I tried sending this yesterday, but I don't think it got through. My
apologies if it shows up as a duplicate...
Hi,
I've recently installed the suse firewall script, and have it
configured so that incoming high tcp ports are not allowed, and
incoming high udp ports are dns only.
This appears to be working great 99% of the time, however recently I
have run into some web sites that appear to want to make high port tcp
connections, and won't give me any response without them. Two
important sites that I am observing this on are:
www.ctan.org: keeps trying to make tcp connections to port 61116
www.sun.com: keeps trying to make tcp connections to port 61229
Before I reconfigure my firewall to open these ports, I was wondering
if anyone knew what these sites wanted to do? I find it odd that all
other services or web sites I use are fine with the ruleset I
have, yet these sites want more.
Cheers,
Chris.
--
Chris Clarke
stcanard(a)yahoo.com
__________________________________________________
Do You Yahoo!?
Yahoo! Photos - 35mm Quality Prints, Now Get 15 Free!
http://photos.yahoo.com/
I cannot get my firewall to pass reply packets back.
ping to the ISP causes wvdial.dod to dial the ISP, I can see packets
being sent, and a reply coming back. But I still get 100% packet loss.
I have followed the advice of several HOW-TO's but with no success. I
can ping the inet side of the modem, but not the p-t-p side.
What should my rc.firewall, rc.config, route.conf, networks
configuration files look like?
Hi Sridhar,
try to "jump" from the forward chain and not from the output chain;
your syntax error is "web" and "forward" are chains and you cannot
concatenate 2 chains
:-)
regards gerhard
Sridhar <omicron(a)symonds.net> on 27.09.2000 19:05:09
Please reply to omicron(a)symonds.net
To: suse-security(a)suse.com
Cc:
Subject: [suse-security] internet gateway--ipchains
hi
i have a gateway for the internet. and also an internal machine ,
both running linux with ipchains . i want to set up masquerading in the
gateway for the internal comp. i set up the masq in the forward chain of
the gateway, but how do i tell to recognise the gateway ? i tried
setting it up so that , every packet from the internal machine whose
destination is _not_ the gateway must be forwarded to the gateway. but
somehow i think i'm wrong in giving the command. on the internal machine,
i tried..
#ipchains -N web
#ipchains -A output -b -d 192.168.1.2 -i lo ACCEPT
#ipchains -A input -b -d 192.168.1.2 -i lo ACCEPT
# ipchains -A output -d ! 192.168.1.1 -i eth1 -j web
#ipchains -A forward ACCEPT
the below one is causing problem...
**** # ipchains -A web forward 192.168.1.1
this is not working. there is a syntax error somewhere.. can u
help ?
--cheedu
--
Optimist ? No... Pessimist ? No... Opportunist ? *Yes* !! :D
Sridhar
omicron(a)cheedu.dyndns.org
------------------------------------------------------------------------
Gerhard Possler
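To make Gerhard's diagnosis checkable, an added example that is not part of either post: a small Python validator for the posted ipchains lines. It knows the three builtin chains, the builtin targets and the chains defined with -N, and reports every bare word that is neither an option nor a value, which is exactly where "forward" and the bare "ACCEPT" words of the posting land.

```python
import shlex

BUILTIN_CHAINS = {"input", "output", "forward"}
BUILTIN_TARGETS = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT", "RETURN"}
ARG_OPTS = {"-A", "-N", "-s", "-d", "-i", "-p", "-j"}  # options that take one value

def check_rules(lines):
    """Return (line_no, message) for every posted ipchains line that cannot parse."""
    chains = set(BUILTIN_CHAINS)
    problems = []
    for no, raw in enumerate(lines, 1):
        text = raw.lstrip("# ").strip()          # drop the '#' shell prompt of the posting
        toks = shlex.split(text)[1:] if text.startswith("ipchains") else []
        if len(toks) < 2:
            continue
        if toks[0] == "-N":                      # '-N web' defines a user chain
            chains.add(toks[1])
        if toks[0] != "-A":
            continue
        if toks[1] not in chains:
            problems.append((no, f"unknown chain {toks[1]!r}"))
        i, target, stray = 2, None, []
        while i < len(toks):
            t = toks[i]
            if t in ARG_OPTS:
                nxt = i + 2 if toks[i + 1:i + 2] == ["!"] else i + 1   # '-d ! addr' negation
                if nxt >= len(toks):             # option without its value
                    stray.append(t)
                    break
                if t == "-j":
                    target = toks[nxt]
                i = nxt + 1
            elif t in {"-b", "-y", "-l"}:        # options that take no value
                i += 1
            else:                                # bare words have no place in a rule
                stray.append(t)
                i += 1
        for t in stray:
            problems.append((no, f"unexpected word {t!r}: a chain follows -A, a target follows -j"))
        if target and target not in BUILTIN_TARGETS and target not in chains:
            problems.append((no, f"-j target {target!r} is neither builtin nor a defined chain"))
    return problems

POSTED = """#ipchains -N web
#ipchains -A output -b -d 192.168.1.2 -i lo ACCEPT
#ipchains -A input -b -d 192.168.1.2 -i lo ACCEPT
# ipchains -A output -d ! 192.168.1.1 -i eth1 -j web
#ipchains -A forward ACCEPT
# ipchains -A web forward 192.168.1.1""".splitlines()  # the posted lines, embedded as sample input
```

Running check_rules(POSTED) flags lines 2, 3 and 5 (a bare ACCEPT without -j) and line 6 twice (the words "forward" and "192.168.1.1" after the chain name).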
-- german (translated) --
hi,
how can I basically connect two LANs with each other over the Internet
- Samba and Apache - and what about security then?
bye lars
-- english --
hi,
how can i put 2 LANs together over the internet and 2 local
linux-server?
i want to use samba and apache.
how many security holes are known?
bye lars
sorry - my (writing) english is terrible
Some time ago I wrote to this list about restricting console login access.
Well, some time later I found the access.conf script on my machine which is
remarkably similar to login.access on my BSD box however pam does not seem
to read it. I wonder whether anyone knows the right modules I will have to
load in login for this file to be read before any user logs in and should
it be for auth or account or session? But for now in case anyone is also
interested I found a nice package called ttc ( terminal type control ) it
also implements timing for users and controls how many times a day they
can login.
Hi I'm looking for a good linux admin mailing list to answer queries like,
for example:
What is the correct major & minor number for your floppy device /dev/fd0?
Thanks in Advance
Steven
Hi Kurt
I copied your ipchains firewall from SecurityPortal. I've got a question
about Anti Spoofing. You've done it like this:
# ANTI-SPOOFING
ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 172.16.0.0/16 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s $ETH0IP -i eth0 -d 0.0.0.0/0
First question: Do spoofers use IP Addresses only of private IP ranges?
Second question:
Where is the difference to :
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
(frankly I don't know exactly what this does, I've read this line on the
suse-security mailing list one month ago)
Thank you
Philipp
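An added illustration (my own code, not Kurt's script) of the two mechanisms Philipp asks about: the quoted rules are a fixed list of source ranges dropped on the outside interface, while rp_filter asks the routing table whether the source would be reached through the interface the packet arrived on. It assumes a constructed routing table and a documentation address for eth0, and uses the full RFC 1918 block 172.16.0.0/12 where the quoted rule has 172.16.0.0/16.

```python
import ipaddress

# Constructed stand-ins: eth0 faces the Internet, eth1 the 192.168.1.0/24 LAN.
ETH0IP = ipaddress.ip_address("203.0.113.10")          # documentation address, not a real host
# Sources the quoted rules DENY on eth0. The full RFC 1918 block is 172.16.0.0/12;
# the quoted rule's 172.16.0.0/16 covers only the first sixteenth of it.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
# Constructed routing table: (destination, outgoing interface); longest prefix wins.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
          (ipaddress.ip_network("203.0.113.0/24"), "eth0"),
          (ipaddress.ip_network("192.168.1.0/24"), "eth1")]

def static_antispoof(src, iface):
    """What the quoted ipchains rules decide: a fixed list of sources, checked only on eth0."""
    src = ipaddress.ip_address(src)
    if iface == "eth0" and (src == ETH0IP or any(src in net for net in BOGON_SOURCES)):
        return "DENY"
    return "ACCEPT"

def route_iface(addr):
    """Interface the routing table would use to reach addr (longest matching prefix)."""
    addr = ipaddress.ip_address(addr)
    _, iface = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return iface

def rp_filter(src, iface):
    """What rp_filter=1 decides: the reply to src must leave by the interface src came in on."""
    return "ACCEPT" if route_iface(src) == iface else "DENY"

def compare(src, iface):
    """Both verdicts for one packet, so the two mechanisms can be set side by side."""
    return {"static": static_antispoof(src, iface), "rp_filter": rp_filter(src, iface)}

if __name__ == "__main__":
    # Constructed packets: (source address, arriving interface)
    for src, iface in [("10.1.2.3", "eth0"), ("198.51.100.7", "eth1"),
                       ("192.168.1.5", "eth1"), ("192.168.1.5", "eth0"), ("172.20.0.1", "eth0")]:
        print(f"{src:>14} on {iface}: {compare(src, iface)}")
```

The two disagree in both directions: a 10.0.0.0/8 source on eth0 passes rp_filter because the default route points out eth0, while a public source arriving on the LAN side passes the static list but fails the reverse-path check.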
Hi,
Linux vendors will be writing advisories about a vulnerability in lprNG,
the printer spooling package.
SuSE Linux versions 6.3, 6.4 and 7.0 come with an lprNG package of an
older version (6.3 had 3.6.12, 6.4 was 3.6.13 and 7.0 has a downgrade back
to 3.6.12). These packages are not susceptible to the attack. Therefore we
do not provide any update packages.
Thanks,
Roman.
--
- -
| Roman Drahtmüller <draht(a)suse.de> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -
I don't think that answers his Q. On my boxes if you put a password in lilo it will NOT boot on its own after a power failure.
Frank, what you should probably do is remove the "prompt" line from /etc/lilo.conf. That way it will boot straight into Linux without asking anything - much the same as windows boots straight into windows without asking. That way there will never be a prompt for user input, so no malicious users will have a chance to type anything in (of course neither will you).
JW
At 07:24 PM 9/26/2000 +0200, you wrote:
>Hi!
>
>> just stepped on this option to type "linux init=/bin/sh" at
>> the boot prompt, which gives me a root shell. For me, that's
>> really a security problem: We have some computers here which
>> we cannot protect with boot-passwords because they have to
>> come up automatically after a power drop.
>> Can I somehow disable this possibility of passing an alternative
>> init-parameter for my SuSE 6.4?
>
>this is from SuSE /etc/lilo.conf:
>
># Start LILO global Section
># If you want to prevent console users to boot with init=/bin/bash,
># restrict usage of boot params by setting a passwd and using the option
># restricted.
>password=password
>restricted
>
>
>
>good luck!
>Yuri.
>
>
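To check a lilo.conf against Yuri's answer, an added example that is not from the thread: it classifies each image by the combination of password= and restricted, which is what decides whether a parameter such as init=/bin/sh is accepted at the prompt and whether an unattended reboot still gets through. It assumes the constructed configurations at the bottom, with placeholder passwords.

```python
def audit_lilo(conf_text):
    """Classify each image in a lilo.conf by how boot parameters such as init=/bin/sh are handled."""
    sections, current = {"global": {}}, "global"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key in ("image", "other"):                # every image= / other= starts a new section
            current = value
            sections[current] = {}
        sections[current][key] = value               # keywords without '=' get an empty value
    top = sections.pop("global")
    report = {"prompt": "prompt" in top, "images": {}}
    for name, sec in sections.items():
        eff = {**top, **sec}                         # per-image keys override the global ones
        if "password" not in eff:
            status = "open: any parameter is accepted at the boot prompt"
        elif "restricted" in eff:
            status = "restricted: password asked only when parameters are given"
        else:
            status = "password on every boot: an unattended reboot stops at the prompt"
        report["images"][sec.get("label", name)] = status
    return report

# Constructed configurations; the password is a placeholder.
GLOBAL = "boot=/dev/hda\nprompt\ntimeout=50\n"
IMAGE = "image=/boot/vmlinuz\n    label=linux\n    root=/dev/hda2\n"
CONF_OPEN = GLOBAL + IMAGE
CONF_PW_ONLY = GLOBAL + "password=CHANGE-ME\n" + IMAGE
CONF_RESTRICTED = GLOBAL + "password=CHANGE-ME\nrestricted\n" + IMAGE
```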