Hi all,
here's a bit of a step-by-step description on how to keep Nimda
and Code Red from filling your Apache logs.
Parts used:
- SuSE 7.2 Professional
- SuSEfirewall2
- iptables 1.2.3
- linux kernel 2.4.13-pre5
steps:
1. install kernel sources for a kernel >> 2.4.9, running 2.4.13-pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
http://netfilter.samba.org
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply the patches you want by running ./runme $(name.of.patch)patch;
for this, you'll want the string patch.
You can also apply other patches, like the irc-conntrack patch
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
00:16:29 2001
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
16:54:45 2001
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
sh);
}
return NULL;
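Review bot: the replacement of `max(int, right_end - i + sk, right_end + sh)` by the two-argument `max(right_end - i + sk, right_end + sh)` ties ipt_string.c to kernels whose max() macro takes two operands; on a kernel where max() still expects the type as its first argument the original line was the correct one and this patched file will not build. Since the post only says "a kernel >> 2.4.9" in step 1, state the kernel dependency next to the diff, or wrap the two forms in a kernel-version check if the patch has to build on both.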
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build an rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
files.
a) uncomment the last line in
/etc/rc.config.d/firewall2.rc.config:
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
b) edit that file, I got the following stuff in mine:
# reject packets on already established connections to the web server
# whose payload contains one of the worm request strings
for forbidden_string in root.exe cmd.exe .ida; do
iptables -I input_ext -p tcp --dport http -m string \
--string $forbidden_string -m state \
--state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. reboot
16. if you try now to access (from outside, of course) one of the
Nimda or Code Red URLs, all you get is a 'connection reset by
peer', and the request doesn't show in the Apache log files.
btw, no guarantees, and the usual YMMV :)
bye
[L]
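To see what the rule above actually matches, here is the same substring test run over a few Apache access-log lines. This is an added example, not code from the original post: the log lines and client addresses are constructed, and the last line is a legitimate request whose path merely contains ".ida", to show that the filter is a plain substring match.

```python
"""Scan Apache access-log lines for the request strings that the iptables
string-match rule in the post (root.exe, cmd.exe, .ida) would reject.

Added example, not code from the original post. The log lines below are
constructed; the client addresses are made up.
"""
import re

# The same substrings as the forbidden_string loop in the post. ipt_string
# does a plain substring match on the packet payload, so this check does
# the same on the logged request line.
FORBIDDEN_STRINGS = ("root.exe", "cmd.exe", ".ida")

# Common Log Format: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample log (not real traffic). The last line is a legitimate
# request whose path happens to contain ".ida".
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2001:16:54:45 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 297
10.0.0.7 - - [21/Oct/2001:16:55:01 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
10.0.0.7 - - [21/Oct/2001:16:55:02 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
10.0.0.9 - - [21/Oct/2001:16:56:10 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.11 - - [21/Oct/2001:16:57:00 +0200] "GET /photos/trip.idaho.html HTTP/1.1" 200 5120
"""


def forbidden_string_in(request):
    """Return the first forbidden substring found in the request line, or None."""
    for needle in FORBIDDEN_STRINGS:
        if needle in request:
            return needle
    return None


def parse_line(line):
    """Split one access-log line into client, request and status; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    client, request, status, _size = m.groups()
    return {"client": client, "request": request, "status": int(status)}


def scan_log(text):
    """Return (client, request, matched_string) for every request the rule would reset."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        needle = forbidden_string_in(rec["request"])
        if needle is not None:
            hits.append((rec["client"], rec["request"], needle))
    return hits


def hits_per_client(hits):
    """Count matched requests per client address."""
    counts = {}
    for client, _request, _needle in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    matched = scan_log(SAMPLE_LOG)
    for client, request, needle in matched:
        print("%-10s %-9s %s" % (client, needle, request))
    print(hits_per_client(matched))
```

Four of the five sample requests are flagged, including the harmless /photos/trip.idaho.html one. The iptables rule in the post works on raw packet payload, so it has the same false positive: any page whose URL or body contains one of those strings gets its connection reset, which is worth checking against your own site before enabling the rule.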
Hello
I have basically a SuSE Samba server setup. Eth0 is for the internet
connection (cable). Eth1 is my internal network. I use eth1 for my Samba
server. When I have the shares/drive letters mapped, whatever, I'll go to
access them and that computer will just lock up or time out for about 1
minute, then it will resume operation normally. I have approx. 5 computers
on the SuSE server, and they all do this, from Windows XP to Windows 98SE. I
am using set-up addresses of 192.168.0.x, where x is greater than 2. My
question is, have I or is there something I've set up wrong to cause this pause
to occur? It's becoming very annoying and frustrating. I'm using kernel
2.4.18-64GB-SMP with a dual processor setup. If anyone has any ideas please
let me know. Every package installed is the original version from the SuSE
install CD-ROMs (no updates done).
Anything come to mind? BTW, I've replaced the switch with a new Netgear one,
and all the network cards are StarTech ST100 Realtek 8139 chipsets on 100Tx.
Anyone... !
Hi there SuSErs...
Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working!
I have a small network with 5 PCs (all Win9X) and a Linux box (currently SuSE 7.3) acting as a server. The server is a DHCP server and a Samba server for the entire network. So far everything is working perfectly!!! Users log on to the network, the logon script executes etc....
Then a new task came up: let's bring the internet into the network.
Configured a 56Kbps modem on the server with YaST. Managed to get my account set up and running. Made a test connection and Netscape works great on the server, as does e-mail (POP3).
I tried configuring SuSEfirewall to manage all incoming requests from the PCs of the network. The firewall warned me about masquerading etc., so I downloaded the latest version of SuSEfirewall2 from the internet and installed it.
Since I only need direct masquerading (no proxies are currently working on the net) I made all the necessary changes as outlined in the examples supplied with the software. Since I needed Samba to keep working on the network, I opened (among others) port 139 for Samba.
Double checked all the changes that I have made and ran rcSuSEfirewall2 to see what happens. Strangely enough, when wvdial executes it tells me that DNS is not functioning properly since www.suse.com cannot be found (or something like that; please forgive me, I am away from the Linux station now).
Further on, when I open mIRC or similar programs (WinMX etc.) from a station, I look at the activity in IPTraf (I check this to see what happens) and I see no connections being created whatsoever.... mIRC tells me that there was an error trying to find the host....
I have made no changes to the Win9X PCs.
Is there something that I am forgetting to do?? I understand that it is impossible for all of you to react to this since I have not included the output of my SuSEfirewall.conf file in this message.... I understand.
Can someone please send me their configuration file so I can see what you have done, on a system that is currently working fine?? In addition, is there something that I have to do regarding route or routing??
What about the Win9X PCs?? Is there something that I have to do there??
I thank you so very much for all your help in advance!!!! I have been killing myself trying to figure this one out for about 2 weeks now and managed nothing more than thin air!!!!!
Chris
Hi!
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication and only the users which have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
Thanks.
--
Farewell.
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
João Reis
-------------------------------------------------------
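For the key-only setup João asks about, the sshd_config directives that enforce it look like this. This is an added example, not part of the original post; the directive names are the real OpenSSH ones, while the account names after AllowUsers are placeholders.

```text
# Accept only public keys listed in each user's authorized_keys file;
# never prompt for a password.
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
# Only the listed accounts may log in at all (names are placeholders).
AllowUsers alice bob
```

Turning passwords off removes remote password guessing from the picture, but it moves the risk onto the private keys: each one should carry a passphrase, and a key that leaves with a lost laptop or a departing user has to be removed from authorized_keys promptly, so keep a record of which key belongs to whom.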
Hi,
When I create a new user (useradd or yast2) the user's home directory has 755
access permissions. Is this normal? What am I doing wrong?!
--
Cornel.
tel.:4092743604
Hello,
this morning I updated all Linux servers running SuSE 7.3 to OpenSSH 3.3.
Now I am not able to log in via ssh anymore - password confirmation fails.
First I thought that sshd is not allowed to read /etc/shadow, but this was not the case.
"harden_suse" made my /etc/shadow passwords be encrypted with MD5. After adding a new user
with yast the new user's password was only DES encrypted.
With this user I am able to log in; with users who have MD5 encrypted passwords I'm not able to
log in via ssh.
Am I right that the new sshd has problems with MD5 passwords?
What can I do now?
Regards,
Thomas
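A quick way to see which accounts are affected by the situation Thomas describes is to classify the second field of /etc/shadow, which tells MD5-crypt hashes ("$1$...") apart from traditional DES ones. This is an added example, not code from the original post; the shadow lines are constructed, with the real field layout but made-up hash strings that correspond to no password.

```python
"""List the password-hash scheme of each account in /etc/shadow-style text.

Added example, not code from the original post. The shadow lines are
constructed: they follow the real field layout, but the hash strings are
made up and do not correspond to any password.
"""
import re

# Traditional DES crypt(3): 2-char salt + 11 chars, all from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes. "$1$" is the MD5 scheme that harden_suse turns on.
PREFIXES = (
    ("$1$", "md5-crypt"),
    ("$2a$", "bcrypt"),
    ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"),
    ("$5$", "sha256-crypt"),
    ("$6$", "sha512-crypt"),
)

# Constructed sample; the hashes are syntactically shaped like the real
# thing but are not real password hashes.
SAMPLE_SHADOW = """\
root:$1$saltsalt$abcdefghijklmnopqrstuv:11862:0:99999:7:::
thomas:$1$Zw4Kfp2x$9s8d7f6g5h4j3k2l1m0n9o:11870:0:99999:7:::
newuser:AbCd1234efGh5:11871:0:99999:7:::
daemon:*:11862:0:99999:7:::
guest:!$1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy:11862:0:99999:7:::
"""


def hash_type(field):
    """Classify one shadow password field."""
    if field.startswith("!"):
        return "locked"            # hash kept, but login disabled (passwd -l)
    if field in ("", "*"):
        return "disabled"          # no usable password at all
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def parse_shadow(text):
    """Yield (user, password_field) for each well-formed shadow line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def audit_shadow(text):
    """Map each account to its hash scheme."""
    return {user: hash_type(field) for user, field in parse_shadow(text)}


def accounts_with(text, scheme):
    """Accounts whose password uses the given scheme, in file order."""
    return [user for user, field in parse_shadow(text) if hash_type(field) == scheme]


if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW).items():
        print("%-10s %s" % (user, scheme))
    print("md5-crypt accounts:", accounts_with(SAMPLE_SHADOW, "md5-crypt"))
```

Run as root against the real file (`python3 audit.py < /etc/shadow` after swapping SAMPLE_SHADOW for sys.stdin.read()) it lists exactly the accounts whose logins would break if the new sshd cannot verify "$1$" hashes. Portable OpenSSH checks passwords through the system crypt(), so whether those hashes are accepted depends on the libcrypt the sshd package was built against; the script only shows which accounts are on which scheme, it does not settle that question.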
Hi,
I have a problem with my SuSEfirewall2. Despite reading the examples and FAQ
I can't get it to allow incoming and outgoing traffic on port 25.
The firewall is run on a machine configured as follows:
eth0 = external network (internet)
eth1 = internal network (192.168.1.1)
The machine runs postfix and postfix can't open port 25.
I've enclosed my firewall script. I'm hoping someone can see what I've done
wrong.
Thomas
-------------------------------------------------------
I've read most of the recent discussion about OpenSSH 3.3p1 but haven't seen
this particular issue so...
I installed the 3.3p1 patch yesterday on several SuSE 7.1 boxes: 7 in the UK
that I can reach locally, and they all seem fine, and 5 more in another
country that I can't get to without a plane ticket :-( The sequence of
installation was to use YOU to apply the patch while logged on via SSH on
all machines, then to shutdown -r now them, wait a bit, then log back on. So
far so good on all boxes. However, within 30 minutes of the reboot on the 5
machines that I cannot reach locally, 2 of them have become inaccessible.
They don't ping and nmap with the -P0 option doesn't get any response from
them. That looks pretty dead to me.
Neither of these two machines has done this before and up until now they've
been up and running for 113 days without any issue.
I can't categorically state that it is the OpenSSH patch that's done this,
since I can't find anyone around to go and look at them to find out if
they're sitting with an Oops message or what's wrong with them. But it's
suspicious enough that I've backed out 3.3p1 on the machines I can still get
to and gone back to 2.9.9p2-98 for now.
And, yes, if I'd read the mailing list before I put the patches on then I
probably wouldn't have bothered :-)
With issues like this, maybe SuSE should pull these particular patches off
the web page/ftp site? Especially since it appears that the 2.9.9p2 rpms
aren't vulnerable to the exploit that the advisory is meant to fix.
Trevor Hemsley,
Security Specialist,
Atos Origin Ltd,
Whyteleafe,
+44-(0)1883-628139
> for those who don't know already:
>
> http://online.securityfocus.com/archive/1/279637/2002-06-26/2002-07-02/0
>
> so, have a nice weekend ;)
>
> Sven
Yeah, I looked at this, the resolver libraries.
8.3.3 and 9.0(?) were reported safe.
Any ideas on a quick fix?