I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication and only the users which have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
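The choice discussed above is usually settled in sshd_config rather than in authorized_keys alone: key-based login only becomes "no username and password" once password authentication is actually switched off. The following is an added Python example (not code from the poster or from OpenSSH) that audits an sshd_config text for exactly that. It assumes the sshd parsing rules documented for OpenSSH: directive names are case-insensitive, the first occurrence of a directive wins, and directives after the first `Match` line are conditional, so the global audit stops there. The configuration text and the default values table are constructed for the example.

```python
"""Audit an sshd_config text for key-only login (added example, not from the post)."""

# Constructed sample configuration, not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# sshd_config -- constructed sample
Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no    # ignored by sshd: first occurrence wins
Match User backup
    PasswordAuthentication no
"""

# Values sshd applies when the directive is absent (assumed from the sshd_config manual).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}

# What each directive must be for logins to require a key and nothing else.
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",  # keyboard-interactive is a password path too
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercased name: value}."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                              # conditional block: global section ends here
        effective.setdefault(key, value)       # first occurrence wins, later ones are ignored
    return effective


def audit(text):
    """Return [(directive, effective value, ok)] for the password/key directives."""
    conf = parse_sshd_config(text)
    findings = []
    for name, wanted in REQUIRED.items():
        actual = conf.get(name, DEFAULTS[name]).lower()
        findings.append((name, actual, actual == wanted))
    return findings


def key_only_login(text):
    """True only if every password-style path is off and public keys are on."""
    return all(ok for _, _, ok in audit(text))


if __name__ == "__main__":
    for name, value, ok in audit(SAMPLE_SSHD_CONFIG):
        print(f"{'OK ' if ok else 'BAD'} {name} = {value}")
    print("key-only login:", key_only_login(SAMPLE_SSHD_CONFIG))
```

With the sample text the audit flags `PasswordAuthentication` as still `yes`, because sshd honours the first occurrence and ignores the later `no`; a reader who only looks at the last line of the file would believe passwords were off. Disabling passwords moves the risk to the private keys themselves (passphrase protection, where copies live) and to the hygiene of the authorized_keys list, which is the usual answer to the "other security problems" part of the question.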
>I have just read a Bell Labs announcement that they are going to release
>libsafe under the GNU licence, and that some major Linux distros are going to
>be using it. SuSE was not amongst them, why is that? I think that libsafe would
>be a good enhancement against buffer overflow.
>Announcement is on:
Just because something new pops up, please be careful with questions like
"when will you implement it?" ;-)
There are several questions to ask:
a) is it STABLE and does it NOT affect the stability of other programs?
b) does it bring additional security problems into the system?
c) is the security protection effective?
Well, of course the SuSE Security Team already reviewed libsafe.
Here are the answers:
a) unsure. It would have to be tested very intensively. This was not done yet.
b) the code might have vulnerabilities; however, the protection gained is
higher even if a vulnerability were present.
c) okay, now the tough part:
libsafe is a dynamic library which is set in the environment and which checks
several dangerous functions which can be a security problem.
Because it is a dynamic library, it is NO protection against local
attackers, just against remote attackers on network services. (If an
attacker wants to attack a local suid file, he would just reset his library
path environment.) Next thing: it does not check for all known
vulnerabilities. It doesn't even protect against all buffer overflows; it
just protects against *some* overflows, those which happen because of
insecure use of strcat/strcpy etc.
I cannot remember a vulnerability in a network service for the last year
which this tool would have prevented. Therefore: as long as this tool is not
enhanced to also protect open/fopen calls against symlink/hardlink/pipe
attacks, several more buffer overflow types, system/exec* function
protection etc., it is not useful to use this tool.
I would rather propose to use the secumod module which comes with SuSE Linux
since 6.3 and maybe the secure-linux kernel patch from www.openwall.com -
these two tools enhance your security. (and btw, install seccheck,
hardensuse and firewals and use them - then your security is very high)
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
I am running SuSE 7.0, and I have a couple of questions...
1.) I have been asked by one of my customers to set up a logging function to
log all inbound and outbound e-mails that are being sent through their
server. What program would be good for this?
2.) I would like to set up a web based e-mail server for my customers so
they can get their mail off the web. What is a good program to use and how
secure is this?
Network Operations Administrator (COO)
Postmaster and Routing lead
Admin of beer.wa.us.ircsol.net /server beer.ircsol.net
Admin of unix.az.us.ircsol.net /server unix.ircsol.net http://www.ircsol.net
I posed this question a few days ago. I got no response, so I've been
digging, and maybe I can ask a slightly different question.
System: SuSE 6.4 running SuSEfirewall 4.2
Symptom: Output DENY messages when sending mail. I've also sometimes
seen these directed at my ISP's DNS servers.
When sending mail, I get four repetitions of the following, but the mail
output DENY ppp0 PROTO=1 my.ip.ad.dr:3 isp.smtp.ip.addr:3 L=108 S=0xC0
I=5893 F=0x0000 T=
After reading through SuSEfirewall, I discovered that the messages disappear
when I set FW_ALLOW_FW_TRACEROUTE = "yes", although my reading of the
script looks like they're still being denied by the '# deny all other type
3' rule, which isn't logged. So it's transparent, with the same effect.
I tried hacking the script, moving the $DENY port-unreachable $LDC just
outside the bracket, and changing it to $ACCEPT port-unreachable
$LAC. Now I can turn off FW_ALLOW_FW_TRACEROUTE again. I'm still
invisible to traceroute, and sending mail gives me just one message in the
output ACCEPT ppp0 PROTO=1 220.127.116.11:3 18.104.22.168:3 L=108 S=0xC0
I=26218 F=0x0000 T=255 (#3)
The destination address is my ISP's mail relay host.
So now my mail is going out without the delay of waiting for four
timeouts. But I still have the question of what is going on here. I have
not been able to find any documentation of the various parameters
displayed with the log message. What port is my ISP's mail host trying to
connect to, and why? Is this normal SMTP behaviour?
Can someone point me to the RFC that defines all the ICMP sub-types?
-- Rick Green
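The log lines quoted in this post are in the ipchains packet-log format, and the parameters Rick could not find documented decode as follows (as documented for ipchains logging; this is the assumption the code below is built on): `PROTO=` is the IP protocol number, the two `addr:N` fields are source and destination, `L=` is the packet length, `S=` the TOS byte, `I=` the IP id, `F=` the fragment field, `T=` the TTL and `(#n)` the matching rule number. For `PROTO=1` (ICMP) the `:N` after the source is the ICMP type and the `:N` after the destination is the ICMP code, which is why the quoted lines read `:3 ... :3`. RFC 792 defines the ICMP types and the type 3 (destination unreachable) codes, with code 3 being port unreachable. The decoder below is an added Python example, not code from the post or from SuSEfirewall; the sample lines are constructed on the model of the quoted ones, with documentation-range addresses instead of real hosts.

```python
"""Decode ipchains packet-log lines, naming ICMP types and codes (added example)."""
import re

# Constructed sample lines modelled on the ones quoted in the post (not real traffic).
SAMPLE_LOG = """\
output DENY ppp0 PROTO=1 192.0.2.10:3 198.51.100.25:3 L=108 S=0xC0 I=5893 F=0x0000 T=255 (#3)
output ACCEPT ppp0 PROTO=1 192.0.2.10:3 198.51.100.25:3 L=108 S=0xC0 I=26218 F=0x0000 T=255 (#3)
output ACCEPT ppp0 PROTO=6 192.0.2.10:1025 198.51.100.25:25 L=60 S=0x00 I=4711 F=0x4000 T=64 (#12)
output DENY ppp0 PROTO=1 192.0.2.10:3 198.51.100.25:3 L=108 S=0xC0 I=5894 F=0x0000 T=
"""

# Field layout assumed from the ipchains log format described in the lead-in.
LINE_RE = re.compile(
    r"^(?P<chain>\w+)\s+(?P<action>\w+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<id>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)(?:\s+\(#(?P<rule>\d+)\))?"
)

PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# ICMP message types and the destination-unreachable codes from RFC 792 (13 from RFC 1122).
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded", 12: "parameter-problem"}
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
                 3: "port-unreachable", 4: "fragmentation-needed", 5: "source-route-failed",
                 13: "admin-prohibited"}


def parse_line(line):
    """Return a dict of decoded fields, or None for a line that is not a complete log entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None                      # e.g. a line truncated at "T=" cannot be decoded
    d = m.groupdict()
    proto = int(d["proto"])
    rec = {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": PROTOS.get(proto, str(proto)), "src": d["src"], "dst": d["dst"],
        "length": int(d["len"]), "tos": int(d["tos"], 16), "ip_id": int(d["id"]),
        "frag": int(d["frag"], 16), "ttl": int(d["ttl"]),
        "rule": int(d["rule"]) if d["rule"] else None,
    }
    if proto == 1:
        # For ICMP the "port" slots carry type (source side) and code (destination side).
        icmp_type, icmp_code = int(d["sport"]), int(d["dport"])
        name = ICMP_TYPES.get(icmp_type, f"type-{icmp_type}")
        if icmp_type == 3:
            name += "/" + UNREACH_CODES.get(icmp_code, f"code-{icmp_code}")
        rec.update(icmp_type=icmp_type, icmp_code=icmp_code, icmp=name)
    else:
        rec.update(sport=int(d["sport"]), dport=int(d["dport"]))
    return rec


def describe(line):
    """One human-readable line per log entry; unparsable input is reported, not dropped."""
    rec = parse_line(line)
    if rec is None:
        return "unparsed: " + line.strip()
    if rec["proto"] == "ICMP":
        what = f"ICMP {rec['icmp']} {rec['src']} -> {rec['dst']}"
    else:
        what = f"{rec['proto']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
    return f"{rec['chain']} {rec['action']} {what} ttl={rec['ttl']} rule={rec['rule']}"


def summarize(log_text):
    """Count entries per (chain, action, decoded protocol or ICMP name)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["action"], rec.get("icmp", rec["proto"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(describe(entry))
    print(summarize(SAMPLE_LOG))
```

Run over the sample, the quoted `DENY` line decodes as the firewall dropping an outbound ICMP destination-unreachable/port-unreachable that this host generated towards the relay, which is the packet the `$DENY port-unreachable` rule in the script refers to; the truncated fourth line is reported as unparsed rather than silently miscounted.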
is there any tool to filter porn and other rated sites and/or contents? We
want to provide a S.u.S.E-based firewall for a school and think we must at
least make it difficult to access any rated content.
Or what to do with a home networking setup and the kids...
> >we use "squid" as proxy with stopword lists. Our list is about 350 lines
One approach. The bad news is, they all don't work. It is impossible
to automatically do a linguistic analysis and decide which sites are
junk. People can get very irate when good discussions about sexuality
are blocked! This is just one example. You will find more than your
software will ever be able to handle.
Filtering by URL doesn't work either. For detecting URLs to blacklist
see above. There is commercial software about, but it all sucks. See
the example of cyberpatrol: it was proven(!) that they generate their
blacklists automatically, badly, and black out a large amount of valid
sites as well as missing junk ones. Waste of money.
Btw filtering by URL is easily circumvented: use a
URL-anonymiser/redirector. There goes that idea.
> Problem: how to keep that list updated?
Precisely. Forget it.
> reffering to that, a teacher I know keeps a very pragmatical and
> practical method of doing this: With the help of his pupils.
> Checking squid's logfiles, new sites are frequently added to the black
*laugh* do the pupils know about their help? :-)
> Any other ideas around?
None which are practical, except for this, but that isn't going to
> But never forget to solve the problem of pornsite surfing in school at
> the roots. And the roots are the pupils, and not the net.
Can't fix a social problem with blacklists...
I encountered the following problem with the SuSEfirewall script:
First of all, my configuration:
I've got a Linux Box (SuSE 6.4) running as a DSL-Router (incl. Masquerading)
for an internal Network.
The firewall script (which version doesn't really matter, I've tried out
several versions, including the newest from Marc's website) is installed on
HTTP & SSH are working well but when I try to connect to an Internet server
via FTP, POP (sometimes) or SMTP it takes a long time (ca. 20 sec) until data
is transferred although the connection itself is established immediately.
I do not think that it is a DNS problem, reverse & forward lookups are working
Although I think that it has nothing to do with masquerading because if I
work on the server console, the problem also occurs.
If I shut down the firewall, everything is working fine!
I hope somebody can help me and that this is not a FAQ ;-)
I saw, that other people are interested too.
So here's the mail I wrote to Matthias.
But never forget to solve the problem of pornsite surfing in school at
the roots. And the roots are the pupils, and not the net.
Try to get good supervision and everything works fine.
I know that most of you are 'just' freaks and so it's natural that you
try to solve this problem on a technical level, but it has to be solved
on a social level.
Ok, here's the rest of the mail:
On Wed, Jan 31, 2001 at 01:40:35PM +0100, Daniele Frijia wrote:
> On Wed, Jan 31, 2001 at 12:36:52PM +0100, Matthias Jaenichen wrote:
> > is there any tool to filter porn and other rated sites and/or contents? We
> > want to provide a S.u.S.E-based firewall for a school and think we must at
> > least make it difficult to access any rated content.
> But check out: http://ifix.cx/squid/ (german only).
> There is a little script that gets porn domains from the net.
> If the school is connected via belwue, the German provider for schools
> in BaWue, then you can use their proxy. They installed smartfilter on
> Regards, Daniele
Hi list members,
I'd like to set up a cryptographic filesystem using the
loopback device in combination with the ext2 fs.
Which of the crypto codecs supplied by the international
kernel patch should I choose to get a secure but still
fast fs?
Are there other crypto fs implementations for Linux?
Many thanks in advance.
I have a little LAN with a SuSE 6.4 server as gateway; within my LAN I
have an NT box with IIS. I want to be able to access the httpd on the
NT box from the internet by specifying some port on my gateway. I have
firewals-2.1-5 installed and all clients in my LAN have unlimited access
to the internet and to the gateway. I tried configuring the redirection,
but it seems to me like this only works when the NT box has a public IP,
but it has not, and will never have. So is it possible to do it with
the firewall or do I have to fiddle with ipchains?
Thanks & regards,
# _ __ _ __ http://home.htwm.de/akuehn/ \n icq://69646724 #
# / |/ /__ ____ _(_) /_ ____ _ nagilum(a)chillout.org \n +01776461165 #
# / / _ `/ _ `/ / / // / ' \ Amiga (68k/PPC): AOS/NetBSD/Linux #
# /_/|_/\_,_/\_, /_/_/\_,_/_/_/_/ Mac (PPC): MacOS9 / Linux / MacOS-X #
# /___/ x86: Linux/FreeBSD/OpenBSD/QNX/Win98SE #