July 2002 - openSUSE Security - openSUSE Mailing Lists

sshd log problem
by webmaster＠kreorg.hu 28 Jul '02

28 Jul '02

Hi List, Please, help me understand these ssh logs below> 1) how it is logged normally Jul 28 09:45:23 mand sshd2[159]: connection from "213.163.25.176" - # me logging in from remote Jul 28 09:45:24 mand sshd[628]: log: Generating 768 bit RSA key. Jul 28 09:45:25 mand sshd[628]: log: RSA key generation complete. Jul 28 09:45:25 mand sshd[628]: log: Connection from 213.163.25.176 port 1075 Jul 28 09:45:36 mand sshd[628]: log: Password authentication for antal accepted. Jul 28 09:45:46 mand su: (to root) antal on /dev/pts/0 Jul 28 09:46:05 mand sshd[628]: log: Closing connection to 213.163.25.176 2) now what puzzles me Jul 28 13:42:11 mand sshd2[159]: connection from "209.151.75.1" - # unknown IP Jul 28 13:52:17 mand sshd2[1284]: LoginGraceTime exceeded. Nothing between the two sshd2 processes. How could it be tarced back what did happen between? Thanx> Antal ++++++++++++++++++++ Kreorg Oktat�k�zpont Hunyadi t�r 8, Budapest 1067 ++++++++++++++++++++ kreorg(a)kreorg.hu http://www.kreorg.hu ++++++++++++++++++++ Grid - Er� a v�ltoz�shoz.

2 1

No Ping from FW with SuSE FW2
by Christian Weickhmann 28 Jul '02

28 Jul '02

Hi folks! I'm wondering how I get SuSE FW2 to let me ping from the firewall PC itself. (With SuSE 7.4) PCs on the masqueraded net can ping via routing but the firewall itself can't. /etc/rc.config.d/firewall2.rc.config: # 2.) # Which is the interface that points to the internet/untrusted networks? FW_DEV_EXT="ppp0" # # 3.) # Which is the interface that points to the internal network? FW_DEV_INT="eth0" # # 4.) # Which is the interface that points to the dmz or dialup network? FW_DEV_DMZ="" # # 5.) # Should routing be enabled? FW_ROUTE="yes" # # 6.) # Do you want to masquerade internal networks to the outside? FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" # Which internal computers/networks are allowed to access the internet # directly (not via proxys on the firewall)? FW_MASQ_NETS="192.168.0.0/24" # # 7.) # Do you want to protect the firewall from the internal network? FW_PROTECT_FROM_INTERNAL="no" # # 8.) # Do you want to autoprotect all running network services on the firewall? FW_AUTOPROTECT_SERVICES="yes" # # 9.) # Which services ON THE FIREWALL should be accessible from either the internet # (or other untrusted networks), the dmz or internal (trusted networks)? # # Common: smtp domain FW_SERVICES_EXT_TCP="" # Common: domain FW_SERVICES_EXT_UDP="" # Common: domain # For VPN/Routing which END at the firewall!! FW_SERVICES_EXT_IP="" # # Common: smtp domain FW_SERVICES_DMZ_TCP="" # Common: domain FW_SERVICES_DMZ_UDP="" # For VPN/Routing which END at the firewall!! FW_SERVICES_DMZ_IP="" # # Common: ssh smtp domain FW_SERVICES_INT_TCP="ssh domain" # Common: domain syslog FW_SERVICES_INT_UDP="domain" # For VPN/Routing which END at the firewall!! FW_SERVICES_INT_IP="" # # 10.) # Which services should be accessible from trusted hosts/nets? FW_TRUSTED_NETS="" # # 11.) # How is access allowed to high (unpriviliged [above 1023]) ports? # Common: "ftp-data", better is "yes" to be sure that everything else works :-( FW_ALLOW_INCOMING_HIGHPORTS_TCP="" # Common: "DNS" or "domain ntp", better is "yes" to be sure ... FW_ALLOW_INCOMING_HIGHPORTS_UDP="" # # 12.) # Are you running some of the services below? FW_SERVICE_AUTODETECT="no" # Autodetect the services below when starting FW_SERVICE_DNS="yes" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no" # # 13.) # Which services accessed from the internet should be allowed to the # dmz (or internal network - if it is not masqueraded)? FW_FORWARD="" # Beware to use this! # # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? FW_FORWARD_MASQ="" # Beware to use this! # # 15.) # Which accesses to services should be redirected to a localport on the # firewall machine? FW_REDIRECT="" # # 16.) # Which logging level should be enforced? FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" # # 17.) # Do you want to enable additional kernel TCP/IP security features? FW_KERNEL_SECURITY="yes" # # 18.) # Keep the routing set on, if the firewall rules are unloaded? FW_STOP_KEEP_ROUTING_STATE="no" # # 19.) # Allow (or don't) ICMP echo pings on either the firewall or the dmz from # the internet? FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="yes" FW_ALLOW_PING_INTERNET="yes" # 20.) FW_ALLOW_FW_TRACEROUTE="yes" # 21.) # Allow ICMP sourcequench from your ISP? FW_ALLOW_FW_SOURCEQUENCH="yes" # 22.) # Allow/Ignore IP Broadcasts? FW_ALLOW_FW_BROADCAST="no" FW_IGNORE_FW_BROADCAST="yes" # # 23.) # Allow same class routing per default? FW_ALLOW_CLASS_ROUTING="no" # # 25.) #FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config" ## end of file Thanks, Christian -- A neighbor came to Nasrudin, asking to borrow his donkey. "It is out on loan," the teacher replied. At that moment, the donkey brayed loudly inside the stable. "But I can hear it bray, over there." "Whom do you believe," asked Nasrudin, "me or a donkey?"

