August 2004 - openSUSE Security - openSUSE Mailing Lists

Failed attempts, block address
by MB 02 Jan '05

02 Jan '05

Hi list, Been getting a ton of attempts on my ssh/ftp connections as of late, first they started with the usual script kids trying the admin/guest/etc on the ssh connection, now i get people trying all sorts of stupid usernames with blank passwords on the ftp connection. 1. Is there a way to block an IP, either perm. or for set period of time for SSH attempts 2. Is there a simular way for VSFTP I'm sure i could block the address's manually, but i'd like it if it was automated? say for 6 attempts? Matt SuSE 9.1 --------------------------------- Do you Yahoo!? Yahoo! Mail - You care about security. So do we.

7 7

Per user config for SpamAssassin with amavisd-new and cyrus-imapd
by David Huecking 26 Sep '04

26 Sep '04

Hi folks, maybe someone could give me a hint... I switched from: fetchmail->sendmail->sendmail.milter->Amavis->.forward->procmail->spamc(SpamAssasin)->INBOX which did global virus checking and per user spam checking with Bayes testing to fetchmail->postfix->amavisd-new->perl-spamassassin->cyrus-imapd which does global virus and global spam checking BUT NO PER USER spam checking, so without Bayes testing! :-( So the rate of unreconised spam did increase. I fiddled around with options in the /etc/mail/spamassassin/local.cf, but they were ignored because amavisd-new calls spamassin via perl interface and takes some SA parameters from the /etc/amavisd.conf (beginning with $sa_). I tried calling a SUIDed cyrus deliver (without SUID deliver hasn't got the right: deliver[3876]: connect(/var/lib/imap/socket/lmtp) failed: Permission denied) to user cyrus via .forward and a .procmailrc. The log said that lmtpd was called, but depending on the syntax of deliver in the .procmailrc the mail was delivered to the INBOX-file in /var/spool/mail or just vanished! One example for my .promailrc: :0 fw |/usr/bin/spamc -f |/usr/lib/cyrus/bin/deliver -e -a david -m user.david and the .forward: "|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #user" Could someone give me a hint using sieve or procmail for a per user SpamAssassin check? Thanks in advance. -- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216

2 2

Re: [suse-security] harden_suse
by tfulton9909＠comcast.net 23 Sep '04

23 Sep '04

I was told that this was a resource for security questions to be answered. Could someone please help me. thanks Tom Fulton Novell San Jose, CA > On Mon, 09 Aug 2004 22:44:42 +0000, tfulton9909(a)comcast.net > wrote: > > Hello, > > What is that status of harden_suse in SLES 9 in light of Bastille being > released? > > thanks > > -- > Check the headers for your unsubscription address > For additional commands, e-mail: suse-security-help(a)suse.com > Security-related bug reports go to security(a)suse.de, not here >

3 2

Metainformationen in Dokumenten als Sicherheitsrisiko- auch unter Linux?
by Axel.Krebs＠t-online.de 01 Sep '04

01 Sep '04

Hallo! Stieß vorhin auf http://www.metadatarisk.org/ Sind vergleichbare Sicherheitsrisiken in (unsichtbaren?) Metadaten auch in OO-Dokumenten bekannt? Weiß jemand was dazu? Danke erstmal, Axel -- Dr. A. Krebs <Axel.Krebs(a)T-Online.de>

4 3

Blocking a domain with SuseFirewall2
by Raphael Leplae 30 Aug '04

30 Aug '04

Hi, I've setup the SuseFirewall2 on my web server, allowing access just via http and ssh, that was very easy with the GUI. Now if I need to block a specific domain, let say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2 ? I was expecting something like: FW_REJECT_IP="*.123.123.123" but nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/ I guess there is a simple way to do it. Thanks in advance. Raphael -- ___________________________________________________________ Raphael Leplae, Ph.D. Research Scientist SCMBB - ULB Tel: +32 2 6505499 Blvd du Triomphe - CP 263 Fax: +32 2 6505425 1050 Brussels Belgium SCMBB Home Page http://www.scmbb.ulb.ac.be ACLAME - The Prokaryotic Mobilome http://aclame.ulb.ac.be ___________________________________________________________

