July 2002 - openSUSE Security - openSUSE Mailing Lists

vsftpd in chroot enviromend
by Matthias Krauss 02 Jul '02

02 Jul '02

Hello List, does anybody noticed a way howto configure vsftpd in that way that i can run eg. 3 different usergroups in independent chroot areas, so that they not only have their home drive, like a own directory structure but jailed in a chroot area, this config was possible with wu-ftp, like configuring a guest group and jail them like /intern/./home/user . Thanks Matthias

2 1

SuSEFirewall Redirector Problem
by mbauer＠in-sight.de 02 Jul '02

02 Jul '02

Hi there List, I'm trying to redirect all hosts in my intranet through a squid, that also runs the firewall box. Here ist the line I used for redirecting: #****************************************************************************************************** FW_REDIRECT="198.201.201.0/24,0/0,tcp,80,8080" #****************************************************************************************************** I should work, but the only answer I get from my squid is this: While trying to retrieve the URL: / The following error was encountered: Invalid URL Some aspect of the requested URL is incorrect. Possible problems: Missing or incorrect access protocol (should be `http://'' or similar) Missing hostname Illegal double-escape in the URL-Path Illegal character in hostname; underscores are not allowed Your cache administrator is mbauer(a)in-sight.de. What have I done wrong ? Ain't it possible to redirect normal traffic from port 80 to 8080 ? thanks........ maX Bauer InSight Education GmbH 069 - 587098-90 mbauer(a)in-sight.de

3 2

Re: [suse-security] SuSEFirewall Redirector Problem
by mbauer＠in-sight.de 02 Jul '02

02 Jul '02

thank you for the quick answer. here's the URL to a good howto (german). It works. maX Bauer InSight Education GmbH 069 - 587098-90 mbauer(a)in-sight.de

1 0

Re: [suse-security] APACHE_access_log
by Oliver Bleutgen 02 Jul '02

02 Jul '02

> Greetings, > anyone know what these are? > 208.198.164.131 - - [28/Jun/2002:15:37:41 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:15:39:12 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:15:40:42 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:07:43 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:09:13 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:10:43 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:12:14 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:13:44 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:15:14 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:16:44 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:18:17 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:19:46 -0700] "-" 408 - > 208.198.164.131 - - [28/Jun/2002:17:21:16 -0700] "-" 408 - > I know what 408 means... > 408 The Request timed out. For some reason the Server took too much time > processing your Request. Net congestion is the most likely reason. > Show me how to make the above entries in the access logs. I don't need to > be > educated about Status Codes, I need to know what kind of attack this is. > (I > know others that have it in their logs also) > Trying 192.168.10.2... > Connected to silver. > Escape character is '^]'. > - > and this gave me a log with this: > 192.168.0.2 - - [01/Jul/2002:16:13:30 -0700] "-" 200 2447 > which is similar, but not quite the same. So that makes me think it's not > a > browser doing it. cause a browser puts a "GET /- HTTP/1.2" 404 7240 > in the log. Try http://localhost/- and see what I mean. Are you filtering incoming http-request somehow? Like for nimda requests or stuff? This could mean that you just see the syn/ack part of an attack. Or perhaps just a nimda infected host which has a memory leak ;-) and can't compete the requests. As for how to produce a log entry like that: 1. bleutgen@baal:~ > telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 2. do nothing 3. repeat 2 until something happens 4. the shell will close after some time (apache's timeout, can be up to 5mins) 5. apache log: 127.0.0.1 - - [02/Jul/2002:08:18:02 +0200] "-" 408 - cheers, oliver

1 0

RE: [suse-security] What's the length of ssh keys? - Breakability of 1024bit RSA keys
by bliss＠attbi.com 02 Jul '02

