openSUSE Security May 2003

security@lists.opensuse.org

146 participants
119 discussions

AW: [suse-security] chkrootkit and consorts
by Ulrich Roth 05 May '03

05 May '03

Hi Andreas, > 3 - which of the tools should i have running deamonized? I ran rkdet daemonized. > 4 - which files should i protect/have watched by rkdet? I added /usr/bin/lsof, /sbin/lsmod and /bin/df to xstrings.txt. > 5 - what do you think of the idea of creating and regularly running a > customized shellscript that would unzip the tools plus a > set of trusted binaries and then uses these instead of the > always-installed ones? But that would mean i had to make special > setups/'make install's, wouldn't it? and it wouldn't work with resident > tools (rkdet) at all, right? I do this with tripwire. I compiled and installed it on the machines to be checked as if it was a permanent installation. And now I copy the executable, the config files and the database every night to the machines to be checked, do the check and then delete the files again. Bye Uli -- Ulrich Roth IMPACT Business & Technology Consulting GmbH Im Mediapark 8 / KölnTurm D-50670 Koeln Phone +49-221-93 70 80-29 Fax +49-221-93 70 80-15 E-Mail: roth(a)impact.de

1 0

Looking for a tool (Diese Mail wurde auf Viren gepr?ft.)
by dhoffmann＠obg-bau.de 05 May '03

05 May '03

Hi folks, Problem: In our company we have a pool of online resources which are protected via basic http-auth, some of them use https. Our employees should be able to use these urls without knowing the credentials. Our internet gateway is running SuSE 8.0. My idea is to install or script something on this box which is called with the desired link and then does the authentication transparently to the user. Does anyone know about some kind of software to handle this? -- Denis Hoffmann IT OBG Bau GmbH & Co.KG Illinger Straße 150 66564 Ottweiler Tel.: 06824 3000 351 Fax: 06824 3000 500 http://www.obg-bau.de/

4 5

chkrootkit and consorts
by Andreas Wagner 05 May '03

05 May '03

Hi list, i have downloaded chkrootkit, check_ps and rkdet, but i have a hard time in figuring out how (best) to use them. As far as you don't see your own security compromised, i'd like to know some of your thoughts or configurations of these tools... 1 - are any of the tools redundant and can be dropped (i think i understood that the functionality of check_ps is provided by chkrootkit as well which does even more...)? 2 - is any anti-rootkit tool missing (not speaking of tripwire etc.)? 3 - which of the tools should i have running deamonized? 4 - which files should i protect/have watched by rkdet? 5 - what do you think of the idea of creating and regularly running a customized shellscript that would unzip the tools plus a set of trusted binaries and then uses these instead of the always-installed ones? But that would mean i had to make special setups/'make install's, wouldn't it? and it wouldn't work with resident tools (rkdet) at all, right? and so on, i could go on asking for hours, but i'll appreciate just about any help. TIA, Andreas -- To know recursion, you must first know recursion. -- My Public PGP Keys: 1024 Bit DH/DSS: 0x869F81BA 768 Bit RSA: 0x1AD97BA5

3 4

iptables config
by Grutsch, Gerhard 03 May '03

03 May '03

Hi, i have got : network A with ip adress room 192.168.x.x (this side also connects to the internet) network B with ip adress room 10.x.x.x (my internal LAN) and a router with is a Linux box to connect the 2 lans via routing. So far so good, the traffic is running between the 2 networks, since i configures the routes on both networks. ------------| |------------ | | LAN A |-----------------------ROUTER---------------| LAN B | | ------------- -------------- My problem is though, i have no restrictions! I know the first few commands like : iptables -P FORWARD DROP, but i want to regulate, that WKS_A from LAN_A can communicate with WKS_1 from LAN_B but not with WKS_2 from LAN_B. Or that WKS_1 on LAN_A is allowed to use SSH ánd nothing else, but WKS_2 on LAN_A can use all tcp/ip services....... Thanx a lot in advance Gerhard Grutsch Support services Tel : 089/55878-151 Mobile : 0172-8391368 E-mail : ggrutsch(a)statestreet.com

4 3

eSignal
by Gooly 03 May '03

03 May '03

This weekend I have to (want to) install eSignal-Software on Windows behind a Linux Firewall. It will collect data (real-time exchange-quotes) from different servers: "The communications between the client and server use both the "query-response" type and active/streaming technology (TCP). " First question, does anybody on this list has allreday experience with this (copy and paste some settings of firewall and/or squid?). The second question-part is about the power that has to have the firewall-pc (right now a little bit old) if squid is installed. - Does squid consume a lot 'power' memory and diskspace, what would be a recommandation? There is no need to save the data on the firewall for another pc. - The real-time data shold be handed to the program as soon as possible, of course. Now some questions about things I haven't heared so far. "You may use a proxy server if it is SOCKS v4, v4.3A or v5 compliant." Is that ok with Squid? This is a special note form the eSignal-site - what does this mean? How can I make the firewall/squid to 'toggle' between IP- and user-Identification? - Please note: eSignal applications do not support authentication queries from - the firewall/proxy server. It is strongly recommended that you use IP - authentication instead of user authentication; otherwise, the eSignal - application program on the client machine will not be able to access its - Internet servers. Thanks to all in advance, Carl

4 3

Just a problem with 'Online-Update'
by Christof Schmitt 02 May '03

02 May '03

Hi list, i am sorry, if i am wrong and it isn't a security question at all. But maybe i made a mistake while i was trying to update my SuSE 8.0 System by Yast and 'Online Update'. I tried 'auto update' and 'manual update' with different ftp-Servers: Patch-Descriptions were downloaded to 100%, but the next step: installation brake down (after yast-module-autoinst-833 is not downable -> installation). At least Online Update shows a list of 63 recommended patches and 95 security patches, but i can't get them. What did i do wrong? regards, Christof Schmitt

2 1

Can't make losetup mount a crypto file to the loopback device (SuSE 8.2)
by Bo Jacobsen 01 May '03

01 May '03

I'm trying to mount a file to the loopback device but the losetup command complains about it. I'm using the command line: losetup -e twofish /dev/loop0 /root/testfile losetup asks for a password but returns: ioctl: LOOP_SET_STATUS: invalid argument when one is entered "losetup -e none" works I have tried with the standard kernel in SuSE 8.2 but also kernel 2.4.20-13 with both "loopback device support" and "Twofish encryption for loopback device" compiled into the kernel. Any suggestions. Thanks in advance Bo Jacobsen

3 4

Snort
by Richard Ibbotson 01 May '03

01 May '03

Hi Would anyone at SuSE or anyone else like to make a comment about the following on the Snort home pages ... http://www.snort.org/ .... news page Snort Advisory: Integer Overflow in Stream4 Brian @ Wed Apr 16 14:52:33 EDT 2003 Affected Versions: # All versions of the following products are affected: Snort 1.8 through 1.9.1 # Snort CVS - current branch up to version 2.0.0 beta I notice that SuSE 8.2 uses Snort Version 1.9.1 (Build 231) By Martin Roesch (roesch(a)sourcefire.com, www.snort.org). Will there be an update soon or is the SuSE version of Snort not vulnerable to this bug ? Thanks -- Richard www.sheflug.co.uk

2 2

updatedb@locate
by Sourian 01 May '03

01 May '03

I understand. Why is it no longer installed by default? Is it replaced by something else? If I need to search for a command, how can I do it? Best regards, Sourian

4 3

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security May 2003