Hi,
> is ssh active on port 10022?
> check your /etc/ssh/sshd_conf
>
> normally it's port 22
Yes, it is running at port 10022
and listenAddress is 0.0.0.0
that should be ok and I can connect if the firewall is down.
> On Wednesday, 27 March 2002 07:19 you wrote:
> > Hello list,
> >
> > I cannot connect to our network from at home. I always get the error
> > message: Connection refused at port 10022. The sshd doesn't log anything
> > in /var/log/messages and the firewall script is also empty. Without the
> > active firewall I can login without any problems. We are running SuSE Linux
> > 7.3. Has anyone an idea what is wrong with our firewall script?
> >
> > Any hint is welcome.
Hi list,
seems I have a little problem there. On a SuSE 6.4 system (kernel
2.2.19) that I am administering which is running mainly as a mailserver
(smtp & pop3) I recently updated libz by fetching the sources from
ftp.suse.com and doing a rpm -bb libz... and then rpm -Uhv libz...
Anyway, for remote administration I use ssh (latest version available
for 6.4) and access is restricted via /etc/hosts.deny. Also protocol
version 1 is disabled.
The next time (after I updated libz) I could not log in anymore, this
is what I get when I try to connect from any of the allowed IP addresses:
ssh_exchange_identification: Connection closed by remote host
Could it be that the newly installed libz is the reason? I have checked
with ldd /usr/sbin/sshd and it tells me on all my other systems
that it's linked against /usr/lib/libz.so.1
So now the big question: can the libz update really be the reason or
is it more likely that I messed something else up that I can't remember?
Or in other words: do I have to drive ~ 550 kilometers to fix that
server or is there any other way to be able to log in again :-)
Thanks in advance for all your help!
Erwin
--
Erwin Zierler | web- / host- / postmaster - stubainet.at
| erwin.zierler(a)stubainet.at / webmaster(a)stubainet.at
| Tel.: 0 5225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
Hello suse-security,
maybe you can help me out with some information regarding this
message:
Sonntag, 31. März 2002 14:03:45 192.168.0.3 logged out
* DOD:TCP trigger from 192.168.0.3:1368 to 80.237.252.241:80
-> (router D-Link, message Log)
As I logged out from my router I received this message in my log-file.
"trigger from 192.168.0.3:1368 to 80.237.252.241:80"
Does somebody know what this means? Does this eventually mean that a
software on 192.168.0.3 is sending information to 80.237.252.241 port
80 when I log out? If yes, how can I locate this software? Has it
something to do with the screen-sharing software ScreenCast?
Sonntag, 31. März 2002 14:55:08 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 14:55:11 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 14:55:17 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 14:55:29 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 14:55:53 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 14:56:41 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 14:58:17 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 15:00:17 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 15:02:17 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 15:04:17 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 15:06:17 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
Sonntag, 31. März 2002 15:08:17 Unrecognized access from 216.15.168.66:3420 to TCP port 1368
thx
bd
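Added example, not part of the original post: a short Python check that groups the "Unrecognized access" lines quoted above by source and port and measures the gaps between them. The timestamps and endpoints are copied from the post; the function names are made up for this example. Gaps that double and then hold at a fixed value are consistent with one remote host retransmitting for a single connection rather than probing different ports.

```python
import re
from collections import defaultdict

# Times copied from the router log in the post; all entries share one source and port.
TIMES = ["14:55:08", "14:55:11", "14:55:17", "14:55:29", "14:55:53", "14:56:41",
         "14:58:17", "15:00:17", "15:02:17", "15:04:17", "15:06:17", "15:08:17"]
LOG = [f"Sonntag, 31. März 2002 {t} Unrecognized access from "
       "216.15.168.66:3420 to TCP port 1368" for t in TIMES]

LINE = re.compile(r"(\d\d):(\d\d):(\d\d) Unrecognized access from "
                  r"(\d+\.\d+\.\d+\.\d+):(\d+) to TCP port (\d+)")

def flows(lines):
    """Map (src ip, src port, dst port) -> hit times in seconds since midnight."""
    out = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if m:
            h, mi, s, ip, sport, dport = m.groups()
            out[(ip, int(sport), int(dport))].append(
                int(h) * 3600 + int(mi) * 60 + int(s))
    return out

def gaps(times):
    """Seconds between consecutive hits (same-day entries assumed)."""
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]

def looks_like_backoff(deltas):
    """True if the gaps double at least twice and then stay at the largest gap."""
    if len(deltas) < 3:
        return False
    cap, doublings, capped = max(deltas), 0, False
    for prev, cur in zip(deltas, deltas[1:]):
        if not capped and abs(cur - 2 * prev) <= 0.25 * prev:
            doublings += 1            # gap roughly doubled
        elif cur == cap and 2 * prev >= cap:
            capped = True             # timer reached its ceiling
        else:
            return False              # irregular spacing
    return doublings >= 2

if __name__ == "__main__":
    for key, times in flows(LOG).items():
        d = gaps(times)
        print(key, d, "backoff" if looks_like_backoff(d) else "irregular")
```

A source that hits many different destination ports, or whose gaps are irregular, would not match this pattern and deserves a closer look.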
Hi
I have a connection problem, when running Firewall2.
I have the Suse 7.2 distribution. I updated to Kernel
2.4.16.
I then dl Firewall2 as rpm from the Suse site and
installed it. After that I deinstalled Firewall1 and
Personal Firewall.
Since I could not get a connection with the T-DSL line
I unloaded Firewall2 and let Firewall2 run in test
mode. With a primitive IPTables script (mainly
ipforwarding and masquerading) I started the pppoed
again and I get the following message from the
/var/log/firewall.
Mar 27 13:32:39 linux kernel: SuSE-FW-UNALLOWED-TARGET
IN=ppp0 OUT= MAC= SRC=62.41.113.136 DST=217.1.132.119
LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=19021 DF PROTO=TCP
SPT=80 DPT=1081 WINDOW=31900 RES=0x00 ACK URGP=0 OPT
(0101080A032AB4AF00024C5E
Actually, the above is all in one line.
I include my firewall2 config file below, where I
basically tried to allow everything.
Thank you for any help
Thomas
firewall2-configuration file:
2 network cards on Linux router. local net is
192.168.10.xx
FW_DEV_EXT="ppp0 eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.10.0/24,0/0,tcp,1:65535 \
192.168.10.0/24,0/0,udp,1:65535"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="1:65535" # Common: smtp domain
FW_SERVICES_EXT_UDP="1:65535" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="1:65535" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="1:65535" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="0/0,0/0,tcp,1:65535 0/0,0/0,udp,1:65535"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INTERNET="yes"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#
#
# EXPERT OPTIONS - all others please don't change these! #
#
#
#-------------------------------------------------------------------------#
#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
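Added example, not part of the original post: a small Python parser for the firewall log entry quoted in the message above, rejoined into the single line it was logged as. The function names and the wording of the summary are made up for this example; the entry itself, including its cut-off OPT field, is taken from the post.

```python
# The log entry from the post, rejoined into one line (OPT is cut off in the post).
ENTRY = ("Mar 27 13:32:39 linux kernel: SuSE-FW-UNALLOWED-TARGET "
         "IN=ppp0 OUT= MAC= SRC=62.41.113.136 DST=217.1.132.119 "
         "LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=19021 DF PROTO=TCP "
         "SPT=80 DPT=1081 WINDOW=31900 RES=0x00 ACK URGP=0 OPT "
         "(0101080A032AB4AF00024C5E")

BARE_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE", "DF"}

def parse_entry(line):
    """Split a netfilter LOG line into prefix, KEY=value fields and bare flags."""
    _, sep, body = line.partition("kernel: ")
    tokens = (body if sep else line).split()
    rec = {"prefix": tokens[0], "flags": set()}
    for tok in tokens[1:]:
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val                 # empty values (OUT=, MAC=) are kept
        elif tok in BARE_FLAGS:
            rec["flags"].add(tok)
        # anything else (OPT and its truncated hex blob) is ignored
    return rec

def describe(rec):
    """Summarise which path logged the packet and what kind of segment it is."""
    # In a LOG entry from the FORWARD chain both IN= and OUT= are filled in;
    # an empty OUT= means the packet was logged on the input path.
    path = "input" if rec.get("OUT", "") == "" else "forward"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        segment = "new connection attempt"
    elif "ACK" in flags and "SYN" not in flags:
        segment = "segment of an existing connection"
    else:
        segment = "other"
    return {"path": path, "segment": segment,
            "from": f'{rec["SRC"]}:{rec["SPT"]}',
            "to": f'{rec["DST"]}:{rec["DPT"]}'}

if __name__ == "__main__":
    print(describe(parse_entry(ENTRY)))
```

For this entry the summary shows an ACK-only segment from port 80 of the remote host, logged on the input path of ppp0: return traffic of a web connection rather than an inbound connection attempt.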
Hi
Thanks again to Robert and all the others for helping to solve my problem with Firewall2.
Since Firewall2 works, the dial on demand does not work anymore for the LAN (trusted, local). It still works for the router with the Firewall2, but the local LAN cannot activate the dial-in for the T-DSL connection even though the pppoed is running.
Hope someone can help
Thanks
Thomas
I have an old Pentium 166 w/2 3com network cards running Linux mandrake 8.1.
Eth0 is hooked up to my cable modem and during install of SUSE I load the
network modules and they load up fine, then I tell the install that eth0 is
dhcp and I get a bootp timeout so I can't run the install past that point.
Any ideas on getting this to work?
Brian Smith
Network Applications
Volaris Online
Hello list!
As I did not like the SuSE online update very much, I wrote something on
my own: fou4s - Fast Online Update for SuSE
Features:
=========
* Tested with 7.1, 7.2 and 7.3 (automatic release detection)
* Gets the package descriptions from ftp server (currently hardcoded to
ftp.gwdg.de, but you can change this in the script). This is on demand
only and not every time. Only changed/new package descriptions are
actually downloaded.
* Compares downloaded description files with installed RPMs and prints
differences
* Support for external http URLs (e.g. NVidia drivers)
* Downloads and installs the RPMs using wget (with continue option -
aborted downloads will be resumed)
* Everything except real upgrade can be done as normal user.
Bugs/Missing features:
======================
* Does not verify GPG signature (sorry, I forgot and it is too late today)
This will be in the next version.
* Package descriptions can't be downloaded with set ftp_proxy (is unset
automatically)
* User has to call SuSEconfig manually after update
* No selection - you have to get all patches or none (workaround: do as
normal user and put "su -c" in front of the rpm command - then enter
a wrong password for the packages you don't want)
* Update descriptions are very ugly - The text in the package descriptions
is so badly formatted, that I would have to do some pretty printing to
make it user-friendly readable.
* Package description update tries to get update/patches/* and
update/patches.cont/* - the patches.cont directory does not exist for
every distribution version (e.g. 7.1), but for others it contains most
of the packages (7.3)
You will therefore get a harmless error during package list retrieval.
Screenshot
==========
markus@phoenix:~/fou4s-0.0.1> ./fou4s
fou4s v0.0.1 (c) 2002 Markus Gaugusch [markus(a)gaugusch.at]
usage:
fou4s [options]
options:
update Get new package list from FTP server and exit
upgrade Compare package list with RPM db and get/install packages
donothing Compare package list with RPM db and do nothing else
(for testing)
-v Verbose mode
The options "update" and "upgrade" are borrowed from apt-get, therefore
the unusual style without leading dash.
Download
========
You can get it at http://www.gaugusch.at/linux/fou4s-0.0.1.tar.bz2
Quick Start
===========
tar xIvf fou4s-0.0.1.tar.bz2
cd fou4s-0.0.1
./fou4s update
./fou4s donothing -v
./fou4s donothing # (to get a more readable output)
./fou4s upgrade # (cross your fingers, if you are root ;)
Try as non-root first, if you are unsure what happens. Package comparison
takes its time!! Be patient. On my machine it takes about 35 seconds to
check all packages (without any downloads).
Notes to SuSE People
====================
One thing I found out while hacking this: The openssh package description
contains the wrong version number. On FTP server there is 2.9.9p2-98, but
in description file there is 2.91.9p2-98. This will lead to an update
every time, but I can't do anything against this :(
I also noticed, that my machines did not have several updates, although
the release number in the description file was higher... strange, isn't
it?
regards,
Markus Gaugusch
--
_____________________________ /"\
Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign
markus(a)gaugusch.at X Against HTML Mail
/ \
Hi all,
Okay, this is somewhat security related. I have a couple of questions.
First, I have a need to monitor users for idle time and log out anyone
who is away from the system after a set period of time (say 30 minutes).
I thought of using idled, but it appears that idled must be able to see
the listing from "w" or some command like that to check a user's idle
time. So, my setup is SuSE v7.3 using GNOME and GDM. However, the
Session scripts that call sessreg do not seem to get the Xsessions to
log to wtmp. Will idled still work properly? Is there better
documentation than that provided in /usr/share/doc/packages/idled? Or,
does anyone have a suggestion on how I can monitor Xsessions and
subsequently log out sessions that have been idle too long? One caveat
that may, or may not, affect this is that I am running the Xsessions on
an ltsp setup. So, the workstations are diskless Xclients. However, I do
w on the server, and see nothing. I did test this on a SuSE v7.3 box
that is not diskless, and got the same result: a blank listing in "w"
for the currently running (logged in) XWindows session on tty7. So,
suggestions?
The second question has to do with iptables and transparent
proxying with Squid. I have followed the directions at squid-cache.org
and from the netfilter mailing list, but I cannot get things to work.
When a browser is told to use a proxy, what do the packets coming from
it really look like in the headers? Are the packets addressed to the
squid box's address at port 3128 (or whatever port you run squid on), or
are they pointed at the external address? I think it goes to the
internal squid box address with the packet payload containing the actual
desired system's URL. So, once the squid/iptables box receives the
packet, how does it handle sending it out to the outside server via
squid? Does this request originate from the squid box's loopback
address, or from its external address? Obviously I'm still quite
confused by how things work. Thanks for any help.
geoffrey
--
*******************************************
This space intentionally left non-blank
*******************************************
Hi all,
I am running an OpenSSH server version 2.9p2. I generated a keypair
with puttygen and put the public key on my server. Now I want to
use winscp2 for file transfer, but the problem is that winscp2
does not accept the key passphrase. With putty I can connect to my
server. Here is a part of the winscp2 log:
Initialised triple-DES client->server encryption
. Initialised triple-DES server->client encryption
! Access denied
. Authentication refused
! Access denied
. Authentication refused
! Access denied
. Authentication refused
! Access denied
. Authentication refused
! Access denied
. Authentication refused
! Access denied
. Authentication refused
! Access denied
. Authentication refused
! Access denied
. Authentication refused
* (ESshFatal) Not connected!
Can anybody help me?
Best regards,
--
Timo Dotzauer
Systemadministration
inovex GmbH
Karlsruher Straße 71
D-75179 Pforzheim
Tel: +49-(0)72 31 - 31 91 79
Fax: +49-(0)72 31 - 31 91 91
mailto:t.dotzauer@inovex.de
http://www.inovex.de
Hi
I just wanted to mention something else.
Does it make a difference whether the firewall2 is run
from the user ROOT or any other user?
I would think not, but.....
Thank you
Thomas