Dear Linux-security subscribers:

... there will be none (see subject). As most of you probably know by now RedHat has announced that it will not release another free Linux distribution, i.e., RH 9 will be the last. Support for RH 7.x will end at the end of this year, support for RH 9 will end at the end of April.

What are the alternatives?

Alternative 1: Fedora Linux

There exists a product called Fedora Linux, which RedHat seems to promote as the successor of the free RedHat distributions. Currently, you can download "Fedora core 1". Fedora will be a "community supported" product, whatever that means. While the transition from RedHat Linux to Fedora Linux will be easy - the two are very similar - there are uncertainties connected with Fedora Linux that make its suitability for production systems questionable:

1) it has been announced that there will be three core releases of Fedora Linux every year. This sounds as if using Fedora Linux will be like living on the edge: always the newest and greatest - not necessarily good for stability.

2) with three core releases every year, it is completely unclear how long older releases will be supported: support for 2 years would mean that at every point in time up to 6 distributions would have to be supported, 9 distributions if the support lasts over 3 years. Very unlikely.

3) it is completely unclear how fast the Fedora team will come up with security updates after the discovery of a severe security hole. Note that a community based distribution does not necessarily have to be slow with security updates - Debian is the best counter example, but Debian also has the opposite strategy to Fedora: stability is more important than new features every few months.

Alternative 2: SuSE

Despite recently being bought by Novell, SuSE support for free distributions still seems to be strong (I received an email from SuSE.com confirming that). SuSE is definitely high quality, has fast releases for fixing security problems, and is rpm based. Support for older releases seems to be at least 2 years (SuSE still supports SuSE 7.2, which came out about 2 years ago). All of that makes it the perfect candidate for production systems. However, it will be different and will take some time to get used to.

Alternative 3: Debian

Debian is a community based distribution. It is high quality. And it has reasonable support for older distributions. However, it is not rpm based. And more importantly, almost no support for Debian systems from commercial vendors exists. If you rely on commercial compilers, software libraries, etc., Debian is not for you.

The most appealing plan (at least from my perspective) for the SFU distributions is the following:

1) support for RH 7.1 and 7.2 will disappear at the end of this year.
2) support for RH 9 will disappear at the end of April.
3) we will be supporting Fedora Linux, at least on a test basis.
4) I will try to start supporting SuSE Linux, probably starting with version 9. This will require work - currently we have no experience with building SuSE distributions.
5) ACS runs a large number of systems that run RH 7.3. These systems rely on this particular version of the OS, because they use commercial software packages that only work with this particular version of glibc. For that reason we will be trying to support RH 7.3 (we probably have to rename it to something else) beyond Dec. 31 by backporting security updates to RH 7.3. Right now we cannot say how long we will be able to continue that support, but alternatives to that approach would be very expensive.

I would like to hear your comments, suggestions, wishes, etc. with respect to these issues. In any case this will not be an easy transition.

Cheers,
Martin

--
Martin Siegert
Manager, Research Services
WestGrid Site Manager
Academic Computing Services
Simon Fraser University
Burnaby, British Columbia
Canada V5A 1S6
phone: (604) 291-4691
fax: (604) 291-4242
email: siegert@sfu.ca
This directory provides parameters for particular devices on the system. Most systems have at least two directories, cdrom and raid, but customized kernels can have others, such as parport, which provides the ability to share one parallel port between multiple device drivers.
The cdrom directory contains a file called info, which reveals a number of important CD-ROM parameters:
Issue the following responses to the queries from the command:
n (create a new partition)
p (will make it a "primary" partition)
1 (starting cylinder)
w (write partition table and quit)
/sbin/mke2fs -b 2048 /dev/hdd
mkdir /mnt/dvd
mount /dev/hdd /mnt/dvd
You can create, delete, and edit files and directories under /mnt/dvd in the same way that you would on any other file system.
Unmount the disk with the command:
umount /mnt/dvd
(Make ATAPI CD/DVD Devices look like SCSI devices under Linux)
/sbin/modprobe ide-scsi
ln -sf /dev/scd0 /dev/cdrom
ln -sf /dev/scd1 /dev/cdrom1
cdrecord -scanbus
cdrecord -scanbus dev=ATAPI
cdrecord -dao -v speed=24 dev=ATAPI:0,0
mke2fs -b 2048 /dev/scd1
mke2fs -b 2048 /dev/hdd
mount /dev/hdd /storage/dvd
mondoarchive -L -s 2220m -E /web_disc -Oi -d /storage/dvd
mondoarchive -L -s 2220m -E "/web_disc /web_logs" -g -Oi -d /storage/dvd
mondoarchive -L -E /web_disc -Oi -d /storage/dvd -g -B "mount /storage/dvd" -A "umount /storage/dvd" -s 2220m
mondoarchive -L -g -E "/web_disc /web_logs" -Oi -d /web_disc/ccp14/temp
mondoarchive -S /tmp -T /tmp -L -E "/web_disc /web_logs" -S /web_disc/ccp14/temp -Oi -d /web_disc/ccp14/temp
mondoarchive -Oi -d /mnt/zip -g -B "mount /mnt/zip" -A "umount /mnt/zip" -s 100m
mondoarchive -L -s 2220m -E "/web_disc /web_logs" -Ow -d 1,1,0
mondoarchive -S /tmp -T /tmp -Ow 1 -d /dev/scd1 -L -s 2220m -E "/web_disc /web_logs"
Verify an existing archive (16 is speed):
mondoarchive -Vc 16
mondoarchive -S /tmp -T /tmp -L -s 2220m -E "/web_disc /web_logs" -Oi -d /tmp/isos
cdrecord dev=1,1,0 -v blank=fast
cdrecord -dao -v dev=1,1,0 -data -eject 1.iso
Mount and view an ISO image:
mkdir /mnt/isoimage
mount -t iso9660 -o loop 1.iso /mnt/isoimage
information on MATSHITA DVD-RAM LF-D310
Panasonic LF-D311 IDE DVD-RAM/R
http://www.cdrinfo.com/hardware/panasonic-lfd311/page2.shtml
Burn Baby Burn - Setting up and burning DVD-Rs on your linux workstation
http://www.comet.ucar.edu/strc/wes/documents/dvd-r_setup.htm
If you are experiencing pop-ups generated by one of these malicious programs, you may want to remove the pop-up program from your computer. One program that attempts to detect and to uninstall pop-up programs is available at http://download.cnet.com/downloads/0-10106-108-63806.html. We have no relationship with the individuals who created this software and cannot vouch for it ourselves.
> HOW do I "set the sticky bit" of /tmp?
It is indicated by a t in the executable bit of the ls listing:
drwxrwxrwt 6 root root 1024 May 28 00:04 /tmp
         ^ small `t' means sticky and executable
and you set it with chmod as usual:
chmod o+t /tmp
See the chmod man page for more information.
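As an added example (not part of the reply above), the same check and fix in Python: classify a directory's sticky state the way the ls mode column does, audit a tree for world-writable directories that lack the bit, and apply the equivalent of chmod o+t. The test tree it builds is constructed inside a temporary directory.

```python
import os
import stat
import tempfile


def sticky_state(path):
    """Classify a directory by the last character of its ls(1) mode.

    'sticky'        -> drwxrwxrwt : sticky bit set and others may search (t)
    'sticky-noexec' -> drwxrwxrwT : sticky bit set but others lack x    (T)
    'none'          -> no sticky bit: any user may delete other users' files
    """
    mode = os.lstat(path).st_mode
    if not stat.S_ISDIR(mode):
        return "not-a-directory"
    if not mode & stat.S_ISVTX:
        return "none"
    return "sticky" if mode & stat.S_IXOTH else "sticky-noexec"


def audit_world_writable(root):
    """Return every directory under root that is world-writable (o+w) but
    lacks the sticky bit, i.e. a shared directory where users can remove or
    rename each other's files. os.walk does not follow symlinks."""
    flagged = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            flagged.append(dirpath)
    return sorted(flagged)


def set_sticky(path):
    """Equivalent of `chmod o+t path`: add the sticky bit, keep every other bit."""
    mode = os.lstat(path).st_mode & 0o7777
    os.chmod(path, mode | stat.S_ISVTX)


def demo():
    """Constructed tree: one /tmp-style directory (1777) and one misconfigured
    one (0777). Returns what an audit reports before and after the fix."""
    root = tempfile.mkdtemp()          # created 0700, so root itself is never flagged
    good = os.path.join(root, "tmp_good")
    bad = os.path.join(root, "tmp_bad")
    os.mkdir(good)
    os.chmod(good, 0o1777)
    os.mkdir(bad)
    os.chmod(bad, 0o0777)
    before = (sticky_state(good), sticky_state(bad), audit_world_writable(root))
    set_sticky(bad)                    # the chmod o+t from the reply above
    after = audit_world_writable(root)
    os.chmod(good, 0o1776)             # sticky but not searchable by others -> 'T'
    noexec = sticky_state(good)
    return before, after, noexec, bad


if __name__ == "__main__":
    print(demo())
```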
To enable plain-text passwords:
1. Start->Run.
2. Type regedit.
3. Add a DWORD value named EnablePlainTextPassword with data 1 at the following Registry location:
Win98: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSETUP
WinNT: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
NOTE: In the string "EnablePlainTextPassword" there are no spaces and case is important.
A system of simultaneous linear equations is written
Ax = b
where A is the coefficient matrix, b is the right hand side, and x is the solution. A is assumed to be a square matrix of order n, but some of the individual routines allow A to be rectangular. If there are several right hand sides, the system is
AX = B
where the columns of B are the individual right hand sides, and the columns of X are the corresponding solutions. The basic task is to compute X, given A and B.
djbdns is a DNS package by DJ Bernstein that consists of
From: werner@visaw.rus.uni-stuttgart.de (Andreas Werner)
Newsgroups: comp.sys.sgi.admin
Subject: Re: sshd
Date: 8 Apr 2000 19:42:51 GMT
Organization: Comp.Center (RUS), U of Stuttgart, FRG
there are lots of ways to do this, but the SGI typical way is:
1. Create a file /etc/init.d/sshd containing the following:
====================================
#! /bin/sh
#
# start up ssh server at boot
#
case "$1" in
'start')
if /sbin/chkconfig sshd ; then
if test -x /usr/local/sbin/sshd; then
/usr/local/sbin/sshd
fi
fi
;;
'stop')
/sbin/killall sshd sshd1
;;
*)
echo "usage: $0 {start|stop}"
;;
esac
#
====================================
2. Create two links:
# ln -s ../init.d/sshd /etc/rc0.d/K01sshd
# ln -s ../init.d/sshd /etc/rc2.d/S99sshd
3. Create a config variable:
# chkconfig -f sshd on
That's all, including the possibility to configure the daemon
on or off with the 'chkconfig' command.
For the experts: Yes, I know that the 'killall' command will
kill user ssh daemons, too, but that's exactly the thing I want
when the machine shuts down ;-)
To: Exploit-Dev
Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
Date: Mon Nov 08 1999 21:24:17
Author: Daniel Jacobowitz
Message-ID: [19991109112417.A30046@drow.res.cmu.edu]
On Tue, Nov 09, 1999 at 01:48:53AM -0000, Frank wrote:
> This is submitted to the Freebsd bug tracking system, although there
> are doubtless other vendors who leave this package, despite the
> existence of the ssh-2.X. While Debian appears to be immune, I was
> able to crash my ssh daemon (much to my dismay), and there appears
> the potential to execute arbitrary code, as long as you encrypt it
> first...
>
> Here is the freebsd report.. it describes the method to crash a
> remote Ssh daemon (lets hope you ran sshd from your xinetd, etc).
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
>
And here's a patch. Not tested, as I don't use the rsaref glue on any
machine here.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
--- rsaglue.c.orig Tue Nov 9 11:12:32 1999
+++ rsaglue.c Tue Nov 9 11:17:58 1999
@@ -139,6 +139,10 @@
input_bits = mpz_sizeinbase(input, 2);
input_len = (input_bits + 7) / 8;
+ if(input_bits > MAX_RSA_MODULUS_BITS)
+ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
+ input_bits, MAX_RSA_MODULUS_BITS);
+
gmp_to_rsaref(input_data, input_len, input);
rsaref_public_key(&public_key, key);
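Review bot: the guard sits in the right place, before gmp_to_rsaref() copies the number into input_data, but the fatal() call prints input_bits with %d although mpz_sizeinbase() returns a size_t; the declaration of input_bits is outside the hunk, so if it is unsigned or size_t, cast it to int or switch to %lu so the diagnostic is well-defined on LP64 platforms. The array the bound protects (input_data) is also declared outside the hunk: confirm its size is derived from MAX_RSA_MODULUS_BITS, otherwise comparing against that constant does not actually bound the copy. Since the patch is described above as untested, a compile plus one run against an oversized input is worth doing before it goes in.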
@@ -172,6 +176,10 @@
input_bits = mpz_sizeinbase(input, 2);
input_len = (input_bits + 7) / 8;
+ if(input_bits > MAX_RSA_MODULUS_BITS)
+ fatal("Received session key too long (%d bits, %d max) (malicious?).",
+ input_bits, MAX_RSA_MODULUS_BITS);
+
gmp_to_rsaref(input_data, input_len, input);
rsaref_private_key(&private_key, key);
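Review bot: this repeats the guard from the public-key path with only the message text changed; factor the two into one static helper that takes the message prefix so the copies cannot drift apart, while keeping the distinct wording ("Attempted to encrypt" versus "Received session key"), since it tells an operator which direction hit the limit. The same %d-versus-size_t point raised on the first hunk applies to these fatal() arguments. For the guard to be effective fatal() must not return, which holds for ssh's fatal(), so nothing after the check needs a further test.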
So you can install the bzipped JDE, obtain bzip2 and install this extraction software.
MIMEDefang can inspect and modify e-mail messages as they pass through your mail relay. MIMEDefang is written in Perl, and its filter actions are expressed in Perl, so it's highly flexible.
Summary posted on the WGET Mailing List
SUMMARY:
Any strength encryption can be exported without a license to anybody
except governments in all countries but the terrorist 7 (Cuba, Iran,
Iraq, North Korea, Libya, Syria, Sudan).
"Government" is limited to entities performing governmental functions or
producing munitions.
"Retail" products can be exported to Governments without a license.
"Retail" products now include web-based products with equivalent
functionality to those you would traditionally consider to be retail
(generally available, and not easily morphed into something or so
complicated that you need a service agreement--but this standard
doesn't apply to web-based products, so long as the functionality is
equivalent)
Publicly available source code can be downloaded without restriction
(you have to give the Bureau of Export Administration (BXA) the url),
but if you enter into a license to allow someone to commercially
develop a product based on the software AND you charge a royalty or
license fee, you have to report the name, address and description of
the intended product to BXA.
You can sell anything to ISPs and telcos without a license, and they
can provide services based on this to all entities except governments.
A license is required if the ISP or telco wants to provide a non-retail
service specific to government end-users.
There are certain review and reporting requirements, which should be
reviewed with the full text of the regulation at:
http://www.bxa.doc.gov/Encryption/pdfs/Crypto.pdf
Most companies implement a Reverse DNS check to see where the download
is coming from and compare that against a Restricted Countries and Parties
("terrorist" countries and known terrorists). This mechanism can certainly
be spoofed, but it is a best effort approach. Kinda silly in some cases,
but it is U.S. Export Law.
5.6. Can I use ssh to protect services like FTP or POP?

If you want to avoid sending FTP passwords in cleartext over the net, you can use ssh to encrypt your command channel. This will still leave your data channel open to all attacks on TCP, and will not work through a firewall. You can either use ftpsshd by Per-Erik Martin at http://www.docs.uu.se/~pem/hacks/ for SSH1, or you can do this by hand.

SSH1: Suppose you are on a host called myhost and want to initiate an ftp connection to ftphost. On myhost, you do
myhost$ ssh -L 1234:ftphost.example.com:21 ssh-server
This logs you on to ftphost and also forwards connections to port 1234 on myhost to ftphost. Note: You need to use -g if you're forwarding to localhost (SSH1 only). Then, in another window, you do
myhost$ ftp localhost 1234
220 ftphost FTP server (Foonix 08/15) ready.
Name: (myhost:yourname):
331 Password required for yourname
Password:
230 User yourname logged in.
This works if the remote ftp daemon accepts PORT commands which specify a different host from the one the command channel appears to come from, and if the ftp client always uses PORT. This is true for the vanilla UNIX ftp client and ftpd servers; it may not work for more advanced ftpds, such as wu-ftpd. For servers which do not accept this, you can see whether your ftp client supports passive mode, and whether the ftp server accepts PASV. Note, however, that unencrypted ftp data connections are still vulnerable to session hijacking and snooping.

SSH2: Just use sftp instead. :-)

For POP, Stephane Bortzmeyer (bortzmeyer@pasteur.fr) has written a script which protects the mail transfer and passwords using ssh. It requires no modification to existing POP servers or clients, and is available from ftp://ftp.internatif.org/pub/unix/gwpop/ . Or, you can use similar means for secure POP:
myhost$ ssh -L 1234:popserver.example.com:110 ssh-server
Other services could be secured by similar means.
5.7. Can I use ssh across a Socks firewall?
Socks 4 and 5 support should work in 1.2.16 or later. Socks support in version 2.0.11 and later should work.
Newsgroups: comp.security.unix
Subject: Re: secure pop from sniffing
From: [bglbv@my-deja.com]
X-Newsreader: Gnus v5.7/Emacs 20.6
Date: 06 Jun 2000 20:29:54 +0100

"Bernd Dürrer" [duerrer@ika.ruhr-uni-bochum.de] writes:
> "kukulkan" [isman@fsksm.utm.my] wrote in news posting
> news:393C65B2.5A676C14@fsksm.utm.my...
> > any software/methods to secure pop (esp. Eudora users) from being sniffed? I
> > have ssh here to protect remote login and file transfer, but still it
> > has no meaning if I cannot have the pop to be secure ..
> You want to use the port forwarding capabilities of SSH: Have a look at
> http://www.employees.org/~satch/ssh/faq/ssh-faq-5.html#ss5.6
>
> If this doesn't help you, please post what SSH implementation on what OS
> your pop users are using.

I don't think Eudora supports the SSH protocol at all. What it might support is:

(a) APOP (Authenticated POP), which involves transmitting a (non-replayable) hash of the POP password and of a challenge sent by the POP server. The POP password is distinct from the password used for interactive logins.

(b) POP over an SSL tunnel (to port 995 rather than 110).

If I remember correctly, Eudora can do (a) but not (b), while Netscape Messenger can do (b) [but not (a)?]. It's probably wise to support both. And to make the POP passwords different from the login passwords in any case. Also make sure your POP server has no known security holes. (Some versions of Qpopper are to be avoided, for example.)
From: eitz@weh.rwth-aachen.de (Holger Eitzenberger)
Newsgroups: comp.security.unix
Subject: Re: secure pop from sniffing
Date: 7 Jun 2000 09:22:00 GMT
Organization: RWTH Aachen
Lines: 16

On Tue, 06 Jun 2000 10:45:06 +0800, isman@fsksm.utm.my (kukulkan) wrote:
>any software/methods to secure pop (esp. Eudora users) from being sniffed? I
>have ssh here to protect remote login and file transfer, but still it
>has no meaning if I cannot have the pop to be secure ..

You may want to use APOP (authenticated POP3), which I use also. Both QPopper (on server side) and fetchmail (on client side) support it. APOP uses an encrypted one-time key to get mail.

Holger
--
+ GnuPG Public Key -> finger eitz@jonathan.weh.rwth-aachen.de +
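The APOP exchange the two posts above recommend, as an added example that is not from either poster: the server's greeting carries a one-time timestamp, the client answers with MD5(timestamp + secret) instead of sending the password, and the server recomputes the digest from the stored secret. The user name and secret below are constructed; the hostname is a placeholder.

```python
import hashlib
import hmac
import os
import time


def apop_banner(hostname, pid=None, clock=None):
    """Greeting timestamp from RFC 1939 section 7: '<pid.clock@host>'.
    It must differ on every connection; that is what makes a sniffed
    digest useless for replay."""
    pid = os.getpid() if pid is None else pid
    clock = int(time.time()) if clock is None else clock
    return "<%d.%d@%s>" % (pid, clock, hostname)


def extract_timestamp(greeting):
    """Return the '<...>' token from '+OK ... <...>', or None when the
    server does not advertise APOP (then only USER/PASS or SSL remain)."""
    start = greeting.find("<")
    end = greeting.find(">", start)
    if start < 0 or end < 0:
        return None
    return greeting[start:end + 1]


def apop_digest(timestamp, secret):
    """MD5 over timestamp immediately followed by the secret, 32 lowercase
    hex digits. There is no salt or iteration, so a captured pair can be
    brute-forced offline if the secret is weak."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def apop_command(user, greeting, secret):
    """Client side: the single line sent in place of USER and PASS."""
    ts = extract_timestamp(greeting)
    if ts is None:
        raise ValueError("server did not offer APOP")
    return "APOP %s %s" % (user, apop_digest(ts, secret))


def apop_verify(timestamp, user, digest, secrets):
    """Server side. The server must hold the cleartext secret to recompute
    the digest, which is why the posts advise a POP secret that differs
    from the login password."""
    secret = secrets.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(timestamp, secret), digest)


def demo():
    """One successful exchange, then the same digest replayed against a
    later banner. Returns (first_ok, replay_ok)."""
    secrets = {"mrose": "tanstaaf"}                       # constructed database
    greeting = "+OK POP3 server ready " + apop_banner("pop.example.net", 1896, 697170952)
    ts = extract_timestamp(greeting)
    _, user, digest = apop_command("mrose", greeting, "tanstaaf").split()
    first_ok = apop_verify(ts, user, digest, secrets)
    later = apop_banner("pop.example.net", 1897, 697170999)  # next connection
    replay_ok = apop_verify(later, user, digest, secrets)
    return first_ok, replay_ok
```

The standard library's poplib.POP3.apop(user, secret) implements the client half of this exchange.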
Using APOP at NCSA - What is APOP?
http://www.cert.org/incident_notes/IN-99-01.html
Automated Scanning and Exploitation
http://www.cert.org/incident_notes/IN-98-06.html
Probes with Spoofed IP Addresses
http://www.cert.org/incident_notes/IN-98-05.html
Advanced Scanning
http://www.cert.org/incident_notes/IN-98.04.html
New Tools Used for Widespread Scans
http://www.cert.org/incident_notes/IN-98.02.html

The most frequent reports involve well-known vulnerabilities in mountd, IMAP, and POP3. These services are installed and enabled by default in some operating systems. See the following advisories for more information:
sunrpc (TCP port 111) and mountd (635)
http://www.cert.org/advisories/CA-98.12.mountd.html
IMAP (TCP port 143)
http://www.cert.org/advisories/CA-98.09.imapd.html
POP3 (TCP port 110)
http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
(23) telnet
(53) dns
(79) finger
(80) web
(110) pop
(111) SunRPC & NFS (UDP and TCP)
(143) imap
(1080) socks
(2049) nfs (UDP)
(6000) X
From: Barry Margolin [barmar@bbnplanet.com]
Newsgroups: comp.security.unix
Subject: Re: Port Numbers List. Enjoy.

In article [37de9d3b.528020403@news1.cal.metronet.ca], Jim Hutchison [Jim Hutchison] wrote:
>There's a few posters wanting to know what services are associated
>with certain port numbers. Here's a list I've been working with that
>has been a great help.

What's the Yes/No at the end of each line?

>0 ICMP Click attack Yes

ICMP doesn't have a port number, since it's not TCP or UDP.

>19 UDP Chargen Yes
>21 TCP Detects if someone is trying to FTP to you. No
>23 TCP Detects if someone is trying to Telnet to you. No
>53 TCP DNS Yes
>129 TCP Password Generator Protocol Yes
>137 TCP Netbios name (DoS attacks) Yes
>138 TCP Netbios datagram (DoS attacks) Yes
>139 TCP Netbios session (DoS attacks) Yes
>555 TCP Stealth Spy - Beta 3 No
>666 TCP Attack FTP No
>1027 TCP ICQ Yes
>1029 TCP ICQ Yes
>1032 TCP ICQ Yes
>1080 TCP Used to detect Wingate sniffers. Yes
>1243 TCP Sub Seven (Also see TCP 6776 and TCP 6711) No
>1981 TCP Shockrave No
>2140 UDP Deep Throat No
>2989 UDP Rat No
>3150 UDP Deep Throat No
>5000 2 TCP Detects & blocks Sokets de Trois v1. Yes
>5001 TCP Detects & blocks Sokets de Trois v1. Yes
>6711 TCP Sub Seven (Also see TCP 1243 and TCP 6776) No
>6776 TCP Sub Seven (Also see TCP 1243 and TCP 6711) No
>6969 TCP Gate Crasher No
>7300 TCP Net Monitor No
>7301 TCP Net Monitor No
>10067 UDP Portal of Doom No
>10167 UDP Portal of Doom No
>12076 TCP GJamer No
>12345 TCP Netbus No
>12346 TCP Netbus No
>20000 TCP Millennium No
>20001 TCP Millennium No
>21554 TCP GirlFriend No
>23456 TCP EvilFTP No
>30100 TCP NetSphere No
>30102 TCP NetSphere No
>31337 UDP Backorifice (BO) No
>31337 TCP Netpatch No
>31338 UDP Deep BO No
>31785 TCP Hack'a'Tack No
>31789 UDP Hack'a'Tack No
>31791 UDP Hack'a'Tack No
>40421 TCP Master's Paradise - Hacked No
>40422 TCP Master's Paradise - Hacked No
>40423 TCP Master's Paradise - Hacked No
>40425 TCP Master's Paradise - Hacked No
>50505 TCP Detects & blocks Sokets de Trois v2. No
>54320 TCP Backorifice 2000 No
>54321 UDP Backorifice 2000 No
>65000 TCP Devil No
7777 Unreal, Klingon Honor Guard
22450 Sin
26000 Quake
26900 Hexen 2
26950 HexenWorld
27015 Half-life
27500 QuakeWorld
27910 Quake 2
28910 Heretic 2
"You can diagnose most memory leaks with Performance Monitor and several Microsoft Windows NT Server 4.0 Resource Kit utilities. (For a list of resource kit tools, see the sidebar "Resource Kit Tools for Diagnosing and Monitoring Memory Leaks.")"