December 2001 - openSUSE Security - openSUSE Mailing Lists

how to keep nimda and code red from filling apache logs
by Mathias Homann 25 Sep '03

25 Sep '03

Hi all, here's a bit of a step-by-step description on how to keep nimda and codered from filling your apache logs. Parts used: - SuSE 7.2 Professional - SuSEfirewall2 - iptables 1.2.3 - linux kernel 2.4.13-pre5 steps: 1. install kernel sources for a kernel >> 2.4.9, running 2.4.13- pre5 here, works fine so far 2. get the sources for iptables 1.2.3 from http://netfilter.samba.org 3. unpack sources somewhere 4. export KERNEL_DIR=$(where you put the kernel tree) 5. cd into unpacked iptables sources, there's a subdirectory named patch-o-matic there 6. apply wanted patches by running ./runme $(name.of.patch)patch for this here You'll want the string patch You can also apply other patches, like the irc-conntrack patch 7. now there's a little bug in this patch... here's a diff: --- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21 00:16:29 2001 +++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21 16:54:45 2001 @@ -62,7 +62,7 @@ sk = skip[haystack[right_end - i]]; sh = shift[i]; - right_end = max(int, right_end - i + sk, right_end + sh); + right_end = max(right_end - i + sk, right_end + sh); } return NULL; 8. now, make config/menuconfig/xconfig... as usual. You can import your running kernel's config first. 9. enable the experimental stuff 10. go to networking options->netfilter, there's an option there to enable string matching; set that to M 11. compile and install kernel as usual; remember to uncomment the export INSTALL_PATH=/boot in the main makefile. 12. now build a rpm file for the new iptables stuff by installing the source rpm which comes with suse, then edit the spec file, put the iptables source in /usr/src/packages/SOURCE and rebuild. 13. now there are some small changes to the firewall config files. a) uncomment the last line in /etc/rc.config.d/firewall2.rc.config: FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config" b) edit that file, I got the following stuff in mine: for forbidden_string in root.exe cmd.exe .ida; do iptables -I input_ext -p tcp --dport http -m string \ --string $forbidden_string -m state \ --state ESTABLISHED -j REJECT --reject-with tcp-reset done put that in the last supfunction defined in the custom rc file. c) change the FW_LOG setting in firewall2.rc.config from reading -log-level warning to -log-level kernel.warning 14. last: some small changes to /sbin/SuSEfirewall2 search in the script for the parts where the modules are loaded and unloaded; be sure to add ipt_string (and the other new modules you created by patching the kernel and enabling them in make config) to the modules loading/unloading code there. 15. reboot 16. if you try now to access (from outside, of course) one of the nimda or codered URLS, all you get is a 'connection reset by peer', and the request doesn't show in apache log files. btw, no guarantees, and the usual YMMV :) bye [L]

7 7

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

VPN masquerading
by Joost van der Lugt 06 May '02

06 May '02

Hi all, I am trying to set up VPN masquerading, for a Windows box, and just wondered if there was an easy way to do this, using just the firewall.rc.config script, or do both that plus the custom config script have to be used? I have seen the VPN how-to, however just wondered about a how to aply this with SuSE's scripts. Thanks for any suggestions, (PS if there is someone familiar with setting upo VPN on the SuSe box itself, I would be very interested as well..., of course) - Cheers, Joost

4 4

postfix regexp in body_checks
by Philipp Snizek 25 Apr '02

25 Apr '02

Hi, I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter malicious stuff like all windows executables. For MIME encoded headers I had no problem, this works fine. But if the header is uuencode, the attachment is only visible in the e-mail's body. I tried a regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks which should filter all *.bat|and so on. But nothing at all happens. Mails go thru as if there wasn't an obstacle. If there is some postfix & regexp pro on this list, please tell me what I am doing wrong. Thanx, Philipp

9 16

user ***** - am I hacked?
by Marc Wiesenhütter 10 Jan '02

10 Jan '02

Hi, wenn i just checked users login with last, i found this entry ***** p*******p*** Thu Jan 1 01:00 still logged in and user ***** is not known to me. the prozess table didn't show any strange thing so am I hacked or what does it mean? Any ideas welcome! bye Marc

8 9

Attack or not?
by Erwin Zierler - stubainet.at 09 Jan '02

09 Jan '02

Hi all, I have recently found the following lines in /var/log/messages on one of my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19: Dec 28 09:21:10 server -- MARK -- ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ [many many more of this] ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ Dec 28 14:34:46 server syslogd 1.3-3: restart. This server is connected to the internet via ADSL and sits behind a Zyxcel Prestige 310 where port 22 is NATed to the server. This is for remote administration - everything else on the Zyxcel is closed to the outside world. Looks to me like a buffer overflow with following crash, but then there is this time gap between the long line of ^@'s and the server restart 09:21 - 14:34 which worries me. I have not reached anyone there so I'll have to wait until next week to find out whether they maybe did a hard-boot or something. last shows: reboot system boot 2.2.16 Fri Dec 28 14:34 (1+20:48) reboot system boot 2.2.16 Fri Dec 28 11:56 (1+23:26) Checking the system with chkrootkit gave me only one wierd line: Checking `wted'... 1 deletion(s) between Fri Dec 28 11:56:50 2001 and Fri Dec 28 11:56:50 2001 Anyway, I wonderd if anyone has seen something similar yet and if I have to worry. Thanks in advance for your input. Erwin

