openSUSE Security January 2003

security@lists.opensuse.org

159 participants
162 discussions

how to keep nimda and code red from filling apache logs

by Mathias Homann

Hi all, here's a bit of a step-by-step description on how to keep nimda and codered from filling your apache logs. Parts used: - SuSE 7.2 Professional - SuSEfirewall2 - iptables 1.2.3 - linux kernel 2.4.13-pre5 steps: 1. install kernel sources for a kernel >> 2.4.9, running 2.4.13- pre5 here, works fine so far 2. get the sources for iptables 1.2.3 from http://netfilter.samba.org 3. unpack sources somewhere 4. export KERNEL_DIR=$(where you put the kernel tree) 5. cd into unpacked iptables sources, there's a subdirectory named patch-o-matic there 6. apply wanted patches by running ./runme $(name.of.patch)patch for this here You'll want the string patch You can also apply other patches, like the irc-conntrack patch 7. now there's a little bug in this patch... here's a diff: --- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21 00:16:29 2001 +++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21 16:54:45 2001 @@ -62,7 +62,7 @@ sk = skip[haystack[right_end - i]]; sh = shift[i]; - right_end = max(int, right_end - i + sk, right_end + sh); + right_end = max(right_end - i + sk, right_end + sh); } return NULL; 8. now, make config/menuconfig/xconfig... as usual. You can import your running kernel's config first. 9. enable the experimental stuff 10. go to networking options->netfilter, there's an option there to enable string matching; set that to M 11. compile and install kernel as usual; remember to uncomment the export INSTALL_PATH=/boot in the main makefile. 12. now build a rpm file for the new iptables stuff by installing the source rpm which comes with suse, then edit the spec file, put the iptables source in /usr/src/packages/SOURCE and rebuild. 13. now there are some small changes to the firewall config files. a) uncomment the last line in /etc/rc.config.d/firewall2.rc.config: FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config" b) edit that file, I got the following stuff in mine: for forbidden_string in root.exe cmd.exe .ida; do iptables -I input_ext -p tcp --dport http -m string \ --string $forbidden_string -m state \ --state ESTABLISHED -j REJECT --reject-with tcp-reset done put that in the last supfunction defined in the custom rc file. c) change the FW_LOG setting in firewall2.rc.config from reading -log-level warning to -log-level kernel.warning 14. last: some small changes to /sbin/SuSEfirewall2 search in the script for the parts where the modules are loaded and unloaded; be sure to add ipt_string (and the other new modules you created by patching the kernel and enabling them in make config) to the modules loading/unloading code there. 15. reboot 16. if you try now to access (from outside, of course) one of the nimda or codered URLS, all you get is a 'connection reset by peer', and the request doesn't show in apache log files. btw, no guarantees, and the usual YMMV :) bye [L]

18 years, 9 months

problem with SQUID

by payam payami

Hi, I use suse 7.3 Internal network connect to internet by setting port 3128 in IE but when i set in squid.conf for authenticate_program that get windows login for users, IE don't get any windows and Internal network (clients) connect to internet normally without login I set these options in squid.conf: authenticate_program /usr/sbin/pam_auth acl password proxy_auth payam acl users src 192.168.1.0/255.255.252.0 http_access allow users http_access allow password Is here any problem with this configuration that IE can't get windows login when want to browsing? Thanks for your help, Payam __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com

19 years, 3 months

by Richard Ibbotson

Hi Got a problem with an SuSE 8.1server which is runing in console mode. No X-windows. After running harden_suse I find that I cannot change the password and log back in again. I followed Roman Drahtmueller's advice which appeared on the SuSE security list back on the 9th of October last year.... >Please "touch /etc/rc.config" to work around this. >This is a bug - depending on the selection of packages on your system >it can happen that said file does not exist any more. It slipped >through last time. This worked for me and I was able to run ./harden_suse. However, on re-booting I now find that I can't log back in again. The password is rejected and if I become a user and then try to do 'su root' I find that once again the root password is rejected. Looking in /var/log/messages I see that my login messages which tell me that someone has tried to login reveal this .... "cannot open login.defs [Permission denied]" Anyone suggest a way out of this ? Perhaps I need to remove harden_suse and start again ? -- Thanks Richard www.sheflug.co.uk

19 years, 5 months

I need vulnerability analysis tool, help me.

