March 2001 - openSUSE Security - openSUSE Mailing Lists

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

Sendmail SMTP AUTH / SSL
by Raffy 02 Apr '01

02 Apr '01

Hey list, On my box I have sendmail running. In order to use SMTP over SSL I run it with stunnel in inetd: smpts stream tcp nowait root /usr/local/sbin/stunnel stunnel -D 3 -p /usr/local/ssl/certs/stunnel.pem -r smtp Further I configured sendmail to use SMTP AUTH. Everything works perfect. But: smpts is on port 465. I configured my clients such that they use that port. So far so good. But now port 25 can still be used to send email. I could block it at the firewall but then I am not able to receive email any more, because other mailservers are talking with me on that port. (right?) Is there a solution that I can use SMTP over SSL and SMTP AUTH? Clients should not be able to connect without SSL or SMPT AUTH! Thanks Raffy

19 31

Bind
by Hipolito A. Gonzalez M. 02 Apr '01

02 Apr '01

I upgrade to the new 8-8.2.3 bind version, but, every morning the daemon "named" is stop. Is any trying to hack me? I have and real ip and I'm making hosting. Thank you. In log nothing appear. -- www.geekcode.com -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GCS/cc/e/it d++ s+:+ a-- C++$ UL+++$ E++ W+++$ w--- O---- M V- PS PE+++ Y+ PGP- t+ 5 X++ R tv+ b++ DI-- D+ G e++$ h! r++ y++ ------END GEEK CODE BLOCK------ - A veces creo que hay vida en otros planetas, y a veces creo que no. En cualquiera de los dos casos, la conclusión es asombrosa (Carl Sagan) -----------------------------------------------------------------

3 3

iptables
by office＠tride.net 02 Apr '01

02 Apr '01

Hello list, does the SuSEfirewall-script support iptables? cu

3 2

bind-update-attempt
by Daniel Quappe 31 Mar '01

31 Mar '01

hi list, in the last weeks i often got the syslog-message that somebody wanted to update my bind-server for somedomain which was of course denied by my bind-system by default. but: are there any problems in the software i have to think about with regard to a worst case scenario...;-) many thanks in advance, bye daniel

3 3

suse enterprise server
by bacano 30 Mar '01

30 Mar '01

hi2all, Regarding the security applications and features included in suse enterprise edition, what it has more than the professional version? Will be available any upgrade from professional to enterprise edition? [ ]'s bacano

1 0

lockdsvc : invalid argument. when loading nfsserver in 2.4.2
by Avi Schwartz 30 Mar '01

30 Mar '01

When starting up the nfsserver under Kernel 2.4.2 I get the error message lockdsvc : invalid argument. Searching the Internet (thanks Google!), I found some messages in the linux-kernel mailing list that there is no need to start rpc.lockd from the init scripts any more when using rhe 2.4.X kernels as it is loaded automatically on mount. I commented out these line from /etc/rc.d/nfsserver: checkproc -n lockd || \ /usr/sbin/rpc.lockd and restarted the NFS server. The error is gone and so far everything seems to work. Two questions: 1) Am I inviting problems by commenting out these lines? Is there a security issue? 2) If they are no longer needed, could SuSE please fix the scripts. Thanks, Avi -- Avi Schwartz Get a Life, avi(a)CFFtechnologies.com Get Linux!

1 0

many nic's
by office 30 Mar '01

30 Mar '01

Hello, how many network cards can i put into my linux box for firewalling? cu

3 2

Re: [suse-security] Ports
by NightWatcher 29 Mar '01

29 Mar '01

On Thu, 29 Mar 2001, you wrote: > I am administering a system that needs access to certain ports, but I do > not want to restrict access to these ports for these programs. The ports > are 5555 and 7000. How do I do this do that it is still secure and won't > create any security holes. > > > thank you, > michael > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com well who do u want to have access to the host (all? or single ips?) when it are single ips u can use the ipchains -I input -p tcp-s thefromip -d yourinternetip portnumber -j ACCEPT and after that ipchains -A input -p -s 0/0 -d urip port -j REJECT.. then only the accepted ips can enter.. otherwise make sure u cant login to that port using telnet etc (like an ftp server wich u can access with telnet and then turn it off( www.dutchriot.com)) hope that u have something about it greetz remko (NightWatcher IRCop(a)irc.quicknet.nl) Security Admin / advisor -------------------------------------------------------

1 0

DNS and Firewall (again) !
by Diogo Bacelar Quintela 29 Mar '01

29 Mar '01

Hello List I have a small network base on private ips and have one masquerading server. I want to specify in TCP options on the other machines the gate way machine as a dns server also.. Some abstraction.. I used to have named doing name caching for that. However now I am trying to use SuSEFirewall (or even by hand) to do that work. I mean.. All trafic from internal machines to firewall 's dns port (53) be automatically redirected (and masqueraded) to one dns server of the ISP (or both of those..) I have a cable connection and a SuSE 7.1 FTP clean installation. I believe it is SuSEfirewall 4.3 and kernel 2.4.2.. Is it possible ? I've looked and firewall's config and there are two non matching option's : port redirection (No private ips) and local port redirection (doesn't work!) TIA Diogo Quintela /------------------------------------------------------------------ || Diogo Bacelar Quintela ||----------------------------------------------------------------- || diogo.quintela(a)netcabo.pt // dbq(a)rnl.ist.utl.pt ||----------------------------------------------------------------- || PGP Public Key || http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x2099755D \------------------------------------------------------------------

1 0