One may also note that nessus may generate false positives, as squid indeed
does serve pages (with error messages) while trying to connect to forbidden
ports.
Just my $0.02,
Thomas
> -----Original Message-----
> From: Steffen Dettmer [mailto:steffen@dett.de]
> Sent: Tuesday, 24 April 2001 10:15
> To: 'Suse-Security' (E-Mail)
> Subject: Re: [suse-security] Security Problems with Squid 2.2 Stable 5
>
>
> * Mario Enrico Ragucci wrote on Tue, Apr 24, 2001 at 03:46 +0200:
> > - The proxy allows the users to perform
> > CONNECT requests like
> > CONNECT http://cvs.nessus.org:23
>
> Did you use:
>
> acl SSL_ports port 443 563
> acl Safe_ports port 80 81 85 21 443 563 70 210 1025-65535
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> otherwise give it a try.
>
> oki,
>
> Steffen
>
> --
> This message was generated by machine;
> it therefore bears neither signature nor seal.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com
> For additional commands, e-mail: suse-security-help(a)suse.com
>
>
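The two deny lines Steffen quotes only do their job together: `deny !Safe_ports` stops CONNECT to port 23 (the Nessus finding), but a CONNECT to a high port such as 8080 passes Safe_ports and is caught only by `deny CONNECT !SSL_ports`. The following model of Squid's first-match `http_access` evaluation is an added example for this thread, not Squid code and not from the list: it implements just the `port` and `method` ACL types and `!` negation from the posted fragment, and uses Squid's documented default (no line matches: the opposite of the last line's action). A real `squid.conf` would carry further `http_access` lines after these two.

```python
"""Model of Squid's first-match http_access evaluation for the port ACLs
posted in the thread. Added illustration, not Squid code: only the subset
(port ACLs, method ACLs, '!' negation) needed to show why both deny lines
are required is implemented."""
from typing import Dict, List, Set, Tuple

# ACL definitions from the posted squid.conf fragment.
ACL_CONFIG = """
acl SSL_ports port 443 563
acl Safe_ports port 80 81 85 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
"""

# http_access rules from the posted fragment, in order.
HTTP_ACCESS = [
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
]


def parse_acls(text: str) -> Dict[str, Tuple[str, Set]]:
    """Turn 'acl NAME TYPE values...' lines into {name: (type, values)}.
    Port ACLs are stored as a set of (low, high) ranges."""
    acls: Dict[str, Tuple[str, Set]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl":
            continue
        name, acl_type, values = parts[1], parts[2], parts[3:]
        if acl_type == "port":
            ranges = set()
            for v in values:
                lo, _, hi = v.partition("-")      # "1025-65535" or "443"
                ranges.add((int(lo), int(hi or lo)))
            acls[name] = (acl_type, ranges)
        elif acl_type == "method":
            acls[name] = (acl_type, {m.upper() for m in values})
        else:
            raise ValueError("unsupported acl type in this model: " + acl_type)
    return acls


def acl_matches(acl: Tuple[str, Set], method: str, port: int) -> bool:
    acl_type, values = acl
    if acl_type == "port":
        return any(lo <= port <= hi for lo, hi in values)
    return method.upper() in values


def decide(method: str, port: int, acls=None, rules: List[str] = None) -> str:
    """Return 'allow' or 'deny' for a request using Squid's semantics:
    the first http_access line whose ACL terms all match decides; if no
    line matches, the default is the opposite of the last line's action."""
    acls = acls if acls is not None else parse_acls(ACL_CONFIG)
    rules = rules if rules is not None else HTTP_ACCESS
    last_action = None
    for rule in rules:
        _, action, *terms = rule.split()
        last_action = action
        matched = True
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            hit = acl_matches(acls[name], method, port)
            if hit == negated:   # plain term missed, or negated term hit: line fails
                matched = False
                break
        if matched:
            return action
    return "allow" if last_action == "deny" else "deny"


if __name__ == "__main__":
    for m, p in [("CONNECT", 23), ("CONNECT", 443), ("CONNECT", 8080),
                 ("GET", 80), ("GET", 22)]:
        print(f"{m} to port {p}: {decide(m, p)}")
```

Running it shows CONNECT to 23 and to 8080 denied, CONNECT to 443 and GET to 80 allowed, and GET to 22 denied. As Thomas notes, a denied request is still answered by Squid with an HTML error page, which is what a scanner doing only a "did the proxy reply" check will misread as success.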
Quoting Christopher Mahmood (ckm(a)interearth.com) on Mon, Apr 23, 2001 at 06:57:53PM +0200:
> * Andreas Siegert (afx(a)atsec.com) [010423 03:02]:
> > This is a security hole if you ask me. Especially when seeing a non privileged
> > user process eating up resources quickly. That should not happen, even without
> > explicit ulimits.
>
> No, it's an admin error. There's no reason that the kernel should
> assume it's smarter than you.
Of course the admin should set limits. But a kernel going bonkers over
run-away processes is a kernel error, not an admin error.
>
> > AIX had the same problem some years ago, then they changed the algorithm for
> > killing processes in that situation and nowadays it seems to be killing the
> > offender most of the time.
>
> If that's correct then this sounds like one more reason not to run
> AIX.
Well, at least AIX doesn't kill random processes but the ones causing the
problem. One more reason to run AIX IMNSHO.
cheers
afx
--
atsec information security GmbH Phone: +49-89-44249830
Steinstrasse 68 Fax: +49-89-44249831
D-81667 Muenchen, Germany WWW: www.atsec.com
May the Source be with you!
Hi,
I got this in my log
Apr 23 10:15:48 mymachine wu.ftpd[13697]: connect from 62.2.87.42 (62.2.87.42)
Apr 23 10:15:49 mymachine ftpd[13697]: USER anonymous
Apr 23 10:15:49 mymachine ftpd[13697]: PASS guest(a)here.com
Apr 23 10:15:49 mymachine ftpd[13697]: CWD /pub/
Apr 23 10:15:49 mymachine ftpd[13697]: MKD 010423101604p
Apr 23 10:15:49 mymachine ftpd[13697]: CWD /public/
Apr 23 10:15:49 mymachine ftpd[13697]: CWD /pub/incoming/
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /incoming/
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /_vti_pvt/
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /
Apr 23 10:15:50 mymachine ftpd[13697]: MKD 010423101605p
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /upload/
after which the person disappeared.
Is there an exploit here that I'm unaware of? I couldn't find anything on
either cert.org or securityfocus.com. Or is it just someone looking for a
place to store warez? Am I being paranoid? :)
Regards
Anders
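The pattern in Anders' log (anonymous login, then MKD with a timestamp-like name in every directory a stock FTP server might leave writable, all within two seconds) is what a scripted "drop site" scanner produces. The detector below is an added example for this thread, not code from the list: it groups wu.ftpd syslog lines by process id and labels a session a writable-directory probe when an anonymous user issues MKD across several well-known drop directories within a few seconds. The sample log is the one from the posting (year and the de-obfuscated `@` in the PASS line assumed); the directory list and the thresholds are my own choices.

```python
"""Detect anonymous-FTP 'writable directory' probes of the kind shown in
the wu.ftpd log from the posting. Added example, not part of the original
post; the syslog layout assumed is the one in the posted lines."""
import re
from collections import defaultdict
from datetime import datetime

# The log lines from the posting (year 2001 assumed for parsing, PASS
# address written with a plain '@').
SAMPLE_LOG = """\
Apr 23 10:15:48 mymachine wu.ftpd[13697]: connect from 62.2.87.42 (62.2.87.42)
Apr 23 10:15:49 mymachine ftpd[13697]: USER anonymous
Apr 23 10:15:49 mymachine ftpd[13697]: PASS guest@here.com
Apr 23 10:15:49 mymachine ftpd[13697]: CWD /pub/
Apr 23 10:15:49 mymachine ftpd[13697]: MKD 010423101604p
Apr 23 10:15:49 mymachine ftpd[13697]: CWD /public/
Apr 23 10:15:49 mymachine ftpd[13697]: CWD /pub/incoming/
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /incoming/
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /_vti_pvt/
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /
Apr 23 10:15:50 mymachine ftpd[13697]: MKD 010423101605p
Apr 23 10:15:50 mymachine ftpd[13697]: CWD /upload/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<src>\S+)")

# Directories that automated drop-site scanners try (assumed list).
DROP_DIRS = {"/pub/", "/public/", "/pub/incoming/", "/incoming/",
             "/_vti_pvt/", "/upload/", "/"}


def parse_sessions(log: str, year: int = 2001):
    """Group log lines by ftpd pid into per-session dicts."""
    sessions = defaultdict(lambda: {"src": None, "user": None,
                                    "cwd": [], "mkd": [], "times": []})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions[m["pid"]]
        s["times"].append(datetime.strptime(f"{year} {m['ts']}",
                                            "%Y %b %d %H:%M:%S"))
        msg = m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            s["src"] = c["src"]
        elif msg.startswith("USER "):
            s["user"] = msg[5:].strip()
        elif msg.startswith("CWD "):
            s["cwd"].append(msg[4:].strip())
        elif msg.startswith("MKD "):
            s["mkd"].append(msg[4:].strip())
    return dict(sessions)


def classify(session, max_seconds: int = 10) -> str:
    """An anonymous login that issues MKD while walking several known drop
    directories within a few seconds is a scripted probe, not a human."""
    anon = (session["user"] or "").lower() in ("anonymous", "ftp")
    span = ((max(session["times"]) - min(session["times"])).total_seconds()
            if session["times"] else 0)
    probed = len(set(session["cwd"]) & DROP_DIRS)
    if anon and session["mkd"] and probed >= 3 and span <= max_seconds:
        return "writable-dir probe"
    if anon and session["mkd"]:
        return "anonymous upload attempt"
    return "benign"


def report(log: str):
    """Map each session pid to (source address, label)."""
    return {pid: (s["src"], classify(s)) for pid, s in parse_sessions(log).items()}


if __name__ == "__main__":
    for pid, (src, label) in report(SAMPLE_LOG).items():
        print(f"pid {pid} from {src}: {label}")
```

For the posted session this reports `pid 13697 from 62.2.87.42: writable-dir probe`. Whether the MKDs succeeded is the thing to check on the server: the log shows only the commands, not wu.ftpd's replies, so look for the two timestamp-named directories on disk.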
Hi everyone,
I was just going to apply harden-suse-3.2 to my firewall machine, but I thought that before shouting for help I'd go and ask some questions first.
When I read the actual script I saw that it needs /usr/share/doc/pam/md5.config to exist. Since I was low on space I had deleted all the man pages and the /usr/share/doc/ directories, so it was good to know it is needed.
Are there any other specific files that need to be present?
--
Togan Muftuoglu
Hi,
I need to build a VPN connection to a Windows NT based partner network.
If I'm right this could be done with cipe and freeswan. Which package
is recommended? How do I have to configure firewall.rc.config?
My System
Kernel 2.2.18
ipchains 1.3.9-217
SuSEfirewall 4.3-3
Thanks in advance
Thom
-
-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM(a)kaupp.chemie.uni-oldenburg.de
| Member of the pzt project.
| http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------
Hella.Breitkopf(a)varetis.de wrote:
> Steffen Dettmer <steffen(a)dett.de>
> had some perl code to decode this:
>
> >to convert hex to IP you may use the following one-liner:
> >
> >perl -e '$a=shift;{printf "%d.%d.%d.%d\n",
> > hex(substr($a,6,2)),
> > hex(substr($a,4,2)),
> > hex(substr($a,2,2)),
> > hex(substr($a,0,2));}' <string>
> >
> >[this works at least on intel archs]
^^^^^^^^^^^^^^
And that's the point: The output in the logfile is architecture
dependent.
> [snip]
> >fffffea9 = 169.254.255.255
>
> Err, and here starts my problem:
> ff ff fe a9 is in my universe (if read from left to right) =
> 255.255.254.169
> (but a9feffff *is* 169.254.255.255)
> The script does it backwards ...
These messages are produced by the call
printk(KERN_WARNING "martian source %08x for %08x, dev %s\n",
saddr, daddr, dev->name);
in /usr/src/linux/net/ipv4/route.c, where saddr and daddr are 32-bit
integer variables containing the IP addresses in network byte
order. But this printk-call interprets them as if they were in host
byte order. Therefore, if host byte order and network byte order
differ, the bytes of the IP addresses are printed "from right to
left".
Network byte order is big endian, while host byte order on Intel is
little endian, so on an Intel machine the output has the "wrong"
order.
Eilert
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Eilert Brinkmann -- Universitaet Bremen -- FB 3, Informatik
eilert(a)informatik.uni-bremen.de - eilert(a)tzi.org
http://www.informatik.uni-bremen.de/~eilert/
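Eilert's explanation can be checked directly: take the `%08x` word as the host CPU read it, re-serialise it in host order to recover the bytes as they were on the wire, and print those in network order. The decoder below is an added example for this thread (not kernel or list code); it handles both a little-endian host such as i386, where "fffffea9" means 169.254.255.255, and a big-endian host, where the same word would mean 255.255.254.169. The two sample log lines are constructed for the example and carry the `martian source ... for ..., dev ...` text from the printk in route.c; the kernel-side fix is to pass the addresses through `ntohl()` before printing them.

```python
"""Decode the addresses in the kernel's 'martian source %08x for %08x'
message, which prints saddr/daddr as the host CPU sees the 32-bit word.
Added example for the thread, not kernel or list code."""
import re
import struct
import sys

MARTIAN_RE = re.compile(
    r"martian source (?P<src>[0-9a-fA-F]{8}) for (?P<dst>[0-9a-fA-F]{8}), "
    r"dev (?P<dev>\S+)")


def hex_to_ip(word: str, host_little_endian: bool) -> str:
    """printk('%08x', saddr) shows the word in host order. Pack it back in
    host order to recover the wire bytes, then print them as a dotted quad
    (network order is big-endian, i.e. first byte first)."""
    value = int(word, 16)
    wire_bytes = struct.pack("<I" if host_little_endian else ">I", value)
    return ".".join(str(b) for b in wire_bytes)


def decode_martian(line: str,
                   host_little_endian: bool = (sys.byteorder == "little")):
    """Return (source, destination, device) for one martian-source log
    line, or None if the line is not one. The default assumes the log was
    written on a machine with the same byte order as the one decoding it."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    return (hex_to_ip(m["src"], host_little_endian),
            hex_to_ip(m["dst"], host_little_endian),
            m["dev"])


# Constructed sample lines (not from the posting): the first is how an
# i386 box prints a packet from 169.254.255.255 to 10.0.0.1, the second
# is how a big-endian machine prints the same packet.
SAMPLE_LE = "kernel: martian source fffffea9 for 0100000a, dev eth0"
SAMPLE_BE = "kernel: martian source a9feffff for 0a000001, dev eth0"

if __name__ == "__main__":
    print(decode_martian(SAMPLE_LE, host_little_endian=True))
    print(decode_martian(SAMPLE_BE, host_little_endian=False))
```

Both calls print `('169.254.255.255', '10.0.0.1', 'eth0')`; the byte order of the machine that wrote the log, not of the one reading it, is what has to be passed in.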
Moin,
Quoting Peer-Christoph Mettelem (Peer-Christoph.Mettelem(a)bezreg-muenster.nrw.de) on Mon, Apr 23, 2001 at 09:48:12AM +0200:
> Hi,
>
> I just wrote a shell script which looks like this:
> while true
> do
> $0
> done
>
> I executed it as normal user and then the following happened: As you can
> imagine, very many shells were started (I wasn't able to count them because
> the system wasn't responding any more). And then the system started killing
> system processes like X and smbd. I got the following output on console 10:
> Apr 23 09:11:54 AlBundy kernel: VM: killing process kmail
> Apr 23 09:12:52 AlBundy kernel: VM: killing process smbd
> Apr 23 09:13:03 AlBundy kernel: VM: killing process smbd
> Apr 23 09:13:05 AlBundy kernel: VM: killing process xconsole
> Apr 23 09:13:13 AlBundy kernel: VM: killing process X
>
> The system recovered itself by killing X. That worked because I started the
> script from a shell in KDE. But if the script were started within a
> telnet session, it could be more dangerous.
>
> I don't know if this is a security hole, but it might be.
This is a security hole if you ask me. Especially when seeing a non privileged
user process eating up resources quickly. That should not happen, even without
explicit ulimits.
AIX had the same problem some years ago, then they changed the algorithm for
killing processes in that situation and nowadays it seems to be killing the
offender most of the time.
Time for a kernel change, methinks.
afx
--
atsec information security GmbH Phone: +49-89-44249830
Steinstrasse 68 Fax: +49-89-44249831
D-81667 Muenchen, Germany WWW: www.atsec.com
May the Source be with you!
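The console lines Peer-Christoph posted are the whole story from the victim's side: five kills in 79 seconds, none of them the shell that was forking. A monitor that recognises that shape is worth having whether or not the kernel's victim selection improves, so here is one as an added example for this thread (not code from the list or the kernel): it parses `VM: killing process` messages, groups kills that fall inside a time window into one incident, and records whether the process you believe to be the offender is among the victims. The sample is the posted console output (year 2001 assumed); the window and threshold are my choices.

```python
"""Flag a burst of 'VM: killing process' kernel messages such as the ones
posted in the thread. A run of kills within a short window is the signature
of one runaway (here a fork bomb) taking the box down; the victims listed
are collateral unless the offender's own name shows up. Added example,
not part of the thread."""
import re
from datetime import datetime

# The console output from the posting (year 2001 assumed for parsing).
SAMPLE = """\
Apr 23 09:11:54 AlBundy kernel: VM: killing process kmail
Apr 23 09:12:52 AlBundy kernel: VM: killing process smbd
Apr 23 09:13:03 AlBundy kernel: VM: killing process smbd
Apr 23 09:13:05 AlBundy kernel: VM: killing process xconsole
Apr 23 09:13:13 AlBundy kernel: VM: killing process X
"""

KILL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"VM: killing process (?P<name>\S+)")


def parse_kills(log: str, year: int = 2001):
    """Return [(timestamp, host, victim)] for every VM kill line."""
    out = []
    for line in log.splitlines():
        m = KILL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["host"], m["name"]))
    return out


def oom_bursts(kills, window_seconds: int = 120, min_kills: int = 3):
    """Group consecutive kills that fall within window_seconds of the first
    kill in the group; groups of at least min_kills are one incident."""
    incidents, group = [], []
    for k in kills:
        if group and (k[0] - group[0][0]).total_seconds() > window_seconds:
            if len(group) >= min_kills:
                incidents.append(group)
            group = []
        group.append(k)
    if len(group) >= min_kills:
        incidents.append(group)
    return incidents


def summarize(log: str, offender: str):
    """Per incident: host, start time, victims in order, and whether the
    process named as the offender was ever among them."""
    result = []
    for inc in oom_bursts(parse_kills(log)):
        victims = [name for _, _, name in inc]
        result.append({"host": inc[0][1],
                       "start": inc[0][0].isoformat(sep=" "),
                       "victims": victims,
                       "offender_killed": offender in victims})
    return result


if __name__ == "__main__":
    # The posted script ran from an interactive shell; "bash" is assumed
    # here as the offender's process name.
    for inc in summarize(SAMPLE, "bash"):
        print(inc)
```

On the posted output this yields one incident on AlBundy starting 2001-04-23 09:11:54 with victims kmail, smbd, smbd, xconsole, X and `offender_killed` False, which is exactly afx's complaint: the kernel freed memory by shooting bystanders and the runaway survived until X went down with it.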
Hi,
I have just completed a default installation of SuSE 6.4 on an old PC.
What steps should I now take to tighten the security of this box before I
connect it to the big bad internet ;-) ??
(I plan on using it as a ftp server and also perhaps as a web server)
Any feedback much appreciated.
Michael
P.S. I am new to Linux
Reposted from a previous post:
Nix wrote:
>Just a reminder to everyone that we have a Frequently Asked
>Questions (FAQ) file at:
>
>http://www.susesecurity.com/faq/
>
>Please check it occasionally (before you post a question) as
>there is some useful information there.
>
>If anyone has some extra sections for the FAQ, please forward
>them to me, and I will put them in at my earliest convenience.
>
>Cheers
>
>---
>Nix - nix(a)susesecurity.com
>http://www.susesecurity.com
It sort of occurred to me that this should probably be reposted once in a
while.
John
Which is more secure today, bind 9.1.x or djbdns? We're hosting several sites and planning to extend this activity, and we have 3 Linux boxes (2 of them are to be upgraded and secured...). Has anyone played with djbdns and tinydns? Is the
installation of djbdns in place of bind easy?
regards
stephane