Hi all,
here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
Parts used:
- SuSE 7.2 Professional
- SuSEfirewall2
- iptables 1.2.3
- linux kernel 2.4.13-pre5
steps:
1. install kernel sources for a kernel >> 2.4.9; running 2.4.13-pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
http://netfilter.samba.org
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply the wanted patches by running ./runme $(name.of.patch)patch;
for this you'll want the string patch
You can also apply other patches, like the irc-conntrack patch
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
00:16:29 2001
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
16:54:45 2001
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
sh);
}
return NULL;
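Review bot: dropping the `int` type argument in `right_end = max(right_end - i + sk, right_end + sh);` ties ipt_string.c to a kernel whose `max()` macro takes two arguments; the removed line shows the patch was written against a three-argument `max(type, x, y)`, so this change will not build on a tree that still has that form, and the two-argument `max()` emits a type-mismatch warning when its operands differ in type, so `right_end`, `i`, `sk` and `sh` need to be declared with the same type for a clean build. A typed variant (`max_t(int, right_end - i + sk, right_end + sh)`, where the target kernel provides it) would keep the file building on either macro style. Also, as quoted here the diff is line-wrapped: the `---`/`+++` headers and both changed lines are split across two lines, so patch(1) will reject it until those lines are rejoined.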
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install the kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot line in the main Makefile.
12. now build an rpm for the new iptables by installing the
source rpm which comes with SuSE, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
files.
a) uncomment the last line in
/etc/rc.config.d/firewall2.rc.config:
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
    iptables -I input_ext -p tcp --dport http -m string \
        --string "$forbidden_string" -m state \
        --state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. reboot
16. if you now try to access (from outside, of course) one of the
nimda or codered URLs, all you get is a 'connection reset by
peer', and the request doesn't show up in the apache log files.
btw, no guarantees, and the usual YMMV :)
bye
[L]
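The following is an added example, not code from the post above: a small per-packet substring matcher in the spirit of the iptables `-m string` rules the post installs, run over constructed HTTP request payloads (not captured traffic). It uses a Boyer-Moore-Horspool search, a simplification of the skip/shift-table search visible in the quoted ipt_string.c hunk, and checks the same three strings the post's custom rules reset on. Its point is the caveat a practitioner wants before relying on the rule: the kernel match sees one packet at a time, so the same request split across two TCP segments, or with a percent-encoded dot, passes the filter untouched.

```python
"""Added example, not code from the original post: a per-packet substring
matcher in the spirit of iptables '-m string', used to show what the
REJECT rules in the post catch and what they cannot see."""

# The three strings the post's custom rules reset on (taken from the post).
FORBIDDEN = (b"root.exe", b"cmd.exe", b".ida")


def bm_horspool_find(haystack, needle):
    """Boyer-Moore-Horspool search over raw bytes.

    Returns the offset of the first occurrence of needle in haystack, or -1.
    As with the skip/shift tables in the quoted ipt_string.c hunk, the window
    is compared from its right end and shifted by a precomputed bad-character
    distance, so most bytes of a non-matching window are never examined.
    """
    n, m = len(haystack), len(needle)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Distance to shift when the byte under the window's last position is c.
    skip = {}
    for i in range(m - 1):
        skip[needle[i]] = m - 1 - i
    pos = 0
    while pos <= n - m:
        if haystack[pos:pos + m] == needle:
            return pos
        pos += skip.get(haystack[pos + m - 1], m)
    return -1


def packet_matches(payload, patterns=FORBIDDEN):
    """Emulate one '-m string --string X' rule per pattern on a single
    packet payload: return the first forbidden string found, else None."""
    for pattern in patterns:
        if bm_horspool_find(payload, pattern) != -1:
            return pattern
    return None


def filter_stream(segments, patterns=FORBIDDEN):
    """Run the per-packet check over the TCP segments of one connection,
    independently per segment, as the kernel match does (it has no view of
    the reassembled stream).  Returns [(segment_index, matched_string), ...]
    for the segments the REJECT --reject-with tcp-reset rule would answer."""
    hits = []
    for idx, payload in enumerate(segments):
        matched = packet_matches(payload, patterns)
        if matched is not None:
            hits.append((idx, matched))
    return hits


# Constructed request payloads (not captured traffic) in the shape of the
# Nimda and Code Red probes the post wants to keep out of the Apache logs.
NIMDA_ONE_SEGMENT = [b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: x\r\n\r\n"]
CODERED_ONE_SEGMENT = [b"GET /default.ida?NNNNNNNNNNNN HTTP/1.0\r\n\r\n"]
# The same Nimda request with the signature split across two segments.
NIMDA_SPLIT = [b"GET /scripts/root.ex", b"e?/c+dir HTTP/1.0\r\nHost: x\r\n\r\n"]
# Percent-encoded dot: a literal byte match does not decode it.
NIMDA_ENCODED = [b"GET /scripts/cmd%2Eexe?/c+dir HTTP/1.0\r\n\r\n"]

if __name__ == "__main__":
    cases = [("nimda", NIMDA_ONE_SEGMENT), ("codered", CODERED_ONE_SEGMENT),
             ("nimda split", NIMDA_SPLIT), ("nimda %2E", NIMDA_ENCODED)]
    for name, segs in cases:
        print(name, "->", filter_stream(segs) or "passes the string match")
```

The two "passes" cases are why a rule like this is a log-noise reducer rather than a security boundary: a client that controls segmentation or encoding is not stopped, and the rule does nothing for a request that is already on the wire by the time the connection is ESTABLISHED beyond answering that one packet with a reset. Whether the decoded form reaches anything vulnerable is a question for the web server, not the filter.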
Hi!
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication, and only the users who have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
Thanks.
--
Farewell.
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
João Reis
-------------------------------------------------------
Hi all,
I am trying to set up VPN masquerading for a Windows box,
and just wondered if there is an easy way to do this using just the
firewall.rc.config script, or whether both that and the custom config
script have to be used?
I have seen the VPN HOWTO, but just wondered how to apply
this with SuSE's scripts.
Thanks for any suggestions,
(PS: if there is someone familiar with setting up VPN on the SuSE box
itself, I would be very interested in that as well, of course)
-
Cheers,
Joost
Hi,
I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter
malicious stuff like all Windows executables. For MIME encoded headers I had no problem, this works
fine. But if the encoding is uuencode, the attachment is only visible in the e-mail's body. I tried a
regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks which should filter all
*.bat and so on. But nothing at all happens. Mails go through as if there were no obstacle.
If there is some postfix & regexp pro on this list, please tell me what I am doing wrong.
Thanx,
Philipp
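As an added example (not from the poster, and not Postfix's own code), the block below replays what a Postfix body_checks table does with a uuencoded attachment: Postfix tries the patterns against each body line in turn, case-insensitively by default, and the first pattern that matches decides. The message body is constructed, not a real mail. The example runs the poster's pattern next to a version anchored to the uuencode `begin` line, which is the only line on which the attachment's file name appears; Python's `re` stands in for the Postfix regexp engine, which is an approximation.

```python
"""Added example: simulate Postfix body_checks line-by-line matching on a
constructed uuencoded message (not real mail, not Postfix's own code)."""
import re

# Constructed sample body: a uuencoded attachment, whose file name appears
# only on the 'begin' line, plus an ordinary prose line naming a .exe file.
SAMPLE_BODY = """\
Hi Philipp,
please run setup.exe after unpacking, it is safe.

begin 644 invoice.exe
M35J0``,````$````__``+@`````````0```
`
end
"""

# Rules in the shape of a Postfix regexp: table, one per line:
#   /pattern/ ACTION
POSTED_RULE = (r".*\.(bat|exe|cmd|vbs|vba)", "REJECT")   # the poster's pattern
# Anchored to the uuencode header line: 'begin <mode> <name>'.
ANCHORED_RULE = (r"^begin [0-7]{3,4} .*\.(bat|exe|cmd|vbs|vba)\s*$", "REJECT")


def body_checks(body, rules):
    """Emulate body_checks: walk the body line by line; the first rule whose
    regexp matches a line decides.  Returns (action, line_no, line) for the
    deciding line, or None if no rule fires (mail passes)."""
    for line_no, line in enumerate(body.splitlines(), 1):
        for pattern, action in rules:
            if re.search(pattern, line, re.IGNORECASE):
                return action, line_no, line
    return None


def matching_lines(body, pattern):
    """Every body line number a single pattern fires on; shows false positives."""
    return [line_no for line_no, line in enumerate(body.splitlines(), 1)
            if re.search(pattern, line, re.IGNORECASE)]


if __name__ == "__main__":
    print("posted rule fires on lines:", matching_lines(SAMPLE_BODY, POSTED_RULE[0]))
    print("anchored rule fires on lines:", matching_lines(SAMPLE_BODY, ANCHORED_RULE[0]))
    print("decision with posted rule:", body_checks(SAMPLE_BODY, [POSTED_RULE]))
    print("decision with anchored rule:", body_checks(SAMPLE_BODY, [ANCHORED_RULE]))
```

Two things the run shows. The poster's unanchored pattern does match the `begin 644 invoice.exe` line, but it also rejects on the harmless prose line that merely mentions setup.exe, so it would bounce legitimate mail; the anchored pattern fires only on the uuencode header. And since the pattern itself matches, a table that rejects nothing is worth checking from the other end: the file is only consulted when main.cf references it (`body_checks = regexp:/etc/postfix/body_checks`) and Postfix has been reloaded.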
Hi,
When I just checked user logins with last, I found this entry
***** p*******p*** Thu Jan 1 01:00 still logged
in
and user ***** is not known to me. The process table didn't show anything
strange, so am I hacked, or what does it mean?
Any ideas welcome!
bye
Marc
Hi all,
I have recently found the following lines in /var/log/messages on one of
my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:
Dec 28 09:21:10 server -- MARK --
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
[many many more of this]
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Dec 28 14:34:46 server syslogd 1.3-3: restart.
This server is connected to the internet via ADSL and sits behind a
Zyxcel Prestige 310 where port 22 is NATed to the server. This is
for remote administration - everything else on the Zyxcel is closed
to the outside world.
Looks to me like a buffer overflow with a subsequent crash, but then there
is this time gap between the long line of ^@'s and the server restart,
09:21 - 14:34, which worries me. I have not reached anyone there, so I'll
have to wait until next week to find out whether they maybe did a
hard boot or something. last shows:
reboot system boot 2.2.16 Fri Dec 28 14:34 (1+20:48)
reboot system boot 2.2.16 Fri Dec 28 11:56 (1+23:26)
Checking the system with chkrootkit gave me only one weird line:
Checking `wted'... 1 deletion(s) between Fri Dec 28 11:56:50 2001 and
Fri Dec 28 11:56:50 2001
Anyway, I wondered if anyone has seen something similar yet and if
I have to worry.
Thanks in advance for your input.
Erwin
Greetings
Using SuSE 7.1, kernel 2.4.0, iptables 1.2.4 with 2 NICs:
eth0 192.168.4.2 pointing to my ADSL Router
eth1 192.168.5.1 pointing to the LAN
I inserted some rules and got surprising results: doing iptables -L shows
me ANY to ANY tcp ACCEPT!
I didn't put this rule in.
An incoming connection will stop at the first rule on the list, right? So is this
rule here to enable any connection at all and then eliminate what I'm
blocking?
My ADSL router is doing the NAT from 192.117.x.1 to 192.168.4.1. I have no
problem getting out of the firewall, but I'm not sure about getting into the
firewall or the LAN behind it. 192.117.x.1 is the router address, so how can I
open ports on/through the firewall?
I guess I will have to disable routing on the router and do it on the
firewall, right?
Thanks and happy new year
here is the rules and output
iptables -L:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere           tcp flags:!SYN,RST,ACK/SYN state NEW
LOG        all  -f  anywhere             anywhere           LOG level warning prefix `IPTABLES FRAGMENTS: '
DROP       all  -f  anywhere             anywhere
ACCEPT     udp  --  212.179.27.100       anywhere           udp spt:domain state ESTABLISHED
ACCEPT     udp  --  216.34.120.171       anywhere           udp spt:domain state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ftp state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             212.179.27.100     udp dpt:domain state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             216.34.120.171     udp dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:smtp state NEW,ESTABLISHED
rules:
===============================
# Nameserver addresses, as they appear in the iptables -L output above
NAMESERVER_1=212.179.27.100
NAMESERVER_2=216.34.120.171

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
## FRAGMENTS
# Log fragments just to see if we get any, and deny them too.
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
## DNS
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
## WWW
# Allow www outbound to 80.
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#FTP
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#smtp
#iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
SuSE security community,
I just updated the glibc source, devel, and profile packages on a SuSE
7.2 server via Yast1. I encountered the following problems:
1. /sbin/ldconfig generates the following error "usr/lib/libexpat.so.1 is
not a symbolic link"
2. The Apache server will no longer start with mod_auth_nds included.
When I remove the reference to this module from
/etc/httpd/suse_loadmodule.conf and /etc/httpd/suse_addmodule.conf I
can start the server.
Could this module be incompatible with the new glibc packages?
Matt Hubbard
Hi!
I have question about iptables:
If I want to block e.g. telnet for my two ippp devices, I do it this
way (this works very well :)):
iptables -A INPUT -i ippp0 -p tcp --dport 23 -j DROP
iptables -A INPUT -i ippp1 -p tcp --dport 23 -j DROP
So my question:
Is there a way so that I don't need to write a rule for every single
interface?
Something like
"iptables -A INPUT -i ippp0,ippp1 -p tcp --dport 23 -j DROP"
(I know this does not work)
At the moment I use 4 interfaces, and I don't like to type
all my rules 4 times; of course it's also not nice to have such a
big firewall script...
Greetings
<da_bug(a)gmx.net>
Hi da_bug,
* Sun, 30 Dec 2001 15:39:48 +0100 da_bug wrote:
> If I want to block e.g. telnet for my two ippp devices, I do it this
> way (this works very well :)):
>
> iptables -A INPUT -i ippp0 -p tcp --dport 23 -j DROP
> iptables -A INPUT -i ippp1 -p tcp --dport 23 -j DROP
>
> So my question:
> Is there a way so that I don't need to write a rule for every single
> interface?
Perhaps you could write a bash/shell script for your firewall; then it's
easy to do what you want:
DEVICES="ippp1 ippp2 ippp3 ippp4"
for DEV in $DEVICES
do
    iptables -A INPUT -i $DEV -p tcp --dport 23 -j DROP
done
> Something like
> "iptables -A INPUT -i ippp0,ippp1 -p tcp --dport 23 -j DROP"
> (I know this does not work)
Simply NO!
HTH,
Johannes