openSUSE Security October 2000

security@lists.opensuse.org

153 participants
182 discussions

su1 vs. sudo
by Johannes Geiger 30 Oct '00

30 Oct '00

Hi! Could someone please explain to me in short what the difference is between su1 and sudo (or, if this is a FAQ -- sorry --, point me to the answer). Thanks! Johannes

1 0

rc.firewall
by Gerd Bitzer 30 Oct '00

30 Oct '00

Hi all, does anybody know this URL: http://www.jsmoriss.dyndns.org/linux/firewall.html and has experience with this script (compared to suse-firewall) ? TIA

1 0

SuSEfirewall 4.0, FW_FORWARD_MASQ_??P
by Argentium G. Tiger 29 Oct '00

29 Oct '00

I'm hoping one of you bright folks can lend me a hand with a small configuration problem I'm having with Marc Heuse' new SuSEfirewall 4.0 package. This is on a SuSE 7.0 professional system. For several versions of SuSEfirewall, SuSE 6.3 through 7.0, I've tried to configure the script to allow outside connections to port 6699 on the firewall (napster) to my internally masqueraded windows desktop running napster. Additionally, I've tried to let select other services through to server machines on the internal masqueraded network, but so far, no joy. My internal windows desktop is at 192.168.1.101, and is successfully able to get to Napster servers on port 6699 through the firewall. I just wish I could share some of my files with the rest of the world. Oh, and in my /etc/rc.firewall settings, don't be concerned about pcanywheredata and pcanywherestat being open to the outside world. I actually have sshd running on those ports, as that's the only way to get to my firewall from my workplace. ;-) Here are my /etc/rc.firewall settings: FW_DEV_WORLD="eth0" FW_DEV_INT="eth1" FW_DEV_DMZ="" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_NETS="192.168.1.0/24" FW_MASQ_DEV="$FW_DEV_WORLD" FW_PROTECT_FROM_INTERNAL="yes" FW_AUTOPROTECT_GLOBAL_SERVICES="yes" FW_SERVICES_EXTERNAL_TCP="ssh sshalt pcanywheredata pcanywherestat ident napster" FW_SERVICES_EXTERNAL_UDP="pcanywheredata pcanywherestat napster" FW_SERVICES_EXTERNAL_IP="" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" FW_SERVICES_INTERNAL_TCP="telnet ftp smtp ssh sshalt pcanywheredata pcanywherestat domain icq napster www 8080 rrlogind" FW_SERVICES_INTERNAL_UDP="pcanywheredata pcanywherestat domain www icq 8080 rrlogind" FW_SERVICES_INTERNAL_IP="" FW_TRUSTED_NETS="" FW_SERVICES_TRUSTED_TCP="" FW_SERVICES_TRUSTED_UDP="" FW_SERVICES_TRUSTED_IP="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" FW_SERVICE_DNS="yes" FW_SERVICE_DHCLIENT="yes" FW_SERVICE_DHCPD="yes" FW_SERVICE_SAMBA="no" FW_FORWARD_TCP="" FW_FORWARD_UDP="" FW_FORWARD_IP="" # Here's where I'm trying to let napster in from the rest of the # world to my windows box at 192.168.1.101 # FW_FORWARD_MASQ_TCP="0/0,192.168.1.101,6699" FW_FORWARD_MASQ_UDP="0/0,192.168.1.101,6699" FW_REDIRECT_TCP="" FW_REDIRECT_UDP="" FW_LOG_DENY_CRIT="yes" FW_LOG_DENY_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_KERNEL_SECURITY="yes" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive" - - - Similarly, I tried allowing requests to port 80 through to 192.168.1.10, which is one of my internal fileservers. It's running apache. No joy there either... Tried: FW_FORWARD_MASQ_TCP="0/0,192.168.1.10,80" FW_FORWARD_MASQ_UDP="0/0,192.168.1.10,80" Anyone have any ideas? I'll try to anticipate peoples' questions about my system by providing some more information now, and I'll be happy to provide more information if requested to do so. I'm running a self-compiled kernel from the LX_SUSE sources, with the international crypto patches applied so I could turn on some of the crypto modules. The following packages _are_ installed: Series n: - ipmasqad - iproute2 And the following relevant kernel configs were/are set, and the modules available: Networking Options: [*] Routing messages [*] Network firewalls [*] Socket filtering [*] IP: Advanced Router [*] IP: policy routing [*] IP: verbose route monitoring [*] IP: firewalling [*] IP: firewall packet netlink device [*] IP: use FWMARK value as routing key [*] IP: masquerading [*] IP: masquerading special modules support <M> IP: ipautofw masquerade support (Experimental) <M> IP: ipportfw masquerade support <M> IP: ipmarkfw masquerade support <M> IP: tunneling <M> IP: GRE tunnels over IP I *think* this should get me where I need to go. I've confirmed that in /lib/modules/2.2.16, there are the following modules ready to go: ip_gre.o ip_masq_cuseeme.o ip_masq_irc.o ip_masq_portfw.o ip_masq_raudio.o ip_masq_vdolive.o ip_masq_autofw.o ip_masq_ftp.o ip_masq_mfw.o ip_masq_quake.o ip_masq_user.o ipip.o

