here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
- SuSE 7.2 Professional
- iptables 1.2.3
- linux kernel 2.4.13-pre5
1. install kernel sources for a kernel >> 2.4.9, running 2.4.13-
pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch)patch
for this here You'll want the string patch
You can also apply other patches, like the irc-conntrack patch
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build a rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
a) uncomment the last line in
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
iptables -I input_ext -p tcp --dport http -m string \
--string $forbidden_string -m state \
--state ESTABLISHED -j REJECT --reject-with tcp-reset
put that in the last supfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
16. if you try now to access (from outside, of course) one of the
nimda or codered URLS, all you get is a 'connection reset by
peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
-----BEGIN PGP SIGNED MESSAGE-----
Has anyone implemented LSM into a SuSE box as of yet? I tried a quick text
search through the last 6 months or so of the list archive, but found no
instance of this topic.
I am particularly interested in utilizing the SELinux module. Possibly LIDS as
Linux-Howtos Network Administrator
OpenGPG Key: 0x6A3DF6E9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
-----END PGP SIGNATURE-----
I've got some machines running as NIS clients very fine. Files like hosts,
networks, auto.master, ... are used by all these machines. The passwd-file is
also allocated by NIS and I can change the passwd by yppasswd an some
minutes later I have the new password on all other machines. Everything is fine,
but there is one thing I cannot change and maybe it's just a small entry in one
The NIS server should be a NIS client at the same time so that I can logon
to my NIS server by using the same password as I use for the NIS clients. I
configured all files in the same way as I configured the other client machines
but when I log on the server I have to give the password I gave the server
when I installed the linux system. Using passwd (or yppasswd) on the server
will change the NIS password so that I have to login on every nis client with
the new apssword except the server/client. I don't see any possibility to
change this password (or to login to server using the same password I am using for
One more thing attract my attention: In the nsswitch.conf file the order to
lookup for the passwd is 'nis files'. I can login my server by using the
'local' passwd (not the nis passwd). If I delete the 'files' entry, so that all
passwds should be talken from nis it makes no differences. But, I am not able
to change to root any longer (whcih seems to be normal).
Maybe someone can help me ? Or do you have a good link to get a solution for
Here are some of my configurations:
Using SuSE 8.2 on alle machines.
The 'domainname' is the same on all machines.
/etc/nsswitch.conf (on all machines):
passwd: nis files
shadow: nis files
group: nis files
hosts: nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
yp.conf contains the IP of the server or 127.0.0.1 (on all machines)
/var/yp/securenets allows access for
/etc/passwd contains no 'normal users'. The last line is +:::::: (same for
/etc/nis/passwd contains all 'normal users' and /var/yp/Makefile includes
/etc/nis for passwd, shadow and groups.
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
I have a issue concerning the usage of an ssh keypair.
With that keypair it should only be possible to:
1.) scp, if possible restrict it to a specifiy directory
2.) ssh -R ...
Any ideas how to do that?
thanks / greets
GiS - Gesellschaft fuer integrierte Systemplanung mbH
Michael Scherer mscherer(a)gis-systemhaus.de Tel: 06201-503-74
Junkersstr.2 69469 Weinheim Fax: 06201-503-66
It's a book about a Spanish guy called Manual, you should read it.
I should have been clearer.
I want subnet-to-subnet.
It doesn't work on a ping between machines in the subnets, so I am
Uli Wurst wrote:
>Von: John Lederer [mailto:email@example.com]
>Gesendet: Sonntag, 29. Juni 2003 19:52
>Betreff: [suse-security] IPSEC plus SuSEFfrewall2
>>I am struggling to get a vpn working between two Suse 8.2 boxes.
>> leftrsasigkey=[keyid AQOyimW2p]
>> rightsubnet=10.1.0.0/255.255.0.0 #
>> rightid=(a)stpeter.ipsec.con #
>> rightrsasigkey=[sums to 7873...]
>IIRC this will only create a tunnel between the networks, NOT between your
>two IPSEC-Gateways. Try to ping between two machines within the right- and
>leftsubnet and it should work. If you want tunneled communication beween the
>two gateway-machines you will have to add a section
> leftrsasigkey=[keyid AQOyimW2p]
> rightsubnet=10.1.0.0/255.255.0.0 #
> rightid=(a)stpeter.ipsec.con #
> rightrsasigkey=[sums to 7873...]
>on both ends of the tunnel (the "leftsubnet" on the left gateway's side has
>been left out, so this would be from golum's ipsec.conf). On stpeter's side
>you have to delete the rightsubnet line.
Hi it's possible to do this.
1. Use DynDNS for the nameresolution with dynamic addresses.
2. You need a script (perl could be a good choice) to crate a dynamic
ipsec.conf. You should ping the name of the other side of the tunnel and cut
the received ip address. You can then rewrite the ipsec.conf file and reload
the freeswan daemon.
I tried it once and it works. I used a cronjob to check if the tunnel is up
and running and to rewrite the config-file.
