May 2005 - openSUSE Security - openSUSE Mailing Lists

Bad MD5 & GPG on XFree86 SRC
by Bernie Hoefer 26 May '05

26 May '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I noticed the x86_64 XFree86 source has a bad MD5 sum and GPG signature. I've check a mirror and get the same result. I hadn't seen anybody else mention it on the list, so I thought I'd just ask about it. === > # wget ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/XFree86-4.3.99.902-43… > > # rpm --checksig XFree86-4.3.99.902-43.42.5.src.rpm > XFree86-4.3.99.902-43.42.5.src.rpm: sha1 MD5 GPG NOT OK === - -- Bernie Hoefer PGP e-mail is welcome! Get my 1024 bit signature key from: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>. "The more I know, the more I realize how much I do not understand." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFClVznckGmqURqb5MRAvMIAJ0SeG7+vHjTfcuDjv8e+1Kjcdz7cACfS2lc RKrDYAVtyTKkNgnC3tSdt9k= =bCPd -----END PGP SIGNATURE-----

2 2

RE: [suse-security] Iptables rules for nat to apache ip based virtual hosts
by Kummer, Ben 25 May '05

25 May '05

Hi Stefan, > I have got one official ip address and a dmz with an apache > webserver with ip based virtual hosts config. > iptables -t nat -A PREROUTING -i $INF -p tcp --sport 1024: -d > www.mydomain.com --dport 80 -j DNAT --to 1.2.3.4:80 > > iptables -A FORWARD -p tcp -d 1.2.3.4 --dport 80 -i $INF -j ACCEPT > > Do I need an application level gateway for this config or >From my point of view you need for each private ip an official ip to setup the ip tables solution. Either you use an application level gateway eg apache with rewrite/proxy rules to check the HTTP header, or you setup apache with named based virtual host, which should be more simple. Best regards Ben -- Ben Kummer, VDIVDE-IT, Rheinstr. 10b, 14513 Teltow Germany fon: +493328/435106 fax: +493328/435281 email:kummer@vdivde-it.de

1 0

OpenOffice_org1-1.1.3-4.2 released TWICE (?)
by pelibali 25 May '05

25 May '05

Hi, I couldn't find a logical explanation, maybe someone could help me to understand the situation: Last month the youpdated version '1.1.3-4.2' of OpenOffice_org1 was released and few days ago '1.1.3-4.3' appeared on the mirrors. Until this point everything seems be fine, but while comparing the .spec files of the above source rpms, interestingly only a single line, containing the version numbers differs in them. Is there an explanation to release the same YOU update actually twice with different version numbers or do I miss something? Thanks, Pelibali

2 1

Iptables rules for nat to apache ip based virtual hosts
by Stefan.Junge＠ssi-schaefer.de 24 May '05

24 May '05

Hello together, I have got one official ip address and a dmz with an apache webserver with ip based virtual hosts config. Now I have got the problem, that my prerouting / forward rule does not work properly. E.g. iptables -t nat -A PREROUTING -i $INF -p tcp --sport 1024: -d www.mydomain.com --dport 80 -j DNAT --to 1.2.3.4:80 iptables -A FORWARD -p tcp -d 1.2.3.4 --dport 80 -i $INF -j ACCEPT This does work for one domain. But of course any further prerouting rule is set to the first nat ip address. Do I need an application level gateway for this config or could this feature be achieved by iptables? Thanks for any advice! Regards, Stefan

1 0

Re: [suse-security] Banning dynamic IPs (Was: *SPAM* Tuerkei in die EU)
by Carlos E. R. 24 May '05