02 Jul '02

There has been a fair amount of discussion about the Bernstein paper which was published last fall. Here are a few articles I founds which give both sides. You can decide for your self. The question is, are you secrets worth someone spending hundreds of millions (or billions) of dollars to crack to key to receive? If not, then there is probably no worry TODAY (but there is always tomorrow). Articles: http://www.vnunet.com/News/1130451 http://www.rsasecurity.com/rsalabs/technotes/bernstein.html http://www.eweek.com/article2/0,3959,99158,00.asp For some REALLY lite reading, here is a link to Bernstein's paper: http://cr.yp.to/papers.html#nfscircuit Enjoy the reading. Jim > There was a thread on Bugtraq, the initial post of which I cant seem to > find, but one had this link to an article: > > http://www.eweek.com/article2/0,3959,99158,00.asp > > I do recall the estimated cost to implement using off-the-shelf components > to be incredibly (phenomenally, astronomically) high, but on a par with the > money already invested by certain government's security organizations in > satellite surveillance technology. It is, after all, all relative :) > > Wish I could find you the original post, but for some reason I only kept the > replies.. > > -----Original Message----- > From: arawak [mailto:arawak@blueyonder.co.uk] > Sent: Tuesday, July 02, 2002 10:07 AM > To: suse-security(a)suse.com > Subject: RE: [suse-security] What's the length of ssh keys? > > > > > How much computing power would it take to crack an 1024bit key in a > reasonable amount of time? > > I thought it would be many years before it could be done, for it to be > of any use to anyone? > > I have not seen nor heard any info that it has been done as yet... > > Dre :o) > > Luck is my game ;-) > Linux is my aim :) > > -----Original Message----- > From: Austin Morgan [mailto:admorgan@morgancomputers.net] > Sent: 02 July 2002 00:24 > To: suse-security(a)suse.com > Subject: Re: [suse-security] What's the length of ssh keys? > > > While it is true it is possible to break an 1024bit key, it is also > difficult. While I am not saying that going to an higher bit key is a > bad idea it is also proabably not really necessary. Also ssh is based > on ssl so what effects one (as far as keys) effects the other. > > Austin Morgan > > On Mon, Jul 01, 2002 at 06:23:45PM +0200, Praise wrote: > > A friend of mine told me that 1024bit keys were broken, and he advised > > > me to use 4096bit keys... I think he is confusing ssl with ssh. > > Do you have similar information on this? > > > > Praise > > -- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com > Security-related bug reports go to security(a)suse.de, not here > > > -- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com > Security-related bug reports go to security(a)suse.de, not here

1 0

MD5 password confirmation fails after update to OpenSSH 3.3 on SuSE 7.3
by Thomas Föcking 02 Jul '02

02 Jul '02

Hello, this morning I updated all linux servers running SuSE 7.3 to OpenSSH 3.3. Now I am not able to login via ssh anymore - password confirmation fails. First I tought, that sshd is not allowed to read /etc/shadow, but this was not the case. "harden_suse" made my /etc/shadow passwords be encrypted with MD5. After adding a new user with yast the new user's password was only DES encrypted. With this user I am able to login, with users who has got MD5 encrypted passwords I'm not able to login via ssh. Am I right, that the new sshd has got problems with MD5 password? What can I do now? Regards, Thomas

3 2

RE: [suse-security] What's the length of ssh keys? - Breakability of 1024bit RSA keys
by Paxton, Michael 02 Jul '02

02 Jul '02

There was a thread on Bugtraq, the initial post of which I cant seem to find, but one had this link to an article: http://www.eweek.com/article2/0,3959,99158,00.asp I do recall the estimated cost to implement using off-the-shelf components to be incredibly (phenomenally, astronomically) high, but on a par with the money already invested by certain government's security organizations in satellite surveillance technology. It is, after all, all relative :) Wish I could find you the original post, but for some reason I only kept the replies.. -----Original Message----- From: arawak [mailto:arawak@blueyonder.co.uk] Sent: Tuesday, July 02, 2002 10:07 AM To: suse-security(a)suse.com Subject: RE: [suse-security] What's the length of ssh keys? How much computing power would it take to crack an 1024bit key in a reasonable amount of time? I thought it would be many years before it could be done, for it to be of any use to anyone? I have not seen nor heard any info that it has been done as yet... Dre :o) Luck is my game ;-) Linux is my aim :) -----Original Message----- From: Austin Morgan [mailto:admorgan@morgancomputers.net] Sent: 02 July 2002 00:24 To: suse-security(a)suse.com Subject: Re: [suse-security] What's the length of ssh keys? While it is true it is possible to break an 1024bit key, it is also difficult. While I am not saying that going to an higher bit key is a bad idea it is also proabably not really necessary. Also ssh is based on ssl so what effects one (as far as keys) effects the other. Austin Morgan On Mon, Jul 01, 2002 at 06:23:45PM +0200, Praise wrote: > A friend of mine told me that 1024bit keys were broken, and he advised > me to use 4096bit keys... I think he is confusing ssl with ssh. > Do you have similar information on this? > > Praise -- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here -- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here

