openSUSE Security May 2003

security@lists.opensuse.org

146 participants
119 discussions

Log/Audit all user commands
by Ricardo Toma 28 May '03

28 May '03

Hi, I am having a little problem I need to solve quickly. I have one intruder (long to explain now) which edited the passwd file and set his user with 0 id (as root). I don't want to block him. I want to log all his actions, moves, commands, etc. How can I do that? Thanks in advance! ------------ Internet GRATIS es Yahoo! Conexión 4004-1010 desde Buenos Aires. Usuario: yahoo; contraseña: yahoo Más ciudades: http://conexion.yahoo.com.ar

3 5

AW: [suse-security] Blocking ports and services
by Jörg Brandenburg 28 May '03

28 May '03

Hello Stefan, I have a similar problem and tried the FW_TRUSTED_NETS to enable www-access to one special client. But the uSe firewall drops the packets. Do you have any idea?? Jörg -----Ursprüngliche Nachricht----- Von: Peer Stefan [mailto:stefan.peer@tiwag.at] Gesendet: Mittwoch, 28. Mai 2003 13:24 An: suse-security(a)suse.com Betreff: RE: [suse-security] Blocking ports and services[Scanned] Hi Dietmar, > From: Dietmar Stein [mailto:DStein@phoenixcontact.com] > Hi > > I am new to the list but I have gone through archives and > several internet > resources before, but I can't find a detailed answer, so I am > asking ... > > I have a machine running SLES7 (fully updated), which has > only one ethernet > interface (eth0). The machine is running SAP and Oracle and I want to > ensure that only some IP addresses can connect to SAP (which > is running on > ports 3200, 3300, 4800, 3600); all other services except ssh should be > unavailable to the local network. FW_DEV_EXT="eth0" FW_EXT_SERVICES="ssh" FW_TRUSTED_NETS="a.b.c.d/0,tcp,3200 a.b.c.d/0,tcp,3300 a.b.c.d/0,tcp,4800 a.b.c.d/0,tcp,3600" If you can find a subnet for all "allowed" ip addresses this will be very easy. E.g. FW_TRUSTED_NETS="10.100.0.0/16,tcp,80" enables HTTP-access for every ip within the 10.100.0.0 subnet. > What do I want? I want to have access to SAP/Oracle from only a few IP > addresses and all other services blocked (except ssh which should be > public). I have tried to use SuSEfirewall without success (it > won't start > if I do not specify an extrenal device and if I specify it, I > lock myself). A trick of not locking oneself out of the box is to add the ip-address to the FW_TRUSTED_NETS variable ;-) > Any suggestions? > > Thanks, Dietmar You're welcome, Stefan -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here

1 0

RE: [suse-security] Blocking ports and services
by Peer Stefan 28 May '03

28 May '03

Hi Dietmar, > From: Dietmar Stein [mailto:DStein@phoenixcontact.com] > Hi > > I am new to the list but I have gone through archives and > several internet > resources before, but I can't find a detailed answer, so I am > asking ... > > I have a machine running SLES7 (fully updated), which has > only one ethernet > interface (eth0). The machine is running SAP and Oracle and I want to > ensure that only some IP addresses can connect to SAP (which > is running on > ports 3200, 3300, 4800, 3600); all other services except ssh should be > unavailable to the local network. FW_DEV_EXT="eth0" FW_EXT_SERVICES="ssh" FW_TRUSTED_NETS="a.b.c.d/0,tcp,3200 a.b.c.d/0,tcp,3300 a.b.c.d/0,tcp,4800 a.b.c.d/0,tcp,3600" If you can find a subnet for all "allowed" ip addresses this will be very easy. E.g. FW_TRUSTED_NETS="10.100.0.0/16,tcp,80" enables HTTP-access for every ip within the 10.100.0.0 subnet. > What do I want? I want to have access to SAP/Oracle from only a few IP > addresses and all other services blocked (except ssh which should be > public). I have tried to use SuSEfirewall without success (it > won't start > if I do not specify an extrenal device and if I specify it, I > lock myself). A trick of not locking oneself out of the box is to add the ip-address to the FW_TRUSTED_NETS variable ;-) > Any suggestions? > > Thanks, Dietmar You're welcome, Stefan

