Hi all,
here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
Parts used:
- SuSE 7.2 Professional
- SuSEfirewall2
- iptables 1.2.3
- linux kernel 2.4.13-pre5
steps:
1. install kernel sources for a kernel >> 2.4.9; running 2.4.13-pre5
here, works fine so far
2. get the sources for iptables 1.2.3 from
http://netfilter.samba.org
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch)patch
for this, you'll want the string patch.
You can also apply other patches, like the irc-conntrack patch.
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
00:16:29 2001
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
16:54:45 2001
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
sh);
}
return NULL;
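Review bot: the replacement drops the type argument, so the call matches the two-argument max() of the kernels the post targets (newer than 2.4.9); against an older 2.4 tree whose max() still takes (type, x, y) this hunk no longer compiles, so either guard it with a LINUX_VERSION_CODE check or state the minimum kernel version in the patch. Also, the two-argument max() type-checks its operands, so right_end, i, sk and sh should all have the same type or the compiler will warn on the comparison.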
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build an rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
files.
a) uncomment the last line in
/etc/rc.config.d/firewall2.rc.config:
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
    # reset any established HTTP connection carrying one of the worm signatures
    iptables -I input_ext -p tcp --dport http -m string \
        --string "$forbidden_string" -m state \
        --state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. reboot
16. if you try now to access (from outside, of course) one of the
nimda or codered URLs, all you get is a 'connection reset by
peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
bye
[L]
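As an added example (not from the original post) of the check behind step 16: a small shell script that scans an Apache access log for the three signatures the firewall2-custom loop rejects, run here on a constructed sample log.

```shell
#!/bin/sh
# Added example, not part of the original post: count Nimda/CodeRed request
# signatures in an Apache access log. Step 16 of the post says that once the
# ipt_string reset rules are in place such requests no longer reach the log,
# so a non-zero count here means a request got past them.
# SIGNATURES mirrors the list in the firewall2-custom loop.
SIGNATURES="root.exe cmd.exe .ida"

# count_worm_hits LOGFILE: prints "<signature> <count>" per signature, then
# "total <n>" where n counts each matching request line once.
count_worm_hits() {
    log="$1"
    for sig in $SIGNATURES; do
        # -F: match the signature literally (".ida" must not act as a regex);
        # "|| true" because grep -c exits 1 when the count is 0
        n=$(grep -F -c -- "$sig" "$log" || true)
        echo "$sig $n"
    done
    set --
    for sig in $SIGNATURES; do set -- "$@" -e "$sig"; done
    echo "total $(grep -F -c "$@" "$log" || true)"
}

# worm_sources LOGFILE: distinct client addresses that sent a matching request
worm_sources() {
    log="$1"
    set --
    for sig in $SIGNATURES; do set -- "$@" -e "$sig"; done
    grep -F "$@" "$log" | awk '{ print $1 }' | sort -u
}

# Constructed sample log in Apache common log format (not real traffic):
# two Nimda-style probes from one host, one CodeRed-style probe, one normal hit.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [21/Oct/2001:16:54:45 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
10.0.0.5 - - [21/Oct/2001:16:54:46 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
10.0.0.7 - - [21/Oct/2001:16:55:01 +0200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 289
10.0.0.9 - - [21/Oct/2001:16:55:10 +0200] "GET /index.html HTTP/1.1" 200 1043
EOF

count_worm_hits "$SAMPLE_LOG"
worm_sources "$SAMPLE_LOG"
```

Keep in mind that -m string inspects each packet on its own, so a request whose signature straddles two TCP segments passes the reset rule and would still show up in this count.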
Hi,
I use SuSE 7.3.
The internal network connects to the internet by setting port
3128 in IE, but when I set authenticate_program in squid.conf so
that users get a Windows login window,
IE doesn't show any window and the internal network
(clients) connects to the internet normally without logging in.
I set these options in squid.conf:
authenticate_program /usr/sbin/pam_auth
acl password proxy_auth payam
acl users src 192.168.1.0/255.255.252.0
http_access allow users
http_access allow password
Is there any problem with this configuration that stops IE
from getting the login window when it wants to browse?
Thanks for your help,
Payam
Hi
Got a problem with a SuSE 8.1 server which is running in console mode.
No X-windows. After running harden_suse I find that I cannot change
the password and log back in again.
I followed Roman Drahtmueller's advice which appeared on the SuSE
security list back on the 9th of October last year....
>Please "touch /etc/rc.config" to work around this.
>This is a bug - depending on the selection of packages on your system
>it can happen that said file does not exist any more. It slipped
>through last time.
This worked for me and I was able to run ./harden_suse. However, on
re-booting I now find that I can't log back in again. The password
is rejected and if I become a user and then try to do 'su root' I
find that once again the root password is rejected.
Looking in /var/log/messages I see that my login messages which tell
me that someone has tried to login reveal this ....
"cannot open login.defs [Permission denied]"
Can anyone suggest a way out of this? Perhaps I need to remove
harden_suse and start again?
--
Thanks
Richard
www.sheflug.co.uk
Hello,
First, I'm very sorry for my poor English.
We are building an internet banking system with IBM zSeries and SuSE Linux.
But now we need an internal vulnerability analysis tool such as ISS Internet Scanner
or Symantec ESM.
But they do not support SuSE Linux for IBM zSeries.
Do you know any other commercial vulnerability analysis tool that supports SuSE Linux
for zSeries?
If so, please help me with your advice.
I'm very sorry for bothering you with this and looking forward to hearing from you soon.
With my best wishes for your prosperity.
Thank you in advance.
---------------------------------------
Jeongl, Jeong-Mo
Solution Service LAC Korea, Inc.
Tel: +82-2-3444-2355
Fax: +82-2-3444-6945
Hello there,
I've got a question, and I found no answer related to this topic - or maybe
I'm simply too stupid and didn't get it ....
Short story:
Home LAN - SuSEfirewall2 System (SuSE 8.1 via DSL) - internet - Checkpoint
FW - Companies LAN
Long story:
Well, my employer has a Checkpoint FW running to protect the company's LAN.
We all got so-called tokens (looks like a calculator) and some software to
be installed on our PCs.
The software is called SecuRemote.
At home I have a small LAN (one SuSE 8.1 acting as a gateway, 3 MS based
clients).
I installed the software, checked the Checkpoint website for information on how
to configure an iptables fw, and I think I did it: the necessary ports are
udp 50, udp 51, udp 500 & udp 2746.
So I added the lines:
FW_FORWARD="212.212.212.212/32,192.168.10.100/24,udp,50
212.212.212.212/32,192.168.10.100/24,udp,51 \
212.212.212.212/32,192.168.10.100/24,udp,500
212.212.212.212/32,192.168.10.100/24,udp,2746"
FW_FORWARD_MASQ="212.212.212.212/32,192.168.10.100/24,udp,50
212.212.212.212/32,192.168.10.100/24,udp,51 \
212.212.212.212/32,192.168.10.100/24,udp,500
212.212.212.212/32,192.168.10.100/24,udp,2746"
(In both cases 212.212.212.212 is just a placeholder!!! ... not the real IP
address.)
But it does not work ...... no VPN connection is established between my MS
client and a system on the company's LAN.
When I connect to the internet directly (e.g. via an ISDN dial-up connection)
it works fine.
Well, one of my thoughts was to modify the MTU/MRU values - but setting them
e.g. to 1404 didn't solve it.
Has anyone around there an idea?
Can I use the SuSEfirewall2 for this?
Thanks in advance!!!!
c y
Torsten
Hi,
I tried to use rbash to restrict a user's capabilities but need to allow
file transfer (sftp). Unfortunately the sftp session is terminated immediately.
Is there a chance to enable this combination?
Thanks
Thom
--
-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM(a)kaupp.chemie.uni-oldenburg.de
| Member of the pzt project.
| http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------
Hi,
I have an FTP server running, and now I have a problem with it.
When I log in to my FTP server I see this:
ftp ftp.server.com
Connected to ftp.server.com (62.216.9.174).
220 ProFTPD 1.2.8rc1 Server (ftp.server.com) [phyton.addrenaline.com]
Name (ftp.server.com:wouter): wouter
331 Password required for wouter.
Password:
230 User wouter logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (62,216,9,174,9,218).
receive aborted
waiting for remote to finish abort
ftp> bye
221-
bye
221
When I stop my firewall there is no problem.
/var/log/messages says the following:
Jan 31 11:02:12 phyton proftpd[19269]: phyton.addrenaline.com (sonic.nl3gta.nl[217.67.230.34]) - FTP session opened.
Jan 31 11:02:18 phyton proftpd[19269]: phyton.addrenaline.com (sonic.nl3gta.nl[217.67.230.34]) - USER wouter: Login successful.
Jan 31 11:02:18 phyton kernel: filtered on OUTPUT IN= OUT=eth1 SRC=62.216.9.174 DST=194.109.5.241 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=41
Jan 31 11:02:20 phyton kernel: filtered on INPUT IN=eth1 OUT= MAC=00:a0:d2:16:f7:93:00:10:67:00:f8:8e:08:00 SRC=217.67.230.34 DST=62.216.9.174 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=24022 DF PROTO=TCP SPT=47561 DPT=2531 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 31 11:02:26 phyton proftpd[19269]: phyton.addrenaline.com (sonic.nl3gta.nl[217.67.230.34]) - FTP session closed.
and /var/log/proftpd.paranoid_log
sonic.nl3gta.nl UNKNOWN nobody [31/Jan/2003:11:03:39 +0100] "USER wouter" 331 -
sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:42 +0100] "PASS (hidden)" 230 -
sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:42 +0100] "SYST " 215 -
sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:44 +0100] "PASV " 227 -
sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:54 +0100] "QUIT " 221 -
Then here are my firewall settings to open the ftp ports;
$FTP_SERVER is set to yes somewhere else in the config file ;)
## open the ftp server to the outside world
if [ $FTP_SERVER = yes ] ; then
    # passive mode: the client opens a new connection to a high port; that
    # SYN is only RELATED (and accepted by the passive rules below) when the
    # FTP connection-tracking helper is loaded, otherwise it is NEW and dropped
    modprobe ip_conntrack_ftp
    ## control connection, port 21
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE -d $IPADDR -m state --state NEW,ESTABLISHED \
        --source-port $UNPRIVPORTS --destination-port 21 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
        --source-port 21 --destination-port $UNPRIVPORTS -j ACCEPT
    ## ftp server - active (server connects out from port 20)
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED ! --syn \
        --destination-port 20 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
        --source-port 20 -j ACCEPT
    ## ftp server - passive (client connects to a high port announced in 227)
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED \
        --destination-port $UNPRIVPORTS -j ACCEPT
    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \
        --source-port $UNPRIVPORTS -j ACCEPT
fi
Does someone have an idea what is wrong?
I have no idea; it has worked for a few months and I have changed nothing in my config or firewall files.
Thanks Wouter
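An added example (not from Wouter's post) to go with the logs above: it computes the data port from the 227 PASV reply and picks out the inbound SYNs the firewall logged as filtered, using the kernel lines quoted in the post as input; $UNPRIVPORTS is assumed to be 1024:65535.

```shell
#!/bin/sh
# Added example, not part of the original post: relate ProFTPD's PASV reply to
# the firewall's "filtered on INPUT" kernel log lines, to confirm that what the
# firewall drops is the client's passive-mode data connection.

# pasv_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> prints p1*256+p2,
# the port the client will connect to for the data transfer
pasv_port() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' \
        | awk -F, '{ print $5 * 256 + $6 }'
}

# filtered_syns LOGFILE -> one "SRC DPT" line per inbound TCP SYN the firewall
# logged as filtered on INPUT (the OUTPUT line in the post is ignored)
filtered_syns() {
    awk '/filtered on INPUT/ && /PROTO=TCP/ && / SYN / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        print src, dpt
    }' "$1"
}

# in_unpriv_range PORT -> true if PORT falls in the high-port range the passive
# rules expect (assumption: $UNPRIVPORTS is 1024:65535, the usual value)
in_unpriv_range() {
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Sample input: the two kernel lines quoted in the post, written to a temp file.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 31 11:02:18 phyton kernel: filtered on OUTPUT IN= OUT=eth1 SRC=62.216.9.174 DST=194.109.5.241 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=41
Jan 31 11:02:20 phyton kernel: filtered on INPUT IN=eth1 OUT= MAC=00:a0:d2:16:f7:93:00:10:67:00:f8:8e:08:00 SRC=217.67.230.34 DST=62.216.9.174 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=24022 DF PROTO=TCP SPT=47561 DPT=2531 WINDOW=5840 RES=0x00 SYN URGP=0
EOF

echo "PASV data port: $(pasv_port '227 Entering Passive Mode (62,216,9,174,9,218).')"
filtered_syns "$SAMPLE_LOG" | while read -r src dpt; do
    if in_unpriv_range "$dpt"; then
        echo "dropped SYN from $src to high port $dpt: a passive data connection that"
        echo "the ESTABLISHED,RELATED rule only accepts once ip_conntrack_ftp is loaded"
    fi
done
```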
try88out(a)netscape.net wrote:
>On my Computer I have installed a standard SuSE Linux 8.1 Pro with Grafik-Login.
>I want to detach the binding of my X-Server to an IP-Socket or restrict it to some IP addresses (localhost, ...)
>
>In the config-file "/etc/X11/xdm/XServers" I have changed ":0 local /usr/X11R6/bin/X :0 vt07"
>to ":0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp". But nothing happens.
>After a reboot the X-Server is still listening on port 6000.
>
>Does anyone know how I can solve the problem?
>
>Wolfgang
>
The solution for my problem is very simple:
I have to change the file "/etc/opt/kde3/share/config/kdm/Xservers" and not the file "/etc/X11/xdm/XServers". It works fine!
;-)
Does anyone know how I can restrict the binding of my X-Server to only some IP addresses (localhost, ...)?
Wolfgang
On my Computer I have installed a standard SuSE Linux 8.1 Pro with Grafik-Login.
I want to detach the binding of my X-Server to an IP-Socket or restrict it to some IP addresses (localhost, ...)
In the config-file "/etc/X11/xdm/XServers" I have changed ":0 local /usr/X11R6/bin/X :0 vt07"
to ":0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp". But nothing happens.
After a reboot the X-Server is still listening on port 6000.
Does anyone know how I can solve the problem?
Wolfgang
Not as easy as that on versions prior to 8.1* since mod_frontpage is all packaged up as part of apache_contrib.rpm so if you want any of the other 26 mod_* packages that are listed as being a part of this then you get frontpage extension installed when you're not looking. Ok, it may not be enabled in the config file but it's installed and on the system.
* I can't check 8.1 since I don't have that release but this is true for 8.0 and 7.3 that I have checked. Is it different in 8.1?
-----Original Message-----
From: Steffen Dettmer [mailto:steffen@dett.de]
Sent: Thu 1/30/2003 12:49 AM
To: suse-security(a)suse.com
Cc:
Subject: Re: [suse-security] Apache with mod_frontpage
* Olsson Mattias wrote on Wed, Jan 29, 2003 at 16:17 +0100:
> Can somebody pls tell me how to enable the mod_frontpage for
> apache within SuSE 8.1.
You ask how to *enable* frontpage on a security list?!
"rpm -e mod_frontpage" *may* be sufficient to *disable* it, BTW :)
SCNR.
oki,
Steffen
--
This message was generated by machine,
and therefore bears neither signature nor seal.
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help(a)suse.com
Security-related bug reports go to security(a)suse.de, not here