1 0

Firewall 4.0
by Schulz, Wolfgang 29 Oct '00

29 Oct '00

Hello! I'm testing the Firewall 4.0 script. Although it is not a good idea I want to forward a connection made on the internet side of the firewall to a special port on an internal server. We are using private IP addresses internally. I want to allow only connection from a small subnet 195.10.11.0/29 and I used FW_FORWARD_MASQ_TCP FW_FORWARD_MASQ_TCP="195.10.11.0/29,10.96.1.110,1548" I tried afterwards to connect to this port - there is a connection but it seems that nothing is forwarded to the internal machine. What could be wrong? Thanks Wolfgang

1 0

Re: [suse-security] Microsoft Hacked!!!!!
by Jan Theofel 29 Oct '00

29 Oct '00

Hello Ralph, Ralph De Witt wrote: > > Wow MS operating System source code hacked with the possiblite that ever copy > of ME and 2000 now is open to these people. Makes my open source os seem > better by the minute. And MS did not even know about it for over 3 months. Yes, that's it. And we DO NOT KNOW how often this happend already and they perhaps didn't realise at all! Or so say it in Bruce Schneier's words: "As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades." (http://www.counterpane.com/crypto-gram-9909.html) Bye, Jan -- ETES - Espenhain & Theofel EDV-Systeme GbR Libanonstrasse 54 * D-70184 Stuttgart Phone +49 711 4895550 * Fax +49 711 4809761 EMail: info(a)etes.de --- URL: www.etes.de ... Beratung, Netzwerke, Internet, Homepages, Datenbanken, Kommunikation, Software, Hardware ...

3 2

Microsoft Hacked!!!!!
by Matthew Johnson 28 Oct '00

28 Oct '00

http://news.bbc.co.uk/hi/english/business/newsid_993000/993933.stm Thoughts? Opinions? Erm, jokes? Matthew

7 6

RE: [suse-security] Microsoft Hacked!!!!!
by Mike Johnson 28 Oct '00

28 Oct '00

Hi again! Here's one: http://www.msnbc.com/news/481998.asp I lost the other one that included a link to CERT's page. Theres a mention of it here: http://www.cert.org/current/current_activity.html No, they're not stupid. But no system is perfect.... It's not an extreme virus, either. I found a copy of it on my linux server, but the registry entries they talked about didn't seem to be included on any NT machines, only 98. - Mike -----Original Message----- From: Eduardo Carriles [mailto:eduardo.carriles@teleline.es] Sent: Friday, October 27, 2000 5:00 PM To: SuSE Security Mail List Subject: Re: [suse-security] Microsoft Hacked!!!!! Hi, ---- Mike Johnson wrote: > Hey, that's just what I heard on MS-NBC. Need a read this cute MS-NBC, got some link on it?? But i maintain my original guess on the not stupidity of $MS. Greets...!! > Also, if you read the text I included, the Feb article is actually a set of > recommendations on an older, similar case. > > [snip...] -- HTH Best regards, Eduardo Carriles [-- Better a smile than a flame --] (Long time SuSE-Linux [preferred distro] user). [-- Se me nota mucho? -- Notices me much?] [-- Have a lot of fun...] --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

3 2

Limiting root access
by Bob Vickers 28 Oct '00

28 Oct '00

There was some discussion a few weeks ago about limiting root access to one group, as is done on many other flavours of Unix. I did some experiments on SuSE 6.4, and also a bit of searching on the net, but still haven't found a solution. One suggestion was to use /etc/suauth. My experiments, and also some hints I dug up from old message archives, suggest that /etc/suauth is ignored on SuSE Linux. If this is true, please could SuSE remove the man page from the distribution! The other suggestion was to use PAM. I managed to find a manual which appeared to have a suitable example, and I put the line auth required /lib/security/pam_wheel.so group=root in /etc/pam.d/su . But this had too much effect! It stopped anybody using su, including members of group root. Has anyone managed to achieve this simple security precaution? Bob ============================================================== Bob Vickers R.Vickers(a)dcs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691