24 May '05

El 2005-05-23 a las 12:27 +0200, Rainer Duffner escribió: > Carlos, > > it's not about blocking dynamic ips sending mail (or surfing the web). > Just dynamic ips sending mail without going through a mailserver that is not > an MX! Dana Hudes said just that, block all traffic: |> Your issue is permanent blocking. This is controversial. |> The idea has been to exert pressure on ISPs whose users complain. |> This is of limited success. the idea is that if dialup and dhcp (cable, |> dsl) users found they could not access major portions of the internet |> -- not just for e-mail but web browsing as well -- then they would be |> motivated to complain to their ISPs who would act more forcefully and |> quickly against spammers etc. . If somoene could get yahoo and hotmail |> and google to "sign on" to such a program then yes there would be a |> dramatic amount of complaints. > Normaly, it should go like this: > > | customer with dyn.IP|------>|MX of provider/hoster/whoever|------>|my > | MX|<-----|me myself via IMAP on dynamic IP| > > (SMTP)................................(SMTP) > > I myself do SMTP-AUTH to allow relaying. > > OK, so I have my own mailserver - but if I didn't have that, I'd subscribe to > some online mail-service that allowed me to relay through their MX via > SMTP-AUTH. The problem, or problems, are several. For one thing, the smtp relay servers my ISPs provide are not reliable: they may fail to send an email, and worse, they don't inform me of that, or they do several days late. But even if I use the relay, they have policies that impede my use of them seriously, like only accepting email with a "From" address of theirs. Therefore, I can not send all my email through only one relay server, or not at all for redirection accounts (like sourceforge). Unfortunately, Postfix transport file does not has rules to select which relay server to choose based on the FROM address, only on the TO part. I need that feature. I was told (thanks, Arjen) to try 'esmtp' (http://esmtp.sourceforge.net/) - I've downloaded it, waiting for compilation -but a comment I read makes me afraid that it will not work well with non permanent connections. Thus, I have no alternative (yet?) but to use Postfix for direct sending. In my opinion, the best solution would be a method to really identify who is sending, regardless of the type of IP he is using. A cryptographic signature, probably, for the "FROM" header, not the contents (signing the contents is a problem with domainkeys with lists like SuSE's) At least in Spain, with a court order, it is possible to identify the spammer with the IP, because there are listings correlating each IP and timestamp to the phone used, and thus, the person responsible. > Please don't cc to the SuSE-list. Ein? You mean, email you direct, without a CC to the list? :-o I'll try, but I'm sure your server will reject my dynamic IP server. [...] Impossible, it rejected me: (host mail.** [*.*.*.26] said: 451 Dynamic IP Addresses See: http://www.dnsbl.sorbs.net/lookup.shtml?213.94.2.24 (in reply to RCPT TO command)) Thus, I resend to the list instead. Sorry. -- Saludos Carlos Robinson

3 2

RE: [suse-security] *****SPAM***** Tuerkei in die EU
by Dörfler Andreas 23 May '05

23 May '05

in general blocking ips isnt the best and blocking dynamic ips is more then a stupid idea. on another mailinglist someone wrote rules for spamassassin http://mailscanner.prolocation.net/german.cf. isnt a good idea to activate the rule forever but for a few weeks it will be ok greetings andy --free your mind, use open source http://www.mono-project.com ASCII ribbon campaign ( ) - against HTML email X & vCards / \ > -----Original Message----- > From: Robert Schiele [mailto:rschiele@uni-mannheim.de] > Sent: Thursday, May 19, 2005 6:15 AM > This list seems rather useless to me because most of these > IPs are dial-ins > and thus will change frequently. > > Robert

9 15

Spoofing email address
by Farmer, Alan 23 May '05

23 May '05

Since subscribing to this list I have been getting NDRs that indicate that someone is spoofing my email address. Has anyone else on the list noticed a similar problem? I am not suggesting that the email list has been compromised. It could be a coincidence but I thought that I would ask. Thanks

3 2

SSH connection problem
by Laboratorio Civitanova 23 May '05

23 May '05

Hi all! I've a server with six ethernet devices of the same brand. They manage six different networks. I've, also, a SuSeFirewall2 with ssh service open from the internal networks. Everything works well, but sometime I'm not able to connect to the ssh service on the server, even if it forwards the packets (http, ftp...) nicely!!!! All stranges, I noticed, were collisions on two network devices maded, probably, from a damaged switch or samething like! Who know the cause? Anyone may help me?

1 0

Fou4s 0.13.0 released
by Markus Gaugusch 22 May '05

22 May '05

Hi, Today I've released a new version of fou4s (Fast OnlineUpdate for SuSE). For everyone who has not seen it yet, it is a cron-job optimized version of YOU (YaST online update), very powerful, but still very easy to use. The latest version includes support for delta-RPMs, resulting in a much smaller download size (especially on new installations). Other fixes include improvement of source rpm handling and a better kernel update reboot notification. Markus Gaugusch http://fou4s.gaugusch.at/ -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus(at)gaugusch.at X Against HTML Mail / \

1 0

Strange traffic.
by Wade Grant 20 May '05

20 May '05

I have reports of traffic hitting through a few iptable boxen that seems kind of interesting. Has anyone seen or heard of traffic on udp 1148? I am thinking it may just be some spy or mal ware. Any info you know of would be appreciated. wade G.

8 8