openSUSE Security September 2003

security@lists.opensuse.org

139 participants
124 discussions

Secure Mail Server
by João Reis 04 Oct '03

04 Oct '03

Hi to all. I would like to implement a secure Mail server. This is an internal mail server and belongs to the network behind the external firewall. I also would like to have a system which permits external users to connect to the internal mail server in order to fetch their internal mail or to send their mail througth this server (POP with SSL and SMTP). The only way i see to have external connection is to add a rule to my firewall teling it to redirect all POP and SMTP traffic to this internal server. Is there a more secure way to do this? Is it secure to implement this scheme? I think this way my internal mail is exposed to the world, but i don't see other solution to do what i pretend.... Any suggestion ? Thanks in advance, P.S : sorry about my english João Reis ==========================================================

4 3

How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?
by Elmar Marschke 02 Oct '03

02 Oct '03

Hi all, i installed a VPN with a SuSE8.2 2.4.20-4GB kernel and a freeswan_1.99_0.9.23-20 as provided by the 8.2 distribution. Everything including x509-Support is tested and working fine. Now i want to add NAT-Traversal functionality. As written in /u/s/d/p/freeswan/README.SuSE the NAT-Traversal Patches (written by Mathieu Lafon) for the *freeswan-package* are already inserted in the package provided by SuSE. But to get it running one has also to patch the *kernel* with the fswan-nat-t-kernel.diff, they write, and which is provided in the same directory. I applied the patch to my kernel-sources (Return Code=0) and recompiled the kernel: - make oldconfig (perhaps wrong?? don't know what this exactly is doing..) -i took a look in make xconfig and noticed that there were no possibilities to do configuration for IPSec, but at that moment i did'nt care - changed the Makefile's Extraversion Number.. - make dep - make clean - make bzImage - make modules - make modules_install I prepared my bootloader and did mkinitrd for that kernel. Booting with that kernel was ok, but ipsec did'nt start anymore: "ipsec_setup:modprobe: can't locate module ipsec. Kernel appears to lack KLIPS." I booted my old kernel again and according to some mails of this list i took a look into .../kernel_modules/zz_freeswan/Makefile and tried: in that directory: - make insert Result: make xconfig in /usr/src/linux did'nt work anymore. - make kmodule Result: make xconfig didn't work yet. - make klink Result: make xconfig worked again! And it had configuration-options for IPSec!! I configured this -i took all the defaults i found there, the only thing i changed was the IPSec-Stuff- and compiled another kernel exactly as described above (except that i used xconfig instead oldconfig). Every step gave a Return Code of 0. Result when booting this new kernel: "Kernel panic: unresolved symbol reiserfs.o" (which is my boot partition). Question: can anyone give me a hint about the correct way to apply this patch and get a working kernel? *Which* make -steps / targets do i have to take in .../zz_freeswan/ (e.g. what about oldmod?) and perhaps in /usr/src/linux, and **in which order**? Any help would be greatly appreciated.. thnxalot! Kind regards Elmar

1 1

Tripwire Config
by Sturgis, Grant 01 Oct '03

01 Oct '03

Greetings All, Sorry if this has been covered, I have googled a bit and haven't really come up with anything relevant. Does anyone have a working Tripwire config for a SuSE 8.1 system? The SuSE 8.1 ships with Tripwire 1.2-597. Thanks! Grant This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.

2 1

Re: [suse-security] Sendmail / SuSEfirewall2 Woes
by santri.ml＠zugernet.ch 30 Sep '03

30 Sep '03

Grant > Greetings all, > > We are configuring a sendmail relay server and are having some problems. > Sendmail was all setup and working nicely, until I came along to install > and configure SuSEfirewall2. Even with the firewall shutdown, > sendmail fails to respond to remote connections. When you stop SuSEfirewall2 the kernel modules are still loaded. You have to unload the modules or to reboot without starting SuSEfirewall2 at startup. > Actually, the banner appears, but sendmail won't respond to a helo or > any other SMTP commands. When attempted locally, this works fine. > Again, this is with the firewall shutdown (SuSEfirewall2 stop). > The same symptoms occur with the firewall loaded. Did you check the log-files (messeges/warn)? > > Any ideas on what I should be looking for? For e.g. 8.2: In '/etc/sysconfig/SuSEfirewall2': FW_SERVICES_EXT_TCP="smtp" In '/etc/sysconfig/mail': SMTPD_LISTEN_REMOTE="yes" In the '/etc/hosts.allow': sendmail: ALL : ALLOW > > TIA, > > Grant > > rgds, Sandro