by 정정모

Hello, First, I'm very sorry for my poor English. We are building internet banking system with IBM zSeries and SuSE Linux. But Now, We need internal vulnerability analysis tool such as ISS Internet Scanner, Symantec ESM. But they did not support SuSE Linux for IBM zSeries. Do you know any other commercial vulnerability analysis tool support SuSE linux for zSeries? If any, Please help me with your advice. I'm very sorry for bothering you with this and looking forward to hearing from you soon. With my best wishes for your prosperity. Thank you in advance. --------------------------------------- Jeongl, Jeong-Mo Solution Service LAC Korea, Inc. Tel: +82-2-3444-2355 Fax: +82-2-3444-6945

19 years, 5 months

SuSEfirewall2 & Checkpoint software

by T. Ermlich

Hello there, I've got a question, and I found no answer related to this topic - or maybe I'm simply too stupid and didn't get it .... Short story: Home LAN - SuSEfirewall2 System (SuSE 8.1 via DSL) - internet - Checkpoint FW - Companies LAN Long story: Well, my employer has a Checkpoit FW running to protect the companies LAN. We all got so called tokens (looks like an calculator) and some software to be installed on our PCs. The software is called SecuRemote. At home I have a small LAN (one SuSE 8.1 acting as a gateway, 3 MS based clients). I installed the software, checked the Checkpoint website for information how to configure an iptables fw, and I think I did it: the neccessary ports are udp 50, udp 51, udp 500 & udp 2746. So I added the lines: FW_FORWARD="212.212.212.212/32,192.168.10.100/24,udp,50 212.212.212.212/32,192.168.10.100/24,udp,51 \ 212.212.212.212/32,192.168.10.100/24,udp,500 212.212.212.212/32,192.168.10.100/24,udp,2746" FW_FORWARD_MASQ="212.212.212.212/32,192.168.10.100/24,udp,50 212.212.212.212/32,192.168.10.100/24,udp,51 \ 212.212.212.212/32,192.168.10.100/24,udp,500 212.212.212.212/32,192.168.10.100/24,udp,2746" (In both cases 212.212.212.212 is just a place holder!!! ... not the real ip adress.) But it does not work ...... no VPN connection is established between my MS client and a system on the companies LAN. When I connect to the internet directly (eg. via an ISDN dial-up connection) it works fine. Well, one of my thoughts was to modify the MTU/MRU values - but setting them eg. to 1404 didn't solve it. Has anyone around there an idea? Can I use the SuSEfirewall2 for this? Thanks in advance!!!! c y Torsten

19 years, 5 months

rbash and sftp

by Thorsten Marquardt

Hi, I tried to use rbash to restrict a users capabilities but need to allow filetransfer (sftp). Unfortunatly the sftp-session is termianated immediately. Is there a chance to enable this combination? Thanks Thom -- ------------------------------------------------------------------- bye bye (c) by Thom | Thorsten Marquardt | EMail: THOM(a)kaupp.chemie.uni-oldenburg.de | Member of the pzt project. | http://kaupp.chemie.uni-oldenburg.de/pzt -------------------------------------------------------------------

