March 2003 - openSUSE Security - openSUSE Mailing Lists

how to keep nimda and code red from filling apache logs
by Mathias Homann 25 Sep '03

25 Sep '03

Hi all, here's a bit of a step-by-step description on how to keep nimda and codered from filling your apache logs. Parts used: - SuSE 7.2 Professional - SuSEfirewall2 - iptables 1.2.3 - linux kernel 2.4.13-pre5 steps: 1. install kernel sources for a kernel >> 2.4.9, running 2.4.13- pre5 here, works fine so far 2. get the sources for iptables 1.2.3 from http://netfilter.samba.org 3. unpack sources somewhere 4. export KERNEL_DIR=$(where you put the kernel tree) 5. cd into unpacked iptables sources, there's a subdirectory named patch-o-matic there 6. apply wanted patches by running ./runme $(name.of.patch)patch for this here You'll want the string patch You can also apply other patches, like the irc-conntrack patch 7. now there's a little bug in this patch... here's a diff: --- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21 00:16:29 2001 +++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21 16:54:45 2001 @@ -62,7 +62,7 @@ sk = skip[haystack[right_end - i]]; sh = shift[i]; - right_end = max(int, right_end - i + sk, right_end + sh); + right_end = max(right_end - i + sk, right_end + sh); } return NULL; 8. now, make config/menuconfig/xconfig... as usual. You can import your running kernel's config first. 9. enable the experimental stuff 10. go to networking options->netfilter, there's an option there to enable string matching; set that to M 11. compile and install kernel as usual; remember to uncomment the export INSTALL_PATH=/boot in the main makefile. 12. now build a rpm file for the new iptables stuff by installing the source rpm which comes with suse, then edit the spec file, put the iptables source in /usr/src/packages/SOURCE and rebuild. 13. now there are some small changes to the firewall config files. a) uncomment the last line in /etc/rc.config.d/firewall2.rc.config: FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config" b) edit that file, I got the following stuff in mine: for forbidden_string in root.exe cmd.exe .ida; do iptables -I input_ext -p tcp --dport http -m string \ --string $forbidden_string -m state \ --state ESTABLISHED -j REJECT --reject-with tcp-reset done put that in the last supfunction defined in the custom rc file. c) change the FW_LOG setting in firewall2.rc.config from reading -log-level warning to -log-level kernel.warning 14. last: some small changes to /sbin/SuSEfirewall2 search in the script for the parts where the modules are loaded and unloaded; be sure to add ipt_string (and the other new modules you created by patching the kernel and enabling them in make config) to the modules loading/unloading code there. 15. reboot 16. if you try now to access (from outside, of course) one of the nimda or codered URLS, all you get is a 'connection reset by peer', and the request doesn't show in apache log files. btw, no guarantees, and the usual YMMV :) bye [L]

7 7

Kernel Panic after Security Update
by Stefan Proels 14 Apr '03

14 Apr '03

Hello, after installing the latest kernel update for the ptrace security issue on a SuSE 8.0 system, the new kernels panics while booting with the message "VFS: unable to mount root fs". My possibilities to analyze this problem are very limited since the system in question is an important 24x7 production system to which I only have remote access and when the system fails to boot this can only be fixed with the help of a local engineer. This is why I'm asking this list if anyone has experienced this problem before and possibly even has a solution for it. As a note, the new kernel works fine on two SuSE 7.1 systems. Some information on the system: SuSE 8.0, SuSE SMP Kernel 2.4.18-64GB-SMP for 2 P-III CPUs, 1 GB RAM, 2 SCSI drives with Adaptec SCSI controller. Root-Filesystem is ext3 INITRD_MODULES="aic7xxx usbcore jbd ext3" Bootloader lilo mk_initrd und lilo after installation of the new kernel ran without any error messages. After re-installing the old SuSE 2.4.18 Kernel with the security leak the systems boots up fine again. Thanks in advance Stefan

10 11

Linux-Server is frozen after security update of kernel
by Habichtsberg, R. 07 Apr '03

07 Apr '03

Hi, I'm not sure if it is the reason but the probability is high: After the security update of the linux kernel, in my case from k_deflt-2.4.18-57 to k_deflt-2.4.18-261, I have two frozen systems. In the first case we are running a program that starts some stored procedures in a Informix Database (IDS 9.30.UC1). After a few minutes there are no more actions possible on that server. You can't find any message in /var/log/messages or online.log. Even recursively started commands like ps or onstat -g ses sid -r 1>protfile does not generate any output. In the second case the similar happened during daily cronjob which builds and loads a database of ca. 8 GB size. My question: Has anybody else problems with these kernel updates related to Informix Dynamic Server. Reinhard.

12 18

Kernel update problem yet again
by Mathias Homann 03 Apr '03

03 Apr '03

the latest kernel updates are bad, not only my SuSE 8.1 with the latest update crashes when starting X11 with nvidia drivers, but my 8.0 firewall can't do frees/wan anymore because /lib/modules/`uname -r`/kernel/net/ipv4/ipsec.o is missing, and the sources from km_freeswan don't compile... bye, [MH] -- Die unaufgeforderte Zusendung einer Werbemail an Privatleute verstößt gegen §1 UWG und 823 I BGB (Beschluß des LG Berlin vom 2.8.1998 Az: 16 O 201/98). Jede kommerzielle Nutzung der übermittelten persönlichen Daten sowie deren Weitergabe an Dritte ist ausdrücklich untersagt! gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C