10 11

iptables order of rules
by erez avraham 31 Dec '01

31 Dec '01

Greetings using Suse 7.1 kernel 2.4.0 iptables 1.2.4 with 2 nics eth0 192.168.4.2 pointing to my ADSL Router eth1 192.168.5.1 pointing to the LAN i inserted some rules and got surprising rezolts, doing iptables -L shows me ANY to ANY tcp ACCEPT ! i didn't put this rule. incoming connection will stop at first rule on the list right? so is this rule here to enable any connection at all and then eliminating what i'm blocking? my ADSL router is doing the NAT from 192.117.x.1 to 192.168.4.1, i have no problem getting out of the firewall but I'm nut sure about getting into the firewall or LAN behind it. 192.117.x.1 is the router address so how can I open ports on/through the firewall? I guess I will have to disable routing on the router and do it on the firewall, right? thanks and happy year here is the rules and output iptables -L: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW LOG all -f anywhere anywhere LOG level warning prefix `IPTABLES FRAGMENTS: ' DROP all -f anywhere anywhere ACCEPT udp -- 212.179.27.100 anywhere udp spt:domain state ESTABLISHED ACCEPT udp -- 216.34.120.171 anywhere udp spt:domain state ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http state ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere 212.179.27.100 udp dpt:domain state NEW,ESTABLISHED ACCEPT udp -- anywhere 216.34.120.171 udp dpt:domain state NEW,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spt:ftp state NEW,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spt:smtp state NEW,ESTABLISHED rules: =============================== ## LOOPBACK # Allow unlimited traffic on the loopback interface. iptables -A INPUT -i lo -j ACCEPT ## Make sure NEW tcp connections are SYN packets iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP ## FRAGMENTS # Log fragments just to see if we get any, and deny them too. iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: " iptables -A INPUT -i eth0 -f -j DROP ## DNS # Allow UDP packets in for DNS client from nameservers. iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT # Allow UDP packets to DNS servers from client. iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ## WWW # Allow www outbound to 80. iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT #FTP iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT #smtp #iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

2 1

glibc update problem
by Matt Hubbard 31 Dec '01

31 Dec '01

SuSE security community, I just updated the glibc source, devel, and profile packages on a SuSE 7.2 server via Yast1. I encountered the following problems: 1. /sbin/ldconfig generates the following error "usr/lib/libexpat.so.1 is not a symbolic link" 2. The Apache server will no longer start with mod_auth_nds included. When I remove the reference to this module from /etc/httpd/suse_loadmodule.conf and /etc/httpd/suse_addmodule.conf I can start the server. Could this module be incompatible with the new glibc packages? Matt Hubbard

3 3

iptables-question
by da_bug 31 Dec '01

31 Dec '01

Hi! I have question about iptables: If I want to block e.g. telnet for my two ippp-devices I do it this way (this works very good :)): iptables -A INPUT -i ippp0 -p tcp --dport 23 -j DROP iptables -A INPUT -i ippp1 -p tcp --dport 23 -j DROP So my question: Is there a way that I don't need to write a rule for every single interface? Something like "iptables -A INPUT -i ippp0,ippp1 -p tcp --dport 23 -j DROP" (I know this does not work) At the moment I use 4 interfaces and I don't like to type all my rules 4 times and of course it's not nice to have such a big firewall-skript... Greedings <da_bug(a)gmx.net>

4 3

Re: [suse-security] iptables-question
by johannes.marloth＠t-online.de 30 Dec '01

30 Dec '01

Hi da_bug, * Sun, 30 Dec 2001 15:39:48 +0100 da_bug wrote: > If I want to block e.g. telnet for my two ippp-devices I do it this > way (this works very good :)): > > iptables -A INPUT -i ippp0 -p tcp --dport 23 -j DROP > iptables -A INPUT -i ippp1 -p tcp --dport 23 -j DROP > > So my question: > Is there a way that I don't need to write a rule for every single > interface? Perhaps you'll write a bash/shell script for your firewall, so it's easy to do as you like: DEVICES="ippp1 ippp2 ippp3 ippp4" for DEV in $DEVICES do iptables -A INPUT -i $DEV -p tcp --dport 23 -j DROP done > Something like > "iptables -A INPUT -i ippp0,ippp1 -p tcp --dport 23 -j DROP" > (I know this does not work) Simply NO! HTH, Johannes

1 0