openSUSE Security November 2001

security@lists.opensuse.org

208 participants
277 discussions

how to keep nimda and code red from filling apache logs
by Mathias Homann 25 Sep '03

25 Sep '03

Hi all, here's a bit of a step-by-step description on how to keep nimda and codered from filling your apache logs. Parts used: - SuSE 7.2 Professional - SuSEfirewall2 - iptables 1.2.3 - linux kernel 2.4.13-pre5 steps: 1. install kernel sources for a kernel >> 2.4.9, running 2.4.13- pre5 here, works fine so far 2. get the sources for iptables 1.2.3 from http://netfilter.samba.org 3. unpack sources somewhere 4. export KERNEL_DIR=$(where you put the kernel tree) 5. cd into unpacked iptables sources, there's a subdirectory named patch-o-matic there 6. apply wanted patches by running ./runme $(name.of.patch)patch for this here You'll want the string patch You can also apply other patches, like the irc-conntrack patch 7. now there's a little bug in this patch... here's a diff: --- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21 00:16:29 2001 +++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21 16:54:45 2001 @@ -62,7 +62,7 @@ sk = skip[haystack[right_end - i]]; sh = shift[i]; - right_end = max(int, right_end - i + sk, right_end + sh); + right_end = max(right_end - i + sk, right_end + sh); } return NULL; 8. now, make config/menuconfig/xconfig... as usual. You can import your running kernel's config first. 9. enable the experimental stuff 10. go to networking options->netfilter, there's an option there to enable string matching; set that to M 11. compile and install kernel as usual; remember to uncomment the export INSTALL_PATH=/boot in the main makefile. 12. now build a rpm file for the new iptables stuff by installing the source rpm which comes with suse, then edit the spec file, put the iptables source in /usr/src/packages/SOURCE and rebuild. 13. now there are some small changes to the firewall config files. a) uncomment the last line in /etc/rc.config.d/firewall2.rc.config: FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config" b) edit that file, I got the following stuff in mine: for forbidden_string in root.exe cmd.exe .ida; do iptables -I input_ext -p tcp --dport http -m string \ --string $forbidden_string -m state \ --state ESTABLISHED -j REJECT --reject-with tcp-reset done put that in the last supfunction defined in the custom rc file. c) change the FW_LOG setting in firewall2.rc.config from reading -log-level warning to -log-level kernel.warning 14. last: some small changes to /sbin/SuSEfirewall2 search in the script for the parts where the modules are loaded and unloaded; be sure to add ipt_string (and the other new modules you created by patching the kernel and enabling them in make config) to the modules loading/unloading code there. 15. reboot 16. if you try now to access (from outside, of course) one of the nimda or codered URLS, all you get is a 'connection reset by peer', and the request doesn't show in apache log files. btw, no guarantees, and the usual YMMV :) bye [L]

7 7

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

VPN masquerading
by Joost van der Lugt 06 May '02

06 May '02

Hi all, I am trying to set up VPN masquerading, for a Windows box, and just wondered if there was an easy way to do this, using just the firewall.rc.config script, or do both that plus the custom config script have to be used? I have seen the VPN how-to, however just wondered about a how to aply this with SuSE's scripts. Thanks for any suggestions, (PS if there is someone familiar with setting upo VPN on the SuSe box itself, I would be very interested as well..., of course) - Cheers, Joost

4 4

postfix regexp in body_checks
by Philipp Snizek 25 Apr '02

25 Apr '02

Hi, I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter malicious stuff like all windows executables. For MIME encoded headers I had no problem, this works fine. But if the header is uuencode, the attachment is only visible in the e-mail's body. I tried a regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks which should filter all *.bat|and so on. But nothing at all happens. Mails go thru as if there wasn't an obstacle. If there is some postfix & regexp pro on this list, please tell me what I am doing wrong. Thanx, Philipp

9 16

sftp without without a valid shell?
by Thorsten Marquardt 10 Dec '01

10 Dec '01

Hi List, I like to offer some customers a kind off sftp account but to deny any login to this accounts. So I thought about having /bin/false as shell in /etc/passwd but this prevents sftp to. What can I do? Thanks in advance Thom -- ------------------------------------------------------------------- bye bye (c) by Thom | Thorsten Marquardt | EMail: THOM(a)kaupp.chemie.uni-oldenburg.de | Member of the pzt project. | http://kaupp.chemie.uni-oldenburg.de/pzt -------------------------------------------------------------------

8 15

Access to some webservers through firewall
by Ralf Ronneburger 05 Dec '01

05 Dec '01

Hello! I have configured my firewall with iptables to basically let in only answers on my requests, which works fine at about 95% of all webservers. But when I'm trying to access some sites my firewall blocks the answers like this: Nov 26 10:04:18 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=213.83.13.35 DST=222.82.183.145 LEN=1490 TOS=0x00 PREC=0x00 TTL=54 ID=8559 DF PROTO=TCP SPT=80 DPT=1789 WINDOW=15972 RES=0x00 ACK URGP=0 which is correct, because I was trying to contact www.bahn.de (213.83.12.10). I think that they have a load balancer who sent me to that ip-address, but as my firewall did not open a connection there it blocks the packages. Any ideas what I can do about that? By the way, I had the same problem with suse-firewall, too. Best regards, Ralf Ronneburger