2 5

SuSE-FW-NO_ACCESS_INT->FWEXT
by j0nas 27 Jul '02

27 Jul '02

I'm using SuSE 8.0 with SuSEfirewall2, and on my firewall I have ports for ssh,smtp,http and identd open to the outside, and the same ports plus pop3+samba open for the internal network. I also have an extra port (not 21) opened for my ftp service. My problem is that I can access all resources from the inside using the internal ip-adress of the firewall, ie I can view the web pages when calling http://192.168.0.1/ from any other machine on the internal network. It also works when I try to access the web server from the outside (using the external ip), BUT when I try to access the web server using the external ip (or the domain pointing to my firewall) nothing happens and i get this logged in /var/log/firewall: Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A000000000000000001010402) Same goes for when I try to access any of the other services from the inside using the external ip. How can I make this work? Here is my /etc/sysconfig/SuSEfirewall2 setup: FW_DEV_EXT="eth1" FW_DEV_INT="eth0" FW_DEV_DMZ="" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="eth1" FW_MASQ_NETS="192.168.0.0/24" FW_PROTECT_FROM_INTERNAL="yes" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="113 8000 http smtp ssh" FW_SERVICES_EXT_UDP="" FW_SERVICES_EXT_IP="" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" FW_SERVICES_INT_TCP="113 139 445 8000 http pop3 pop3s smtp ssh" FW_SERVICES_INT_UDP="137:138" FW_SERVICES_INT_IP="" FW_TRUSTED_NETS="192.168.0.0/24" FW_ALLOW_INCOMING_HIGHPORTS_TCP="8000" FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="yes" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no" FW_FORWARD="" FW_FORWARD_MASQ="" FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" FW_KERNEL_SECURITY="yes" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_ALLOW_FW_BROADCAST="no" FW_IGNORE_FW_BROADCAST="yes" FW_ALLOW_CLASS_ROUTING="no" Any help would be appreciated, thank you! Jonas

