February 2001 - openSUSE Security - openSUSE Mailing Lists

Updates for SuSEfirewall and harden_suse
by marc＠suse.de 24 Feb '01

24 Feb '01

Hi folks, I'm back from one month of vacation so it's time for some updates! With the kernel-2.4 being released I will now start to work on SuSEfirewall2 which will be for iptables. Should be available in the next days/weeks SuSEfirewall v4.3: * Added support for selective access for trusted hosts/nets. * Added bind9 support to FW_SERVICE_DNS * Fixed a bug in the FW_ALLOW_PING_DMZ function * Fixed a mini bug in SuSEfirewall where the ICMP timeexceed rate was not set. (thanks to sm(a)suse.de) * Added a check for /etc/resolv.conf to prevent awk error messages * Fixed many typos (thanks to the SuSE Team!) v4.2.1 01.02.01 (gamma release) -> SuSE 7.1 * Added kernel 2.4 support via ipchains modul * Changed install script to new runlevels (done by Kurt Garloff, thanks!) harden_suse v3.0: * added RUN_UPDATEDB_AS security * removed permissions.paranoia support. yes to to question 2 sets permissions to secure, a no leaves the old value * removed the ulimit settings, just core files will be prevented * added some START_ variables to ignore for SuSE 7.1 * fixed a bug where accounting and scanlogd were not enabled * fixed some output presentation stuff Please note that harden_suse was not available on SuSE Linux 7.1 - so get it as an update package. Either wait for the rpm to be available on the SuSE FTP servers, or be desperate and a nice beta tester (although I tested them and found no bugs) and download the .tar.gz balls from http://www.suse.de/~marc Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc(a)suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

1 0

Lomac
by Togan Muftuoglu 24 Feb '01

24 Feb '01

Hi everyone, Has anyone using the lomac kernel module if so please share your experiences good/bad http://www.pgp.com/research/nailabs/secure-execution/lomac.asp TIA -- Togan Muftuoglu

1 0

new e-mail accounts (group 500 users)
by Philipp Snizek 24 Feb '01

24 Feb '01

Dear list-users, If I make a new e-mail account for my sendmail it's the same as if I made a new user account for the mail server. People could login e.g. through ssh. How can I restrict access to only just the corresponding e-mail account so users could not log on to the mail server by a terminal client? Thank you Philipp

4 6

Suse 7.1
by Gerhard den Hollander 24 Feb '01

24 Feb '01

Slightly off topic maybe, But has anyone who has one of those Suse subscriptions already received his 7.1 CD (professional) ? Kind regards, -- Gerhard den Hollander Phone +31-10.280.1515 Technical Support Jason Geosystems BV Fax +31-10.280.1511 (When calling please note: we are in GMT+1) gdenhollander(a)jasongeo.com POBox 1573 visit us at http://www.jasongeo.com 3000 BN Rotterdam JASON.......#1 in Reservoir Characterization The Netherlands This e-mail and any attachment is/are intended solely for the named addressee(s) and may contain information that is confidential and privileged. If you are not the intended recipient, we request that you do not disseminate, forward, distribute or copy this e-mail message. If you have received this e-mail message in error, please notify us immediately by telephone and destroy the original message.

4 3

Re: [suse-security] iptables and conntrack
by christian.burri＠synecta.ch 24 Feb '01

24 Feb '01

Martin Peikert <news-list.suse.security@inno To: suse-security(a)suse.com minate.de> cc: Subject: Re: [suse-security] iptables and conntrack 23.02.01 09:49 Please respond to Martin Peikert Marco Ahrendt <marco.ahrendt(a)adconsys.de> wrote: > Hi all, > > I want to set up a firewall to secure my private network. This network > includes about 5-6 computers running linux and windows os. I decided to > use netfilter (iptables) with the new 2.4.2 kernel which I compiled > on my pentium today. Now I have a question about the new iptables and > the connection tracking module: > I want to set a default policy for all chains (at first INPUT,OUTPUT and > FORWARD) to DENY. Now for example I want to allow a ssh connection from > the internet to my firewall. (I want the firewall to be the gate to my > local linux computers. I mean, if anyone wants to ssh to my private > computers, he only can get a connection if he first connects to the > firewall, and then connect to the target computer in my network.) Is > this a good idea ? I do not think so. On your firewall only those services should run that are required for the firewall. If you really need to allow ssh to your internal network from an untrusted net, try portforwarding to _one_ machine in your internal network, but _not_ to the firewall. Then your users can login to that machine, but I would not give them a normal shell on that computer, only ssh to other machines... --> I definately and strongly agree. giving ppl accounts on your firewall renders the thing quite useless, heh. > So I don't have to allow ssh to any of my computers > in the local net. Only to the firewall! What do you think about this? > Now the problem: If I use connection tracking for ssh. > > iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d $FIREWALLHOST -m > state --state NEW,ESTABLISHED,RELATED -i eth0 -j ACCEPT > > In this rule I would accept all connections coming from internet to my > firewall at port 22 and all packets in relation with this connect. > Right?! Should I now add a rule to the OUTPUT chain too, or is any > outgoing connection in relation with the ssh rule INPUT above accepted now? No. You need an additional rule for OUTPUT. But, as said above, I do not think that this would be a good idea. If you want to secure your private network, do not allow ssh from outside. --> hmm. Isnt the RELATED option used in conjunction with stateful protocols like FTP and not necessary for stateless TCP connections (telnet, ssh, ntp, http etc ...)? mesa not sure cuz I just got my SuSE 7.1 an am now putting the thing on my firewall. Netfilter rules; they say. YAY. time to get a grip :D --> Cheers Chris HTH Martin -- martin.peikert(a)innominate.com innominate AG the linux architects tel: +49-30-308806-0 fax: -77 http://www.innominate.com --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

