here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
- SuSE 7.2 Professional
- iptables 1.2.3
- linux kernel 2.4.13-pre5
1. install kernel sources for a kernel >> 2.4.9, running 2.4.13-
pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch)patch
for this here You'll want the string patch
You can also apply other patches, like the irc-conntrack patch
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build a rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
a) uncomment the last line in
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
iptables -I input_ext -p tcp --dport http -m string \
--string $forbidden_string -m state \
--state ESTABLISHED -j REJECT --reject-with tcp-reset
put that in the last supfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
16. if you try now to access (from outside, of course) one of the
nimda or codered URLS, all you get is a 'connection reset by
peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password.
In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the
authorized public key lists (in this case there is no need for username and password)?
In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet.
This second solution is a good solution or that brings other security problems ?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
I am trying to set up VPN masquerading, for a Windows box,
and just wondered if there was an easy way to do this, using just the
firewall.rc.config script, or do both that plus the custom config
script have to be used?
I have seen the VPN how-to, however just wondered about a how to aply
this with SuSE's scripts.
Thanks for any suggestions,
(PS if there is someone familiar with setting upo VPN on the SuSe box
itself, I would be very interested as well..., of course)
I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter
malicious stuff like all windows executables. For MIME encoded headers I had no problem, this works
fine. But if the header is uuencode, the attachment is only visible in the e-mail's body. I tried a
regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks which should filter all
*.bat|and so on. But nothing at all happens. Mails go thru as if there wasn't an obstacle.
If there is some postfix & regexp pro on this list, please tell me what I am doing wrong.
I like to offer some customers a kind off sftp account but to deny any login
to this accounts. So I thought about having /bin/false as shell in /etc/passwd
but this prevents sftp to. What can I do?
Thanks in advance
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM(a)kaupp.chemie.uni-oldenburg.de
| Member of the pzt project.
I have configured my firewall with iptables to basically let in only
answers on my requests, which works fine at about 95% of all webservers.
But when I'm trying to access some sites my firewall blocks the answers
Nov 26 10:04:18 internet kernel: DROP-TCP IN=ppp0 OUT= MAC=
SRC=18.104.22.168 DST=22.214.171.124 LEN=1490 TOS=0x00 PREC=0x00 TTL=54
ID=8559 DF PROTO=TCP SPT=80 DPT=1789 WINDOW=15972 RES=0x00 ACK URGP=0
which is correct, because I was trying to contact www.bahn.de
(126.96.36.199). I think that they have a load balancer who sent me to
that ip-address, but as my firewall did not open a connection there it
blocks the packages.
Any ideas what I can do about that? By the way, I had the same problem
with suse-firewall, too.
Jus't to say that I also didn't see the suse-security announce.
I'm subscribed to both lists and always archive the announcements from
suse-security (shorter subject) - I'm (I was:) still waiting for the
suse-security announcement so that it could be archived.
> -----Original Message-----
> From: cwe(a)bph.ruhr-uni-bochum.de [mailto:email@example.com]
> Sent: sexta-feira, 30 de Novembro de 2001 18:12
> To: abien(a)gmx.net; draht(a)suse.de
> Cc: suse-security(a)suse.com
> Subject: Re: RE: [suse-security] SuSE Security Announcement: wuftpd
> 30.11.2001 19:00:16, Roman Drahtmueller <draht(a)suse.de> wrote:
> >Actually no... I've seen it running through. It was sent to
> >suse-security-announce at Wed, 28 Nov 2001 23:55:25 +0100 (MET), to
> >suse-security at Wed, 28 Nov 2001 23:58:18 +0100 (MET), and
> to bugtraq at
> >Wed, 28 Nov 2001 23:59:42 +0100 (MET). We usually wait until
> we see our
> >own posting from -announce until we send it off to
> suse-security, later
> >other addresses, including bugtraq.
> well I didn't get it and I can't find it on the list archive
> but maybe I am too stupid...
> .-. Ruhr-Universitaet Bochum
> /v\ L I N U X Lehrstuhl fuer Biophysik
> // \\ >Penguin Computing< c/o Christoph Wegener
> /( )\ Gebaeude ND 04/Nord
> ^^-^^ D-44780 Bochum, GERMANY
> Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
> mailto:firstname.lastname@example.org http://www.bph.ruhr-uni-bochum.de
> To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com
> For additional commands, e-mail: suse-security-help(a)suse.com
I just noticed the following entries in my firewall log:
Nov 23 19:44:11 kore kernel: Packet log: input DENY eth0 PROTO=6
a.b.c.d:22 L=40 S=0x00 I=16126 F=0x0000 T=246 SYN (#3)
Nov 23 19:47:21 kore kernel: Packet log: input DENY eth0 PROTO=6
a.b.c.d:22 L=40 S=0x00 I=28824 F=0x0000 T=246 SYN (#3)
Nov 23 19:47:58 kore kernel: Packet log: input DENY eth0 PROTO=6
a.b.c.d:22 L=40 S=0x00 I=9754 F=0x0000 T=246 SYN (#3)
Nov 23 19:51:35 kore kernel: Packet log: input DENY eth0 PROTO=6
a.b.c.d:22 L=40 S=0x00 I=38173 F=0x0000 T=246 SYN (#3)
eth0 is the external i/f ... does this indicate ssh connection attempts
with spoofed IP source addresses?
(I do have a machine on reserved IP address 192.168.1.4 but it can only
establish connections to the firewall via eth1)
I looked up videobeans on different locations, all of them report port
3058 for videobeans.
The list I use normaly from COTSE
(http://webmail.cotse.com/dlf/man/ports/) shows the 4665 as an unassigned
However, thanks for your guess.
>> Nov 29 22:02:57 acme kernel: Packet log: input DENY ppp0 PROTO=17
>> 188.8.131.52:3058 184.108.40.206:4665 L=34 S=0x00 I=29563 F=0x0000
>> T=113 (#48)
>> 15 - 50 hits per second. Does anybody know what they try to connect to?
>http://www.echogent.com/cgi-bin/fwlog.pl says, that the service
>on this port is videobeans. No further information, and I'm no
>(not yet?) guru on firewalling ...
> Susan Dittmar
>Susan Dittmar Tel: +49 700 387322-33
>EURECA Messtechnik GmbH Fax: +49 700 387322-329
>Am Feldgarten 3 http://www.eureca.de
>50769 Köln, GERMANY S.Dittmar(a)eureca.de