December 2000 - openSUSE Security - openSUSE Mailing Lists

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

Re: is SuSE going to implement libsafe?
by marc＠suse.de 18 Feb '01

18 Feb '01

Hi, >I have just read an Bell Labs anouncement, that they are going to release >libsafe under GNU licence, and that some major Linux distros are going to >be using it. SuSE was not amongst them, why is that? I think that libsafe would >be a good echnacement against buffer overflow. > >Anouncement is on: >http://www.bell-labs.com/news/2000/april/20/1.html just because something new pops up please be careful with questions like "when will you implement it?" ;-) There are several questions to ask: a) is it STABLE and does it NOT affect the stability of other programs? b) does it bring additional security problems into the system? c) is the security protection effective? Well, of course the SuSE Security Team already reviewed libsafe. Here are the answers: a) unsure. it would have to be tested very intensive. this was not done yet. b) the code might have vulnerabilities, however the protection gained is higher even if a vulnerability would be present c) okay, now the tough part: libsafe is a dynamic library which is set in the environment which checks several dangerous functions, which can be a security problem. Because it is a dynamic library, it is NO protection against local attackers, just against remote attackers on network services. (if an attacker wants to attack a local suid file, he would just reset his library path environment). Next thing: it does not check for all known vulnerabilites. It even doesn't protect against all buffer overflows, It just protects against *some* overflows. those which happen because of insecure use of strcat/strcpy etc. summary: I can not remember a vulnerability in a network service for the last year which this tool would have prevented. Therefore: as long as this tool is not enhanced to also protect open/fopen calls against symlink/hardlink/pipe attacks, several more buffer overflow types, system/exec* function protection etc. it is not useful to use this tool. I would rather propose to use the secumod module which comes with SuSE Linux since 6.3 and maybe the secure-linux kernel patch from www.openwall.com - these two tools enhance your security. (and btw, install seccheck, hardensuse and firewals and use them - then your security is very high) Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

5 4

Mail filter on firewall?
by Stefan Hoffmeister 08 Jan '01

08 Jan '01

Is there a way to filter mail (for viruses / content / attachments) on a masquerading firewall without a server on the gateway? I currently have SuSE 7.0 running here, providing NAT for a few clients on the LAN; SuSEfirewall 4.2 protects the gateway. In order to protect some clients, I would like check the emails that are flowing in and filter or modify the content in case some criteria are matched (".EXE file attached? Kill. Now." etc). ZoneAlarm (http://www.zonealarm.com/) on Windows has functionality for clients that does this to some extent (rename .VBS scripts). At the same time, I would like to allow connections to any standard mail server out there (freemailers, for instance). I am under the impression that having a port redirector on the firewall which looks at the POP3 traffic might be effective? Is there such a thing at all? I looked around and only found setups where a (gateway) "local" mail server was around that did all the processing, with clients connecting to the *local* gateway. TIA, Stefan

2 1

proftpd-1.2.rc2: BUG! passive FTP not working (FIX attachted)
by Steffen Dettmer 04 Jan '01

04 Jan '01

Hi, the package mention above contains a bug concered to passive mode FTP. After upgrading, no passive FTP is possible! I attach a modified SPEC file and the needed patch. HOW TO BUILD: ------------- 1. install the right source rpm (via rpm -i proftpd.spm) 2. overwrite the SPEC file in /usr/src/packages/SPECS/ 3. copy the patch to /usr/src/packages/SOURCES 4. build RPMS (rpm -ba /usr/src/packages/SPECS/proftpd.spec) 5. upgrade to new RPM (rpm -U /usr/src/packages/RPMS/i386proftpd-1.2.0rc2-37.i386.rpm) [sorry for long line] PLEASE NOTE: If you haven't openLDAP installed, you may remove openLDAP support by editing the SPEC file: Change line 68 from: --with-modules=mod_ratio:mod_readme:mod_linuxprivs:mod_ldap \ to: --with-modules=mod_ratio:mod_readme:mod_linuxprivs \ (before STEP 4, or if you get ldap errors with executing step 4; in the latter case edit file and redo step 4 and go on; that seems to be neccesary for SuSE 6.1) Standard disclaimer applies. UNTESTED except a quick test on a SuSE 6.1 but the new patch is a very simple one - but who knows! I wonder why nobody got this problem here before (it's known on proftpd.net...) TECHNICAL NOTE: The spec file got a new release number (37), hope this makes no conflicts. I only added the patch. I have no time to supply a diff of the SPECs right now, but that's what SuSE support is for ;) short in time as always ;) oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.

