Hi all,
here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
Parts used:
- SuSE 7.2 Professional
- SuSEfirewall2
- iptables 1.2.3
- linux kernel 2.4.13-pre5
steps:
1. install kernel sources for a kernel >> 2.4.9, running 2.4.13-
pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
http://netfilter.samba.org
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch)patch
for this here You'll want the string patch
You can also apply other patches, like the irc-conntrack patch
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
00:16:29 2001
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
16:54:45 2001
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
sh);
}
return NULL;
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build a rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
files.
a) uncomment the last line in
/etc/rc.config.d/firewall2.rc.config:
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
iptables -I input_ext -p tcp --dport http -m string \
--string $forbidden_string -m state \
--state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last supfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. reboot
16. if you try now to access (from outside, of course) one of the
nimda or codered URLS, all you get is a 'connection reset by
peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
bye
[L]
Hi
Anyone know how to stop X-windows and port 6000 from listening on SuSE
8.2 ? I've already tried changed the line ...
:0 local /usr/X11R6/bin/X :0 vt07
to
:0 local /usr/X11R6/bin/X :0 vt07 --nolisten tcp
but X-windows is still listening on port 6000. What else do I need to
change ?
Thanks
--
Richard
Howdoo all,
I've been looking at trying to secure SSH sessions so that specified users can
only browse their home diretories.
I've found a couple of bodges that can be made to do the trick, but none of
them seem particulalry ideal.
Has anyone got any suggestions on how I could secure SSH in this fashion,
whether using CHROOT or something else entirely I don't mind.
Cheers.
----~~~~==oOo==~~~~----
Duncan Carter
----~~~~==oOo==~~~~----
I think it's much more convinient to use "Password Authentication" then using
keys, but how safe is it.
Also should I use ChallengeResponseAuthentication" or not.
I use SuSE 8.2.
Thanks in advance
Bo Jacobsen
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: glibc
Announcement-ID: SuSE-SA:2003:027
Date: Monday, May 26th 2003 16:12 MET
Affected products: 7.1, 7.2, 7.3, 8.0, 8.1
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7,
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: remote system compromise
Severity (1-10): 6
SuSE default package: yes
Cross References: CAN-2003-0028
Content of this advisory:
1) security vulnerability resolved: integer overflow in XDR code
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- ethereal
- XFree4
- vnc
- bitchx
- lv
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
Another integer overflow was found in glibc' XDR code. This bug is equal
to the one described in advisory SuSE-SA:2002:031. The overflow occurs in
the function xdrmem_getbytes() and can be used by external attackers to
execute arbitrary code.
There is no temporary workaround for this security problem other than
disabling all RPC based server and client programs. The permanent
solution is to update the glibc packages with the update packages
listed below.
Notes, Special installation instructions:
* PRECAUTIONS
The shared libraries package of the glibc is the most sensitive
part of a running Linux system, and modifications to it should be
handled with special care. During the update of the shlibs/glibc
package, runtime-linking the shared libraries is likely to fail for
processes that execute a new binary with the execve(2) system call.
Therefore, we recommend to bring a system to single user mode
("init S") to perform the package update. If this is not applicable
for operational reasons, a system receiving the update should be kept
as quiet as possible (no shell scripts of any kind, no cron jobs, no
incoming email).
* After performing the update, you should run the following command
on your system:
/sbin/ldconfig
ldconfig will rebuild the runtime linker cache. If you use YOU
(Yast2 Online Update), the ldconfig command will be executed
automatically at the end of the update.
The shared libraries that were installed on the system before the
update have been removed from the filesystem, but they are still
in use by the running applications. Therefore, the disk-space as well
as the memory will not be freed until the last process that uses
these files exits. We recommend to reboot the system to workaround
this problem.