19 years, 5 months

FTP and firewall

by Wouter

Hi, I have a FTP running. and now i have a problem now whit it. . I can login to my FP server i see this: ftp ftp.server.com Connected to ftp.server.com (62.216.9.174). 220 ProFTPD 1.2.8rc1 Server (ftp.server.com) [phyton.addrenaline.com] Name (ftp.server.com:wouter): wouter 331 Password required for wouter. Password: 230 User wouter logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (62,216,9,174,9,218). receive aborted waiting for remote to finish abort ftp> bye 221- bye 221 When i stop my firewall then is there now problem. /var/log/messages say the follow: Jan 31 11:02:12 phyton proftpd[19269]: phyton.addrenaline.com (sonic.nl3gta.nl[217.67.230.34]) - FTP session opened. Jan 31 11:02:18 phyton proftpd[19269]: phyton.addrenaline.com (sonic.nl3gta.nl[217.67.230.34]) - USER wouter: Login successful. Jan 31 11:02:18 phyton kernel: filtered on OUTPUT IN= OUT=eth1 SRC=62.216.9.174 DST=194.109.5.241 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=41 Jan 31 11:02:20 phyton kernel: filtered on INPUT IN=eth1 OUT= MAC=00:a0:d2:16:f7:93:00:10:67:00:f8:8e:08:00 SRC=217.67.230.34 DST=62.216.9.174 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=24022 DF PROTO=TCP SPT=47561 DPT=2531 WINDOW=5840 RES=0x00 SYN URGP=0 Jan 31 11:02:26 phyton proftpd[19269]: phyton.addrenaline.com (sonic.nl3gta.nl[217.67.230.34]) - FTP session closed. and /var/log/proftpd.paranoid_log sonic.nl3gta.nl UNKNOWN nobody [31/Jan/2003:11:03:39 +0100] "USER wouter" 331 - sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:42 +0100] "PASS (hidden)" 230 - sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:42 +0100] "SYST " 215 - sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:44 +0100] "PASV " 227 - sonic.nl3gta.nl UNKNOWN wouter [31/Jan/2003:11:03:54 +0100] "QUIT " 221 - Then here my firewall settings to open the ftp poorts here is $FTP_SERVER set to yes somewhere else in the config file ;) ## ftp server openstellen voor buitenwereld if [ $FTP_SERVER = yes ] ; then $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ -s $ANYWHERE -d $IPADDR -m state --state NEW,ESTABLISHED \ --source-port $UNPRIVPORTS --destination-port 21 -j ACCEPT $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \ --source-port 21 --destination-port $UNPRIVPORTS -j ACCEPT ## ftp server - active $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ -s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED ! --syn \ --destination-port 20 -j ACCEPT $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \ --source-port 20 -j ACCEPT ## ftp server - passive $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ -s $ANYWHERE -d $IPADDR -m state --state ESTABLISHED,RELATED \ --destination-port $UNPRIVPORTS -j ACCEPT $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR -d $ANYWHERE -m state --state ESTABLISHED,RELATED \ --source-port $UNPRIVPORTS -j ACCEPT fi Have someone a idea what is wrong ? i have no idea he have work for a few moths and i have nothing change in my config or firewall files. Thanks Wouter

19 years, 5 months

RE: [suse-security] How can I stop the Xserver listening on port 6000?

by try88out＠netscape.net

try88out(a)netscape.net wrote: >On my Computer I have installed a standard SuSE Linux 8.1 Pro with Grafik-Login. >I want to detach the binding of my X-Server to an IP-Socket or restirct it to some IP-Adresses (localhost, ...) > >In the config-file "/etc/X11/xdm/XServers" I have changed ":0 local /usr/X11R6/bin/X :0 vt07" >to ":0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp". But nothing happens. >After a reboot the X-Server ist still listening on port 6000. > >Does any one knows how I can solve the problem? > >Wolfgang > The solution for my problem is very simple: I have to change the file "/etc/opt/kde3/share/config/kdm/Xservers" and not the file "/etc/X11/xdm/XServers". It works fine! ;-) Does any one know how I can the binding of my X-Server to only some IP-Adresses (localhost, ...)? Wolfgang __________________________________________________________________ The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

19 years, 5 months

How can I stop the Xserver listening on port 6000?

by try88out＠netscape.net

On my Computer I have installed a standard SuSE Linux 8.1 Pro with Grafik-Login. I want to detach the binding of my X-Server to an IP-Socket or restirct it to some IP-Adresses (localhost, ...) In the config-file "/etc/X11/xdm/XServers" I have changed ":0 local /usr/X11R6/bin/X :0 vt07" to ":0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp". But nothing happens. After a reboot the X-Server ist still listening on port 6000. Does any one knows how I can solve the problem? Wolfgang __________________________________________________________________ The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

19 years, 5 months

RE: [suse-security] Apache with mod_frontpage

by Hemsley, Trevor

Not as easy as that on versions prior to 8.1* since mod_frontpage is all packaged up as part of apache_contrib.rpm so if you want any of the other 26 mod_* packages that are listed as being a part of this then you get frontpage extension installed when you're not looking. Ok, it may not be enabled in the config file but it's installed and on the system. * I can't check 8.1 since I don't have that release but this is true for 8.0 and 7.3 that I have checked. Is it different in 8.1? -----Original Message----- From: Steffen Dettmer [mailto:steffen@dett.de] Sent: Thu 1/30/2003 12:49 AM To: suse-security(a)suse.com Cc: Subject: Re: [suse-security] Apache with mod_frontpage * Olsson Mattias wrote on Wed, Jan 29, 2003 at 16:17 +0100: > Can somebody pls tell me how to enable the mod_frontpage for > apache within SuSE 8.1. You ask how to *enable* frontpage on a security list?! "rpm -e mod_frontpage" *may* be sufficient to *disable* it, BTW :) SCNR. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel. -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here

19 years, 5 months

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security January 2003