5 6

Re: [suse-security] Blocking a domain with SuseFirewall2
by PW 30 Aug '04

30 Aug '04

If one knows how, yes, it's easy. Alas, SuSE's firewall documentation is not well documented in that aspect. Besides IPv6 problems, the firewall itself is configured out of the box to deny nearly all network traffic, which is not very practicable for a typical Web/LAN Server box, indeed. This firewall even requires custom rules to allow unlimited access from the internal network to external networks, such as the Internet, go figure. Here's the only way how to do it with SuSE firewall: 1. Open /etc/sysconfig/scripts/SuSEfirewall2-custom in a text editor 2. Seek to the section "fw_custom_before_antispoofing()" 3. Enter your custom firewall rules. I.e., block a specific address: iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP Philippe Wiede Raphael Leplae wrote: > Hi, > > I've setup the SuseFirewall2 on my web server, allowing access just via http and ssh, that was very easy with the GUI. > Now if I need to block a specific domain, let say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2 ? > I was expecting something like: > FW_REJECT_IP="*.123.123.123" > but nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/ > > I guess there is a simple way to do it. > Thanks in advance. > > Raphael

3 2

Re: [suse-security] Blocking a domain with SuseFirewall2
by b＠rry.co.za 30 Aug '04

30 Aug '04

Also, if you have set up FW_SERVICES_EXT_TCP="80" this expressley allows all connections, and so will be a conflicting rule. You need to take port 80 out of that string and create a trust rule in: - # 10.) # Which services should be accessible from trusted hosts/nets? # # Define trusted hosts/networks (doesnt matter if they are internal or # external) and the TCP and/or UDP services they are allowed to use. # Please note that a trusted host/net is *not* allowed to ping the firewall # until you set it to allow also icmp! # # Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or # networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16" # Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp" # Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22" # FW_TRUSTED_NETS="" In other rules you can use ! to make an exception, can anyone confirm if that will work in this rule? -- Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself. -- Mark Twain

2 1

suse-linux-e
by ecobel 30 Aug '04

30 Aug '04

Sorry for this OT, but I do not receive mails from suse-linux-e anymore! Is there someone that can give any news? Thank you. ecobel

1 0

Re: [suse-security] Blocking a domain with SuseFirewall2
by b＠rry.co.za 30 Aug '04

30 Aug '04

One other thing, is your apache server on the same machine? I have had issue with blocking access before because of conflicting rules. I had a forwarder set up to direct traffic to my web server in the DMZ, set up a block on the firewall and found that the traffic was still being forwarded. I then had to alter my forwarding rule to forward only from designated ranges, so that my blocks would have effect. what do your log files say about the accepted sessions? -- You own a dog, but you can only feed a cat.

1 0

Re: [suse-security] Insecure temp file creation fix - peer review please
by Derek's Lists 29 Aug '04

29 Aug '04

On Saturday 28 August 2004 05:15, Christian Boltz wrote: > aka "symlink attack", i assume. Yup... :o) > > TDIR=${TMPDIR:-/tmp}/aview_$$ > > Insecure. $$ is guessable (or, worst case: for i in `seq 2 33000 ; do > ln -s /home/victim/Mail/inbox /tmp/aview_$i ; done - no more need to > guess ;-) > > Use mktemp instead: > > TDIR=`mktemp -d /tmp/aview.XXXXXXXXXX` || { > echo "unable to create temp dir" >&2; > exit 1; > } I avoided using mktemp because the aalib code runs on lots of different platforms. From what I've read, I can't be sure that mktemp is available on all of them. So....: > > trap clear 0 > > (umask 077 && mkdir $TDIR) || { > > echo "Unable to create temp directory $TDIR" > > exit 1 > > } > > mkfifo $FIFO || { > > echo "Unable to create FIFO $FIFO" > > exit 1 > > } > > These blocks are no longer needed because mktemp already creates the > temp dir and fifo. ...these blocks are needed! I think that's the platform independent, secure way to create a temporary directory, and if there's a nasty link in place it will fail. > > if anytopnm $1 >$FIFO 2>/dev/null ; then > > ^^ > Variables should be quoted: "$1" Good point! I only worried about the symlink issues (slaps own wrists)! > > while true; do > > echo "0 " > > done > > This is an endless loop just printing "0 " on your screen. Yeah, weird eh? I decided to only concentrate on the security aspects of the script. Presumably the original author felt good reason to fill the screen with 0s! > Yours, > > Christian Boltz Thanks, I've learnt more useful stuff... :o)

3 2