1 0

Blocking ports and services
by Dietmar Stein 28 May '03

28 May '03

Hi I am new to the list but I have gone through archives and several internet resources before, but I can't find a detailed answer, so I am asking ... I have a machine running SLES7 (fully updated), which has only one ethernet interface (eth0). The machine is running SAP and Oracle and I want to ensure that only some IP addresses can connect to SAP (which is running on ports 3200, 3300, 4800, 3600); all other services except ssh should be unavailable to the local network. What do I want? I want to have access to SAP/Oracle from only a few IP addresses and all other services blocked (except ssh which should be public). I have tried to use SuSEfirewall without success (it won't start if I do not specify an extrenal device and if I specify it, I lock myself). Any suggestions? Thanks, Dietmar

1 0

how do I build iptable-protection for scanners like nmap
by Ruprecht Helms 28 May '03

28 May '03

Hi, how have I to write a iptablerule to protect my box against portscanning with tools like nmap. Regards, Ruprecht

6 10

Re: [suse-security] how do I build iptable-protection for scanners like nmap
by Azman Salleh 28 May '03

28 May '03

RE: [suse-security] how do I build iptable-protection for scanners like nmapMichael, Seems to me that ipchains equivalent to "! --syn" is "! -y", but wouldn't "iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP " drop ANY incoming connections from internet? This would even drop valid http requests, not just the stealth portscans. Thank you, Azman Salleh ----- Original Message ----- From: Paxton, Michael To: 'Azman Salleh' Sent: 28 May, 2003 11:41 AM Subject: RE: [suse-security] how do I build iptable-protection for scanners like nmap Hi Azman Basically it says: If you are not establishing a new connection (! --syn) and you are not an established connection (-m state --state NEW) drop the packet. The stateful side of things I dont think you can do with ipchains.. Michael > -----Original Message----- > From: Azman Salleh [mailto:azmansal@nti.com.my] > Sent: Wednesday, 28 May 2003 11:32 AM > To: suse-security(a)suse.com > Subject: Re: [suse-security] how do I build iptable-protection for > scanners like nmap > > > Sounds like something I can adapt into my *ipchains* rules. > But why use "!--syn -m state --state"? Anybody can explain? > > Thank you, > Azman Salleh > ----- Original Message ----- > From: "Πλαστήρας Αθανάσιος" <t.plastiras(a)gsis.gov.gr> > To: <suse-security(a)suse.com> > Sent: 27 May, 2003 1:27 PM > Subject: Re: [suse-security] how do I build > iptable-protection for scanners > like nmap > > > > > > Good Mornning... > > > > To Drop Stealth Scan like nmap you can use the following > rules in a simple > > firewall with iptables: > > > > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j > > LOG --log-prefix "Stealth scan" > > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP > > > > Thanos... > > > > > > Athanasios Plastiras > > Greece > > Athens > > > > > > > > -- > > Check the headers for your unsubscription address > > For additional commands, e-mail: suse-security-help(a)suse.com > > Security-related bug reports go to security(a)suse.de, not here > > > > > > > > > -- > Check the headers for your unsubscription address > For additional commands, e-mail: suse-security-help(a)suse.com > Security-related bug reports go to security(a)suse.de, not here >

