Here's a bit of a step-by-step description of how to keep Nimda
and Code Red from filling your Apache logs.
- SuSE 7.2 Professional
- iptables 1.2.3
- linux kernel 2.4.13-pre5
1. install kernel sources for a kernel >> 2.4.9, running 2.4.13-
pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply the wanted patches by running ./runme $(name.of.patch)patch;
for this you'll want the string patch.
You can also apply other patches, like the irc-conntrack patch.
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
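Review bot: the `+` line is cut off after `right_end +`, so the replacement statement is incomplete and the hunk will not apply as posted; the full line should read `right_end = max(right_end - i + sk, right_end + sh);`, i.e. the two removed lines joined into one with the leading `int,` type argument dropped so the call matches a two-argument max(). The file headers also carry only a date (`Sun Oct 21`) with no time or path prefix, which some patch tools reject; regenerating the diff with `diff -u` against the unpacked tree would produce a hunk that applies cleanly.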
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build a rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
a) uncomment the last line in
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
    iptables -I input_ext -p tcp --dport http -m string \
        --string $forbidden_string -m state \
        --state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. if you try now to access (from outside, of course) one of the
Nimda or Code Red URLs, all you get is a 'connection reset by
peer', and the request doesn't show up in the Apache log files.
btw, no guarantees, and the usual YMMV :)
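As an added example that is not part of the original post: the Python below models what the `-m string` rule from step 13 does to a packet payload, so the behaviour can be checked without a patched 2.4 kernel. The search is a clean-room Boyer-Moore written with the same `skip`/`shift`/`right_end` structure as the ipt_string hunk quoted above (it is not the kernel module's code), and it is run over constructed request payloads of the shape Code Red and Nimda send. The three forbidden strings are the post's; the sample payloads, function names and the `SAMPLES` table are assumptions made here.

```python
# Added example, not from the original post: a Python model of the
# iptables -m string rule.  Boyer-Moore search with the skip/shift/right_end
# structure of the ipt_string hunk; the kernel code itself is not reproduced.
FORBIDDEN = (b"root.exe", b"cmd.exe", b".ida")   # the strings from the post's rule loop


def bad_char_table(needle):
    """skip[c] = distance from the rightmost occurrence of byte c in the needle
    to the needle's last byte (len(needle) if c does not occur at all)."""
    m = len(needle)
    skip = [m] * 256
    for j, c in enumerate(needle):
        skip[c] = m - 1 - j          # later j wins, so this is the rightmost one
    return skip


def good_suffix_table(needle):
    """shift[i] = how far the needle's right end may advance after its last i
    bytes matched and the byte before them did not (strong good-suffix rule).
    Quadratic in len(needle), which is fine for short strings like these."""
    m = len(needle)
    shift = [m] * m
    for i in range(m):
        p = m - 1 - i                # index of the mismatched needle byte
        for s in range(1, m + 1):
            # the matched suffix must still line up after shifting by s ...
            ok = all(k - s < 0 or needle[k - s] == needle[k] for k in range(m - i, m))
            # ... and the byte landing on the mismatch position must differ
            if ok and p - s >= 0 and needle[p - s] == needle[p]:
                ok = False
            if ok:
                shift[i] = s
                break
    return shift


def bm_search(haystack, needle):
    """Return the offset of the first occurrence of needle in haystack, or -1."""
    m, n = len(needle), len(haystack)
    if m == 0:
        return 0
    skip, shift = bad_char_table(needle), good_suffix_table(needle)
    right_end = m - 1                # haystack index aligned with needle[-1]
    while right_end < n:
        i = 0
        while i < m and needle[m - 1 - i] == haystack[right_end - i]:
            i += 1
        if i == m:
            return right_end - m + 1
        sk = skip[haystack[right_end - i]]
        sh = shift[i]
        # Take the larger of the two proposed advances: the bad-character value
        # can be zero or negative, the good-suffix value is always >= 1.
        right_end = max(right_end - i + sk, right_end + sh)
    return -1


def matching_string(payload, forbidden=FORBIDDEN):
    """First forbidden string found anywhere in one packet payload (per-packet,
    as -m string works), or None if the REJECT rule would not fire."""
    for s in forbidden:
        if bm_search(payload, s) != -1:
            return s
    return None


# Constructed sample payloads in the shape of the probes the post talks about;
# illustrative only, not captured traffic.
SAMPLES = {
    "codered": b"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0\r\n\r\n",
    "nimda_root": b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n",
    "nimda_cmd": b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def classify_samples(samples=SAMPLES):
    """Map each sample name to the forbidden string that fires, or None."""
    return {name: matching_string(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:12s} -> {'REJECT (' + hit.decode() + ')' if hit else 'pass'}")
```

Two things the model makes visible that the rule list does not: the match is against the whole payload of a single packet, so a legitimate request whose body happens to contain `cmd.exe` is reset just the same, and a probe whose URL is split across two TCP segments is not caught at all, because neither segment contains the whole string.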
I have basically a SuSE Samba server setup. Eth0 is for the internet
connection (cable). Eth1 is my internal network. I use eth1 for my Samba
server. When I have the shares/drive letters mapped, whatever, I'll go to
access them and that computer will just lock up or time out for about 1
minute, then it will resume operation normally. I have approx. 5 computers
on the SuSE server, and they all do this, from Windows XP to Windows 98SE. I
am using set-up addresses of 192.168.0.x, where x is greater than 2. My
question is, have I set up something wrong to cause this pause
to occur? It's becoming very annoying and frustrating. I'm using kernel
2.4.18-64GB-SMP with a dual processor setup. If anyone has any ideas please
let me know. Every package installed is the original version from the SuSE
install CD-ROMs (no updates done).
Anything come to mind? BTW, I've replaced the switch with a new Netgear one,
and all the network cards are StarTech ST100 (Realtek 8139 chipset) on 100TX.
Hi there SuSErs...
Well, I must be doing something really wrong, because everything that I do with SuSEfirewall2 is just not working!
I have a small network with 5 PCs (all Win9X) and a Linux box (currently SuSE 7.3) acting as a server. The server is a DHCP server and a Samba server for the entire network. So far everything is working perfectly! Users log on to the network, the logon script executes, etc.
Then a new task came up: let's bring the internet into the network.
Configured a 56Kbps modem on the server with YaST. Managed to get my account set up and running. Made a test connection and Netscape works great on the server, as does e-mail (POP3).
I tried configuring SuSEfirewall to manage all incoming requests from the PCs on the network. The firewall warned me about masquerading etc., so I downloaded the latest version of SuSEfirewall2 from the internet and installed it.
Since I only need direct masquerading to be done (no proxies are currently working on the net) I made all the necessary changes as outlined in the examples supplied with the software. Since I needed Samba to keep working on the network, I opened (among others) port 139 for Samba to work.
Double checked all the changes that I have made and ran rcSuSEfirewall2 to see what happens. Strangely enough, when wvdial executes it tells me that DNS is not functioning properly, since www.suse.com cannot be found (or something like that; please forgive me, I am away from the Linux station now).
Further on, when I open mIRC or other such programs (WinMX etc.) from a station, I look at the activity in IPTraf (I check this to see what happens) and I see no connections being created whatsoever... mIRC prompts me that there was an error trying to find the host...
I have made no changes to the Win9X PCs.
Is there something that I am forgetting to do? I understand that it is impossible for all of you to react to this since I have no output of the SuSEfirewall.conf file published in this message... I understand.
Can someone please send me their configuration file so I can see what you have done, on a system that is currently working fine? In addition, is there something that I have to do regarding route or routing?
What about the Win9X PCs? Is there something that I have to do there?
I thank you so very much for all your help in advance! I am killing myself trying to figure this one out, for about 2 weeks now, and have managed nothing more than thin air!
I implemented an SSH connection from the outside to my intranet. This SSH requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication, and only the users which have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy
require an update of OpenSSH or of OpenSSL, or both?
From: Olaf Kirch [mailto:email@example.com]
Sent: Wednesday, July 31, 2002 4:14 AM
To: Graham Murray
Subject: Re: [suse-security] SuSE Security Announcement: openssl
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
> Openssh uses openssl. Is openssh vulnerable to any of the openssl
Potentially, yes. It may be possible to trigger the ASN.1 signedness
bug when decoding RSA keys during/after RSA authentication. The other
bugs, no, because OpenSSH doesn't use SSL.
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir(a)suse.de | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com
For additional commands, e-mail: suse-security-help(a)suse.com
Security-related bug reports go to security(a)suse.de, not here
Here is what I get after today's apache update using YOU, on SuSE MAIL III
[error] [Tue Jul 30 16:33:29 2002] RefSecMod.pm: Can't locate RefSecMod.pm in
@INC (@INC contains: /var/www/perllib /usr/lib/perl5/5.6.0/i586-linux
/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl . /var/www/
/var/www/lib/perl) at (eval 156) line 3.
[Tue Jul 30 16:33:30 2002] [notice] child pid 31044 exit signal Segmentation
Senior Network Engineer
I hope this is the correct list for this question. Since it has to do
with login and authentication, I thought "security" was the closest
match I could find. I've been browsing the SuSE list archives for a week
(along with everything else I could find on Google) with no success. I'm
seriously losing my hair over this.
I have recently installed SuSE Linux 8.0 on two separate machines. My
other machines at home are both running FreeBSD (4.6-STABLE). They are
the NIS master and slave servers, respectively.
I have used YAST2 to initiate an "NIS Client" on the Linux boxes. Ypbind
and ypwhich are both running successfully and returning proper
information. I can "finger" all of the NIS users and I can ypcat passwd,
master.passwd, etc. However, I cannot login with an NIS user. I have
turned "debug" on in security/pam_unix2.conf, and here is the
Jul 26 09:44:25 horace sshd: pam_unix2: pam_sm_authenticate()
Jul 26 09:44:25 horace sshd: pam_unix2: username=[glen]
Jul 26 09:44:25 horace sshd: pam_unix2: wrong password, return
Jul 26 09:44:25 horace sshd: Failed password for glen from ::1
port 32772 ssh2
In this case, it's from sshd, but I get the same results from login and
kdm as well.
Here's what "ypcat passwd" returns (just a sample):
Here's what "ypcat master.passwd.byname" returns (again, a sample):
(1) it has been suggested that the MD5 encryption used in the FreeBSD
password file is causing the problem. However, I have been able to cut a
password from the BSD password file into the Linux password file and it
worked just fine (for a local user). I don't think that's the problem.
(2) The BSD password file has "*" in the second field, which indicates
the password is stored in master.passwd. SuSE Linux uses an "x" in the
second field to indicate that the password is stored in /etc/shadow.
Could this be the source of the conflict? If so, how do I configure SuSE
to recognize the "*" instead of the "x"?
(3) Beyond this, I'm at a total loss. I really have no idea how to debug
or fix this. I hate to have to set the Linux box as a standalone machine
because it does not support NIS.
Thanks in advance for your help,
Does anyone know how to run ipchains in SuSE 8.0? I know that it runs in
kernel 2.2.x; I installed SuSE 8.0 and it comes with kernel 2.4.18.
How can I install kernel 2.2.x in SuSE 8? I would like to use my
own script, written for the 2.2 kernel.
Sorry for the mistakes,
I just tried (unsuccessfully) to update a 7.2 box with online-update when
it started barfing, and eventually crashing on me. Upon retry I let a
'top' run alongside and it seems that yast2 / you is / was the culprit.
I think the 'top' screendump below speaks for itself. Another minute and
yast2 will have consumed all mem+swap. It's just luck the kernel didn't
panic but killed yast2 instead.
I understand that having 128 MB in a machine is not state-of-the-art
nowadays, but come on, it's a firewall running named+sshd, nothing more.
Do I have a corrupted install, or is this A) normal and B) unavoidable ?
I realise this is somewhat out of place at suse-security, but since it
directly concerns the online update facility, I posted here nonetheless.
The updates concerned were apache, bzip(?) glibc and openssl. However,
yast2 crashed before it could start updating glibc.*
Oh, P.S.: I'd like to express my concern at the disappearance of Yast1
with Suse version 8. Yast2 is all very gooey and nice and stuff, but I
can easily break my [TAB] key on my keyboard just trying to do anything
with yast2 over a remote link. For instance, searching, selecting and
installing 1 simple package with yast2 from the DVD takes at least 10-20
tab- events. Changing some things in the runlevel editor is so bad I
cannot even start counting the seemingly endless
But yeah, this IS misplaced at this mailinglist... true... excuse me.
44 processes: 43 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 0.6% user, 2.5% system, 0.0% nice, 96.7% idle
Mem: 125224K av, 122276K used, 2948K free, 0K shrd, 2980K
Swap: 136544K av, 135996K used, 548K free 18696K
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
9137 root 9 0 211M 84M 3572 S 0.0 69.1 2:42 y2bignfat
9138 root 9 0 211M 84M 3572 S 0.0 69.1 0:00 y2bignfat
9139 root 9 0 211M 84M 3572 S 0.0 69.1 0:03 y2bignfat
10693 root 17 0 5684 5684 516 D 1.1 4.5 0:00 rpm
9124 root 9 0 2420 1364 792 S 0.0 1.0 0:00 named
9125 root 9 0 2420 1364 792 S 0.0 1.0 0:00 named
9126 root 9 0 2420 1364 792 S 0.0 1.0 0:00 named
9127 root 9 0 2420 1364 792 S 0.0 1.0 0:00 named
9128 root 9 0 2420 1364 792 S 0.0 1.0 0:00 named
8858 maarten 12 0 552 504 492 R 1.0 0.4 0:14 top
8844 maarten 9 0 552 304 244 S 0.0 0.2 0:01 sshd
3581 maarten 9 0 552 292 224 S 0.0 0.2 0:01 sshd
835 root 9 0 248 204 180 S 0.0 0.1 0:14 syslogd
2893 root 9 0 212 164 132 S 0.0 0.1 0:00 cron
Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands - http://vbvb.nl
T +31204233288 F +31204233286 G +31651994273