Mit freundlichen Grüßen / Best regards
ZEDA GmbH & Co. KG , Dept. ZDT
D - 42270 Wuppertal
Tel.: +49 202 564-1175
Fax : +49 202 564-1384
Email: jens.neumann(a)zeda.de <mailto:firstname.lastname@example.org>
Von: Backhausen, Sven [SMTP:email@example.com]
Gesendet am: Montag, 30. Juni 2003 09:16
An: SuSE-Security ML
Betreff: Re: [suse-security] Need hints for FreeSwan
we are running a lan-to-lan vpn with freeswan and dynamic ip
both sides. it works, but you have to restart the tunnels on both
if one end goes down. We are using a small script run by cron on
gateways which is pinging into the remote lan to see if the tunnel
still existing and taking action if not.
Am Fre, 2003-06-27 um 23.30 schrieb Andreas Fießer:
> Hi list,
> I'd like to connect a remote Win2K box to a internal LAN which has
> a dynamic IP via DSL.
> I allready have dyndns.org domain, that gets updated on DSL
> Now I glimpsed at free-swan's documentation and - as far as I
> - the setup-guide says I needed fixed IPs und update the DNS with
> info and so on.
> So it is not possible for me to use it ?
> I currently have:
> - SuSE 8.2 and the provided freeswan 1.99 on the gateway
> - Win2K SP4 on the outside boxes
> Later there should be 2 Linux gateways connecting 2 LANs but still
> dynamic IPs.
> Is there someone who could point me to a HowTo or at least verify
> what I'd like to do is possible with free-swan ?
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help(a)suse.com
> Security-related bug reports go to security(a)suse.de, not here
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help(a)suse.com
Security-related bug reports go to security(a)suse.de, not here
I'd like to connect a remote Win2K box to a internal LAN which has only
a dynamic IP via DSL.
I allready have dyndns.org domain, that gets updated on DSL login.
Now I glimpsed at free-swan's documentation and - as far as I understand
- the setup-guide says I needed fixed IPs und update the DNS with key
info and so on.
So it is not possible for me to use it ?
I currently have:
- SuSE 8.2 and the provided freeswan 1.99 on the gateway
- Win2K SP4 on the outside boxes
Later there should be 2 Linux gateways connecting 2 LANs but still
Is there someone who could point me to a HowTo or at least verify that
what I'd like to do is possible with free-swan ?
I am struggling to get a vpn working between two Suse 8.2 boxes.
This is a ipsec-vpn between two subnets. Both gateway servers (stpeter
and golum)are Suse 8.2, ipsec version is 1.99.
here is a simple sketch of the setup:
I do not want to use certificates for now. I seem to be getting a
tunnel established with little trouble. My on;ly problem is that no
packets use it <g>.
With all the ipsec shut down, I can ping from 10.1.1.236 to
192.168.204.30 and vice versa.
With ipsec up, a ping from either end shows nothing.
The Susefirewall2 doesn't seem to show any dropped packets at either end.
Ifconfig shows no packets received by ipsec0, but with the firewall
tagged to show accepted packets , I show packets being delivered to ipsec0.
So my suspicion has been routing. It looks like something happens
between ethx sending the packets to the ipsec enabled interface and that
interface receiving them. Tcpdump is not very illuminating -- it shows
packets going out of the internal interface to ispec0, but nothing being
received at the the external ethernet interface or the ipsec interface.
I am mystified and confused. I have sort of run out of places to look.
I ran "ipsec barf" on both gateways.
To save bandwidth I uploaded stpeter's barf to:
and golum's to
I would appreciate any help at all. I likely am missing something obvious.
i encounter the followinf problem since i updated from suse 8.0 to suse 8.2
on my mailserver.
I used pop3 with ssl with the qpopper on a SuSE 8.0 with the following
entry in /etc/inetd.conf:
pop3s stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sslwrap
-cert /usr/ssl/certs/mymailserver.pem -port 110
I created a key/certificate with the following command:
openssl req -new -x509 -days 365 -nodes -out
/usr/ssl/certs/mymailserver.pem -keyout /usr/ssl/certs/mymailserver.pem
Then i started Eudora (my mailclient) and set it to use an alternate port
for SLL. It the told me the certificate is not trusted. I imported the
certificate to the trusted certificates and checked mail again. Now
anything worked fine.
This worked fine for nearly half a year. So no problems with this!
Now i updated the mailserver to SuSE 8.2 and i encounter the following:
1. I can still connect to the machine.
2. My certificate is still valid and trusted.
3. I can not download any mail - even if my /var/spool/mail/user mailbox
has some mails in it.
4. I can connect to port 110 (without SSL) and can download the mail. (So
popper is still working fine)
5. The message log displays entries with SSL connections and POP3
connections (from localhost) just as allways.
and now for the problem:
6. the /var/log/mail.warn displays the following:
popper: Possible probe of account info from host 127.0.0.1
This seems to be a result from a connection that just send the username and
the issues a QUIT command.
Why does my connection via port 110 work fine but via the SSL wrapper not?
(And why did it work before the update?)
Thanks in advance
- rossi -