4 5

RE: [suse-security] Microsoft Hacked!!!!!
by Mike Johnson 27 Oct '00

27 Oct '00

Hey, that's just what I heard on MS-NBC. Also, if you read the text I included, the Feb article is actually a set of recommendations on an older, similar case. -----Original Message----- From: Eduardo Carriles [mailto:eduardo.carriles@teleline.es] Sent: Friday, October 27, 2000 4:26 PM To: SuSE Security Mail List Subject: Re: [suse-security] Microsoft Hacked!!!!! Hi Mike and friends all, Greets, [read below...] ---- Mike Johnson wrote: > It was the Qaz.worm virus. We got hit a couple of weeks ago because the > company brass likes to open every single email attachment they get.... > > I've been busy changing passwords all week. > > Here's what CERT said about it: > > QAZ Worm > The QAZ Worm is a trojan that has been spreading on the Internet for several > weeks. This worm exploits unprotected windows networking shares similar to > the network.vbs worm as discussed in CERT Incident Note IN-2000-02 > IN-2000-02, Exploitation of Unprotected Windows Networking Shares > The QAZ worm searches for shared drives where \\Windows\Notepad.exe is > available. Once the worm finds an unprotected share with notepad.exe > available, it copies itself to the machine and modifies the registry to > insure that it is run every time Windows is restarted. When the machine is > rebooted the worm renames the original notepad.exe to note.com and copies > itself in place as notepad.exe. > Users are encouraged to follow the advice in IN-2000-02 for securing Windows > networking shares. > Additional information about these viruses and others can be found by > visiting the sites listed on our Computer Virus Resources page. > > I found that it didn't necessarily need a windows share with notepad > available. Come on, no one will believe that $MS was caught on this. It is stupid and not new, as you can guess by CERTs IN-2000-02 [feb2000_is_old(tm)] This was much more extensive. [stolen sources included, humans ahead] not a blind virus. They caught them dead. Just my 2 cents on it. =:`8) Good try with your [QAZ Worm], but it won't work on them, they ain't stupid. (thought...) > - Mike Johnson > > -----Original Message----- > From: Eduardo Carriles [mailto:eduardo.carriles@teleline.es] > [snip...] -- HTH Best regards, Eduardo Carriles [-- Better a smile than a flame --] (Long time SuSE-Linux [preferred distro] user). [-- Se me nota mucho? -- Notices me much?] [-- Have a lot of fun...] --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

2 1

Re: RE: [suse-security] UE draft on cybercrime
by r.maurizzi＠gvs.it 27 Oct '00

27 Oct '00

> Legislation is not courtesy of the european council but of all of us. There's more than a little suspect that this legislation is a brainchild of NSA, and that they are trying to impose this on Europe and all their other commercial partners, using methods ranging from "it's in your best interest" to "If you don't do this, then we won't do business with you because you're insecure". In the US they have (or are about pass) similar bills/laws, and a discussion like this one was made I think 1.5 years ago on the NTBugTraQ M/L. The nicest thing of the US proposed bill is that bugs and security deficiencies will be considered *Intellectual Property* of the program creator/distributor, and (under the DMCA) it can become illegal to disclose them publicy (as in "they can sue you out of business" if you disclose a weakness in a commercial program) IMHO, the day a similar bill passes and Micros^H^H^H^H^H^H big IT firms start to use it to silence the security people, it will be the start of the end for the Internet Age as we now know it, because in a matter of a few months all security firms and consultants will be out of business and the real black hat crackers will have easy access to all the "C2 security certifiable" systems that are out there. And after that, all hell will break loose... ;-) BTW, the fact that it's a european company is not my first reason to use SuSE, but it's quite up in the "list of reasons" I give to all the "why don't you use RedHat" people I know... ;-) Ciao, Roberto. P.S. The same problem (USA forcing on a more or less complacent/clueless EU council all their stupid laws) is a problem that doesn't afflict IT security only: from trade rules to consumer rihgts, in the last few years EU had a lot of fights with the US over a lot of things. And practically, they lost them all.

5 4

Jump to page:

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security October 2000