Re: [suse-security] squid: timeout in SENT_PASV state
Hi Bastian,

Thank you for answering. I had already started to believe no one would ever answer my request. As you say, it was a misconfigured FW not accepting PASV FTP on high ports. I found that out after I slept on it for one night.

Thank you,
Philipp
-----Original Message-----
From: Bastian.Epting@helaba.de [mailto:Bastian.Epting@helaba.de]
Sent: Tuesday, 2 October 2001 17:16
To: mailinglists@belfin.ch
Subject: Re: [suse-security] squid: timeout in SENT_PASV state
Hi Philipp,
It may be a misconfigured firewall which does not recognize the FTP PORT command.
Greetings
Bastian Epting
-----Original Message-----
From: Philipp Snizek [mailto:mailinglists@belfin.ch]
Sent: Saturday, 29 September 2001 21:38
To: suse-security@suse.com
Subject: [suse-security] squid: timeout in SENT_PASV state
Hi all,
Please, can somebody tell me what to do about this? Is this an FTP server that is not accepting PASV FTP, or is it a misconfigured Squid?
Sep 29 21:23:54 gate squid[406]: ftpTimeout: timeout in SENT_PASV state
Sep 29 21:24:18 gate squid[406]: ftpTimeout: timeout in SENT_PASV state
Sep 29 21:24:41 gate squid[406]: ftpTimeout: timeout in SENT_PASV state
Sep 29 21:29:03 gate squid[406]: ftpTimeout: timeout in SENT_PASV state
Thank you all,
Philipp
Please use your E-mail connection with us exclusively for the exchange of information. We do not accept legally binding declarations (orders, etc.) by this means of communication. The contents of this message is confidential and intended only for the recipient indicated. Taking notice of this message or disclosure by third parties is not permitted. In the event that this message is not intended for you, please contact us via E-mail or phone.
Landesbank Hessen-Thueringen Girozentrale ************************************************************** ******************
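As an added example (not code from the thread), this is the check a proxy administrator would run against Squid's cache.log to confirm the pattern Philipp hit: it counts "ftpTimeout: timeout in SENT_PASV state" entries and, above a threshold, reports that the passive-mode FTP data path is most likely being dropped by the firewall in front of the proxy. The sample log lines are constructed from the ones quoted above; the function names, the threshold and the log path are my own choices.

```shell
#!/bin/sh
# Added example (not code from the thread): spot the SENT_PASV timeout pattern in
# Squid's cache.log. Function names and the threshold are my own choices.

# Constructed sample, modelled on the lines Philipp posted plus one unrelated entry.
SAMPLE_LOG='Sep 29 21:23:54 gate squid[406]: ftpTimeout: timeout in SENT_PASV state
Sep 29 21:24:18 gate squid[406]: ftpTimeout: timeout in SENT_PASV state
Sep 29 21:24:41 gate squid[406]: ftpTimeout: timeout in SENT_PASV state
Sep 29 21:25:10 gate squid[406]: TCP connection to 192.0.2.10 (192.0.2.10:80) failed
Sep 29 21:29:03 gate squid[406]: ftpTimeout: timeout in SENT_PASV state'

# pasv_timeout_summary: read cache.log on stdin, print "<count> <first-time> <last-time>".
pasv_timeout_summary() {
    awk '/ftpTimeout: timeout in SENT_PASV state/ {
             n++; t = $1 " " $2 " " $3
             if (n == 1) first = t
             last = t
         }
         END { printf "%d %s %s\n", n, first, last }'
}

# pasv_verdict [THRESHOLD]: "passive-ftp-blocked" when at least THRESHOLD (default 3)
# SENT_PASV timeouts are present, else "ok". In SENT_PASV the proxy has sent PASV on
# the control connection (port 21) and is waiting for the passive transfer to proceed
# on a high port; repeated timeouts there, while the control connection itself works,
# are the signature Philipp traced to a firewall not permitting passive FTP on high ports.
pasv_verdict() {
    threshold=${1:-3}
    n=$(pasv_timeout_summary | cut -d' ' -f1)
    if [ "$n" -ge "$threshold" ]; then
        echo "passive-ftp-blocked"
    else
        echo "ok"
    fi
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | pasv_verdict 3      (prints passive-ftp-blocked)
#        pasv_verdict < /var/log/squid/cache.log           (path assumed)
```

When the verdict fires, the place to look is the packet filter between the proxy and the FTP server rather than Squid's own configuration: passive FTP needs the proxy's outbound connection to the server's announced high data port (or FTP connection tracking that relates it to the control session) to be allowed. A working port 21 session combined with timeouts in SENT_PASV is what distinguishes a blocked data path from a server that is simply down.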
Hi,

I am using SuSE 7.2, OpenSSH_2.9p1, SSH protocols 1.5/2.0. When I connect to the ssh server, the client gets an unprivileged port. I want the client to get a port between 1000 and 1023. How can I do that? I read something about a -p parameter that lets the client use ports greater than 1024, but ssh is running without it. (I read the man page.)

Kind regards,
Jörg Zimmermann
-------------------------------------------
.xsiteing agentur für netzkommunikation
42117 wuppertal - friedrich-ebert-str. 141b
tel: 0202/3097070 - fax: 0202/3097072
On Tuesday 02 October 2001 11:28 am, Jörg Zimmermann wrote:
Hi,
I am using SuSE 7.2, OpenSSH_2.9p1, SSH protocols 1.5/2.0. When I connect to the ssh server, the client gets an unprivileged port. I want the client to get a port between 1000 and 1023. How can I do that? I read something about a -p parameter that lets the client use ports greater than 1024, but ssh is running without it. (I read the man page.)

Why do you want that, Jörg? The server connects back to the client in a secure way after the initial connection on port 22, no? Why restrict it to a privileged port?

--
__________________________________________
J.Andersen
Hi John,

From: "John Andersen"

I am using SuSE 7.2, OpenSSH_2.9p1, SSH protocols 1.5/2.0. When I connect to the ssh server, the client gets an unprivileged port. I want the client to get a port between 1000 and 1023. How can I do that? I read something about a -p parameter that lets the client use ports greater than 1024, but ssh is running without it. (I read the man page.)

Why do you want that, Jörg? The server connects back to the client in a secure way after the initial connection on port 22, no? Why restrict it to a privileged port?

I'm using a host with iptables on it. My intention is to allow a connection from a specific host outside our LAN. Therefore I want to restrict the client ports to 1000-1023.

Kind regards,
Jörg Zimmermann
-------------------------------------------
.xsiteing agentur für netzkommunikation
42117 wuppertal - friedrich-ebert-str. 141b
tel: 0202/3097070 - fax: 0202/3097072
My intention is to allow a connection from a specific host outside our LAN. Therefore I want to restrict the client ports to 1000-1023.

Never ever restrict the client's source port. It is unnecessary. It can be faked. It just isn't useful at all. The client is untrusted until it is authenticated. If you want to connect from a specific host, why not allow the whole IP for ssh?

Markus
--
 /"\  Markus Gaugusch ICQ 11374583
 \ /  ASCII Ribbon Campaign
  X   markus@gaugusch.dhs.org
 / \  Against HTML Mail
Hi Markus,
From: "Markus Gaugusch"
My intention is to allow a connection from a specific host outside our LAN. Therefore I want to restrict the client ports to 1000-1023.

Never ever restrict the client's source port. It is unnecessary. It can be faked. It just isn't useful at all.

Maybe you're right.
The client is untrusted until it is authenticated. if you want to connect from a specific host, why not allow the whole IP for ssh?
That's right, and of course I do so.

Kind regards,
Jörg Zimmermann
-------------------------------------------
.xsiteing agentur für netzkommunikation
42117 wuppertal - friedrich-ebert-str. 141b
tel: 0202/3097070 - fax: 0202/3097072
* Jörg Zimmermann wrote on Wed, Oct 03, 2001 at 11:04 +0200:
I'm using a host with iptables on it. My intention is to allow a connection from a specific host outside our LAN.
Outside your LAN there are people that happily use any port you open.
Therefore I want to restrict the client ports to 1000-1023.

I cannot see why this should increase security. Better filter by IP source (and destination), use tcp wrapper and well-protected keys. Usually the Linux local port range is 1024-4999 IIRC; you can set this up via /proc, but I don't think that this is useful. These settings affect the whole system. I assume it would break many things if you set the local port range below 1023, BTW.

oki,
Steffen
--
This letter was produced by machine and therefore bears neither signature nor seal.
Outside your LAN there are people that happily use any port you open.
Therefore I want to restrict the client ports to 1000-1023.

I cannot see why this should increase security. Better filter by IP source (and destination), use tcp wrapper and well-protected keys.

Usually the Linux local port range is 1024-4999 IIRC; you can set this up via /proc, but I don't think that this is useful. These settings affect the whole system. I assume it would break many things if you set the local port range below 1023, BTW.
If the application does not set a source port for the connection, the kernel will provide the first available port. Non-root users (CAP_NET_BIND) can only use ports starting with 1024.

The good old ssh-1.2.27 /usr/bin/ssh1 uses a port below 1024 by default if the option "-P" has not been used on the command line. The man page of ssh in the OpenSSH implementation should be able to provide information about an equally suited option for OpenSSH.

As Steffen already said, using a local port range below 1024 doesn't really suit security a lot. Actually, the only thing you can be sure about is that something sitting on a low port was root when it bound to that socket, but not more, and only on Unix systems. You have to trust the root user on the machine that you impose port-dependent filter rules on, otherwise it doesn't make sense.
Thanks,
Roman.
--
Roman Drahtmüller
* Jörg Zimmermann wrote on Tue, Oct 02, 2001 at 21:28 +0200:
I am using SuSE 7.2, OpenSSH_2.9p1, SSH protocols 1.5/2.0. When I connect to the ssh server, the client gets an unprivileged port.
SSH client uses a privileged port if you forgot to disable *rhostsauthentication.
I want the client to get a port between 1000 and 1023.
There is no such feature to use a limited port range.
How can I do that?

Well, get the sources and modify the local socket binding code?!

oki,
Steffen
--
This letter was produced by machine and therefore bears neither signature nor seal.
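As an added example (not code from any of the replies), here is the filtering the thread recommends instead of source-port matching: an iptables-restore ruleset that admits new SSH connections only from one source address and relies on connection tracking for the rest, plus the matching tcp_wrappers entries Steffen mentions as a second layer. The address 198.51.100.7, the variable names and the function names are my own placeholders, and the local-port-range reader is a read-only look at the /proc setting Steffen refers to.

```shell
#!/bin/sh
# Added example (not code from the thread): admit SSH from one outside host by source
# address and connection state, never by the client's source port.
# 198.51.100.7 and the helper names are constructed placeholders.

ADMIN_HOST=${ADMIN_HOST:-198.51.100.7}   # the one outside host allowed to reach sshd (placeholder)
SSH_PORT=${SSH_PORT:-22}

# ssh_ruleset: print an iptables-restore filter table. The client's source port is
# deliberately not matched: a client can pick any source port (and root can pick one
# below 1024), so it carries no identity. Identity comes from the source address here
# and from key authentication inside SSH; replies are admitted by connection tracking.
ssh_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_HOST} --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j LOG --log-prefix "ssh-denied: "
-A INPUT -p tcp --dport ${SSH_PORT} -j DROP
COMMIT
EOF
}

# hosts_allow_entry / hosts_deny_entry: the tcp_wrappers layer for an sshd built with
# libwrap, restricting by the same source address as an independent second check
# (/etc/hosts.allow and /etc/hosts.deny respectively).
hosts_allow_entry() { printf 'sshd: %s\n' "$ADMIN_HOST"; }
hosts_deny_entry()  { printf 'sshd: ALL\n'; }

# local_port_range: read-only look at the kernel's ephemeral port range Steffen refers
# to (1024-4999 on kernels of that era, 32768-60999 on current ones). Changing it is
# system-wide and is not a security control.
local_port_range() {
    cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo "unavailable"
}

# apply_ruleset: load the rules with iptables-restore; only meaningful as root.
apply_ruleset() {
    ssh_ruleset | iptables-restore
}

# Usage (prints the rules; apply_ruleset needs root):
#   ssh_ruleset
#   hosts_allow_entry; hosts_deny_entry
#   local_port_range
```

The ruleset answers the original question by not asking it: the source port never appears in any match, and the only thing tied to the remote host is its address. Anything not from ADMIN_HOST hitting port 22 is logged and dropped, and the LOG rule is what gives the detection side something to watch.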
participants (6)
- John Andersen
- Jörg Zimmermann
- Markus Gaugusch
- Philipp Snizek
- Roman Drahtmueller
- Steffen Dettmer