2 2

ip6tables
by Jon Hoffman 03 Apr '03

03 Apr '03

Hello, I have just finished setting up a 6to4 tunnel to start using IPv6. But I am trying to find a decent ip6tables tutorial/howto/sample firewalls...... But I am not having very much luck. Does anyone know of any good web sites for ip6tables? Thanks in advance. Jon Hoffman

2 1

problem with SQUID
by payam payami 02 Apr '03

02 Apr '03

Hi, I use suse 7.3 Internal network connect to internet by setting port 3128 in IE but when i set in squid.conf for authenticate_program that get windows login for users, IE don't get any windows and Internal network (clients) connect to internet normally without login I set these options in squid.conf: authenticate_program /usr/sbin/pam_auth acl password proxy_auth payam acl users src 192.168.1.0/255.255.252.0 http_access allow users http_access allow password Is here any problem with this configuration that IE can't get windows login when want to browsing? Thanks for your help, Payam __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com

7 6

iptables on SuSE 7.3, webserver and our intranet
by Manfred Rebentisch 02 Apr '03

02 Apr '03

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, a customer of mine is using suse 7.3 and iptables v1.2.2. The iptables command are called direct, not with SuSEfirewall. Normally I use shorewall, I am not a specialist for iptables commands, I did not write the commands, but have to support them now. The server is an internet-webserver. Because of some attacs the firewall is important. There are a postfix E-Mail-Server and there are Websites on the Server. Accessing in no problem from the internet. BUT: from the intranet we cannot call the websites and load the E-Mails from the server. I think, it is not a DNS problem, but a firewall problem. With "iptables -t nat -L" I get (names changed for public) for PREROUTING - Chain: DNAT tcp -- anywhere linus.localnet.de tcp dpt:http to:172.21.85.11 DNAT tcp -- anywhere linus.localnet.de tcp dpt:domain to:172.21.85.11 DNAT udp -- anywhere linus.localnet.de udp dpt:domain to:172.21.85.11 DNAT tcp -- anywhere linus.localnet.de tcp dpt:smtp to:172.21.85.11 DNAT tcp -- anywhere linus.localnet.de tcp dpt:pop3 to:172.21.85.11 DNAT tcp -- 172.21.85.0/24 linus.localnet.de tcp dpt:http to:172.21.85.11:80 DNAT udp -- 172.21.85.0/24 linus.localnet.de udp dpt:http to:172.21.85.11:80 DNAT tcp -- anywhere linus.localnet.de tcp dpt:smakynet to:172.21.85.11:22 ((I did not now, what "smakynet" is)). The INPUT-Chain shows (here a part of all): ACCEPT tcp -- 172.21.85.0/24 linuso.localnet.de tcp dpt:http ACCEPT tcp -- 172.21.85.0/24 linus.localnet.de tcp dpt:http ACCEPT tcp -- 172.21.85.0/24 anywhere tcp dpt:http THe OUTPUT-Chain shows (a part too): ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere tcp dpt:http Under the POSTROUTING I get: MASQUERADE all -- 172.21.85.0/24 anywhere Which iptables command is nessacary for getting access from the intranet (172.21.85.0) to the webserver (172.21.85.11)? Many thanks in advance. Manfred Rebentisch - -- COMPARAT Software-Entwicklungs-GmbH Mobile Voice Solutions Prießstr. 16, 23558 Lübeck Tel: 0451/479 56 60 http://www.comparat.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+iJ6c385pq8Zuir4RAqcMAKCLh4sTz72LgFxT6NxQY+PbfvCNhACfWkZY V7TJBaV80T5hFIlGRQvpfTw= =hdyt -----END PGP SIGNATURE-----

2 1

vsftpd (too secure for me)
by Mario Neubert 01 Apr '03

01 Apr '03

Hello list, does anyone know, how can I show dotted(hidden) files in a ftpclient. Users on my server with vsftpd should can access files like .htaccess. Thanks in advance Mario

3 5

OT? Some moderation, behaviour on this list...
by grobe＠gmx.net 31 Mar '03

31 Mar '03

Hi! I just want to ask if there is anybody out there feeling responsible for some kind of moderation here. The point is that I have asked one of the subscribers who is sending all messages to the list with high-priority-flag to change this setting, but instead of a reply, I still get these annoying "alerts". I do not know if there is something like a moderation here, and maybe I am the only person who doesn't like to get all these mails marked as "urgent" here. For me, on a security list, only urgent mails (e.g. newly found exploits etc) are to be marked like this. And I would really like to know how you see this and how to keep this list a useful ressource of information and discussion. I really don't want to set subscribers on my filters just because of technical issues. CU, Lars. -- +++ GMX - Mail, Messaging & more http://www.gmx.net +++ Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

4 3

Re: [suse-security] SuSE Security Announcement: kernel (SuSE-SA:2003:021)
by Robert Schiele 31 Mar '03

31 Mar '03

On Mon, Mar 31, 2003 at 05:43:02PM +0200, tobiwan wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Hi Robert and List, > > one question again. In the case not having done a backup and want to ga back > to the unpatched kernel, is it sufficient to uninstall the patch via RPM and > do the mk_initrd && lilo? Just to be sure... No, you must reinstall the old one, i.e. fetch the RPM of the old one from the distribution CDs or whereever your old kernel was from and do # rpm -Uvh --oldpackage oldkernel.rpm Robert -- Robert Schiele Tel.: +49-621-181-2517 Dipl.-Wirtsch.informatiker mailto:rschiele@uni-mannheim.de

1 0