1 0

Sendmail / SuSEfirewall2 Woes
by Sturgis, Grant 30 Sep '03

30 Sep '03

Greetings all, We are configuring a sendmail relay server and are having some problems. Sendmail was all setup and working nicely, until I came along to install and configure SuSEfirewall2. Even with the firewall shutdown, sendmail fails to respond to remote connections. Actually, the banner appears, but sendmail won't respond to a helo or any other SMTP commands. When attempted locally, this works fine. Again, this is with the firewall shutdown (SuSEfirewall2 stop). The same symptoms occur with the firewall loaded. Any ideas on what I should be looking for? TIA, Grant This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.

3 2

Re: [suse-security] How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?
by J J 30 Sep '03

30 Sep '03

Is your new kernel missing reiserfs.o in the /lib/modules/<kernel version>/kernel/fs/reiserfs/ directory? If not then you have probably got a faulty config. If it is there then skip this next section (skip to the ***s)... Fixing your config *** One thing that I found which helped and that might help you too. You've already patched the kernel so future compiles will give you all the Ipsec options that you need. Now you need to get a good config file to use! This is the trick I did (was also backed up by others on this mailing list on this trick)... Boot using a working kernel, like the one that came with the distribution. After booting you'll see a file called /proc/config.gz, copy that somewhere to play with, unzip it and then check the resulting file. It should be a kernel configuration file, similar to /usr/src/linux/.config - the latter is the current kernel configuration as written by make xconfig (run in /usr/src/linux/). You've guessed it! Copy the unzipped file over /usr/src/linux/.config before running make xconfig again. Then you should have a configuration that's identical to your working configuration but with any changes you choose to make. The obvious changes are to switch on Ipsec, the NAT traversal and X509 patches, you can also switch on KLIPS debugging here, which I would recommend - it doesn't run unless you set it to run anyway so it *should* be built into KLIPS by default I think! After this make a kernel as before and you should get full KLIPS with the patches and your reiserfs.o! *** If the build process did make reiserfs.o but you're still getting a kernel panic then the problem is probably in the initrd. I don't have SuSE 8.2 here so you'll have to RTFM for me! If you do man -k initrd you should find the commands that make initrd and install it, etc. Come back to the group if that doesn't help. Carl >From: Elmar Marschke <elmar.marschke(a)epost.de> >To: suse-security(a)suse.com >Subject: [suse-security] How to apply IPSec NAT-Traversal Patch to >SuSE8.2-Kernel ? >Date: Sat, 27 Sep 2003 18:15:04 +0200 > >Hi all, >i installed a VPN with a SuSE8.2 2.4.20-4GB kernel and a >freeswan_1.99_0.9.23-20 as provided by the 8.2 distribution. >Everything including x509-Support is tested and working fine. > >Now i want to add NAT-Traversal functionality. As written in >/u/s/d/p/freeswan/README.SuSE the NAT-Traversal Patches (written by >Mathieu Lafon) for the *freeswan-package* are already inserted in >the package provided by SuSE. >But to get it running one has also to patch the *kernel* with the >fswan-nat-t-kernel.diff, they write, and which is provided in the >same directory. > >I applied the patch to my kernel-sources (Return Code=0) and >recompiled the kernel: > >- make oldconfig (perhaps wrong?? don't know what this exactly is >doing..) >-i took a look in make xconfig and noticed that there were no >possibilities to do configuration for IPSec, but at that moment i >did'nt care >- changed the Makefile's Extraversion Number.. >- make dep >- make clean >- make bzImage >- make modules >- make modules_install > >I prepared my bootloader and did mkinitrd for that kernel. Booting >with that kernel was ok, but ipsec did'nt start anymore: >"ipsec_setup:modprobe: can't locate module ipsec. Kernel appears to >lack KLIPS." >I booted my old kernel again and according to some mails of this >list i took a look into .../kernel_modules/zz_freeswan/Makefile and >tried: >in that directory: >- make insert >Result: make xconfig in /usr/src/linux did'nt work anymore. >- make kmodule >Result: make xconfig didn't work yet. >- make klink >Result: make xconfig worked again! And it had configuration-options >for IPSec!! I configured this -i took all the defaults i found >there, the only thing i changed was the IPSec-Stuff- and compiled >another kernel exactly as described above (except that i used >xconfig instead oldconfig). Every step gave a Return Code of 0. >Result when booting this new kernel: >"Kernel panic: unresolved symbol reiserfs.o" (which is my boot >partition). > >Question: >can anyone give me a hint about the correct way to apply this patch >and get a working kernel? >*Which* make -steps / targets do i have to take in .../zz_freeswan/ >(e.g. what about oldmod?) and perhaps in /usr/src/linux, and **in >which order**? >Any help would be greatly appreciated.. thnxalot! >Kind regards >Elmar > > > > > >-- >Check the headers for your unsubscription address >For additional commands, e-mail: suse-security-help(a)suse.com >Security-related bug reports go to security(a)suse.de, not here > _________________________________________________________________ It's fast, it's easy and it's free. Get MSN Messenger today! http://www.msn.co.uk/messenger