3 5

error in amavis?
by Stadt.Waren-Mueritz＠t-online.de 03 Dec '01

03 Dec '01

Hi, in /usr/sbin/amavis (original 25.10.2001 / perl-11) is an "error" in line 1147 [...] 1146 /^gzip compresssed/io && ..... 1147 /^compress'd/io && ..... < is this correct?? 1148 /^bzip2 compressed/io && ..... [...] Kind regards --- Matthias Bitterlich Tel: 03991-177151 Fax: 03991-177112 Stadt Waren (Müritz) Hauptamt - EDV www.stadt-waren.de Zum Amtsbrink 1 17192 Waren (Müritz) Germany

2 1

RE: [suse-security] SuSE Security Announcement: wuftpd (SuSE-SA:2001:043)
by carlos＠keysoft.pt 02 Dec '01

02 Dec '01

Jus't to say that I also didn't see the suse-security announce. I'm subscribed to both lists and always archive the announcements from suse-security (shorter subject) - I'm (I was:) still waiting for the suse-security announcement so that it could be archived. Carlos > -----Original Message----- > From: cwe(a)bph.ruhr-uni-bochum.de [mailto:cwe@bph.ruhr-uni-bochum.de] > Sent: sexta-feira, 30 de Novembro de 2001 18:12 > To: abien(a)gmx.net; draht(a)suse.de > Cc: suse-security(a)suse.com > Subject: Re: RE: [suse-security] SuSE Security Announcement: wuftpd > (SuSE-SA:2001:043) > > > 30.11.2001 19:00:16, Roman Drahtmueller <draht(a)suse.de> wrote: > > >Actually no... I've seen it running through. It was sent to > >suse-security-announce at Wed, 28 Nov 2001 23:55:25 +0100 (MET), to > >suse-security at Wed, 28 Nov 2001 23:58:18 +0100 (MET), and > to bugtraq at > >Wed, 28 Nov 2001 23:59:42 +0100 (MET). We usually wait until > we see our > >own posting from -announce until we send it off to > suse-security, later > >other addresses, including bugtraq. > > > >Roman. > > > Hi, > well I didn't get it and I can't find it on the list archive > > http://lists2.suse.com/archive/suse-security/2001-Nov/ > > but maybe I am too stupid... > > Christoph > -- > .-. Ruhr-Universitaet Bochum > /v\ L I N U X Lehrstuhl fuer Biophysik > // \\ >Penguin Computing< c/o Christoph Wegener > /( )\ Gebaeude ND 04/Nord > ^^-^^ D-44780 Bochum, GERMANY > > Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 > mailto:cwe@bph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de > > > > > > -- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com > >

4 4

firewall log entries
by michael.ryan＠storm.ie 01 Dec '01

01 Dec '01

I just noticed the following entries in my firewall log: Nov 23 19:44:11 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=16126 F=0x0000 T=246 SYN (#3) Nov 23 19:47:21 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=28824 F=0x0000 T=246 SYN (#3) Nov 23 19:47:58 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=9754 F=0x0000 T=246 SYN (#3) Nov 23 19:51:35 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=38173 F=0x0000 T=246 SYN (#3) eth0 is the external i/f ... does this indicate ssh connection attempts with spoofed IP source addresses? (I do have a machine on reserved IP address 192.168.1.4 but it can only establish connections to the firewall via eth1) TIA Michael

2 1

Re[2]: [suse-security] UDP 4665
by Ralf Koch 30 Nov '01

30 Nov '01

Hi, I looked up videobeans on different locations, all of them report port 3058 for videobeans. The list I use normaly from COTSE (http://webmail.cotse.com/dlf/man/ports/) shows the 4665 as an unassigned port. However, thanks for your guess. Ralf >> Nov 29 22:02:57 acme kernel: Packet log: input DENY ppp0 PROTO=17 >> 217.216.153.114:3058 217.0.156.224:4665 L=34 S=0x00 I=29563 F=0x0000 >> T=113 (#48) >> >> 15 - 50 hits per second. Does anybody know what they try to connect to? > >http://www.echogent.com/cgi-bin/fwlog.pl says, that the service >on this port is videobeans. No further information, and I'm no >(not yet?) guru on firewalling ... > >HTH, > Susan Dittmar >-- >Susan Dittmar Tel: +49 700 387322-33 >EURECA Messtechnik GmbH Fax: +49 700 387322-329 >Am Feldgarten 3 http://www.eureca.de >50769 Köln, GERMANY S.Dittmar(a)eureca.de > > >

2 3

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security November 2001