1 0

Re: [SLE] Security Help needed
by Joe & Sesil Morris (NTM) 27 Jul '02

27 Jul '02

Anders Johansson wrote: >On Saturday 27 July 2002 11.59, Joe & Sesil Morris (NTM) wrote: > > >>I found out yesterday that our server has been intruded. The intruder >>even was able to su to root (according to the logs). They logged in via >>/dev/console, and via the bash history I was able to get the commands >>they typed in. They are as follows. >> >> ><snip bash_history> > >This is what you get when you use mc in a bash shell. Try it. The initial >prompt command is to give mc control over the shell, and the cd commands are >just that. They cd to various directories. > > Thanks Anders and others. You all are correct. The escape sequences were mc's doing. That's a relief. >/dev/console is on your local machine. As far as I know you can't get to it >over the net. Do you have your box physically secure? > > After looking again at the logs, and comparing them to my box here at home, I guess it wasn't a hack, but an unexplained reboot. I saw the following first: Jul 26 00:35:21 server kernel: klogd 1.4.1, ---------- state change ---------- followed by another reboot at 6:35, ie. Jul 26 06:35:23 server syslogd 1.4.1: restart. In the sequence at 6:35, I noticed an su to root on /dev/console. I guess it is one of the services, not a hacker. It just corresponded with a lot of firewall rejects. >What was in your logfile that made you suspect you had had an intruder? > See above. I will start looking at hardware reasons for the reboot, now that I know the strange codes in root's bash history was made by mc. Thanks much for all of your help, once more... :-) BTW, I have all security patches applied (I just ran YOU again today to make sure). I also checked again, and I do have ports 53, 68, and 123 UDP open, all TCP blocked internet side. At least I will sleep better tonight. Thanks again. -- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris(a)ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871 God said, I AM that I AM. I say, by the grace God, I am what I am.

1 0

[SLE] Security Help needed
by Joe & Sesil Morris (NTM) 27 Jul '02

27 Jul '02

I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows. PROMPT_COMMAND='pwd>&7;kill -STOP $$' cd "`echo -e '\057\150\157\155\145\057\152\157\145'`" cd "`echo -e '\057\150\157\155\145'`" cd "`echo -e '\057'`" cd "`echo -e '\057\166\141\162'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`" cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`" Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks. -- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris(a)ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871 God said, I AM that I AM. I say, by the grace God, I am what I am.

5 4

ssh tunnel question
by Thorsten Marquardt 26 Jul '02

26 Jul '02

hi, I like to use somthing like this via ssh: +-----------+ +---------------+ +-----------+ | DB-Client |---------| Tunnel-Server |==========| DB-Server | | | | Port 3333 | | Port 9876 | +-----------+ +---------------+ +-----------+ A tunnel between Tunnel-Sever and DB Server is installed with: ssh -L 3333:DB-Server:9876 DB-Server Is it possible to have DB-Client use Port 3333 on Tunnel-Server to access Port 9876 (my database daemon) on DB-Server? Clues are welcome. Thanks Thom -- ------------------------------------------------------------------- bye bye (c) by Thom | Thorsten Marquardt | EMail: THOM(a)kaupp.chemie.uni-oldenburg.de | Member of the pzt project. | http://kaupp.chemie.uni-oldenburg.de/pzt -------------------------------------------------------------------

3 3

TransProxy on Sec-Gateway
by GentooRulez 26 Jul '02

26 Jul '02

Hi list, one little question before getting all the weekends lazyness :O) I've got a squid running on firewall and i disabled nat in order to constrain client boxes using it. I do : ipchains -I input -i $DEV_INT -d 0.0.0.0/0 80 -p tcp -j REDIRECT 8080 --log all works fine and the log shows client access that is redirected. Then i do ipchains -I input --dport 8080 -p tcp -j ACCEPT --log ipchains -I output -i $DEV_INT -p tcp -j ACCEPT --log and no log entrys comes up and clients browser fail. Called address was http://193.99.144.71/, so DNS is irrelevant. Using 2.2.19 and just know, that transproxy support has to be enabled. Kernel sources are not on the box and i dont know how to determine, whether its compiled like that. Is there any chance to check that out, e.g. via /proc ? *AND* , if support is enabled, where else may problem lie. Squid works fine using it directly on port 8080 :O) Yours Michael

