Hi all,
here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
Parts used:
- SuSE 7.2 Professional
- SuSEfirewall2
- iptables 1.2.3
- linux kernel 2.4.13-pre5
steps:
1. install kernel sources for a kernel >> 2.4.9 (running 2.4.13-pre5 here, works fine so far)
2. get the sources for iptables 1.2.3 from
http://netfilter.samba.org
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply the wanted patches by running ./runme $(name.of.patch)patch;
for this you'll want the string patch.
You can also apply other patches, like the irc-conntrack patch.
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
00:16:29 2001
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
16:54:45 2001
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
sh);
}
return NULL;
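Review bot: the only change in this hunk is dropping the leading `int` type argument, i.e. going from the three-argument `max(type, a, b)` form to the two-argument `max(a, b)`; that is right for a kernel whose `max()` takes two operands and type-checks them, but it will break the build again against a tree that still has the three-argument macro, and if `right_end - i + sk` and `right_end + sh` are not of the same type the two-argument macro's type check warns. Suggest saying in step 7 which kernel version the fix targets, and using `max_t(int, right_end - i + sk, right_end + sh)` where that macro exists so the intended `int` comparison survives either form. Also note the mailer has wrapped both the `---`/`+++` header lines and the changed statement (`right_end + sh);` and `sh);` sit on their own lines), so the hunk has to be re-joined by hand before `patch` will apply it.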
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build a rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
files.
a) uncomment the last line in
/etc/rc.config.d/firewall2.rc.config:
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
iptables -I input_ext -p tcp --dport http -m string \
--string $forbidden_string -m state \
--state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. reboot
16. if you try now to access (from outside, of course) one of the
nimda or codered URLS, all you get is a 'connection reset by
peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
bye
[L]
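An added example (not part of the post above) for checking that the filter actually keeps the worm requests out of the logs: a small shell audit of an Apache access log for the three strings the rules match, reporting exact hits, hits that only match case-insensitively (assuming the Boyer-Moore search in the patched module compares bytes exactly, so those would not be reset), and the number of distinct sources; the log lines used in testing are constructed.

```shell
#!/bin/sh
# Audit an Apache access log for the strings the iptables rules reset on.
# Added example, not the post's code. Assumes common/combined log format
# (the request is the first double-quoted field) and that the kernel string
# match is byte-exact, so only the spelling in WORM_STRINGS is ever blocked.

WORM_STRINGS="root.exe cmd.exe .ida"

# Print "<client-ip> <matched-string> <request>" for each line the packet
# filter would also have matched. Anything printed while the rules are
# active means the request still reached Apache.
exact_hits() {
    awk -v pats="$WORM_STRINGS" '
      BEGIN { n = split(pats, p, " ") }
      {
        if (!match($0, /"[^"]*"/)) next
        req = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= n; i++)
          if (index(req, p[i])) { print $1, p[i], req; break }
      }' "$1"
}

# Print "<client-ip> <request>" for lines that match only when case is
# ignored: a byte-exact rule lets these through, so they still need review.
case_only_hits() {
    awk -v pats="$WORM_STRINGS" '
      BEGIN { n = split(pats, p, " ") }
      {
        if (!match($0, /"[^"]*"/)) next
        req = substr($0, RSTART + 1, RLENGTH - 2); lreq = tolower(req)
        hit = 0; ihit = 0
        for (i = 1; i <= n; i++) {
          if (index(req, p[i])) hit = 1
          if (index(lreq, p[i])) ihit = 1
        }
        if (ihit && !hit) print $1, req
      }' "$1"
}

# Number of distinct client addresses behind the exact hits.
worm_sources() {
    exact_hits "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

if [ -n "${1:-}" ]; then
    echo "exact hits:";     exact_hits "$1"
    echo "case-only hits:"; case_only_hits "$1"
    echo "sources: $(worm_sources "$1")"
fi
```

Run it as `sh audit.sh /var/log/httpd/access_log` before and after the rules are loaded; a non-empty "case-only" section shows requests that the byte-exact strings will never reset.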
Hello
I basically have a SuSE Samba server setup. Eth0 is for the internet
connection (cable). Eth1 is my internal network. I use eth1 for my Samba
server. When I have the shares/drive letters mapped, whatever, I'll go to
access them and that computer will just lock up or time out for about 1
minute, then it will resume operation normally. I have approx. 5 computers
on the SuSE server, and they all do this, from Windows XP to Windows 98SE. I
am using set-up addresses of 192.168.0.x, where x is greater than 2. My
question is: is there something I've set up wrong that causes this pause
to occur? It's becoming very annoying and frustrating. I'm using kernel
2.4.18-64GB-SMP with a dual processor setup. If anyone has any ideas please
let me know. Every package installed is the original version from the SuSE
install CD-ROMs (no updates done).
Anything come to mind? Btw, I've replaced the switch with a new Netgear one,
and all the network cards are StarTech ST100 (Realtek 8139 chipset) on 100TX.
Anyone...!
Hi there SuSErs...
Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working!
I have a small network with 5 PCs (all Win9X) and a Linux box (Currently SuSE 7.3) acting as a server. The server is a DHCP server and a Samba server for the entire network. So far everything is working perfect!!! Users log on the network, logon script executes etc....
Then a new task came up: let's input the internet into the network.
Configured a 56Kbps modem on the server with YAST. Managed to get my account set up and running. Made a test connection and Netscape works great on the server, as well as e-mail (pop3).
I tried configuring SuSEfirewall to manage all incoming requests from the PCs of the network. The firewall warned me about masquerading etc. so I downloaded the latest version of SuSEfirewall2 from the internet and installed it.
Since I only need direct masquerading to be done (no proxies are currently working on the net) I made all the necessary changes as outlined in the examples supplied with the software. Since I needed to have Samba to keep working on the network, I opened (among others) 139 port for samba to work.
Double checked all the changes that I have made and run rcSuSEfirewall2 to see what happens. Strange enough when wvdial executes it tells me that DNS is not functioning properly since www.suse.com cannot be found (or something like that please forgive me I am away from the Linux station now).
Further on, when I open mIRC or other like programs (winmx etc) from a station, I look at the activity of IPtraf (I check this to see what happens) and I see no connections being created whatsoever.... mIRC prompts me that there was an error trying to find the host....
I have made no changes to the Win9X PCs.
Is there something that I am forgetting to do?? I understand that it is impossible for all of you to react to this since I have not published the output of the SuSEfirewall.conf file in this message.... I understand.
Can someone please send me their configuration file so I can see what you have done, on a system that currently is working fine?? In addition, is there something that I have to do regarding route or routing??
What about the Win9X PCs?? Is there something that I have to do there??
I thank you so very much for all your help in advance!!!! I have been killing myself trying to figure this one out for about 2 weeks now and managed nothing more than thin air!!!!!
Chris
Hi Folks,
finally I managed to run a receiving sendmail with a dyndns domain
(using defaults, and webmin helps fine *g*)
Now my problem:
The last German LAN-Line contained a mail server test suite, which I
ran. While running the tests the suite sends tons of mails and my
mailbox overflowed (about 49 megs!). Fetching mails from the
tested account wasn't possible anymore.
Server answer:
Unable to copy mail spool file to temp dropbox
/var/mail/.gschiffer.pop: No space left on device (28)
I killed all the files which are connected with the account and
touched /var/spool/mail/gschiffer. It works again.
samba:/var/spool/mail # df -h /var/
Filesystem Size Used Avail Use% Mounted on
/dev/hdc2 164M 78M 86M 48% /var
samba:/var/spool/mail #
Does anyone of you have an idea about the default mailbox size, how I
can fix it to e.g. 10 megs, and how I can prevent mailbombing on
certain accounts?
Thanks for tips
CU
Guido
Somebody is exploiting a PHP mail script on my web server and uses it for
sending spam.
I don't have any formmail.pl or any other Perl-based scripts.
I host about 50 domains on this server with large amount of content. And can't
seem to find that script. All the scanners I found only check for vulnerable
perl scripts. If somebody knows of a good mail script scanner that checks php
please let me know.
Hi list:
Does somebody know where I can find documentation about
configuring a PIX firewall so that it allows SSH traffic? Sorry for the
question, but I am half desperate.
Ernesto
I tried these configs and having the aliases eth0:1 and eth0:2 only in
FW_DEV_DMZ and all I got was SuSE-FW-UNAUTHORIZED-TARGET and by adding eth0
in there as well got me SuSE-FW-DROP-SPOOF messages in my logfile. By
putting the aliases in FW_DEV_EXT, I obtained more progress in that I can
now see SuSE-FW-ACCEPT-TRUST inbound messages from my test machine (emulated
vendor) and destined for the ip address of the eth0:1 alias, but a complete
lack of the FW_FORWARD_MASQ operation happening. According to all the
examples I've looked at, it seems the first ip address in each line of
FW_FORWARD_MASQ must be the outside address coming in (i.e. my vendor who
wants to get to one of my internal pcanywhere hosts), and the second
address in each FW_FORWARD_MASQ line is the internal address of the
destination internal host. I guess what I need is a way to specify three ip
addresses for each forward_masq operation, first the originating source
address, secondly the external ip alias on the firewall, and thirdly the
interior ip address of the particular pcanywhere host something like:
vendor's ip address = x.y.z.123
external ip of eth0 = a.b.c.100
external ip of eth0:1 = a.b.c.101
external ip of eth0:2 = a.b.c.102
interior pcanywhere host 1 = 192.168.1.10
interior pcanywhere host 2 = 192.168.1.11
interior pcanywhere host 3 = 192.168.1.12
If only the FW_FORWARD_MASQ supported the concept of three addresses such
as:
source_ip,firewalls_external_ip,interior_destination_ip,protocol,portnumber
then I'd be really happy.
FW_FORWARD_MASQ = "x.y.z.123,a.b.c.100,192.168.1.10,tcp,5631 \
x.y.z.123,a.b.c.100,192.168.1.10,udp,5632 \
x.y.z.123,a.b.c.101,192.168.1.11,tcp,5631 \
x.y.z.123,a.b.c.101,192.168.1.11,udp,5632 \
x.y.z.123,a.b.c.102,192.168.1.12,tcp,5631 \
x.y.z.123,a.b.c.102,192.168.1.12,udp,5632"
but alas, it only supports two ip addresses of originating source and final
internal destination like:
FW_FORWARD_MASQ = "x.y.z.123,192.168.1.10,tcp,5631 \
x.y.z.123,192.168.1.10,udp,5632"
and putting the external firewall address in the first part, doesn't work
If anyone has any other ideas of making such a scenario work, I'd sure
appreciate the help, otherwise I guess I'm going to go back to the single
external ip on the firewall with alternate port numbers for my various
interior pcanywhere hosts and just tell my vendor that his poor little
childish support staff are just going to have to learn how to deal with
using alternate ports in their pca remotes, that this is all I can support
on my end and if he wants to continue to get my business he'll have to do
things my way.
-----Original Message-----
From: Togan Muftuoglu
Sent: Tuesday, November 26, 2002 5:37 PM
To: Suse-Security
Subject: Re: [suse-security] SuSEfirewall2: external ip aliases with
forward / masq?
* Howard, Neal; <nhoward(a)cwftx.net> on 26 Nov, 2002 wrote:
>I'll try it out tomorrow, it's been a long day here in Texas too and my
>brain hurts right now!
I know the feeling :-)
>
>I'm guessing I should use the external ip aliases in the first part of
>each stanza of FW_FORWARD_MASQ instead of putting the vendor's ip address
>in that place like I was doing?
Now although I said
>
>FW_DEV_EXT="eth0 eth0:1 eth0:2"
It's better to have the aliases eth0:1 and eth0:2 in FW_DEV_DMZ and then
FW_FORWARD_MASQ them for the vendor this way it should be both secure
and doable (cross your fingers)
--
Togan Muftuoglu
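As an added example (not SuSEfirewall2's code, and not from either message above), here is what the wished-for three-address FW_FORWARD_MASQ form works out to as plain iptables rules suitable for the FW_CUSTOMRULES hook; it assumes eth0 is the external device, that the port is kept unchanged on the inside host, and that the firewall's own state rules carry the replies back out, with the placeholder addresses taken from the post.

```shell
#!/bin/sh
# Emit the iptables rules a three-address FW_FORWARD_MASQ would produce, for
# the FW_CUSTOMRULES hook. Added example, not SuSEfirewall2 code. Assumes eth0
# is the external device, the forwarded port is kept on the inside host, and
# SuSEfirewall2's own state rules carry the reply traffic back out.

EXT_DEV=eth0

# source_ip,firewalls_external_ip,interior_destination_ip,protocol,port
# (placeholder addresses from the post)
FORWARD_TABLE="x.y.z.123,a.b.c.100,192.168.1.10,tcp,5631
x.y.z.123,a.b.c.100,192.168.1.10,udp,5632
x.y.z.123,a.b.c.101,192.168.1.11,tcp,5631
x.y.z.123,a.b.c.101,192.168.1.11,udp,5632
x.y.z.123,a.b.c.102,192.168.1.12,tcp,5631
x.y.z.123,a.b.c.102,192.168.1.12,udp,5632"

# Print (do not run) one DNAT rule plus one FORWARD accept per table line.
# Matching both -s (the vendor) and -d (one alias) is what keeps a forward
# from being reachable from anywhere else on the Internet.
gen_forward_rules() {
    printf '%s\n' "$FORWARD_TABLE" | while IFS=, read -r src ext dst proto port; do
        [ -n "$src" ] || continue
        echo "iptables -t nat -A PREROUTING -i $EXT_DEV -s $src -d $ext -p $proto --dport $port -j DNAT --to-destination $dst:$port"
        echo "iptables -A FORWARD -i $EXT_DEV -s $src -d $dst -p $proto --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
}

# Refuse tables where two lines claim the same alias/protocol/port: the
# second DNAT rule would never see a packet.
check_table() {
    printf '%s\n' "$FORWARD_TABLE" | awk -F, '
        NF == 5 { key = $2 "/" $4 "/" $5; if (seen[key]++) { print "duplicate: " key; bad = 1 } }
        END { exit (bad ? 1 : 0) }'
}

case "${1:-}" in
    --check) check_table ;;
    --print) gen_forward_rules ;;
esac
```

Run `sh fwd.sh --check && sh fwd.sh --print | sh` from the custom-rules function once the table is right.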
Hi list!
This could be slightly off-topic, but isn't data corruption security
related?
SuSE 8.1 was delivered with e2fsprogs-1.28, which has a "fencepost
error" (???) which could cause directory corruption.
Please read the following mail extracted from linux-kernel mailing list:
======================================================================
On Tue, Nov 26, 2002 at 10:55:10AM -0500, Clemmitt Sigler wrote:
> The e2fsck run seemed to me to go normally. It reported that it
> optimized some directories, but this has happened on other auto-fscks
> of my ext3 filesystems without corruption under earlier kernels.
> (This
> is the first corruption I've seen in many, many years.) But I didn't
> capture the messages :^( and they don't get written into
> /var/log/messages (that I could find).
Ah, ha. I think I know what happened.
What version of e2fsprogs were you using? If it was 1.28, that would
explain what you saw. There was a fencepost error that could corrupt
directories when it was optimizing/rehashing them. This bug was fixed
in in the next version, which was rushed out the door as a result of
this bug. Fortunately, 1.28 didn't get adopted by any distro's as far
as I know, and not that many people downloaded and compiled e2fsprogs
1.28.
If you're not using the latest version of e2fsprogs, which is
e2fsprogs 1.32, I'd strongly suggest updating to it. Version 1.28 is
just *so* three months ago. :-)
- Ted
P.S. If you do have a directory which is corrupted by e2fsck 1.28, no
data is lost; it just created a directory entry which is too small, so
it triggers the sanity checks in the kernel. Running e2fsck version
1.29 or later will unbork the directory.
======================================================================
--
Richard Ems
... e-mail: r.ems(a)gmx.net
... Computer Science, University of Hamburg
Unix IS user friendly. It's just selective about who its friends are.
Hi Andreas, hi Gert,
now it works! I don't know exactly what the problem was, but I've now
included only these rules for every mailserver:
$IPTABLES -I INPUT 1 -p TCP -s $ms --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -I FORWARD 1 -p TCP -s $ms --dport 113 -j REJECT --reject-with tcp-reset
and now I can send mail instantly, no DENYs any more.
Without the --reject-with it did not work though; looks like Gert was
right: packets without a reject type seem to be just dropped, although
iptables -L -v said something else.
Thank you very much for your help!
Best regards,
Ralf
Andreas Baetz wrote:
| On Wednesday 27 November 2002 18:34, Ralf Ronneburger wrote:
|
|>Hi Andreas,
|>
|>Andreas Baetz wrote:
|>
|>>You could try more general rules like
|>>iptables -I INPUT 1 -p TCP --dport 113 -j REJECT
|>>iptables -I INPUT 1 -p TCP --dport 113 -j LOG --log-prefix " Input identd"
|>>iptables -I FORWARD 1 -p TCP --dport 113 -j REJECT
|>>iptables -I FORWARD 1 -p TCP --dport 113 -j LOG --log-prefix " Forward identd"
|>>
|>>In this case the first 2 rules should be
|>>1. Logging
|>>2. Rejecting
|>>anything that goes to port 113
|>
|>Thanks for your help. But now it becomes even more strange: First I get
|>two log entries for dropped packets, then I get two log entries for
|>rejected packets. But they look very much the same to me:
|>
|>
|>Nov 27 18:25:29 internet kernel: DROP-TCP IN=ppp0 OUT= MAC=
|>SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52
|>ID=32011 PROTO=TCP SPT=1953 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
|>
|>Nov 27 18:28:15 internet kernel: Input identd IN=ppp0 OUT= MAC=
|>SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52
|>ID=36212 PROTO=TCP SPT=1991 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
|>
|
| You could check the following:
| What happens if you comment out the actual REJECT Rule, leaving only
| the LOG Rule in place ? Does one packet get logged twice ?
| Do you have the netfilter code compiled as modules or into the kernel? Maybe
| not all modules are loaded the first time?
|
| Andreas
|
|
--
------------------------------------------------------------
Ralf Ronneburger
ralf(a)ronneburger.de
Prefers to receive encrypted Mail, download public-key from
http://www.ronneburger.de/gpg/ralf_ronneburger.asc
------------------------------------------------------------
Hello,
I'm having some trouble with a mailserver outside when I send mail
through my firewall. The mailserver wants to connect to port 113 on my
box, which is closed, so the connection times out and sending mail seems
to last endlessly. That's why I've added these 2 rules to my
firewall-script:
$IPTABLES -A INPUT -i $EXT -p TCP -s $ms --dport 113 -j REJECT
$IPTABLES -A FORWARD -i $EXT -p TCP -s $ms --dport 113 -j REJECT
where $EXT is my external device and $ms is the mailserver.
But still I get entries like these in my logs:
Nov 26 20:26:52 internet kernel: DROP-TCP IN=ppp0 OUT= MAC=
SRC=<Mailserver-IP> DST=<my external IP> LEN=44 TOS=0x00 PREC=0x00
TTL=52 ID=38856 PROTO=TCP SPT=3672 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
which means that the last rule (reject everything) catches those requests.
What do the rules have to look like to reject identd?
Thanks in advance,
Ralf Ronneburger