openSUSE Security January 2004

security@lists.opensuse.org

185 participants
161 discussions

Securing internet access from a WiFi network via login
by J. Theriault 19 Feb '04

19 Feb '04

I am wondering if anyone can help me, I am trying to setup a small limited-use wireless network (web/ftp/email only) and I am trying to find the best way to limit unauthorized access to the Internet from the wireless network. WEP is not an option - I do not want to have to change any settings on a client and I want more than WEP can offer. What I would like to know is; is it possible to set up a proxy server for web/ftp/email using SuSE 8.1 Pro (or higher) that could also issue (expiring) usernames/passwords for many temporary users and force them to login before allowing them access to the Internet? Or, to put it in less words, I need: - A way to keep people off the Internet unless they are allowed. - A way to stop users from accessing services other than http/ftp/imap/pop/smtp. - A way to block certain sites. - An "easy" way to create temporary usernames/passwords for Internet access and to expire them. So, if anyone has ANY information that could help, even if it's just to "RTFM for xyz software and go away", I would greatly appreciate it. Thanks, J. Theriault administrator(a)raven-computer.de -- ~From RFC 1925; ~ (3) With sufficient thrust, pigs fly just fine. However, this is ~ not necessarily a good idea. It is hard to be sure where they ~ are going to land, and it could be dangerous sitting under them ~ as they fly overhead.

3 2

Identical http request in log file
by Andreas Jägermann 03 Feb '04

03 Feb '04

Hi list, I've experienced strange entries in the transfer.log of my apache 1.3.23. This apache is protected via .htaccess files and is the only service I provide to selected users. The entries look like this: aaa.bbb.ccc.ddd - - [31/Jan/2004:00:01:29 +0100] "GET / HTTP/1.1" 401 494 65.166.64.132 - - [31/Jan/2004:00:01:30 +0100] "GET / HTTP/1.1" 401 494 aaa.bbb.ccc.ddd - - [31/Jan/2004:00:09:00 +0100] "GET / HTTP/1.1" 401 494 217.169.46.98 - - [31/Jan/2004:00:09:01 +0100] "GET / HTTP/1.1" 401 494 aaa.bbb.ccc.ddd - - [31/Jan/2004:00:17:41 +0100] "GET / HTTP/1.1" 401 494 65.245.128.68 - - [31/Jan/2004:00:17:42 +0100] "GET / HTTP/1.1" 401 494 aaa.bbb.ccc.ddd is the ip of one of my users who is just accessing the htaccess-dialog. Every request that is made, is doubled from a different ip. If the user logs in with a valid account then the "doubled" request gets a 401. Is this a security problem at my site? How can I prevent this without limiting access to certain ip addresses? I'm using SuSE 8.0 with all patches applied. Any hint is appreciated. Thanks in advance. Regards, Andreas

4 7

RE: [suse-security] Is it iptables enough?
by Sturgis, Grant 03 Feb '04

03 Feb '04

SuSEFirewall is just an administration wrapper for iptables. > -----Original Message----- > From: John [mailto:isofroni@cc.uoi.gr] > Sent: Friday, January 30, 2004 12:49 PM > To: suse-security(a)suse.com > Subject: [suse-security] Is it iptables enough? > > > Is it iptables enough with the built-in firewall to secure a > SL 9.0 box? > This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.

8 9

apache2 login question
by piet 31 Jan '04

31 Jan '04

login with htaccess works fine, but as I have root rights: how can I establish login on a apache2 server without making use of htaccess, as the manual refers to a more elegant method, but, I guess I just don't grasp it sofar. further, is it possible to give certain ip-addresses login rights, so they donnot have to make use of login procedure? regards, piet

