Here's a bit of a step-by-step description of how to keep Nimda
and Code Red from filling your Apache logs.
- SuSE 7.2 Professional
- iptables 1.2.3
- linux kernel 2.4.13-pre5
1. install kernel sources for a kernel newer than 2.4.9; running 2.4.13-pre5
here, works fine so far
2. get the sources for iptables 1.2.3 from
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply the wanted patches by running ./runme $(name.of.patch)patch
for this, you'll want the string patch.
You can also apply other patches, like the irc-conntrack patch
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
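Review bot: the `+` line is cut off after `right_end +`, so the hunk as quoted cannot be applied; from the two `-` lines it replaces, the missing tail is `sh);`, and the complete replacement line should read `right_end = max(right_end - i + sk, right_end + sh);`. Dropping the leading `int` argument is the whole change: the two-argument `max()` is what the kernel tree this post targets expects, and since `right_end`, `i`, `sk` and `sh` are all ints nothing else in the function needs to move. Note also that the header promises seven lines per side but only five are quoted, so regenerate the diff against the tree rather than pasting this one into patch(1).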
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build a rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
a) uncomment the last line in
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
    iptables -I input_ext -p tcp --dport http -m string \
        --string "$forbidden_string" -m state \
        --state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
--log-level warning to --log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. if you now try to access (from outside, of course) one of the
Nimda or Code Red URLs, all you get is a 'connection reset by
peer', and the request doesn't show up in the Apache log files.
btw, no guarantees, and the usual YMMV :)
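As an added example (not part of the post above, and not the kernel module's code): the matching that the string module performs, reimplemented in Python. The search loop is the Boyer-Moore scheme of ipt_string.c, using the skip/shift update from the corrected line, and it is run over constructed request lines of the kind Nimda and Code Red sent. One caveat worth knowing when relying on the rule above: the module looks at each packet on its own, so a request whose forbidden string straddles a packet boundary is not matched; the example works on whole payloads and does not model that.

```python
# Added example, not from the original post or from ipt_string.c: a
# Boyer-Moore search with the same skip/shift update as the patched line,
# applied to constructed HTTP request lines. The forbidden strings are the
# three the post's firewall loop rejects.
from typing import List, Optional, Sequence

FORBIDDEN = (b"root.exe", b"cmd.exe", b".ida")


def good_suffix_table(needle: bytes) -> List[int]:
    """shift[i]: safe shift of the window after i bytes matched from the end.

    Brute-force strong good-suffix rule; fine for patterns this short."""
    m = len(needle)
    shift = [m] * m
    for i in range(m):
        j = m - 1 - i                      # pattern index of the mismatch
        for s in range(1, m + 1):
            ok = all(k - s < 0 or needle[k - s] == needle[k]
                     for k in range(j + 1, m))
            if ok and j - s >= 0 and needle[j - s] == needle[j]:
                ok = False                 # same byte would mismatch again
            if ok:
                shift[i] = s
                break
    return shift


def bm_search(haystack: bytes, needle: bytes) -> int:
    """Offset of needle in haystack, or -1 if absent."""
    m, n = len(needle), len(haystack)
    if m == 0:
        return 0
    skip = [m] * 256                       # bad-character table
    for idx, c in enumerate(needle):
        skip[c] = m - 1 - idx
    shift = good_suffix_table(needle)
    right_end = m - 1                      # haystack index under the last pattern byte
    while right_end < n:
        i = 0
        while i < m and haystack[right_end - i] == needle[m - 1 - i]:
            i += 1
        if i == m:
            return right_end - m + 1
        sk = skip[haystack[right_end - i]]
        sh = shift[i]
        # the corrected line from the patch: take the larger candidate shift
        right_end = max(right_end - i + sk, right_end + sh)
    return -1


def forbidden_match(payload: bytes, patterns: Sequence[bytes] = FORBIDDEN) -> Optional[bytes]:
    """First forbidden string found in a payload, else None (REJECT vs. accept)."""
    for pat in patterns:
        if bm_search(payload, pat) >= 0:
            return pat
    return None


if __name__ == "__main__":
    # constructed request lines, modelled on the worm probes of the time
    probes = [
        b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n",
        b"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
        b"GET /default.ida?XXXXXXXX HTTP/1.0\r\n",
        b"GET /index.html HTTP/1.0\r\n",
    ]
    for p in probes:
        print("REJECT" if forbidden_match(p) else "accept", p)
```

The `max()` of the two shifts is what keeps the window moving even when the bad-character rule alone would suggest moving backwards; `good_suffix_table` is quadratic in the pattern length, which does not matter for eight-byte patterns but is not how a kernel module should build its tables.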
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication, and only the users who have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
I am trying to set up VPN masquerading, for a Windows box,
and just wondered if there was an easy way to do this, using just the
firewall.rc.config script, or do both that plus the custom config
script have to be used?
I have seen the VPN how-to, however I just wondered how to apply
this with SuSE's scripts.
Thanks for any suggestions,
(PS: if there is someone familiar with setting up VPN on the SuSE box
itself, I would be very interested as well..., of course)
I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter
malicious stuff like all Windows executables. For MIME-encoded headers I had no problem; this works
fine. But if the attachment is uuencoded, it is only visible in the e-mail's body. I tried a
regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks, which should filter all
*.bat and so on. But nothing at all happens. Mails go through as if there wasn't an obstacle.
If there is some postfix & regexp pro on this list, please tell me what I am doing wrong.
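An added example, not from the post and not Postfix's own code: a scanner that looks at each body line on its own, the way a per-line body check does, and refuses a message that carries a Windows executable either as a MIME part (the `name=`/`filename=` parameter of a part header, which sits in the body of a multipart message) or as a uuencoded block (the `begin <mode> <name>` line). The extension list, the regular expressions, the sample messages and the `loose` switch are this example's own; `loose` applies the post's pattern to every line and shows that it also fires on ordinary prose that mentions a .exe name.

```python
# Added example, not from the original post or from Postfix: a per-line scan
# of a message body for Windows executables delivered as MIME parts or as
# uuencoded blocks. Patterns and sample messages are constructed here.
import re
from typing import Iterable, Optional

EXT = r"\.(?:bat|exe|cmd|vbs|vba|pif|scr)"          # extensions to refuse

# uuencode announces an attachment as: begin <octal mode> <file name>
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(?P<name>.*" + EXT + r")\s*$", re.I)
# MIME part headers of a multipart message appear as body lines
MIME_NAME = re.compile(r'(?:file)?name\s*=\s*"?(?P<name>[^";\r\n]*' + EXT + r')"?', re.I)
# the post's own body_checks pattern, applied to every line
LOOSE = re.compile(r".*" + EXT, re.I)


def scan_body(lines: Iterable[str], loose: bool = False) -> Optional[str]:
    """Reject reason for the first offending body line, or None if clean."""
    for n, line in enumerate(lines, 1):
        m = UU_BEGIN.match(line)
        if m:
            return f"line {n}: uuencoded attachment {m.group('name')!r}"
        m = MIME_NAME.search(line)
        if m:
            return f"line {n}: MIME attachment {m.group('name')!r}"
        if loose and LOOSE.match(line):
            return f"line {n}: loose pattern hit: {line.strip()!r}"
    return None


# constructed sample bodies (the uuencoded payload is a stand-in, not a real file)
UU_MESSAGE = [
    "Hi,",
    "",
    "here is the file you asked for.",
    "",
    "begin 644 invoice.exe",
    "M35I0``(````$````__``+@``",
    "`",
    "end",
]
MIME_MESSAGE = [
    "This is a multi-part message in MIME format.",
    "",
    "--boundary42",
    'Content-Type: application/octet-stream; name="readme.txt.exe"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="readme.txt.exe"',
    "",
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "--boundary42--",
]
CLEAN_MESSAGE = ["Meeting moved to 3pm.", "See you there - the exe team"]

if __name__ == "__main__":
    for label, body in (("uuencode", UU_MESSAGE), ("mime", MIME_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", scan_body(body) or "accept")
    print("loose on prose ->", scan_body(["Notes on cmd.exe usage are attached"], loose=True))
```

Matching the `begin` line is the whole trick for uuencode: the file name never appears anywhere else, and the encoded data lines that follow carry no extension to match on.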
I'm trying to get rid of non-vital logging info, with the aid of
logsurfer. The accent is not on mailing suspicious stuff, more on
keeping logfiles manageably small. However I find the docs that come
with logsurfer inadequate, quite confusing even. I had hoped for more
examples... Can anyone here share [parts of-] his/her logsurfer.conf for
clarity and / or as examples ?
The way to "ignore" certain messages is clear and simple, so is the way
to alert when something evil is happening. What I don't really understand
is how the "context" rules work. Let's say for instance I'd like to get
rid of the 'named' starting messages:
Oct 30 16:21:09 hostname named: starting (/etc/named.conf). [...]
Oct 30 16:21:09 hostname named: hint zone "" (IN) loaded (serial 0)
Oct 30 16:21:09 hostname named: master zone "localhost" (IN) [...]
Oct 30 16:21:09 hostname named: master zone "0.0.127.in-addr.arpa"
Oct 30 16:21:09 hostname named: master zone "foobar" (IN) [...]
Oct 30 16:21:09 hostname named: master zone "8.9.10.in-addr.arpa"
Oct 30 16:21:09 hostname named: listening on [10.9.8.7].53 (eth8)
Oct 30 16:21:09 hostname named: Forwarding source address [...]
Oct 30 16:21:09 hostname named: Ready to answer queries.
In that case we'd like a rule that, if it sees a
'named .* starting (/etc/named.conf)'
will open a context (and eventually ignore all inside) for all following
rules from the same PID, UNLESS there is a
'.* rejected due to errors .*' statement in one of those lines.
My problem is, A) I don't know how to implement this, and B) This is not
safe because it could drop other types of, possibly fatal, errors.
Yet the only alternative is, "make 1 rule per line". Not only is that
quite a mess and a LOT of work, but it makes it impossible to look at the
context to see whether a message is benign or not; "With invalid flags"
sounds like a serious warning, but looking at the context it's just 1
line out of many when squid is attempting to start.
Oct 29 18:17:24 hostname squid: 0 With invalid flags.
Does anyone have relevant experience(s) with logsurfer that he /she is
willing to share and / or discuss here (or off-list if perhaps perceived
off-topic) ? Maybe even agree on a generic "safe_to_use"(...) ruleset
for SuSE machines ?
Any help or comments are greatly appreciated,
Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
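As an added example, not part of the post above and not logsurfer's own code: the context logic the post describes, implemented in Python over constructed syslog lines modelled on the ones quoted. A context opens on the named start-up line, holds back every further line from the same host/program (and PID, where the line carries one) until the "Ready to answer queries" line closes it, and then drops the held lines, unless one of them matched the alarm pattern ("rejected due to errors"), in which case the whole context is kept. To address concern B) in the post, a context that grows past a line limit, or is still open when the input ends, is flushed to the kept output rather than discarded. The rule, the sshd line and the second, failing named start-up are constructed for the demonstration.

```python
# Added example, not from the post and not logsurfer's own code: a context
# filter over constructed syslog lines. The rule, the sshd line and the
# second (failing) named start-up are constructed for the demonstration.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class ContextRule:
    open_re: re.Pattern      # message that opens a context
    close_re: re.Pattern     # clean end: everything held back is dropped
    alarm_re: re.Pattern     # seen inside the context: everything is kept
    max_lines: int = 50      # safety valve: a runaway context is kept, not dropped


@dataclass
class Context:
    rule: ContextRule
    lines: List[str] = field(default_factory=list)
    alarmed: bool = False


NAMED_RULE = ContextRule(
    open_re=re.compile(r"^starting \(/etc/named\.conf\)"),
    close_re=re.compile(r"^Ready to answer queries"),
    alarm_re=re.compile(r"rejected due to errors"),
)


def filter_log(lines: List[str], rules: List[ContextRule]) -> Tuple[List[str], List[str]]:
    """Split lines into (kept, dropped). Lines are held back while a context
    for the same host/program/PID is open and released only when it closes."""
    kept: List[str] = []
    dropped: List[str] = []
    open_ctx: Dict[Tuple[str, str, Optional[str]], Context] = {}
    for line in lines:
        m = SYSLOG.match(line)
        if m is None:
            kept.append(line)                 # unparsable lines are never discarded
            continue
        key, msg = (m["host"], m["prog"], m["pid"]), m["msg"]
        ctx = open_ctx.get(key)
        if ctx is None:
            for rule in rules:
                if rule.open_re.search(msg):
                    open_ctx[key] = Context(rule, [line])
                    break
            else:
                kept.append(line)             # not in any context: pass through
            continue
        ctx.lines.append(line)
        if ctx.rule.alarm_re.search(msg):
            ctx.alarmed = True
        overflow = len(ctx.lines) >= ctx.rule.max_lines
        if overflow or ctx.rule.close_re.search(msg):
            (kept if ctx.alarmed or overflow else dropped).extend(ctx.lines)
            del open_ctx[key]
    for ctx in open_ctx.values():             # still open at end of input: keep
        kept.extend(ctx.lines)
    return kept, dropped


# constructed lines, modelled on the ones quoted in the post
SAMPLE = [
    "Oct 30 16:21:09 hostname named: starting (/etc/named.conf).",
    'Oct 30 16:21:09 hostname named: hint zone "" (IN) loaded (serial 0)',
    'Oct 30 16:21:09 hostname named: master zone "localhost" (IN) loaded (serial 1)',
    'Oct 30 16:21:09 hostname named: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 1)',
    "Oct 30 16:21:10 hostname sshd[812]: Accepted publickey for maarten from 10.9.8.20",
    "Oct 30 16:21:10 hostname named: listening on [10.9.8.7].53 (eth8)",
    "Oct 30 16:21:10 hostname named: Ready to answer queries.",
    "Oct 30 17:02:41 hostname named: starting (/etc/named.conf).",
    'Oct 30 17:02:41 hostname named: master zone "foobar" (IN) rejected due to errors (serial 3)',
    "Oct 30 17:02:41 hostname named: Ready to answer queries.",
    "Oct 30 18:17:24 hostname squid: 0 With invalid flags.",
]

if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE, [NAMED_RULE])
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for line in kept:
        print(line)
```

The second start-up shows the point of keeping a context instead of one rule per line: the "rejected due to errors" line is reported together with the start-up and ready lines around it, so the reader sees which configuration load failed rather than a lone error.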
I am trying to run gnutella behind a host running SuSEfirewall2, and every time
I do, the FR gets crashed. I heard there is a bug around iptables and 2.4.*
kernels that makes SuSEfirewall2 crash; is that right?
Good night list,
Kurt Seifried wrote: Friday, October 26, 2001 11:05 PM
Subject: Re: [suse-security] I forgot my root password
> Using init=/bin/sh is a LOT more simple if you don't have a cdrom
> example (most of my servers don't have cdrom drives). the
> work, no matter what unless someone has locked down lilo with
Ok, you won. But I still think that this "cryptic" way is more
complicated than my suggestion. Using init=/bin/sh is more
definitive than my solution, but what do you do when the sh (I think
it's only optional) is not installed (if you want to avoid opening the
For that case, I guess you should have a rescue boot disk with all
the tools you need, if you forgot the password or the system
crashed. So you're independent from the installed system (and you
I am currently using SuSEfirewall2 with the following configuration.
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix
I have a firewall with 3 interfaces. eth0 is outside,public. eth1 is one
local subnet (192.168.0/24), private. eth2 is a second internal private
subnet (192.168.254/24). I have routing set up between both subnets and I am
able to ping across the firewall/router from one subnet to the other.
Currently I have a DHCP server installed in the 192.168.0/24
subnet. Address 192.168.0.2. On the firewall I installed the DHCP relay
package from the SuSE 7.2 CD. It listens on eth2 and forwards all requests
to 192.168.0.2 (the DHCP server). When I check the DHCP server logs I see
that it is creating a lease for the new host on eth2 of the
firewall. However, the host is not receiving the address. I'm sure that it
is a small misconfiguration on the firewall, but I cannot figure out what
Any help is greatly appreciated. If you need more information just e-mail
me and I will try to get it.
Thanks in advance,
Pablo A. Maurin
I have a situation where I think someone has edited files they weren't supposed to.
The first clue is the files are all renamed with a common pattern, the second thing is that running ls -l on the suspect files now shows a date from 2000, even though this computer has only existed for about 6 months.
That makes me nervous. How would someone change the date on a file anyway - with what command? Is there any way for file dates to be changed by accident (the contents of the files look o.k.)?
I tried lsattr on them but it appears that lsattr doesn't work on ReiserFS.
I ran md5sum against the ls, file and md5sum binaries -- it matches the sum of those binaries on another SuSE 7.1 system, but that's not exactly reliable if someone's been messing with stuff (think: root kit. I hope not).
What do y'all think?
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
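An added example, not from the post above: how a file's modification time gets backdated (os.utime is the call behind `touch -t` and `touch -d`) and what that leaves behind. The inode change time (ctime) cannot be set through utime; the call itself moves ctime to "now". So a file whose mtime says 2000 but whose ctime is recent had its metadata touched after its last content write, whether by a deliberate touch, a rename, a chmod or a chown. The checker walks a tree and reports files whose mtime predates a given install date or whose ctime is far later than their mtime. Caveats a practitioner should keep in mind: tar and `cp -p` legitimately carry old mtimes along, and an attacker with root can also change the system clock or write to the inode directly, so a plausible ctime is not proof of anything. The temporary directory, the 180-day install age and the one-day slack are this example's own assumptions.

```python
# Added example, not from the original post: backdating a file the way
# 'touch -t' does, then spotting it from the ctime/mtime relationship.
import os
import tempfile
import time
from typing import Dict, List

DAY = 86400.0
PREDATES_INSTALL = "mtime predates the system install"
CTIME_AFTER_MTIME = "ctime is much later than mtime"


def backdate(path: str, when: float) -> None:
    """Set atime and mtime to an arbitrary time; this is what touch -t does.
    ctime cannot be passed in: the kernel sets it to the current time."""
    os.utime(path, (when, when))


def timestamp_findings(path: str, install_time: float, slack: float = DAY) -> List[str]:
    """Reasons to look harder at one file, based only on its stat() times."""
    st = os.lstat(path)
    findings: List[str] = []
    if st.st_mtime < install_time - slack:
        findings.append(PREDATES_INSTALL)
    if st.st_ctime - st.st_mtime > slack:
        findings.append(CTIME_AFTER_MTIME)
    return findings


def find_backdated(root: str, install_time: float, slack: float = DAY) -> Dict[str, List[str]]:
    """Walk a tree (without following symlinks) and collect per-file findings."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            findings = timestamp_findings(path, install_time, slack)
            if findings:
                hits[path] = findings
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one fresh file and one backdated to 2000-01-01
    on a box assumed to be 180 days old, as in the post."""
    install_time = time.time() - 180 * DAY
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "fresh.txt")
        old = os.path.join(d, "backdated.txt")
        for p in (fresh, old):
            with open(p, "w") as fh:
                fh.write("contents look fine\n")
        backdate(old, time.mktime((2000, 1, 1, 0, 0, 0, 0, 0, -1)))
        hits = find_backdated(d, install_time)
        return {os.path.basename(p): f for p, f in hits.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

`stat -c '%y %z' file` (or `ls -lc` next to `ls -l`) shows the same mtime/ctime pair from the shell; the point of the script is only to run that comparison over a whole tree against a date the machine cannot have existed before.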
>From: John Andersen [mailto:email@example.com]
>Sent: Tuesday, 30 October 2001 11:04
>Subject: Re: AW: [suse-security] raid on what
>>On Monday 29 October 2001 11:45 pm, Pawelczyk, Heiko wrote:
>> -----Original Message-----
>> >Using SuSE 7.3, I'm planning a RAID (5) server installation
>> >and was planning to use reiserfs partitions on three drives
>> >connected each to a different IDE controller.
>> >Any problems with this?
>> No if all of them are master without a slave device on the same cable.
>Yes, one disk per controller channel was what I was planning.
>this requires an additional controller card which hopefully will
>be supported by Suse. We shall see.
>> >Is reiserfs a suitable partition for raid?
>> >any other suggestions?
>> Reiserfs is fine, but you have first to partition the disks, then you
>> define the raid-array and don't format it, if you plan to use LVM! At
>> point you leave it as ext2. With LVM you can partition the raid-array.
>> yast2 for installation. Yast1 can't configure raid.
>I'm running Reiserfs on one of my machines and am quite happy
>with it, so I understand the basics, but I don't understand your comments
>I'm expecting to use a separate physical disk for each
>element of the array, rather than chopping up a single
>disk into volumes.
>So I don't understand where LVM comes into it?
So every disk will have one partition using all available space of the
respective disk. That means all of them need to have the same size.
The result of that operation is one raid volume of some size. I don't know
whether there are other disks in your system. Usually you would want to do
some partitioning, like putting /home on one device and the rest of the system
somewhere else. Certainly you would want to have a swap device. All this is
not mandatory but it is good common practice. There is no need to put a swap
device on a raid-disk (a good reason not to integrate all disk space in the
raid-array). You could also consider whether there is a need to put the
parts of the system on a raid-array which are easily recoverable by a
reinstall. Anyway you will still need a good back-up strategy,
since the raid-array won't help you when files get deleted for some reason.
LVM gives you the flexibility to put partitions on the raid-array.
To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com
For additional commands, e-mail: suse-security-help(a)suse.com