Hi list,
I've been getting a ton of attempts on my ssh/ftp connections lately. First they started with the usual script kids trying admin/guest/etc. on the ssh connection; now I get people trying all sorts of stupid usernames with blank passwords on the ftp connection.
1. Is there a way to block an IP, either permanently or for a set period of time, for SSH attempts?
2. Is there a similar way for vsftpd?
I'm sure I could block the addresses manually, but I'd like it to be automated, say after 6 attempts?
Matt
SuSE 9.1
Hi folks,
maybe someone could give me a hint...
I switched from:
fetchmail->sendmail->sendmail.milter->Amavis->.forward->procmail->spamc(SpamAssassin)->INBOX
which did global virus checking and per user spam checking with Bayes testing
to
fetchmail->postfix->amavisd-new->perl-spamassassin->cyrus-imapd
which does global virus and global spam checking BUT NO PER USER spam
checking, so without Bayes testing! :-(
So the rate of unrecognised spam increased.
I fiddled around with options in /etc/mail/spamassassin/local.cf, but they
were ignored because amavisd-new calls SpamAssassin via the perl interface and takes
some SA parameters from /etc/amavisd.conf (beginning with $sa_).
I tried calling a SUIDed cyrus deliver (without SUID, deliver doesn't have the
rights: deliver[3876]: connect(/var/lib/imap/socket/lmtp) failed: Permission
denied) as user cyrus via .forward and a .procmailrc. The log said that lmtpd
was called, but depending on the syntax of deliver in the .procmailrc the
mail was delivered to the INBOX file in /var/spool/mail or just vanished!
One example for my .procmailrc (a procmail recipe takes a single action line, so the
filter and the delivery have to be two recipes):
# filter the message through spamc; -f passes it through unchanged if spamd is down
:0 fw
| /usr/bin/spamc -f

# hand the tagged message to cyrus; -e errors out if the mailbox does not exist
:0 w
| /usr/lib/cyrus/bin/deliver -e -a david -m user.david
and the .forward:
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #user"
Could someone give me a hint using sieve or procmail for a per user
SpamAssassin check?
Thanks in advance.
--
Eat, sleep and go running,
David Huecking.
Encrypted eMail welcome!
GnuPG/ PGP-Key: 0x57809216. Fingerprint:
3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
I was told that this was a resource for security questions to be answered. Could someone please help me.
thanks
Tom Fulton
Novell
San Jose, CA
> On Mon, 09 Aug 2004 22:44:42 +0000, tfulton9909(a)comcast.net wrote:
> > Hello,
> > What is the status of harden_suse in SLES 9 in light of Bastille being
> > released?
> > thanks
Hello!
I just came across http://www.metadatarisk.org/
Are comparable security risks in (invisible?) metadata also known
in OO documents?
Does anyone know anything about this?
Thanks in advance, Axel
--
Dr. A. Krebs <Axel.Krebs(a)T-Online.de>
Hi,
I've set up SuSEfirewall2 on my web server, allowing access just via http
and ssh; that was very easy with the GUI.
Now if I need to block a specific domain, let's say *.123.123.123, is there a
simple way to do it in /etc/sysconfig/SuSEfirewall2?
I was expecting something like:
FW_REJECT_IP="*.123.123.123"
but there is nothing like that in the examples provided
in /usr/share/doc/packages/SuSEfirewall2/
I guess there is a simple way to do it.
Thanks in advance.
Raphael
--
___________________________________________________________
Raphael Leplae, Ph.D.
Research Scientist
SCMBB - ULB Tel: +32 2 6505499
Blvd du Triomphe - CP 263 Fax: +32 2 6505425
1050 Brussels
Belgium
SCMBB Home Page http://www.scmbb.ulb.ac.be
ACLAME - The Prokaryotic Mobilome http://aclame.ulb.ac.be
___________________________________________________________
If one knows how, yes, it's easy. Alas, SuSE's firewall is not well
documented in that respect. Besides IPv6 problems, the firewall
itself is configured out of the box to deny nearly all network traffic,
which is not very practical for a typical Web/LAN server box, indeed.
This firewall even requires custom rules to allow unlimited access from
the internal network to external networks, such as the Internet, go figure.
Here's the only way to do it with SuSEfirewall2:
1. Open /etc/sysconfig/scripts/SuSEfirewall2-custom in a text editor
2. Seek to the section "fw_custom_before_antispoofing()"
3. Enter your custom firewall rules, e.g., to block a specific address:
iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
Philippe Wiede
Raphael Leplae wrote:
> Hi,
>
> I've set up SuSEfirewall2 on my web server, allowing access just
> via http and ssh; that was very easy with the GUI.
> Now if I need to block a specific domain, let's say *.123.123.123, is
> there a simple way to do it in /etc/sysconfig/SuSEfirewall2?
> I was expecting something like:
> FW_REJECT_IP="*.123.123.123"
> but there is nothing like that in the examples provided in
> /usr/share/doc/packages/SuSEfirewall2/
>
> I guess there is a simple way to do it.
> Thanks in advance.
>
> Raphael
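Philippe's step 3 generalised, as an added example that is not SuSEfirewall2's own code: a fw_custom_before_antispoofing() for the custom hook file that reads the sources to block from a list file (path assumed), validates each line, and drops them with a rate-limited log entry; IPTABLES can be pointed at echo to preview the rules without touching the live firewall.

```shell
#!/bin/sh
# Drop-in for /etc/sysconfig/scripts/SuSEfirewall2-custom (added example).
IPTABLES=${IPTABLES:-/usr/sbin/iptables}                         # set to "echo" for a dry run
BLOCKLIST=${BLOCKLIST:-/etc/sysconfig/scripts/blocked-sources}   # assumed path, one address or CIDR per line

# Print the usable entries of a blocklist file: comments and blank lines are
# skipped, and only dotted-quad[/prefix] lines pass, so a stray line can never
# turn into a malformed iptables argument.
parse_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Insert a LOG rule followed by a DROP rule for one source. Both use -I, so the
# DROP is inserted first and the LOG lands in front of it in the chain; the
# limit match keeps a flood from filling the log.
block_source() {
    $IPTABLES -I INPUT -s "$1" -j DROP
    $IPTABLES -I INPUT -s "$1" -m limit --limit 3/min -j LOG --log-prefix "SFW2-BLOCK "
}

# SuSEfirewall2 calls this hook before its own anti-spoofing rules.
fw_custom_before_antispoofing() {
    [ -r "$BLOCKLIST" ] || return 0
    parse_blocklist "$BLOCKLIST" | while read -r src; do
        block_source "$src"
    done
    true
}
```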
Also, if you have set up
FW_SERVICES_EXT_TCP="80"
this expressly allows all connections, and so will be a conflicting rule.
You need to take port 80 out of that string and create a trust rule in:
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesnt matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""
In other rules you can use ! to make an exception, can anyone confirm if that
will work in this rule?
--
Reader, suppose you were an idiot. And suppose you were a member of
Congress. But I repeat myself.
-- Mark Twain
One other thing: is your Apache server on the same machine?
I have had issues with blocking access before because of conflicting rules.
I had a forwarder set up to direct traffic to my web server in the DMZ, set up
a block on the firewall and found that the traffic was still being forwarded.
I then had to alter my forwarding rule to forward only from designated ranges,
so that my blocks would have effect.
What do your log files say about the accepted sessions?
--
You own a dog, but you can only feed a cat.
On Saturday 28 August 2004 05:15, Christian Boltz wrote:
> aka "symlink attack", i assume.
Yup... :o)
> > TDIR=${TMPDIR:-/tmp}/aview_$$
>
> Insecure. $$ is guessable (or, worst case: for i in `seq 2 33000 ; do
> ln -s /home/victim/Mail/inbox /tmp/aview_$i ; done - no more need to
> guess ;-)
>
> Use mktemp instead:
>
> TDIR=`mktemp -d /tmp/aview.XXXXXXXXXX` || {
> echo "unable to create temp dir" >&2;
> exit 1;
> }
I avoided using mktemp because the aalib code runs on lots of different
platforms. From what I've read, I can't be sure that mktemp is available on
all of them. So....:
> > trap clear 0
> > (umask 077 && mkdir $TDIR) || {
> > echo "Unable to create temp directory $TDIR"
> > exit 1
> > }
> > mkfifo $FIFO || {
> > echo "Unable to create FIFO $FIFO"
> > exit 1
> > }
>
> These blocks are no longer needed because mktemp already creates the
> temp dir and fifo.
...these blocks are needed! I think that's the platform-independent, secure
way to create a temporary directory, and if there's a nasty link in place it
will fail.
> > if anytopnm $1 >$FIFO 2>/dev/null ; then
>
> ^^
> Variables should be quoted: "$1"
Good point! I only worried about the symlink issues (slaps own wrists)!
> > while true; do
> > echo "0 "
> > done
>
> This is an endless loop just printing "0 " on your screen.
Yeah, weird, eh? I decided to concentrate only on the security aspects of the
script. Presumably the original author felt there was good reason to fill the screen
with 0s!
> Yours,
>
> Christian Boltz
Thanks, I've learnt more useful stuff... :o)
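The two positions in the thread combined, as an added example rather than the aalib script itself: use mktemp -d where it exists, and otherwise fall back to the mkdir-with-umask approach, whose safety rests on mkdir failing when anything (a pre-planted symlink included) already sits at the path. Names and the AVIEW_NO_MKTEMP switch are assumptions made for this example.

```shell
#!/bin/sh
# Create a private directory; fails rather than following an existing entry.
safe_mkdir() {
    (umask 077 && mkdir "$1") 2>/dev/null     # mkdir is atomic and refuses an existing path
}

# Portable secure temp dir: mktemp -d when available, else random name + safe_mkdir.
# Set AVIEW_NO_MKTEMP=1 to force the fallback (assumed knob for testing).
make_tmpdir() {
    base="${TMPDIR:-/tmp}"
    if [ -z "$AVIEW_NO_MKTEMP" ] && command -v mktemp >/dev/null 2>&1; then
        d=$(mktemp -d "$base/aview.XXXXXXXXXX" 2>/dev/null) && { printf '%s\n' "$d"; return 0; }
    fi
    i=0
    while [ "$i" -lt 100 ]; do
        # $$ alone is guessable; add random bytes so the name cannot be pre-planted
        suffix=$( (od -An -N4 -tx1 /dev/urandom 2>/dev/null || date +%s) | tr -d ' \n')
        d="$base/aview.$$.$suffix"
        if safe_mkdir "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
        i=$((i + 1))              # name was taken: try a fresh one instead of reusing it
    done
    echo "unable to create temp dir under $base" >&2
    return 1
}

# The FIFO lives inside the private dir; mkfifo also refuses an existing path.
make_fifo() {
    mkfifo -m 600 "$1/fifo" 2>/dev/null || return 1
    printf '%s\n' "$1/fifo"
}

# Typical use: TDIR=$(make_tmpdir) || exit 1; trap 'rm -rf "$TDIR"' 0; FIFO=$(make_fifo "$TDIR")
```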