Listed below you find the URLs for the update packages for the SuSE Linux
products. We only list the packages that are relevant for the security update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i686/glibc-2.2.5-177.i686.r…
1cf549fa52427710c7dc3316fc5df4a6
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i686/glibc-2.2.5-177.i686.p…
f87601fd71edf54928104581684dae8f
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/glibc-2.2.5-177.i386.rpm
da51402d30c37dd5dc6d5444c37f4dc3
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/glibc-2.2.5-177.i386.patch.r…
0b5ea57d89c31d923cfb56cb1f951bac
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/glibc-2.2.5-177.src.rpm
6fecec2ed42fb792b6e9cb2a5602fe23
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/a1/glibc-2.2.4-78.i386.rpm
11cc1ceb173b18fc82d8500b1528663e
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/glibc-2.2.4-78.src.rpm
38527e5f75d94c016659c71028c37c52
SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/a1/glibc-2.2.2-68.i386.rpm
82f4c3ee8ba0cf3feef5e0ba7321a230
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/glibc-2.2.2-68.src.rpm
34114134cb51d706989c45306f4fdde3
SuSE-7.1:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/a1/glibc-2.2-26.i386.rpm
ffe7c422727ee98b8191facbbf40b9d7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/glibc-2.2-26.src.rpm
1c5b778ff60a82f03e412239b907671b
Sparc Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/a1/glibc-2.2.4-46.sparc.rpm
dc577491e13344411462603b6fe83d3f
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/glibc-2.2.4-46.src.rpm
0a0a5dd6ee76e6b0ef866b500d6537b2
AXP Alpha Platform:
SuSE-7.1:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/a1/glibc-2.2-34.alpha.rpm
d250c254668e02b9f23341903f2f3a5e
source rpm(s):
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/glibc-2.2-34.src.rpm
d89b4a1ff27227a085e516b48ccdb1cf
PPC Power PC Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/a1/glibc-2.2.4-69.ppc.rpm
5bf4edf432c996b3e38ef085122e1e8
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- ethereal
Several one-byte buffer overflows and integer overflows are fixed.
These bugs lead to remote denial-of-service or even remote code
execution.
New packages are available on our FTP servers.
- XFree4
A buffer overflow in the Xlib code can be triggered while handling
the environment variable XLOCALEDIR. The X version affected is 4.2.0
(SuSE Linux 8.0 and 8.1).
New packages are available on our FTP servers.
- vnc
VNC (Virtual Network Computing) uses a weak cookie generation process
which can be exploited by an attacker to bypass authentication.
New packages are available on our FTP servers.
- bitchx
Several buffer overflows got fixed that can be exploited remotely by
a malicious IRC servers.
New packages are available on our FTP servers.
- lv
lv reads config files from the current directory without verifying the
ownership. If lv is called in world-writeable directories like /tmp it
can be tricked into executing commands by putting a malicious config-
file there.
New packages are available on our FTP servers.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security(a)suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe(a)suse.com>.
suse-security-announce(a)suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe(a)suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info(a)suse.com> or
<suse-security-faq(a)suse.com> respectively.
=====================================================================
SuSE's security contact is <security(a)suse.com> or <security(a)suse.de>.
The <security(a)suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iQEVAwUBPtNwVney5gA9JdPZAQGgRwf+Jb5OmG6zuqPPAE9nf31SVOUXKY1aO+D0
eHqEM/7VbSaCQ2TAx28mYfyek1NaGudwyqDBGxyVYrrlwz0z9jkGRP/GUY4h2mBk
vff5xnlzSbvetFCnoHtR/RqXXRPvnDe3GDgeJXoPpZtRYnDb/Rw/4UOKnIyev7QP
iw8yupuYGEQt6yDHwMatSJAHOT3QOmYbsqy6N8GcQ2KwttaVWmHw8bm5eoJKrAAM
HR0YjLAu371ZO4pfV4r3Vl2HhaQ+r+/tm4VHnySqA5YdDyM1QiX1AEi5RXqD3L0U
ERYYwSc/h/jG6aqKcqAurFIdoGUqAvzevJv0quQAYRWNwbik8jzv8g==
=BUi3
-----END PGP SIGNATURE-----
Bye,
Thomas
--
Thomas Biege <thomas(a)suse.de>
SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | gpg --import"
Key fingerprint = 7254 B15D B3C4 943F 485E 0BBD 8ECC D7CB C200 A213
--
Das erste Opfer einer Schlacht ist immer der Schlachtplan.
Hi List,
Is the err below harmless? And what a way to cure it? SuSe 7.1 box
scanlogd uses obsolete (PF_INET,SOCK_PACKET)
Thanks
Antal
Kreorg Oktatóközpont
Grid International Magyarország
kreorg(a)kreorg.hu
+36-1-321-0031
Hello,
I am new to the SuSEfirewall, but have quite a bit of experience with
iptables. There are a few rules I used in iptables that I can't seem to find
equivalents for with the SuSEfirewall. Specifically the following:
-A INPUT -i eth0 -p tcp --syn -j DROP (This drops all TCP syn packets
received on eth0)
-A INPUT -i eth0 -p tcp -m state --state INVALID,NEW -j DROP (This drops any
TCP traffic received on eth0 not generated by my firewall or internal
network)
Is there any way I can accomplish the same with the SuSEfirewall? Any help
is greatly appreciated. Thanks!
