First of all, thanks to Mark and Marc for making secumod; it looks like a nifty little security module. However, it also seems like a powerful little module. Actually, I had a few (for me) nasty problems. I was following Marc's secure webserver guide. All was going fine until I installed the secumod module. At first I was able to continue administrating, then I noticed weird things happening... First it suddenly closed my ssh session, then pop3 and smtp shut down. Then I actually attached a keyboard and monitor and tried logging in there. I got a libc data file read error message and then a failure to allocate memory. Login was not possible and ctrl-alt-F10 showed me a few "non-essential" services shutting down.

I managed to save the day by rescue mode...

Anyway, after the docs I am kind of worried about repeating it.... What did I do wrong? But I like its features....

With many thanks,
Matthew
Hi List,

Same thing happened to me and I'd like to have that pointed out. Secumod wouldn't even let me login from the console, since it was killing the login procedure somehow .. That pretty much screws things over =)

Regards.

--
With kind regards
Alexander Bien
--
PIRONET NDH
Alexander Bien - Technical Assistant - SBU Services
Josef-Lammerting-Allee 14-18, 50933 Cologne - Germany
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi Alexander, hello List,

Seems to me that there are a couple of problems with secumod. In my case (and in another case that was on the list about 2 weeks ago) the box froze about 10 minutes after booting. Never again experienced anything like this after deinstalling secumod...

But I'd like to thank the SuSE team for the firewall script. It makes things a lot easier for me. What I'd like to know: which possible holes are open after I configured a router with this script, closing all ports for inbound packets, blocking ping and traceroute? Is it still possible to "see" that box on the internet, besides from outbound connections?

Thanks a lot,
Ralf
On Mon, Jan 29, 2001 at 18:29 +0100, Ralf Ronneburger wrote:
But I'd like to thank the SuSE team for the firewall script. It makes things a lot easier for me. What I'd like to know: which possible holes are open after I configured a router with this script, closing all ports for inbound packets, blocking ping and traceroute? Is it still possible to "see" that box on the internet, besides from outbound connections?

Try it out for yourself! Run nmap / saint / satan / nessus / place a scanner of your choice here against your own machines from outside (from a dialup account or a neighbouring admin's site). Others *will* scan you. Make sure you're first and know what's there to see. And act before others get to know ...

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
On Mon, 29 Jan 2001, Gerhard Sittig wrote:
What I'd like to know: which possible holes are open after I configured a router with this script, closing all ports for inbound packets, blocking ping and traceroute? Is it still possible to "see" that box on the internet, besides from outbound connections?

Try it out for yourself! Run nmap / saint / satan / nessus / place a scanner of your choice here against your own machines from outside (from a dialup account or a neighbouring admin's site). Others *will* scan you. Make sure you're first and know what's there to see. And act before others get to know ...

Thanks for your help! I've already tried nmap, but I guess I was not patient enough, because I quit after waiting for 30 minutes. After almost 3 hours I got this from "nmap -sS -P0 -O <IP-Address>":

Interesting ports on (<IP-Address>):
(Not showing ports in state: filtered)
Port State Protocol Service

No OS matches for this host.
TCP fingerprints:
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 9262 seconds

Looks good to me! But what could a cracker (patient enough to wait that long) make out of this, and what are the weaknesses I still have to be aware of? Can I do anything else to hide this computer, and how does nmap still figure out that my box is online?

Thanks a lot,
Ralf Ronneburger
Usually nmap shows much more detailed information in much less time, usually about 2-3 minutes. It tells you what ports are open. And from that knowledge, someone knows what is being run, therefore they will know if a certain security hole is available. Do not take that lightly; it happened to my lab at Argonne National Laboratory. Someone used nmap to find an identd exploit and broke in.

So nmap is a very important tool for exploiters.

michael
Right, but if no ports are open and the host isn't making any kind of response, nmap will take forever to tell you its results.

-miah
On Tue, Jan 30, 2001 at 22:46 +0100, Ralf Ronneburger wrote:
I've already tried nmap, but I guess I was not patient enough, because I quit after waiting for 30 minutes. After almost 3 hours I got this from "nmap -sS -P0 -O <IP-Address>":

You might as well try the other methods. You used just one of many TCP variants and no UDP scan at all. Depending on the packets sent out, results might be totally different! It's all a matter of the host's IP stack. I guess "regular" packets are handled in a manner you can expect. But the "irregular" ones make a difference and allow for OS fingerprinting, since every vendor seems to have his own way of answering / not answering in the edge scenarios. And keep in mind that nmap is "only" a network scanner. You could use it to identify open ports. Once you find them, you will have to check the *services* too by means of nessus and friends.

Interesting ports on (<IP-Address>):
(Not showing ports in state: filtered)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Port State Protocol Service
Although the list of "interesting ports" is empty, one might want to run against the filter and test its proper configuration. After all it's just software and probably has bugs and "features". Anyone remember the scenario where one could inject UDP packets through the masq system from outside into the LAN? Although the "obvious" configuration told otherwise? No matter if these (should) get discarded at the destination hosts since the socket is not bound -- they should never have made it to the host at all!
Nmap run completed -- 1 IP address (1 host up) scanned in 9262 seconds
Do yourself a favour and write a script running all the nmap methods in sequence while logging its output. You don't want to sit beside it. And you would regret it when, after some eight hours, twenty screens' worth of output run by, making you run the test _again_ from the beginning. :)
Looks good to me! But what could a Cracker (patient enough to wait that long) make out of this [ ... ]
Patience is not necessary here. Just have them scan some hundred machines in parallel and efficiency is acceptable again (and they do). You're not the only one around. And all the action is not done against you personally, but "by chance" since you're connected. :>

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
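Ralf asked how nmap can still tell that his box is online when every port shows as filtered, and Gerhard's answer is that the "irregular" probes get answered differently. The following Python script is an added example, not part of the thread: it parses the fingerprint test lines Ralf posted (copied into the script as a constructed sample) and reports which probes drew a reply. In the first-generation nmap fingerprint format, T5 to T7 are probes sent to a closed TCP port and PU is a UDP datagram to a closed port; the probe descriptions in the script are taken from nmap's original OS-detection write-up, not from the thread, and the parser and helper names are mine. In the sample, the SYN probe (T5) and the UDP probe (PU) got no answer, but the ACK and FIN|PSH|URG probes (T6, T7) came back with RST, so packets that do not open a connection reach the host, and those RSTs are what tells a scanner the host is up.

```python
import re

# Constructed sample: the fingerprint test lines Ralf posted for his
# filtered host (nmap -sS -P0 -O, first-generation fingerprint format).
SAMPLE_FINGERPRINT = """\
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

# What each probe sends, per nmap's original OS-detection description
# (assumption, not from the thread). T1-T4 target an open port and are
# absent from the sample because the scan found none.
PROBE_DESCRIPTION = {
    "T1": "SYN with options to an open TCP port",
    "T2": "NULL (no flags) to an open TCP port",
    "T3": "SYN|FIN|URG|PSH to an open TCP port",
    "T4": "ACK to an open TCP port",
    "T5": "SYN to a closed TCP port",
    "T6": "ACK to a closed TCP port",
    "T7": "FIN|PSH|URG to a closed TCP port",
    "PU": "UDP datagram to a closed port (expects ICMP port unreachable)",
}

# NAME(key=val%key=val...) groups; matched anywhere so the flattened
# one-line form of the output parses the same as the line-per-test form.
_TEST_GROUP = re.compile(r"\b([A-Z][A-Z0-9]*)\(([^()]*)\)")


def parse_fingerprint(text):
    """Parse nmap fingerprint tests into {test_name: {field: value}}.

    Only groups carrying a Resp= field count as tests, so the whole
    report (banner lines, port table, summary) can be fed in unchanged.
    """
    tests = {}
    for match in _TEST_GROUP.finditer(text):
        name, body = match.group(1), match.group(2)
        fields = {}
        for field in body.split("%"):
            if not field:
                continue
            key, sep, value = field.partition("=")
            fields[key] = value if sep else ""
        if "Resp" in fields:
            tests[name] = fields
    return tests


def responsive_probes(tests):
    """Probes that something answered: proof that a packet reached a live stack."""
    return [name for name, f in tests.items() if f.get("Resp") == "Y"]


def silent_probes(tests):
    """Probes with no reply: dropped by the filter or simply unanswered."""
    return [name for name, f in tests.items() if f.get("Resp") != "Y"]


def host_is_up(tests):
    """Any answered probe reveals a live host, whatever the port table says."""
    return bool(responsive_probes(tests))


def explain(tests):
    """One review-log line per probe, saying what got through the filter."""
    lines = []
    for name, f in tests.items():
        what = PROBE_DESCRIPTION.get(name, "unknown probe")
        if f.get("Resp") != "Y":
            lines.append(f"{name} ({what}): no reply - dropped by the filter or unanswered")
            continue
        flags = f.get("Flags", "")
        verdict = "RST" if "R" in flags else "non-RST reply"
        lines.append(
            f"{name} ({what}): {verdict}, flags={flags or '-'}, "
            f"DF={f.get('DF', '?')}, window={f.get('W', '?')} "
            "- this packet reached the host and shows it is online"
        )
    return lines


if __name__ == "__main__":
    parsed = parse_fingerprint(SAMPLE_FINGERPRINT)
    print("host up:", host_is_up(parsed))
    print("answered:", responsive_probes(parsed), "silent:", silent_probes(parsed))
    for line in explain(parsed):
        print(line)
```

The practical check for a firewall review is the `responsive_probes` list: every probe with `Resp=Y` is a packet class the filter passed to the host, so a rule set that only stops connection-opening packets will still leave the box visible through the RSTs it sends to stray ACK and FIN probes.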