1 0

8.2, UW IMAP-2002 and Squirrelmail - SSL...
by Niclas Arndt 27 May '03

27 May '03

This posting concerns how to connect Squirrelmail (imap only) to UW IMAP-2002 (imaps only). Please see the questions further down. I have a fully functioning installation of 8.2 Pro, Postfix, UW IMAP-2002, Apache, OpenSSL and modSSL with self-signed working certificates. All software as included on the CDs and Online Update. I have also followed the instructions given in the mailing lists and on the SuSE support database regarding SSL, certificate and UW IMAP-2002. I can access UW IMAP-2002 with a Netscape 7 mail client using SSL, so everything is set up correctly. Finally, I need webmail and guess that Squirrelmail would be a good solution. However, since UW IMAP-2002 by default is built with imaps only and Squirrelmail only supports imap, I am stuck. Various people have suggested using * UW IMAP-2001 from SuSE 8.1 (I would rather not use an older software) * Building your own IMAP-2002 with imap support (Somebody had had problems building UW IMAP-2002 himself. I have sent a request to SuSE support about them building a second version (including supporting it via Online Update) and am waiting for the reply.) * stunnel (but does it support communication in the desired direction? Isn't it intended to work in the opposite way?) * SSH session ---> Questions: ---> Suggestions/arguments about how to solve or work around this problem? ---> Do you know if stunnel would do the trick and how I would have to configure it? Regards /Niclas Arndt ================ >From: Björn Róbertsson <bjornr(a)iceland2000.com> >To: "'David Soltero-Lugo'" <david(a)cnnet.upr.edu> >CC: <R.Vickers(a)cs.rhul.ac.uk>, <bobv(a)cs.rhul.ac.uk>,<vbru(a)entu.cas.cz>, ><suse-security(a)suse.com> >Subject: RE: [suse-security] IMAP and 8.2 >Date: Sat, 17 May 2003 16:19:07 -0000 > >Just have a look at then config file in /etc/stunnel/stunnel.conf > >It has a [ ] section for imaps, uncomment and start the service, >/etc/init.d/stunnel start > >You should see a listening port on 993, netstat an |grep 993 > >And then you should be able to configure your mail client to use SSLed >imap. > > > >For maximum security you should only allow imap connections from localhost. > > > >Next is to use smtps (secure smtp) to send mail... > > > >Bjorn Robertsson > > > >-----Original Message----- >From: David Soltero-Lugo [mailto:david@cnnet.upr.edu] >Sent: 17. maí 2003 14:20 >To: Björn Róbertsson >Cc: R.Vickers(a)cs.rhul.ac.uk; bobv(a)cs.rhul.ac.uk; vbru(a)entu.cas.cz; >suse-security(a)suse.com >Subject: Re: [suse-security] IMAP and 8.2 > > > > >I tried the inet option (on xinetd) and did not work, can you provide mor >information on the stunnel option?? > >Thanks >David > >Björn Róbertsson wrote: > > > >I also discovered that my ssl'd imapd service had stopped working. I'd >created stunnel connection and I found in /etc/stunnel a config file which >allowed for a very simple configuration... > >This however requires the service stunnel started and you need to remove >the corresponding imap/pop lines from /etc/inetd.conf > >Hope to help :) > >Bjorn Robertsson > >p.s. I use cyrus so the cyrus config does not need to know imaps if you >use stunnel. > > > >Vaclav, > >Yesterday we too upgraded our mail server and discovered this change >that SuSE quietly introduced. It sounds like you have done the hard >part; to configure inetd.conf to support SSL-enabled IMAP and POP you >just need lines > imaps stream tcp nowait root /usr/sbin/tcpd imapd > pop3s stream tcp nowait root /usr/sbin/tcpd ipop3d > >I've found it very hard to find good documentation on how to set up an >IMAP service that does not use plaintext passwords. > >Bob > > >On Wed, 14 May 2003, Vaclav Brunnhofer wrote: > > > >Being prevented here in this group that the support for 7.2 would >finish in the near future (see another thread), I have purchased and >upgraded to 8.2. > >So far, almost everything is working as expected, expect for IMAP (the >same case would be POP3, if I would not use qpopper). >In the mean time, I have found information that the IMAP