1 0

Re: [suse-security] IDS goes off at /etc
by GentooRulez 26 Jul '02

26 Jul '02

>> What exactly says /var/log/messages comes up e.g. at 22:05, charles ? >Jul 16 22:04:00 p15089763 /USR/SBIN/CRON[14405]: (mailman) CMD (/usr/bin/python -S /home/mailman/cron/qrunner) >Jul 16 22:04:37 p15089763 popper[14406]: connect from 213.183.161.234 (213.183.161.234) >Jul 16 22:05:00 p15089763 /USR/SBIN/CRON[14408]: (mailman) CMD (/usr/bin/python -S /home/mailman/cron/qrunner) >Jul 16 22:06:00 p15089763 /USR/SBIN/CRON[14410]: (mailman) CMD (/usr/bin/python -S /home/mailman/cron/qrunner) >It's definitily NOT qrunner, because mailman has no permission to change /etc and it should not be popper. So offer a wider range of the log prior to 22:04, cauze - as roman wrote - e.g. a mount cmd ends up with such modified [c|m]times. And ... its not a good idea to present your ip without any emergency, in order to prevent social engineering. 213.183.161.234 is adsl1-234-1-nc.nordcom.net with password-protected-service at port 80 :O) and a dnsalias.org with your clearname ? Yours Michael

3 3

AUTH SMTP with POSTFIX
by jja wikon 26 Jul '02

26 Jul '02

Hi, I configure for small firm (with locally network) a mail server with postfix first I wanted to do Authefizierung only with DIGEST-MD5, CRAM-MD5 and nobody plain, login. But Outlook Express and Netscape unterstüzen only plain, login Authefizierung. Then I wanted to do Authefizierung with IP Address (e.g., only email only from our Router (local netz) farther to escorts may), but also no sure(safe) solution. What is sure(safe), Authefizierung with plain or with IP address, or I can combine this? First of all how I can deduce in parameter "smtpd_recipient_restriction" "permit_mynetworks" and "permit_auth_destination" examinations.

1 0

Fw: Fw: FTP and SuSEFirewall 2
by Markus Noch 26 Jul '02

26 Jul '02

Begin forwarded message: Date: Thu, 25 Jul 2002 14:49:59 +0200 From: Markus Noch <markus.noch(a)bsk-info.de> To: suse-security(a)suse.com Subject: Fw: FTP and SuSEFirewall 2 Begin forwarded message: Date: Thu, 25 Jul 2002 12:51:46 +0200 From: Markus Noch <markus.noch(a)bsk-info.de> To: suse-security(a)suse.com Subject: FTP and SuSEFirewall 2 hi list, i have a suse linux 7.3 box with susefirewall2 running. everything works fine, but i can`t connect to any ftp server. i have opened port 21 and 20 in /etc/rc.config.d/firewall2.rc.config but still have no ftp connect. any hint ?? thanks and greets, -- ----------------------------------------------------- Markus Noch SysAdmin bsk IT Systemhaus GmbH .-. Tel.: +49 6241 / 94650-21 /v\ Klosterstrasse 23 // \\ 67547 Worms /( )\ ^^-^^ _ _ _ _ ___ ____ | |__ ___| | __ | \ | |/ _ \ / ___| | '_ \/ __| |/ /____| \| | | | | | | |_) \__ \ <_____| |\ | |_| | |___ |_.__/|___/_|\_\ |_| \_|\___/ \____| Network-Operation-Centre POP Worms noc(a)bsk-info.de ---Home is where ever those login prompts shine !---- -- ----------------------------------------------------- Markus Noch SysAdmin bsk IT Systemhaus GmbH .-. Tel.: +49 6241 / 94650-21 /v\ Klosterstrasse 23 // \\ 67547 Worms /( )\ ^^-^^ _ _ _ _ ___ ____ | |__ ___| | __ | \ | |/ _ \ / ___| | '_ \/ __| |/ /____| \| | | | | | | |_) \__ \ <_____| |\ | |_| | |___ |_.__/|___/_|\_\ |_| \_|\___/ \____| Network-Operation-Centre POP Worms noc(a)bsk-info.de ---Home is where ever those login prompts shine !---- -- ----------------------------------------------------- Markus Noch SysAdmin bsk IT Systemhaus GmbH .-. Tel.: +49 6241 / 94650-21 /v\ Klosterstrasse 23 // \\ 67547 Worms /( )\ ^^-^^ _ _ _ _ ___ ____ | |__ ___| | __ | \ | |/ _ \ / ___| | '_ \/ __| |/ /____| \| | | | | | | |_) \__ \ <_____| |\ | |_| | |___ |_.__/|___/_|\_\ |_| \_|\___/ \____| Network-Operation-Centre POP Worms noc(a)bsk-info.de ---Home is where ever those login prompts shine !----

1 0