1 0

Re: Re: Re: [suse-security] Dial timeout on isdn router with ip-tables logging
by BLeonhardt＠analytek.de 30 Sep '03

30 Sep '03

Yes, that's it. I don't know why... all possible outgoing traffic has been blocked ( for testing ) but he will not hangup... :-( bruno Keith Roberts <keith(a)topaz5.worldonline.co.uk> schrieb am 30.09.2003 15:48:57: > > > > On Tue, 30 Sep 2003 BLeonhardt(a)analytek.de wrote: > > > > > > > > > > > Hi, > > > > > What are you trying to do before timeout is reached? > > -> just surfing > > > > > What happens before timeout is reached? > > -> some icmp messages from outside and some other requests (i.e. worms, etc.) > > > > > What are you trying to do after timeout is reached? > > -> nothing / just doing some other works and if he hang up he won't dial > until I request it ( so my local blocking rules are working correctly.. i.e. > netbios, multicast messages, etc. ) > > > > > What is hapening when timeout is reached? > > -> nothing - the isdn-int. won't hangup // I saw some icmp messages ( type 8 > code 0 // just a ping I think ) and other stuff from worms, etc. > > Is this the problem then - Your ISDN connection not going > down after a certain amount of inactivity on the ISDN > line? > > Regards - Keith > > > > > > > > > >

1 0

Antw: [suse-security] How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?
by Andreas Thierer 30 Sep '03

