSA key. Oct 30 00:50:25 server -- MARK -- Oct 30 01:20:25 server -- MARK -- Any Ideas what happened with the machine? Thanx, Boris.

3 2

Port Sentry Logfile
by tabanna 31 Oct '00

31 Oct '00

Hi, Security_SuSErs :) ~ On my stand-alone desk-top 'puter, I installed "Port Sentry", and use it for a month now . . . Usually, the Log File shows nothing surprising. But, the last few days, I start to obeserve entries, like these :- __________________________________________________________ Oct 29 22:09:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=21648 F=0x0000 T=122 (#32) Oct 29 22:11:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=22928 F=0x0000 T=122 (#32) ____________________________________________________________ Any ideas, please, what this signifies . . . maybe my ISP is trying to plant some Cookies ? . . . or, what ? I have done a 'ping' to 194.219.151.161 , but it does not respond. I have done a 'dig' but it only gives the number, but no details. thanks a ton :) best wishes -- ____________ sent on Linux ____________ 100% Virus Free! ______________________________________________________________________________ Vous avez un site perso ? 2 millions de francs à gagner sur i(france) ! Webmasters : ZE CONCOURS ! http://www.ifrance.com/_reloc/concours.emailif

2 1

Switching to Linux
by Patriiiiiiiiiick 31 Oct '00

31 Oct '00

Hello!! I want to switch progressively to Linux (As a programmer, I become more and more ashamed of not having experience using it.) and I'm connected to the 'net. I will try to download the update from SuSE 6.3 to 7.0 an install it. Since I am permanently connected to the 'net, I wonder what precautions I should take before/after the installation. My connection is through a cable modem if it is a useful info. Should I be as paranoid as with a Win98 system or is the default config in SuSE more/less secure? Thank you for your help! Patrick

2 3

Setting ports > 1023 as privileged
by Anibal Vasquez 30 Oct '00

30 Oct '00

Hi * Ist there a possibility to set all ports above 1023 on a specific device to be "privileged" so only root can use them? I want to "prevent" users from sniffing e.g. X-sessions... Thanks in advance! Anibal

4 6