2 1

Re: [suse-security] Apache Hole?
by m3047＠inwa.net 31 Jan '04

31 Jan '04

At 12:54 PM 1/31/04, Evert Smit wrote: > if you check the files below, they are owned by the apache user. > >My apache is linux:/tmp # rpm -q apache -> apache-1.3.27-82 Ever hear the joke about someone trying to get linux running as an emulator under JavaScript? Sorry, a bit of a reach. But "Apache" is not just apache: it is the version of Linux, Perl, mod_perl, PHP, SSH, and so forth. >[...] >-rwxrwxrwx 1 wwwrun nogroup 16798 Jan 28 07:51 webphp ^^^^^^ I'd start by seeing what known security issues might exist for whatever version of PHP you're running, as well as review any and all CGIs for unsafe behavior. Somebody else may be able to tell you exactly what you're looking at. -- Fred Morris fredm3047(a)inwa.net (I-ACK)

1 0

Fw: [suse-security] sftp with no ssh login
by Manuel Balderrábano 31 Jan '04

31 Jan '04

Hi to all again, thanks for all the ideas! What I did at the end is a mix of some things you guys said: 1.- created a .bashrc fila with a logout on the first line for all users (Just one) 2.- Change shell to bash for all this users. 3.- chown root .bashrc 4.- chmod 555 .bashrc And there you go! Do you find a hole on that? Regards. > Ben Yau wrote: > > >>-----Original Message----- > >>From: Sven 'Darkman' Michels [mailto:sven@darkman.de] > >> > >>Ben Yau wrote: > >> > >> > >>>Another thing to try is put "logout" at the beginning of ~/.bash_login. > >>>Upon ssh login it will run the .bash_login and log them out. > >>> > >>> > >>On sftp, it > >> > >> > >>>won't run ~/.bash_login so they can still sftp > >>> > >>> > >>ssh user(a)remote.sftp.server rm .bash_login > >> > >>;) > >> > >> > > > >Ruin my day .. go ahead :) > > > >I started thinking of another solution (along the lines of alias > >rm='logout') when I realized that a smart user could just sftp and put in a > >new ~/.bash_profile. > > > >Provided they were clever enough to figure out how you auto logged them out. > >... > > > > > > Depends on what's acceptable at your place. You could give the person > (people) a home dir that is owned by root, and all files in the home dir > owned by root, with perms of 555 (basically a shell home, just enough to > make whatever you need work); then you could set things up that way. It > seems to me there should be a more elegant way, but my point is you > should be able to make the above work. That is assuming you're allowed > to lock it down that tight (by management). > > HTH, > Kevin > > > -- > Check the headers for your unsubscription address > For additional commands, e-mail: suse-security-help(a)suse.com > Security-related bug reports go to security(a)suse.de, not here >

8 7

3C509 Ethernet Adaptor Support
by Philip B Cook 31 Jan '04

31 Jan '04

How can I confirm that I have support for 3c509 ISA ethernet card configured in my SuSE Linux V8.2 system. Yast2 does not recognise the card I have fitted. Can I manually configure the card ? through Yast2. Thanks .. Philip

4 4

Proftp
by Tom Fazakas 30 Jan '04

30 Jan '04

Hi, I have configured the newest proftp server and when I type the "ps ax" command I see the password and login for all the user who has login in the same time. Is it a general thing or something wrong in my configuration? Thx, Tom

2 2

AW: [suse-security] Is it iptables enough?
by Rasp, Robert 30 Jan '04

30 Jan '04

It depends on how much security you need. For more security use a IDS-Software, Aplication-Proxys and the newest patches. -----Ursprungliche Nachricht----- Von: John [mailto:isofroni@cc.uoi.gr] Gesendet: Freitag, 30. Januar 2004 20:49 An: suse-security(a)suse.com Betreff: [suse-security] Is it iptables enough? Is it iptables enough with the built-in firewall to secure a SL 9.0 box?

1 0

Is it iptables enough?
by John 30 Jan '04

30 Jan '04

Is it iptables enough with the built-in firewall to secure a SL 9.0 box?

1 0

Jump to page:

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security January 2004