1 0

APACHE_access_log
by phil 02 Jul '02

02 Jul '02

Greetings, anyone know what these are? 208.198.164.131 - - [28/Jun/2002:15:37:41 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:15:39:12 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:15:40:42 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:07:43 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:09:13 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:10:43 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:12:14 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:13:44 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:15:14 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:16:44 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:18:17 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:19:46 -0700] "-" 408 - 208.198.164.131 - - [28/Jun/2002:17:21:16 -0700] "-" 408 - I know what 408 means... 408 The Request timed out. For some reason the Server took too much time processing your Request. Net congestion is the most likely reason. Show me how to make the above entries in the access logs. I don't need to be educated about Status Codes, I need to know what kind of attack this is. (I know others that have it in their logs also) Trying 192.168.10.2... Connected to silver. Escape character is '^]'. - and this gave me a log with this: 192.168.0.2 - - [01/Jul/2002:16:13:30 -0700] "-" 200 2447 which is similar, but not quite the same. So that makes me think it's not a browser doing it. cause a browser puts a "GET /- HTTP/1.2" 404 7240 in the log. Try http://localhost/- and see what I mean. I start thinkin...hmm It COULD be that since that bastard has his ping turned off that it takes so long to get a response that apache times out. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all telnet silver 80 Trying 192.168.10.2... Connected to silver. Escape character is '^]'. - same result: 192.168.0.2 - - [01/Jul/2002:16:37:05 -0700] "-" 200 2447 so it ain't that. (Be sure and do echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all ) I tried netcat echo - | netcat -i 60 192.168.10.2 80 and it looks just like those telnet results. I tried compiling apache-worm.c http://dammit.lt/apache-worm/apache-worm.c I don't get nothing in my logs at all from apache-worm and besides it's writes totally diferent than what I am talking about anyway. Please, what kind of attack is this? regards phil

1 0

RE: [suse-security] What's the length of ssh keys?
by arawak 02 Jul '02

02 Jul '02

How much computing power would it take to crack an 1024bit key in a reasonable amount of time? I thought it would be many years before it could be done, for it to be of any use to anyone? I have not seen nor heard any info that it has been done as yet... Dre :o) Luck is my game ;-) Linux is my aim :) -----Original Message----- From: Austin Morgan [mailto:admorgan@morgancomputers.net] Sent: 02 July 2002 00:24 To: suse-security(a)suse.com Subject: Re: [suse-security] What's the length of ssh keys? While it is true it is possible to break an 1024bit key, it is also difficult. While I am not saying that going to an higher bit key is a bad idea it is also proabably not really necessary. Also ssh is based on ssl so what effects one (as far as keys) effects the other. Austin Morgan On Mon, Jul 01, 2002 at 06:23:45PM +0200, Praise wrote: > A friend of mine told me that 1024bit keys were broken, and he advised > me to use 4096bit keys... I think he is confusing ssl with ssh. > Do you have similar information on this? > > Praise -- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here

1 0

firewall problem
by Thomas Nyman 01 Jul '02

01 Jul '02

Hi, I have a problem with my SuSEfirewall2..despite reading the examples and faq I cant get it to allow incoming and otugoing traffic on port 25 the firewall is run on a machine configured as follows eth0 = external network (internet) eth1 = internal network (192.168.1.1) the machine runs postfix and postfix can't open port 25. I've enclosed my firewall script..I'm hoping someone can see what I've done wrong. Thomas -------------------------------------------------------

4 4