3 2

Re: [suse-security] SuSE Security FAQ
by Nix 03 Jan '01

03 Jan '01

Yes, this was my intended plan, however, I am more than happy to accept sections written by YOU! *hint hint* (anyone who wants credit for writing a major section will receive a listing in a CREDITS file. At least thats what I've been thinking of doing... Thoughts anyone?) -Nix At 10:38 PM 16/12/2000 +0800, you wrote: >I would like to see additional security programs i.e., >snort, Portsentry, SuSEfirewall, etc. Thus people will know >the things to install to beef up security, maybe even >Howto's on setting these up(?). >- -- Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking

4 3

telnet as a root on a suse 6.3 suse server
by Francesco Masiello 02 Jan '01

02 Jan '01

I must be able to telnet from a terminal (not a console) as a root without using su. In solaris i could do that editing /etc/default/login file,but i can't find it on this Operating System. How can i do ? Thanks

8 7

Nice little newbie review
by Nix 02 Jan '01

02 Jan '01

This is an interesting review that the SuSE marketing droids may be able to use.. http://www.linuxtests.org/articles/distributions/suse/7.0/ It pretty much mirrors what I think of SuSE 7.0.. I had a very similar problem installing on my Sparc.. where linuxrc would just die... Does anyone else HATE YaST2???? -Nix -- Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking

5 5

[suse-security] How can I solve this problem with mail server
by Luis Oliveira 01 Jan '01

01 Jan '01

Hi to all, My company mail server is running on a Suse 6.3 system, with sendmail 8.9.3, and until sotime ago everything was running beautifully. What happened is that we started to receive mail messages with links to porno sites. These mail messages are always addressed to non existant users in the mail system. We have tried to configure sendmail by way of webadmin to reject mail from the source addresses but the source adress is always changing. Is there any security problem with Suse 6.3 and/or sendmail that can cause this ? What can I do to solve this? Thanks in advance // luis oliveira

2 1

How can I solve this problem with mail server
by Luis Oliveira 31 Dec '00

31 Dec '00

Hi to all, My company mail server is running on a Suse 6.3 system, with sendmail 8.9.3, and until sotime ago everything was running beautifully. What happened is that we started to receive mail messages with links to porno sites. These mail messages are always addressed to non existant users in the mail system. We have tried to configure sendmail by way of webadmin to reject mail from the source addresses but the source adress is always changing. Is there any security problem with Suse 6.3 and/or sendmail that can cause this ? What can I do to solve this? Thanks in advance // luis oliveira

2 1

Kryptographie (Passwort)
by Claudia Arnold 31 Dec '00

31 Dec '00

Hi Liste !! Ich habe da eine kleine Verständnisfrage: Wenn ein Passwort verschlüsselt ist (z.B. shadow) und man davon ausgeht, daß es Verschlüsselungsverfahren gibt, die nur schwer bzw. (momentan) gar nicht zu knacken sind, wie bekommt dann das System (z.B. bei Login-Passwort) das unverschlüsselte Passwort heraus ??? OK, ich könnte mir vorstellen, daß die Entschlüsselung o.ä. im Login-Programm enthalten ist, aber dann wäre sie doch (wegen Open-Source u.ä.) auch frei verfügbar - oder nicht !? Das gleiche ist ja auch bei z.B. EC-Karten der Fall. Glaubt man der Bank, so ist es für die Angestellten nicht möglich eine vergessene Geheimzahl nachträglich herauszufinden. Wie schafft es denn dann der Geldautomat herauszufinden, ob ich die korrekte Geheimzahl eingegeben habe ??? Dementrsprechend muß es doch auch (mehr oder weniger leicht) möglich sein, die Geheimzahl zu ermitteln, da es der Automat ja auch kann.... Oder befinde ich mich da vollkommen auf dem Holzweg ??? OK, klingt zwar etwas unprofessionell und laienhaft, aber das interresiert mich gerade irgendwie und es wäre nett, wenn mir da jemand eine qualifizierte und detailierte Antwort zu geben könnte. Vielen Dank im Voraus..... CU :-) Claudia

5 5