September 2000 - openSUSE Security - openSUSE Mailing Lists

SuSEFirewall and Web sites
by Chris Clarke 28 Sep '00

28 Sep '00

I tried sending this yesterday, but I don't think it got through. My apologies if it shows up as a duplicate... Hi, I've recently installed the suse firewall script, and have it cnofigured so that incoming high tcp ports are not allowed, and incoming high udp ports are dns only. This appears to be working great 99% of the time, however recently I have run into some web sites that appear to want to make high port tcp connections, and won't give me any response without them. Two imortant sites that I am observing this on are: www.ctan.org: keeps trying to make tcp connections to port 61116 www.sun.com: keeps trying to make tcp connections to port 61229 Before I reconfigure my firewall to open these ports, I was wondering if anyone knew what these sites wanted to do? I find it odd that all other services or web sites I use are fine with the ruleset I have, yet these sites want more. Cheers, Chris. -- Chris Clarke stcanard(a)yahoo.com __________________________________________________ Do You Yahoo!? Yahoo! Photos - 35mm Quality Prints, Now Get 15 Free! http://photos.yahoo.com/

1 0

Masquerade & Firewall Setup
by j b 28 Sep '00

28 Sep '00

I cannot get my firewall to pass reply packets back. ping to the ISP causes wvdial.dod to dial the ISP, I can see packets being sent, and a reply coming back. But I still get 100% packet loss. I have followed the advice of several HOW-TO's but with no success. I can ping the inet side of the modem, but not the p-t-p side. What should my rc.firewall, rc.config, route.conf, networks configuration files look like? __________________________________________________ Do You Yahoo!? Yahoo! Photos - 35mm Quality Prints, Now Get 15 Free! http://photos.yahoo.com/

1 0

Antwort: [suse-security] internet gateway--ipchains
by gerhard.possler＠westernacher.de 27 Sep '00

27 Sep '00

Hi Sridhar, try to "jump" from the forward chain and not from the output chain; your syntax error is "web" and "forward" are chains and you cannot concatenate 2 chains :-) regards gerhard Sridhar <omicron(a)symonds.net> am 27.09.2000 19:05:09 Bitte antworten an omicron(a)symonds.net An: suse-security(a)suse.com Kopie: Thema: [suse-security] internet gateway--ipchains hi i have a gateway for the internet. and also an internal machine , both running linux with ipchains . i want to set up masquerading in the gateway for the internal comp. i set up the masq in the forward chain of the gateway, but how do i tell to recognise the gateway ? i tried settingit up so that , every packet from the internal machine whose destination is _not_ the gateway must be forwarded to the gateway. but somehow i think i'm wrong in giving the command. on the internal machine, i tried.. #ipchains -N web #ipchains -A output -b -d 192.168.1.2 -i lo ACCEPT #ipchains -A input -b -d 192.168.1.2 -i lo ACCEPT # ipchains -A output -d ! 192.168.1.1 -i eth1 -j web #ipchains -A forward ACCEPT the below one is causing problem... **** # ipchains -A web forward 192.168.1.1 this is not working. there is a syntax error somewhere.. can u help ? --cheedu -- Optimist ? No... Pessimist ? No... Opportunist ? *Yes* !! :D Sridhar omicron(a)cheedu.dyndns.org ------------------------------------------------------------------------ Gerhard Possler

1 0

2 LAN
by Lars 27 Sep '00

27 Sep '00

-- german -- hi, wie kann ich zwei LANs grundsätzlich über das Internet miteinander,verbinden, - Samba und Apache - und wie steht es dann mit der Sicherheit? bye lars -- english -- hi, how can i put 2 LANs together over the internet and 2 local linux-server? i want to use samba and apache. how many security holes are known? bye lars sorry - my (writeing) english is terrible)

