Hi all,
here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
Parts used:
- SuSE 7.2 Professional
- SuSEfirewall2
- iptables 1.2.3
- linux kernel 2.4.13-pre5
steps:
1. install kernel sources for a kernel >> 2.4.9; running 2.4.13-pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
http://netfilter.samba.org
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch)patch
for this you'll want the string patch.
You can also apply other patches, like the irc-conntrack patch.
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
00:16:29 2001
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
16:54:45 2001
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
sh);
}
return NULL;
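Review bot: as pasted, this patch will not apply with patch(1): both file-header lines and both changed lines are wrapped onto a second line (the dangling `right_end + sh);` and `sh);` fragments), so the header and the `-`/`+` lines must each be re-joined onto one line before running patch. The change itself is the right fix for the kernel this post builds against (>> 2.4.9): it drops the leading type argument so the call matches the two-argument max() macro. That two-argument macro type-checks its operands, so if the build still fails here, confirm that right_end, sk and sh are declared with the same type.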
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build an rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
files.
a) uncomment the last line in
/etc/rc.config.d/firewall2.rc.config:
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
b) edit that file, I got the following stuff in mine:
# reset any established HTTP connection whose payload carries a worm signature
for forbidden_string in root.exe cmd.exe .ida; do
    iptables -I input_ext -p tcp --dport http -m string \
        --string "$forbidden_string" -m state \
        --state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. reboot
16. if you try now to access (from outside, of course) one of the
nimda or codered URLs, all you get is a 'connection reset by
peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
bye
[L]
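Added example, not code from the post or from the netfilter project: a textbook Boyer-Moore search in C of the kind the hunk's skip/shift tables and right_end suggest, run over a constructed HTTP request for one of the signature strings the step 13 rule blocks. It shows why the scan needs the larger of two candidate shifts, which is what the max() line the patch fixes computes; the request text and the MAXPAT limit are assumptions of this example.

```c
#include <limits.h>
#include <string.h>

#define ASIZE  (UCHAR_MAX + 1)   /* one skip entry per possible payload byte */
#define MAXPAT 64                /* longest pattern this example accepts */
/* suff[i]: length of the longest suffix of x[0..i] that is also a suffix of x. */
static void suffixes(const unsigned char *x, int m, int *suff) {
    int f = 0, g = m - 1;
    suff[m - 1] = m;
    for (int i = m - 2; i >= 0; i--) {
        if (i > g && suff[i + m - 1 - f] < i - g) { suff[i] = suff[i + m - 1 - f]; continue; }
        if (i < g) g = i;
        f = i;
        while (g >= 0 && x[g] == x[g + m - 1 - f]) g--;
        suff[i] = f - g;
    }
}

/* Good-suffix table: gs[i] is a safe shift after a mismatch at pattern index i. */
static void good_suffix(const unsigned char *x, int m, int *gs) {
    int suff[MAXPAT], j = 0;
    suffixes(x, m, suff);
    for (int i = 0; i < m; i++) gs[i] = m;
    for (int i = m - 1; i >= 0; i--)
        if (suff[i] == i + 1)
            for (; j < m - 1 - i; j++)
                if (gs[j] == m) gs[j] = m - 1 - i;
    for (int i = 0; i <= m - 2; i++) gs[m - 1 - suff[i]] = m - 1 - i;
}

/* Offset of the first occurrence of needle in haystack, or -1 if absent.
 * The window is compared right to left; on a mismatch the bad-character shift (sk)
 * and the good-suffix shift (sh) are both computed and the larger one is taken. */
int bm_search(const unsigned char *needle, int m, const unsigned char *haystack, int n) {
    int bc[ASIZE], gs[MAXPAT];
    if (m <= 0 || m > MAXPAT || m > n) return -1;
    /* bad-character table: distance from the rightmost occurrence of a byte to the pattern end */
    for (int c = 0; c < ASIZE; c++) bc[c] = m;
    for (int i = 0; i < m - 1; i++) bc[needle[i]] = m - 1 - i;
    good_suffix(needle, m, gs);
    for (int j = 0; j <= n - m;) {
        int i = m - 1;
        while (i >= 0 && needle[i] == haystack[i + j]) i--;
        if (i < 0) return j;                                  /* full match starts at j */
        int sk = bc[haystack[i + j]] - (m - 1 - i), sh = gs[i]; /* sk may be <= 0 */
        j += sk > sh ? sk : sh;
    }
    return -1;
}
```

With a constructed request "GET /path/cmd.exe HTTP/1.0" the search returns 10, the offset of cmd.exe; a payload without any of the three strings returns -1 and the rule would leave the connection alone.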
Hello
I have basically a suse samba server setup. Eth0 is for the internet
connection (cable). Eth1 is my internal network. I use eth1 for my samba
server. When I have the shares/drive letters mapped, whatever, I'll go to
access them and that computer will just lock up or time out for about 1
minute, then it will resume operation normally. I have approx. 5 computers
on the suse server, and they all do this from windows xp to windows 98se. I
am using set up addresses of 192.168.0.x, where x is greater than 2. My
question is have or is there something I've setup wrong to cause this pause
to occur? It's becoming very annoying..and frustrating. I'm using kernel
2.4.18-64GB-SMP with a dual processor setup. If anyone has any ideas please
let me know. Every package installed is original versions from the suse
install cdroms. (no updates done).
Anything come to mind? btw, I've replaced the switch, with a new netgear one,
and all the network cards are Startech ST100 Realtek 8139 chipsets on 100Tx.
Anyone... !
Hi there SuSErs...
Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working!
I have a small network with 5 PCs (all Win9X) and a Linux box (Currently SuSE 7.3) acting as a server. The server is a DHCP server and a Samba server for the entire network. So far everything is working perfect!!! Users log on the network, logon script executes etc....
Then a new task came up: let's input the internet into the network.
Configured a 56Kbps modem on the server with YAST. Managed to get my account setup and running. Made a test connection and netscape works great on the server as well as e-mail (pop3).
I tried configuring SuSEfirewall to manage all incoming requests from the PCs of the network. The firewall warned me about masquerading etc. so I downloaded the latest version of SuSEfirewall2 from the internet and installed it.
Since I only need direct masquerading to be done (no proxies are currently working on the net) I made all the necessary changes as outlined in the examples supplied with the software. Since I needed to have Samba to keep working on the network, I opened (among others) 139 port for samba to work.
Double checked all the changes that I have made and run rcSuSEfirewall2 to see what happens. Strange enough when wvdial executes it tells me that DNS is not functioning properly since www.suse.com cannot be found (or something like that please forgive me I am away from the Linux station now).
Further on, when I open mIRC or other like programs (winmx etc) from a station, I look at the activity of IPtraf (I check this to see what happens) and I see no connections being created whatsoever.... mIRC prompts me that there was an error trying to find the host....
I have made no changes to the Win9X PCs.
Is there something that I am forgetting to do?? I understand that it is impossible for all of you to react to this since I have no output of the SuSEfirewall.conf file being published to this message.... I understand.
Can someone please send me their configuration file so I can see what you have done, on a system that currently is working fine?? In addition, is there something that I have to do regarding route or routing??
What about the Win9X PCs?? Is there something that I have to do there??
I thank you so very much for all your help in advance!!!! I am killing myself trying to figure this one out for about 2 weeks now and managed nothing more than thin air!!!!!
Chris
Hi!
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the
authorized public key lists (in this case there is no need for username and password)?
In the second case there is no need of authentication and only the users which have the public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
Thanks.
--
Farewell.
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
João Reis
-------------------------------------------------------
Morning!
Since some days I get Returned Mails from unknown mail-users which seems
that someone is spamming from our machine.
But when I analyze the header of the original mail I find a line:
>> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) <<
Although the IP of scc.co.at is 193.81.182.39
The IP 210.97.42.1 will change permanently when reading other
similar mails.
My questions:
1) Is it possible that someone broke into our machine and sent this
mail directly over scc.co.at?
2) What can I do to stop those spammers ...
ThanX
Martin
The header file of the original Message
---------------------------------------------------------------
X-Track: 92154: 2
X-Rocket-Spam: 210.97.42.1
X-YahooFilteredBulk: 210.97.42.1
Return-Path: <rjnr3245i37(a)scc.co.at>
Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1)
by mta514.mail.yahoo.com with SMTP; 28 Feb 2002 15:32:36 -0800 (PST)
Reply-To: <rjnr3245i37(a)scc.co.at>
Message-ID: <001a07e37abc$2777d8d5$6ce83be4@lplwmr>
From: <rjnr3245i37(a)scc.co.at>
To: <doctorbutcher(a)yahoo.com>
---------------------------------------------------------------
-----------------------------------------------------------------
Dipl.-Ing. Martin Schichl
SC&C Software, Communication & Consulting GmbH & Co KEG
Grottenhofstr. 3, A-8053 Graz
Tel. +43/(0)316/265-205, Fax +43/(0)316/265-234
mschichl(a)scc.co.at, http://scc.co.at
Hi all,
I am trying to set up VPN masquerading, for a Windows box,
and just wondered if there was an easy way to do this, using just the
firewall.rc.config script, or do both that plus the custom config
script have to be used?
I have seen the VPN how-to, however just wondered about how to apply
this with SuSE's scripts.
Thanks for any suggestions,
(PS if there is someone familiar with setting up VPN on the SuSE box
itself, I would be very interested as well..., of course)
-
Cheers,
Joost
> I have modified the SuSEfirewall2 Script (Version 2.1) for better
> support of FreeSWAN/IPSEC.
Nice idea.
> Any comments/suggestions/feedback?
Two questions:
Is it possible to use more than one IPSEC device? E.g.
FW_DEV_IPSEC="ipsec0 ipsec1"
and: Can I use more than one remote network? E.g.
FW_IPSEC_REMOTENET="192.168.3.0/24 192.168.4.0/24"
Robert
Hi,
I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter
malicious stuff like all windows executables. For MIME encoded headers I had no problem, this works
fine. But if the header is uuencode, the attachment is only visible in the e-mail's body. I tried a
regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks which should filter all
*.bat|and so on. But nothing at all happens. Mails go through as if there wasn't an obstacle.
If there is some postfix & regexp pro on this list, please tell me what I am doing wrong.
Thanx,
Philipp
On 5th March an Apache security update appeared on SuSE's web site (e.g.
the 7.2 version in
http://www.suse.de/en/support/download/updates/72_i386.html ). But this
seems to be impossible to install if you also have jserv installed:
# rpm -q -p apache.rpm
apache-1.3.19-114
# rpm -Fhv apache.rpm
error: failed dependencies:
apache = 1.3.19-66 is needed by jserv-1.1.2-156
I can't find a newer version of jserv.
I had problems with the 7.1 and 7.3 versions too, but managed to get round
them by erasing software I didn't need.
Can this update be safely forced?
Regards,
Bob
==============================================================
Bob Vickers R.Vickers(a)cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Hi,
after having updated the openssh package on a SuSE Linux 7.1
system, sshd says:
"Disabling protocol version 2. Could not load host key"
Deleting /etc/ssh/ssh_host_key and letting the start script
regenerate it does not seem to help.
What's wrong?
Thanks,
Robert
--
Where do you want to be tomorrow?
Entracom. Building Linux systems.
http://www.entracom.de