1 0

RE: [suse-security] web mail into a Linux box
by Jacks, Charles 23 Feb '01

23 Feb '01

Mainly I have several of the free web mail accounts but I also have a web mail server for work that requires 128 bit secure sockets and they won't allow pop/imap or other non M$ exchange method. If I had a Linux program that would interface to M$ exchange I might be able to use that but I would still like to be able to download the free web mail accounts (with security) with my home pc which runs Linux. getting it back into a standard system I can do what I want with it, including getting my mail from the home pc (after it gets it from the various places) when I check in at home. The mail administrators are M$ all the way and ssl wrapped POP/IMAP may be either beyond them or the folks looking over their shoulders (POP was allowed but now not allowed, won't be allowed). Either way its slow, a pain, and higher cost to make a long distance call into their access port. The home pc could do it with a local call and I should be able to get to the home pc with a call to a local isp at pre set times. (I want DSL someday.) Security has to be acceptable at each point. The web mail is the sticking point. Will look into wget. Thanks Charles Jacks -----Original Message----- From: Kurt Seifried [mailto:listuser@seifried.org] Sent: Friday, February 23, 2001 16:22 To: Jacks, Charles; suse-security(a)suse.com Subject: Re: [suse-security] web mail into a Linux box wget? Then a perl script to turn it from html back into mail? Why don't they just setup ssl wrapped POP/IMAP (It's what I use on the road and I'm a total security freak). Kurt Seifried, seifried(a)securityportal.com Securityportal - your focal point for security on the 'net > I have a problem and I need a pointer where to look. > > I want to "download" mail from a web mail server that requires 128 bit secure sockets into a Linux system as "standard" mail that can be handled by a mail program for an intranet. > > Any suggestions as to what program might be applicable? > > Thanks > Charles Jacks > > --------------------------------------------------------------------- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com > --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

1 0

web mail into a Linux box
by Jacks, Charles 23 Feb '01

23 Feb '01

I have a problem and I need a pointer where to look. I want to "download" mail from a web mail server that requires 128 bit secure sockets into a Linux system as "standard" mail that can be handled by a mail program for an intranet. Any suggestions as to what program might be applicable? Thanks Charles Jacks

3 2

RE: [suse-security] web mail into a Linux box
by Franziskus Scharpff 23 Feb '01

23 Feb '01

Maybe you just talking about POP3s, which means a "Standard" POP3 Connection with SSl ?? Just guessing Franziskus -----Original Message----- From: Jacks, Charles [mailto:jacks@wpb.nuwc.navy.mil] Sent: Freitag, 23. Februar 2001 16:51 To: 'suse-security(a)suse.com' Subject: [suse-security] web mail into a Linux box I have a problem and I need a pointer where to look. I want to "download" mail from a web mail server that requires 128 bit secure sockets into a Linux system as "standard" mail that can be handled by a mail program for an intranet. Any suggestions as to what program might be applicable? Thanks Charles Jacks --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

1 0

SKIP?
by Mark Robinson 23 Feb '01

23 Feb '01

Hi all, Does anyone have any experience with SKIP and SuSE 7.0? I'm trying to set up a server to masquerade protocol 57, but I can't find anything useful... I can't see anything on www.skip.org about Linux. :-( Do I need to patch a kernel, or do something with the firewall script? Any pointers much appreciated... Thanks, Mark

1 0

Re: [suse-security] unknow message
by Eilert Brinkmann 23 Feb '01

23 Feb '01

Tor Sigurdsson wrote: > Það var föstudagur 23 febrúar 2001 13:21 þegar þú skrifaðir: > > >Feb 23 13:43:20 upnlr3 kernel: martian destination 00000000 > > >from 1f011f0a, > > >dev eth1 > > > > 1f011f0a > > 1f -> 31 > > 01 -> 1 > > 1f -> 31 > > 0a -> 10 > > -> IP 10.31.1.31 > > I think you got it backwards :-) No. This is because the x86 architecture host byte order differs from network byte order. The IP address is internally stored in network byte order, i.e., with the highest byte first: 0a 1f 01 1f. The kernel uses a simple printf("... %08x ...", ...) to produce the log message, so the bytes of the address are interpreted as a 32 bit integer according to _host_ byte order, i.e., lowest byte first (on x86). This results in the reversed output, because the last byte of the IP address is printed as the highest part of the number, and so on. Eilert -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Eilert Brinkmann -- Universitaet Bremen -- FB 3, Informatik eilert(a)informatik.uni-bremen.de - eilert(a)tzi.org - eilert(a)linuxfreak.com http://www.informatik.uni-bremen.de/~eilert/

2 1