30 Sep '03

Hi Elmar, I also needed NAT-Traversal with FreeSWAN. First i wanted to apply the NAT-Traversal-Patch, like you, but then i saw, that the X.509-Patch has also an NAT-Traversal- functionality. This X.509-Patch is applied to the FreeSWAN- paket shipped with SuSE 8.2. See http://www.freeswan.ca/patches/www.strongsec.com/freeswan/install.htm#secti… Best regards Andy >>> Elmar Marschke <elmar.marschke(a)epost.de> 27.09.2003 18:15:04 >>> Hi all, i installed a VPN with a SuSE8.2 2.4.20-4GB kernel and a freeswan_1.99_0.9.23-20 as provided by the 8.2 distribution. Everything including x509-Support is tested and working fine. Now i want to add NAT-Traversal functionality. As written in /u/s/d/p/freeswan/README.SuSE the NAT-Traversal Patches (written by Mathieu Lafon) for the *freeswan-package* are already inserted in the package provided by SuSE. But to get it running one has also to patch the *kernel* with the fswan-nat-t-kernel.diff, they write, and which is provided in the same directory. I applied the patch to my kernel-sources (Return Code=0) and recompiled the kernel: - make oldconfig (perhaps wrong?? don't know what this exactly is doing..) -i took a look in make xconfig and noticed that there were no possibilities to do configuration for IPSec, but at that moment i did'nt care - changed the Makefile's Extraversion Number.. - make dep - make clean - make bzImage - make modules - make modules_install I prepared my bootloader and did mkinitrd for that kernel. Booting with that kernel was ok, but ipsec did'nt start anymore: "ipsec_setup:modprobe: can't locate module ipsec. Kernel appears to lack KLIPS." I booted my old kernel again and according to some mails of this list i took a look into .../kernel_modules/zz_freeswan/Makefile and tried: in that directory: - make insert Result: make xconfig in /usr/src/linux did'nt work anymore. - make kmodule Result: make xconfig didn't work yet. - make klink Result: make xconfig worked again! And it had configuration-options for IPSec!! I configured this -i took all the defaults i found there, the only thing i changed was the IPSec-Stuff- and compiled another kernel exactly as described above (except that i used xconfig instead oldconfig). Every step gave a Return Code of 0. Result when booting this new kernel: "Kernel panic: unresolved symbol reiserfs.o" (which is my boot partition). Question: can anyone give me a hint about the correct way to apply this patch and get a working kernel? *Which* make -steps / targets do i have to take in .../zz_freeswan/ (e.g. what about oldmod?) and perhaps in /usr/src/linux, and **in which order**? Any help would be greatly appreciated.. thnxalot! Kind regards Elmar

1 0

Re: Re: [suse-security] Dial timeout on isdn router with ip-tables logging
by BLeonhardt＠analytek.de 30 Sep '03

30 Sep '03

Hi, > What are you trying to do before timeout is reached? -> just surfing > What happens before timeout is reached? -> some icmp messages from outside and some other requests (i.e. worms, etc.) > What are you trying to do after timeout is reached? -> nothing / just doing some other works and if he hang up he won't dial until I request it ( so my local blocking rules are working correctly.. i.e. netbios, multicast messages, etc. ) > What is hapening when timeout is reached? -> nothing - the isdn-int. won't hangup // I saw some icmp messages ( type 8 code 0 // just a ping I think ) and other stuff from worms, etc. bruno Keith Roberts <keith(a)topaz5.worldonline.co.uk> schrieb am 30.09.2003 12:27:39: > > > On Tue, 30 Sep 2003 BLeonhardt(a)analytek.de wrote: > > > > > > > > > > > Hi, > > > > I'm running a self-made linux-isdn-router at home and wondering that the > idle timeout isn't working correctly. I see several inbound connections ( in > the fw-log ) which will be dropped after logging. now, usually the idel- > timeout will wait for 300 secon > ds until no traffic was gone through the isdn-interface. > > > > I am logging Portscans, etc. on the isdn-interface - could this be the > reason why the idle timeout won't work correctly ? I didn't try to not log > incoming syn's on the isdn-interface ( it's very important for me to see - who > wants to come in .. ). > > > > What should / could I else do to prevent that the timeout won't be reached ? > > > What are you trying to do before timeout is reached? > > What happens before timeout is reached? > > > What are you trying to do after timeout is reached? > > What is hapening when timeout is reached? > > Kind Regards - Keith Roberts > > > > > > > > > > > > yours, > > bruno > > > > > > -- > > Check the headers for your unsubscription address > > For additional commands, e-mail: suse-security-help(a)suse.com > > Security-related bug reports go to security(a)suse.de, not here > > > > >

1 0

Dial timeout on isdn router with ip-tables logging
by BLeonhardt＠analytek.de 30 Sep '03

30 Sep '03

Hi, I'm running a self-made linux-isdn-router at home and wondering that the idle timeout isn't working correctly. I see several inbound connections ( in the fw-log ) which will be dropped after logging. now, usually the idel-timeout will wait for 300 seconds until no traffic was gone through the isdn-interface. I am logging Portscans, etc. on the isdn-interface - could this be the reason why the idle timeout won't work correctly ? I didn't try to not log incoming syn's on the isdn-interface ( it's very important for me to see - who wants to come in .. ). What should / could I else do to prevent that the timeout won't be reached ? yours, bruno

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security September 2003