2 1

internet gateway--ipchains
by Sridhar 27 Sep '00

27 Sep '00

hi i have a gateway for the internet. and also an internal machine , both running linux with ipchains . i want to set up masquerading in the gateway for the internal comp. i set up the masq in the forward chain of the gateway, but how do i tell to recognise the gateway ? i tried settingit up so that , every packet from the internal machine whose destination is _not_ the gateway must be forwarded to the gateway. but somehow i think i'm wrong in giving the command. on the internal machine, i tried.. #ipchains -N web #ipchains -A output -b -d 192.168.1.2 -i lo ACCEPT #ipchains -A input -b -d 192.168.1.2 -i lo ACCEPT # ipchains -A output -d ! 192.168.1.1 -i eth1 -j web #ipchains -A forward ACCEPT the below one is causing problem... **** # ipchains -A web forward 192.168.1.1 this is not working. there is a syntax error somewhere.. can u help ? --cheedu -- Optimist ? No... Pessimist ? No... Opportunist ? *Yes* !! :D Sridhar omicron(a)cheedu.dyndns.org ---------------------------------------------------

3 2

console login
by semat 27 Sep '00

27 Sep '00

Some time ago I wrote to this list about restricting console login access well sometime later I found the access.conf script on my machine which is remarkably similar to login.access on my BSD box however pam does not seem to read it. I wonder whether anyone knows the right modules I will have to load in login for this file to be read before any user logs in and should it be for auth or account or session? But for now in case anyone is also interested I found a nice package called ttc ( terminal type control ) it also implements timing for users and controls how many times a day they can login.

1 0

Good general Admin mailling list
by Steven Thompson 27 Sep '00

27 Sep '00

Hi I'm looking for a good linux admin mailling list to answers queries like for example. What is the correct major & minor number for your floppy device /dev/fd0 Thanks in Advance Steven

3 2

this one is for Kurt Seifried
by Philipp Snizek 27 Sep '00

27 Sep '00

Hi Kurt I copied your ipchains firewall from SecurityPortal. I ve got a question about Anti Spoofing. You've done it like this: # ANTI-SPOOFING ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i eth0 -d 0.0.0.0/0 ipchains -A input -p all -j DENY -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0 ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i eth0 -d 0.0.0.0/0 ipchains -A input -p all -j DENY -s 172.16.0.0/16 -i eth0 -d 0.0.0.0/0 ipchains -A input -p all -j DENY -s $ETH0IP -i eth0 -d 0.0.0.0/0 First question: Do spoofers use IP Adresses only of private IP ranges? Second question: Where is the difference to : echo 1 > /proc/net/sys/ipv4/conf/all/rp_filter (frankly I don't know exactly what this does, I've read this line in suse-security mailinglist one month ago) Thank you Philipp

3 2

lprNG
by Roman Drahtmueller 27 Sep '00

27 Sep '00

Hi, Linux vendors will be writing advisories about a vulnerability in lprNG, the printer spooling package. SuSE Linux versions 6.3, 6.4 and 7.0 come with an lprNG package of an older version (6.3 had 3.6.12, 6.4 was 3.6.13 and 7.0 has a downgrade back to 3.6.12). These packages are not susceptible to the attack. Therefore we do not provide any update packages. Thanks, Roman. -- - - | Roman Drahtmüller <draht(a)suse.de> // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

1 0

Re: [suse-security] disable init=/bin/sh?
by wilson＠claborn.net 27 Sep '00

27 Sep '00

I don't think that answers his Q. On my boxes if you put a password in lilo it will NOT boot on it's own after a power failure. Frank, what you should probably do is remove the "prompt" line from /etc/lilo.conf. That way it will boot straight into Linux without asking anything - much the same as windows boots straight into windows without asking. That way there will never be a prompt for user input, so no malicious users will have a chance to type anything in(of course neither will you). JW At 07:24 PM 9/26/2000 +0200, you wrote: >Hi! > >> just stepped on this option to type "linux init=/bin/sh" at >> the boot prompt, which gives me a root shell. For me, that's >> really a security problem: We have some computers here which >> we cannot protect with boot-passwords because they have to >> come up automatically after a power drop. >> Can I somehow disable this possibility of passing an alternative >> init-parameter for my SuSE 6.4? > >this is from SuSE /etc/lilo.conf: > ># Start LILO global Section ># If you want to prevent console users to boot with init=/bin/bash, ># restrict usage of boot params by setting a passwd and using the option ># restricted. >password=password >restricted > > > >good luck! >Yuri. > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com >For additional commands, e-mail: suse-security-help(a)suse.com

3 2