I am wondering if anyone can help me. I am trying to set up a small
limited-use wireless network (web/ftp/email only) and I am trying to
find the best way to limit unauthorized access to the Internet from the
WEP is not an option - I do not want to have to change any settings on a
client and I want more than WEP can offer.
What I would like to know is: is it possible to set up a proxy server
for web/ftp/email using SuSE 8.1 Pro (or higher) that could also issue
(expiring) usernames/passwords for many temporary users and force them
to login before allowing them access to the Internet?
Or, to put it in fewer words, I need:
- A way to keep people off the Internet unless they are allowed.
- A way to stop users from accessing services other than
- A way to block certain sites.
- An "easy" way to create temporary usernames/passwords for Internet
access and to expire them.
So, if anyone has ANY information that could help, even if it's just to
"RTFM for xyz software and go away", I would greatly appreciate it.
~From RFC 1925;
~ (3) With sufficient thrust, pigs fly just fine. However, this is
~ not necessarily a good idea. It is hard to be sure where they
~ are going to land, and it could be dangerous sitting under them
~ as they fly overhead.
I've experienced strange entries in the transfer.log of my apache 1.3.23.
This apache is protected via .htaccess files and is the only service I
provide to selected users.
The entries look like this:
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:01:29 +0100] "GET / HTTP/1.1" 401 494
18.104.22.168 - - [31/Jan/2004:00:01:30 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:09:00 +0100] "GET / HTTP/1.1" 401 494
22.214.171.124 - - [31/Jan/2004:00:09:01 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd - - [31/Jan/2004:00:17:41 +0100] "GET / HTTP/1.1" 401 494
126.96.36.199 - - [31/Jan/2004:00:17:42 +0100] "GET / HTTP/1.1" 401 494
aaa.bbb.ccc.ddd is the IP of one of my users who is just accessing the
htaccess dialog. Every request that is made is doubled from a different IP.
If the user logs in with a valid account then the "doubled" request gets a
Is this a security problem at my site? How can I prevent this without
limiting access to certain ip addresses? I'm using SuSE 8.0 with all patches
Any hint is appreciated. Thanks in advance.
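To measure the pattern described in the message above, the following added example (not part of the original post) pairs each request with an identical request from a different address inside a short window. The sample log is constructed, its addresses are documentation-range placeholders, and the 2-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the transfer.log format quoted above (placeholder addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jan/2004:00:01:29 +0100] "GET / HTTP/1.1" 401 494
198.51.100.7 - - [31/Jan/2004:00:01:30 +0100] "GET / HTTP/1.1" 401 494
192.0.2.10 - - [31/Jan/2004:00:09:00 +0100] "GET / HTTP/1.1" 401 494
198.51.100.23 - - [31/Jan/2004:00:09:01 +0100] "GET / HTTP/1.1" 401 494
203.0.113.5 - - [31/Jan/2004:00:12:00 +0100] "GET /docs/ HTTP/1.1" 401 494
192.0.2.10 - - [31/Jan/2004:00:17:41 +0100] "GET / HTTP/1.1" 401 494
198.51.100.42 - - [31/Jan/2004:00:17:42 +0100] "GET / HTTP/1.1" 401 494
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)

def parse(log_text):
    """Parse common-log-format lines; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(entry)
    return entries

def find_doubled_requests(entries, window_seconds=2):
    """Pair each request with an identical one from another IP inside the window."""
    window = timedelta(seconds=window_seconds)
    entries = sorted(entries, key=lambda e: e["time"])
    pairs = []
    for i, first in enumerate(entries):
        for second in entries[i + 1:]:
            if second["time"] - first["time"] > window:
                break  # entries are time-ordered, nothing later can match
            if second["ip"] != first["ip"] and second["request"] == first["request"]:
                pairs.append((first["ip"], second["ip"], first["request"]))
    return pairs

def followers_by_origin(pairs):
    # Group follower IPs by the client whose request they repeated.
    grouped = {}
    for origin, follower, _request in pairs:
        grouped.setdefault(origin, set()).add(follower)
    return grouped
```

Run against the real transfer.log, the grouping shows whether the follow-up requests trail a single client or every client, which narrows down where the repeats originate.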
SuSEFirewall is just an administration wrapper for iptables.
> -----Original Message-----
> From: John [mailto:firstname.lastname@example.org]
> Sent: Friday, January 30, 2004 12:49 PM
> To: suse-security(a)suse.com
> Subject: [suse-security] Is it iptables enough?
> Is iptables enough with the built-in firewall to secure an
> SL 9.0 box?
Login with htaccess works fine, but as I have root rights: how can I
establish login on an apache2 server without making use of htaccess, as
the manual refers to a more elegant method, but I guess I just don't
grasp it so far.
Further, is it possible to give certain IP addresses login rights, so
they do not have to make use of the login procedure?
At 12:54 PM 1/31/04, Evert Smit wrote:
> if you check the files below, they are owned by the apache user.
>My apache is linux:/tmp # rpm -q apache -> apache-1.3.27-82
Ever hear the joke about someone trying to get linux running as an emulator
it is the version of Linux, Perl, mod_perl, PHP, SSH, and so forth.
>-rwxrwxrwx 1 wwwrun nogroup 16798 Jan 28 07:51 webphp
I'd start by seeing what known security issues might exist for whatever
version of PHP you're running, as well as review any and all CGIs for
Somebody else may be able to tell you exactly what you're looking at.
Hi to all again, thanks for all the ideas!
What I did at the end is a mix of some things you guys said:
1.- Created a .bashrc file with a logout on the first line for all users
2.- Changed the shell to bash for all these users.
3.- chown root .bashrc
4.- chmod 555 .bashrc
And there you go!
Do you find a hole in that?
> Ben Yau wrote:
> >>-----Original Message-----
> >>From: Sven 'Darkman' Michels [mailto:email@example.com]
> >>Ben Yau wrote:
> >>>Another thing to try is put "logout" at the beginning of ~/.bash_login.
> >>>Upon ssh login it will run the .bash_login and log them out. On sftp, it
> >>>won't run ~/.bash_login so they can still sftp
> >>ssh user(a)remote.sftp.server rm .bash_login
> >Ruin my day .. go ahead :)
> >I started thinking of another solution (along the lines of alias
> >rm='logout') when I realized that a smart user could just sftp and put in
> >a new ~/.bash_profile.
> >Provided they were clever enough to figure out how you auto logged them
> Depends on what's acceptable at your place. You could give the person
> (people) a home dir that is owned by root, and all files in the home dir
> owned by root, with perms of 555 (basically a shell home, just enough to
> make whatever you need work); then you could set things up that way. It
> seems to me there should be a more elegant way, but my point is you
> should be able to make the above work. That is assuming you're allowed
> to lock it down that tight (by management).
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help(a)suse.com
> Security-related bug reports go to security(a)suse.de, not here
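The thread above turns on who owns the home directory and the startup files in it. The following added example (not part of any poster's message) audits one home directory for the conditions the replies point out; the function name, the file list beyond those named in the thread, and the treatment of group-writable as a finding are assumptions.

```python
import os
import stat

# Files bash may read at startup. The thread names .bashrc, .bash_login and
# .bash_profile; .profile is included here as an assumption.
STARTUP_FILES = (".bash_profile", ".bash_login", ".profile", ".bashrc")
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_locked_home(home, user_uid):
    """Return reasons why user_uid could undo a forced logout placed in home."""
    findings = []
    st = os.stat(home)
    if st.st_uid == user_uid:
        findings.append(f"{home}: owned by the user, who can chmod it and swap files")
    if st.st_mode & OTHERS_WRITE:
        findings.append(f"{home}: group- or world-writable, entries can be replaced")
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        try:
            fst = os.lstat(path)
        except FileNotFoundError:
            continue  # an absent file only matters if the directory is writable
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{path}: symlink, target is outside this check")
        elif fst.st_uid == user_uid:
            findings.append(f"{path}: owned by the user, who can chmod and edit it")
        elif fst.st_mode & OTHERS_WRITE:
            findings.append(f"{path}: group- or world-writable")
    return findings

if __name__ == "__main__":
    import sys
    # Usage: script.py /home/someuser 1001  (path and uid are placeholders)
    for finding in audit_locked_home(sys.argv[1], int(sys.argv[2])):
        print(finding)
```

An empty result corresponds to the layout suggested in the quoted reply: a root-owned home directory with root-owned, mode 555 contents.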
How can I confirm that I have support for the 3c509 ISA ethernet card configured in my SuSE Linux V8.2 system?
Yast2 does not recognise the card I have fitted.
Can I manually configure the card through Yast2?
I have configured the newest proftp server and when I type the "ps ax"
command I see the password and login for all the users who are logged in at the
same time. Is it a general thing or something wrong in my configuration?
It depends on how much security you need.
For more security use IDS software, application proxies and the newest patches.
From: John [mailto:firstname.lastname@example.org]
Sent: Friday, January 30, 2004 20:49
Subject: [suse-security] Is it iptables enough?
Is iptables enough with the built-in firewall to secure an SL 9.0 box?