Hi!
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, which is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for a username and password)?
In the second case there is no need for authentication, and only the users whose public keys are in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
Thanks.
--
Farewell.
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
João Reis
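One way to check whether an sshd really is key-only, as an added example that is not part of the original post: a small audit of the global settings in sshd_config. It assumes OpenSSH's keyword names and defaults (PasswordAuthentication and keyboard-interactive on by default; ChallengeResponseAuthentication is the older spelling of KbdInteractiveAuthentication), and uses two constructed sample configs.

```python
import re
from typing import Dict, List
# OpenSSH defaults for the inspected keywords (assumed; see sshd_config(5)).
# ChallengeResponseAuthentication is the old name of KbdInteractiveAuthentication.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "permitemptypasswords": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample configs: one still accepting passwords, one key-only.
WEAK_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
"""
KEY_ONLY_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
# sshd keeps the first value it reads, so this later duplicate is ignored
PasswordAuthentication yes
"""

def parse_global_settings(text: str) -> Dict[str, str]:
    """Global keyword values as sshd applies them: first value wins, and
    keywords after a Match line are conditional, so parsing stops there."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings

def audit_key_only(text: str) -> List[str]:
    """List the settings that still allow a login without a public key."""
    s = {**DEFAULTS, **parse_global_settings(text)}
    findings = []
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key logins are impossible")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on: passwords are accepted")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is on: PAM may still ask for a password")
    if s["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is on")
    return findings
```

The keyboard-interactive finding is the one most often missed: with PAM enabled, turning off PasswordAuthentication alone still leaves a password prompt.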
-------------------------------------------------------
Hi,
>I have just read a Bell Labs announcement that they are going to release
>libsafe under the GNU licence, and that some major Linux distros are going to
>be using it. SuSE was not amongst them, why is that? I think that libsafe would
>be a good enhancement against buffer overflows.
>
>Anouncement is on:
>http://www.bell-labs.com/news/2000/april/20/1.html
Just because something new pops up, please be careful with questions like
"when will you implement it?" ;-)
There are several questions to ask:
a) is it STABLE and does it NOT affect the stability of other programs?
b) does it bring additional security problems into the system?
c) is the security protection effective?
Well, of course the SuSE Security Team already reviewed libsafe.
Here are the answers:
a) unsure. It would have to be tested very intensively. This was not done yet.
b) the code might have vulnerabilities; however, the protection gained is
higher even if a vulnerability were present
c) okay, now the tough part:
libsafe is a dynamic library, set via the environment, which checks
several dangerous functions that can be a security problem.
Because it is a dynamic library, it is NO protection against local
attackers, just against remote attackers on network services. (If an
attacker wants to attack a local suid file, he would just reset his library
path environment.) Next thing: it does not check for all known
vulnerabilities. It doesn't even protect against all buffer overflows; it
just protects against *some* overflows: those which happen because of
insecure use of strcat/strcpy etc.
summary:
I cannot remember a vulnerability in a network service in the last year
which this tool would have prevented. Therefore: as long as this tool is not
enhanced to also protect open/fopen calls against symlink/hardlink/pipe
attacks, several more buffer overflow types, system/exec* function
protection etc., it is not useful to use this tool.
I would rather propose to use the secumod module which comes with SuSE Linux
since 6.3 and maybe the secure-linux kernel patch from www.openwall.com -
these two tools enhance your security. (And btw, install seccheck,
hardensuse and firewalls and use them - then your security is very high.)
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
Is there a way to filter mail (for viruses / content / attachments) on a
masquerading firewall without a server on the gateway?
I currently have SuSE 7.0 running here, providing NAT for a few clients on
the LAN; SuSEfirewall 4.2 protects the gateway.
In order to protect some clients, I would like to check the emails that are
flowing in and filter or modify the content in case some criteria are
matched (".EXE file attached? Kill. Now." etc). ZoneAlarm
(http://www.zonealarm.com/) on Windows has functionality for clients that
does this to some extent (rename .VBS scripts). At the same time, I would
like to allow connections to any standard mail server out there
(freemailers, for instance).
I am under the impression that a port redirector on the firewall
which looks at the POP3 traffic might be effective. Is there such a thing
at all? I looked around and only found setups where a (gateway) "local"
mail server was around that did all the processing, with clients
connecting to the *local* gateway.
TIA,
Stefan
Hi,
the package mentioned above contains a bug concerning passive mode
FTP. After upgrading, no passive FTP is possible!
I attach a modified SPEC file and the needed patch.
HOW TO BUILD:
-------------
1. install the right source rpm (via rpm -i proftpd.spm)
2. overwrite the SPEC file in /usr/src/packages/SPECS/
3. copy the patch to /usr/src/packages/SOURCES
4. build RPMS (rpm -ba /usr/src/packages/SPECS/proftpd.spec)
5. upgrade to new RPM (rpm -U /usr/src/packages/RPMS/i386proftpd-1.2.0rc2-37.i386.rpm)
[sorry for long line]
PLEASE NOTE: If you haven't openLDAP installed, you may remove
openLDAP support by editing the SPEC file:
Change line 68 from:
--with-modules=mod_ratio:mod_readme:mod_linuxprivs:mod_ldap \
to:
--with-modules=mod_ratio:mod_readme:mod_linuxprivs \
(before STEP 4, or if you get LDAP errors when executing step 4;
in the latter case edit the file, redo step 4 and go on; that
seems to be necessary for SuSE 6.1)
Standard disclaimer applies.
UNTESTED except for a quick test on SuSE 6.1; the new patch is a
very simple one - but who knows!
I wonder why nobody got this problem here before (it's known on
proftpd.net...)
TECHNICAL NOTE: The spec file got a new release number (37); I hope
this causes no conflicts. I only added the patch. I have no time
to supply a diff of the SPECs right now, but that's what SuSE
support is for ;)
short in time as always ;)
oki,
Steffen
--
This letter was generated by machine,
and therefore bears neither signature nor seal.
Yes, this was my intended plan, however, I am more than
happy to accept sections written by YOU!
*hint hint*
(anyone who wants credit for writing a major section will receive a listing
in a CREDITS file. At least that's what I've been thinking of doing... Thoughts
anyone?)
-Nix
At 10:38 PM 16/12/2000 +0800, you wrote:
>I would like to see additional security programs i.e.,
>snort, Portsentry, SuSEfirewall, etc. Thus people will know
>the things to install to beef up security, maybe even
>Howto's on setting these up(?).
>-
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
I must be able to telnet from a terminal (not a console) as root without
using su.
In Solaris I could do that by editing the /etc/default/login file, but I can't find
it on this
operating system.
How can I do it?
Thanks
This is an interesting review that the SuSE marketing droids may be able to
use..
http://www.linuxtests.org/articles/distributions/suse/7.0/
It pretty much mirrors what I think of SuSE 7.0..
I had a very similar problem installing on my Sparc.. where
linuxrc would just die...
Does anyone else HATE YaST2????
-Nix
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Hi to all,
My company mail server is running on a SuSE 6.3 system, with sendmail 8.9.3,
and until some time ago everything was running beautifully.
What happened is that we started to receive mail messages with links to
porno sites. These mail messages are always addressed to non-existent users
in the mail system. We have tried to configure sendmail by way of webadmin
to reject mail from the source addresses, but the source address is always
changing. Is there any security problem with SuSE 6.3 and/or sendmail that
can cause this?
What can I do to solve this?
Thanks in advance
// luis oliveira
Hi list!!
I have a small comprehension question:
If a password is encrypted (e.g. shadow)
and one assumes that there are encryption methods
which are hard or (at the moment) impossible to crack,
how does the system (e.g. for the login password)
then obtain the unencrypted password???
OK, I could imagine that the decryption or something similar
is contained in the login program, but then it would
(because of open source etc.) also be freely available - or not!?
The same is the case with, e.g., EC cards.
If you believe the bank, it is not possible for the employees
to find out a forgotten PIN afterwards.
How then does the cash machine manage to find out
whether I entered the correct PIN???
Accordingly it must also be (more or less easily)
possible to determine the PIN, since the machine
can do it too....
Or am I completely on the wrong track???
OK, it sounds somewhat unprofessional and amateurish,
but it somehow interests me right now and it would be nice
if someone could give me a qualified and detailed answer
on this.
Many thanks in advance.....
CU :-)
Claudia
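The point the question turns on is that login never decrypts anything: the file holds a one-way hash, and the program hashes what was typed and compares. The following is an added illustration, not part of the original post or of any list reply; it uses PBKDF2-SHA256 as a stand-in for the salted crypt(3) hash that shadow actually stores, and the iteration count and salt size are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size: assumed values for this example, not prescribed.
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".

    The record holds no key and no ciphertext, only a salted, iterated hash,
    so there is nothing that could be decrypted; the plaintext is discarded.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(candidate: str, record: str) -> bool:
    """What login (or the cash machine) does: re-derive the hash from the typed
    password with the stored salt and compare it. Nothing is ever decrypted."""
    try:
        algo, iterations_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_text)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:                          # malformed or truncated record
        return False
    if algo != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # Constant-time comparison: an early-exit byte compare would leak, via timing,
    # how many leading bytes of the guess were right.
    return hmac.compare_digest(derived, expected)
```

Because of the random salt, two users with the same password get different records, which is why a leaked file cannot be checked against a single precomputed table.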