rpm, shipped >with 8.2 (IMAP 2002) is a major release, enabling to disable fulltext >passwords for identification. Apparently the rpm shipped with 8.2 is >compiled with this in mind. So far it is good, but I cannot find any >information, how to make it work. I have found that it is necessary to >use starttls - a ssl based authentification. > >Just I cannot find (may be I am using incorrect queries in google) how >to setup the IMAP server - I have found how to configure the clients, >how to compile IMAP for disabling authetification by plaintext >passwords, but I am missing information, how to configure inetd (or >even xinetd) to work with this imap daemon. The same applies for >ipop3, just I have installec qpopper and this works fine. > >SuSE installation support claims it is beyond the scope of >installation support. > >Does anyone know how to make the imap over startls or ssl work? >Thanks a lot > >S pozdravem > >Vaclav Brunnhofer > >======================================================== >======= >| Entomologicky ustav e-mail: vbru(a)entu.cas.cz | >| Akademie Ved Ceske Republiky tel.: 038 7775251 >| >| Branisovska 31 fax: 038 5310354 | >| 370 05 Ceske Budejovice mobil: +420 606 632822 | >======================================================== >====== > > >-- >Check the headers for your unsubscription address >For additional commands, e-mail: suse-security-help(a)suse.com >Security-related bug reports go to security(a)suse.de, not here > > > >============================================================== >Bob Vickers R.Vickers(a)cs.rhul.ac.uk >Dept of Computer Science, Royal Holloway, University of London >WWW: http://www.cs.rhul.ac.uk/home/bobv >Phone: +44 1784 443691 > > > >-- >Check the headers for your unsubscription address >For additional commands, e-mail: suse-security-help(a)suse.com >Security-related bug reports go to security(a)suse.de, not here > > > > ---------------------- > > From: Jethro Cramp <jsc_lists(a)rock-tnsc.com> Reply-To: jsc_lists(a)rock-tnsc.com To: "suse-linux-e(a)suse.com" <suse-linux-e(a)suse.com> Subject: Re: [SLE] Squirrelmail & Imap Login Error, SuSE 8.2 - Authentication Date: Mon, 19 May 2003 10:13:07 +0800 FYI, this is how I setup imap to work on SuSE8.2 so that I could log in. Firstly I added the following section to /etc/xinetd.d/imap # imaps - imap mail daemon with ssl service imaps { socket_type = stream protocol = tcp wait = no user = root server = /usr/sbin/imapd flags = IPv4 } # Then I created a new ssl certificate with: openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 365 The resulting file is called imapd.pem which I then copied to /etc/ssl/certs. And bingo authentication worked. I'm using Kmail 1.5.1 and I can't make new imap folders, but I can from Mozilla. Anyone know if this is just not yet developed in kmail yet, or we need to do some voodoo to make it work. Thanks, Jethro > _________________________________________________________________ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail

1 0

KMail - Authorization
by Istvan Hollo 27 May '03

27 May '03

Hello List, SuSE 8.2, KMmail -> Receive mails... I got an error message: "Unknown AUTHORIZATION state command". Can someone of you explain me what could be the problem? thanks, istvan

2 1

host ignores redirects
by Stelios 27 May '03

27 May '03

Hello guys I have a server running SuSE 8.1/Sendmail and squirrelmail for web access on imap mailboxes. The problem is that noone can log on successfully through the squirrelmail, i am taking the error : You must be logged in to access this page and at the same time my logs are showing the following: host 192.0.2.244/if2 ignores redirects for 155.63.247.208 to 155.219.155.161 (examples ips) Any suggestions? Thanks

2 2

question to iptables with ippp0
by Ruprecht Helms 26 May '03

26 May '03

Hi, how can I use a selfdefined iptables ruleset with ippp0. The firewallsetting must be able react by changing the ipaddress of my isdn-card after connecting with my isp and the receipt of the new ipaddress Regards, Ruprecht

3 2

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security May 2003