Greg Jamison
Hi,
as I received once in a while bug reports/feedback et al wrt
AMaViS/samba-vscan from readers of this list (send directly to me), here's
a short announcement:
* SuSE-related issues (e.g. RPM packaging, YaST/SuSEconfig) should be
reported via http://www.suse.com/feedback
* general AMaViS issues should be send to the amavis-user mailing list
(see http://www.amavis.org); security issues should be directed to
security at amavis dot org
* general/security issues wrt samba-vscan should be send to
rainer at openantivirus dot org
Reason: today will be my last day working for SuSE. So, the new
RPM maintainer of AMaViS won't be a member of the AMaViS Core Team.
Thank you very much for your co-operation.
Last but not least I'd like to thank SuSE very much for funding my work
for three years. I really enjoyed working for one of the
best OSS/Linux company around [1] :-)
best regards,
Rainer Link
R&D, SuSE Labs
--
Rainer Link | SuSE Linux AG - The Linux Experts
link(a)suse.de | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> > -----Original Message-----
> > From: Eduard Avetisyan [mailto:dich_ed@yahoo.com]
> > Sent: Viernes, 30 de Mayo de 2003 06:34
> >
> > Dear friends,
> >
> > I followed this discussion a little bit, and here's my 2 cents:
> >
> > bash_history logs only commands one typed in bash. What if he changes to
> > tcsh or whatever else? "Whatever else" includes also graphical helpers,
> > like konqueror or nautilus that give you a lot of freedom to run or
> > modify any files, while you can't log any actions... and tty sniffer
> > won't help either.
> >
> > I agree with the statement that you don't have to let any intruder play
> > with your machine, since it may well be that he HAS already installed
> > sniffers (tty or network) and stuff like that, so any action you take
> > now will be well known to him. So better really unplug the network, shut
> > off the machine, boot from CD (if you'd like to trace back changes he
> > made to your system), and reinstall...
> >
> > Good luck,
> > Eduard
> >
> > __________________________________
> > Do you Yahoo!?
> >
> On Fri, 30 May 2003, Ricardo wrote:
>
> > It's OK that he plays with the network. I am using two net's and that
> > one he's using isn't important. This can help me to see what he is
> > trying to do, what a hacker does, etc. and more important how to act and
> > correct. So, this is just a "demo" for me. It's real, but I can see that
> > as a demo. So, if you want to help and participate (I give you all the
> > info he is doing)... Thanks again,
> >
> > Ricardo
>
> -----Original Message-----
> From: Jeff Harris [mailto:linux@rallycentral.us]
> Sent: Friday, May 30, 2003 9:34 AM
>
> IMO, it's never OK that unauthorized users "play with the network." They
> might be setting up a grand DOS that when the FBI tracks down, is
> originating with your server, and _you_ may spend time in the pokey.
>
> It would be much more beneficial to unplug the network and reinstall the
> OS and all security updates. If you really want to know how a cracker
> works, you might want to try a legally cracking into systems:
> http://www.happyhacker.org/wargame/index.shtml
>
> --
On Fri, 30 May 2003, Sturgis, Grant wrote:
> But this situation, from what Ricardo wrote, is more like a honeypot than an
> exploit.
>
If you're operating a Honeypot in the US or where other comparable laws
exist, you might still spend some time in the pokey:
http://www.securityfocus.com/printable/news/4004
(Apparently, there's some naughty text in this message. I keep getting a
"content denied" message from someone.)
- --
Registered Linux user #304026.
"lynx -source http://www.rallycentral.us/~linux/jharris.asc | gpg --import"
or "gpg --keyserver pgp.mit.edu --recv-key BD23A31E"
Key fingerprint = FB8C 3210 8DE1 78F4 6505 5918 0C34 BE94 BD23 A31E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Made with pgp4pine 1.76
iD8DBQE+15pADDS+lL0jox4RAkLIAJ9VuPdwMlB3CbIt2ANoE+9xUa57MgCdFbBU
RQMVT5GArzwmWzGKOReK7Cc=
=4YCi
-----END PGP SIGNATURE-----
Hi Ricardo,
> Hi, I am having a little problem I need to solve
> quickly. I have one intruder (long to explain now)
> which edited the passwd file and set his user with 0
> id (as root). I don't want to block him. I want to log
> all his actions, moves, commands, etc. How can I do
> that?
If he didn't disable it or uses another shell, you can
have a look at his ~/.bash_history.
Bye
Uli
--
Ulrich Roth
IMPACT Business & Technology Consulting GmbH
Im Mediapark 8 / KölnTurm
D-50670 Koeln
Phone +49-221-93 70 80-29
Fax +49-221-93 70 80-15
E-Mail: roth(a)impact.de
