mrmagoo (Members; 12 posts)

  1. Ping permission?

     What do you mean? The ping command needs a raw socket to send & receive packets. For this, it's usually installed setuid root so any user can run it. If you can't run it as a user, then first check that it's in your PATH or turn on the setuid bit :o
  2. Well, /lib/modules/`uname -r`/* are installed by the kernel rpm, and /lib/iptables-mandrake/* are installed by iptables... My iptables seems to use the ones installed by the kernel, since I cannot specify the TTL target with -j:

     # /sbin/iptables -t mangle -I PREROUTING -j TTL --ttl-inc 1
     iptables: No chain/target/match by that name

     A module exists for this target in my system: /lib/iptables-mandrake/libipt_TTL.so

     It's strange because /sbin/iptables -j TTL -h returns:

     TTL target v1.2.9 options
       --ttl-set value    Set TTL to <value>
       --ttl-dec value    Decrement TTL by <value>
       --ttl-inc value    Increment TTL by <value>

     and when I try to use it, I get the error above: "No chain/target/match by that name"
  3. Hi, I'm using a 2.6.8 kernel & a 2.4.28. The two kernels installed netfilter modules at /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ (the 2.6's are *.ko.gz & the 2.4's are *.o.gz). There are more in /lib/iptables-mandrake & /lib/iptables-vanilla; /lib/iptables is a symbolic link to /lib/iptables-mandrake. These modules are *.so. There are many patch-o-matic modules in the mandrake directory... How can I instruct iptables(8) to use these modules instead of the kernel's?
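An added diagnostic for the two posts above (it is not from the thread or from the iptables project). An iptables extension has two halves: the userspace library libipt_NAME.so, which is what `iptables -j NAME -h` loads from the library directory (/lib/iptables in the post; older iptables 1.2.x releases also look at the IPTABLES_LIB_DIR environment variable before their compiled-in directory, and current releases use XTABLES_LIBDIR), and the kernel module ipt_NAME under /lib/modules/`uname -r`. The help text working while the insert fails is the signature of the userspace half being present and the kernel half missing, which is the split this script reports. The directory tree it runs on is constructed inside a temporary directory; the default paths are the ones from the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Report which halves of an iptables
# extension exist: the userspace library libipt_NAME.so and the kernel module
# ipt_NAME (ipt_NAME.o/.o.gz on 2.4 kernels, ipt_NAME.ko/.ko.gz on 2.6).
#
# Usage: ipt_ext_status NAME [LIBDIR] [MODDIR]
# Return code: 0 = both present, 1 = userspace only, 2 = kernel only, 3 = neither.
ipt_ext_status() {
    name=$1
    libdir=${2:-/lib/iptables}                   # the post's symlink target
    moddir=${3:-/lib/modules/$(uname -r)}
    user=0; kern=0
    [ -f "$libdir/libipt_$name.so" ] && user=1
    if [ -d "$moddir" ] && find "$moddir" -type f \( -name "ipt_$name.o" \
            -o -name "ipt_$name.o.gz" -o -name "ipt_$name.ko" \
            -o -name "ipt_$name.ko.gz" \) 2>/dev/null | grep -q .; then
        kern=1
    fi
    case "$user$kern" in
        11) echo "$name: userspace libipt_$name.so and kernel module ipt_$name both found"; return 0 ;;
        10) echo "$name: userspace library found, kernel module ipt_$name missing under $moddir"; return 1 ;;
        01) echo "$name: kernel module found, libipt_$name.so missing in $libdir"; return 2 ;;
        *)  echo "$name: neither half found"; return 3 ;;
    esac
}

# Demonstration on a constructed tree (invented files, nothing on the live
# system is read). Status lines go to stderr; the four return codes to stdout.
demo_ipt_ext_status() {
    root=$(mktemp -d)
    lib="$root/lib/iptables"
    mod="$root/lib/modules/2.6.8/kernel/net/ipv4/netfilter"
    mkdir -p "$lib" "$mod"
    : > "$lib/libipt_TTL.so"                          # userspace half only
    : > "$lib/libipt_psd.so"; : > "$mod/ipt_psd.ko.gz"  # both halves
    : > "$mod/ipt_REJECT.ko.gz"                        # kernel half only
    out=""
    for n in TTL psd REJECT ULOG; do
        rc=0
        ipt_ext_status "$n" "$lib" "$root/lib/modules/2.6.8" >&2 || rc=$?
        out="$out$rc "
    done
    rm -rf "$root"
    echo "${out% }"
}

demo_ipt_ext_status
```

Run it without arguments to see the demo; on a real box call `ipt_ext_status TTL` (or `ipt_ext_status TTL /lib/iptables-mandrake`) and read the return code. A return of 1 means the library directory is fine and what is missing is a kernel built with the patch-o-matic target, so pointing iptables at a different .so directory will not help.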
  4. Try this bit from http://www.oneeyedcrow.net/tech/securex.html: check to see if your kdm has 177/udp open. To disable it, search for the line "[Xdmcp]" in /etc/kde/kdm/kderc and put:

     Enable=false
  5. Try the psad portscan detector at http://www.cipherdyne.org/psad/. Perhaps you may want to try some security through obscurity by configuring sshd to listen on another port. Most ssh clients let you specify another port to connect to. I forgot to mention the iptables psd (portscan detection) match. See its description at http://www.netfilter.org/patch-o-matic/pom-base.html. I haven't tried it (Status: Stable for 2.4.x).
  6. Neither msyslog, nor syslog-ng, nor metalog clears the kernel log buffer, and it would be worth patching them too since they appear to be more security-driven. It would be even more interesting if Mandrake supported these packages. Only syslog-ng is in contrib. Anyway, the patch for sysklogd-1.4.1-6mdk (shipped with Mandrake 10.1) is this:

     diff -u -p klogd.c klogd.c.orig --- klogd.c 2005-06-03 23:59:27.000000000 -0400 +++ klogd.c.orig 2005-06-03 23:11:59.000000000 -0400 @@ -302,8 +302,6 @@ static int use_syscall = 0, symbol_lookup = 1, no_fork = 0; /* don't fork - don't run in daemon mode */ -static int clear_kernbuf = 0; - static char *symfile = (char *) 0, log_buffer[LOG_BUFFER_SIZE]; @@ -999,15 +997,12 @@ int main(argc, argv) chdir ("/"); #endif /* Parse the command-line. */ - while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF) + while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF) switch((char)ch) { case '2': /* Print lines with symbols twice. */ symbols_twice = 1; break; - case 'C': /* Clear kernel ring buffer */ - clear_kernbuf = 1; - break; case 'c': /* Set console message level. */ log_level = optarg; break; @@ -1194,18 +1189,6 @@ int main(argc, argv) pause(); break; } - if (clear_kernbuf) { - int x; - /* 9 -- Return number of unread characters */ - if ((x = ksyslog(9, NULL, 0)) == 0) { - /* 5 -- Clear ring buffer. */ - x = ksyslog(5, NULL, 0); - if (debugging && (x < 0)) - perror("klogctl(5, NULL, 0"); - } - else if (debugging && (x < 0)) - perror("klogctl(9, NULL, 0)"); - } } } /*
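Review bot: the direction of the first hunk (`@@ -302,8 +302,6 @@`) is reversed, and the two later hunks follow it: `diff -u -p klogd.c klogd.c.orig` names the patched file first, so the new `static int clear_kernbuf = 0;` appears as a `-` line and a plain `patch -p0 < this` would remove the feature from a stock klogd.c instead of adding it. Regenerate it as `diff -u -p klogd.c.orig klogd.c`, or state that it must be applied with `patch -R`. The new static also deserves the same kind of trailing comment the neighbouring ones have (`/* don't fork - don't run in daemon mode */`), e.g. that it is set by -C and checked once per main-loop iteration.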
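Review bot: in the getopt hunk (`@@ -999,15 +997,12 @@`), `C` is added to the option string `"Cc:df:iIk:nopsvx2"` and handled by `case 'C':`, but nothing in the patch touches the usage text or the klogd(8) man page, so the new option is invisible to anyone running klogd without reading the source. Add a `-C` line wherever the other options are documented, and since the option changes what every other user can see through dmesg(8), the description should say that the ring buffer is cleared as soon as klogd has consumed it.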
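Review bot: the clear in the last hunk (`@@ -1194,18 +1189,6 @@`) is check-then-act: `ksyslog(9, NULL, 0)` reports zero unread bytes, then `ksyslog(5, NULL, 0)` clears the buffer, and any message the kernel logs between the two calls is discarded before klogd has read it, so the firewall log lines this is meant to hide from users can instead be lost from syslog. syslog(2) command 4 (read all remaining messages and clear) does both in one call and closes that window. Separately, the string in `perror("klogctl(5, NULL, 0");` is missing its closing parenthesis.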
  7. Well, I finally found a way... I just patched klogd(8) to clear the kernel ring buffer every time there are no unread bytes... Here's the diff for sysklogd-1.4.1-6mdk:

     305,306d304 < static int clear_kernbuf = 0; < 1002c1000 < while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF) --- > while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF) 1008,1010d1005 < case 'C': /* Clear kernel ring buffer */ < clear_kernbuf = 1; < break; 1197,1208d1191 < if (clear_kernbuf) { < int x; < /* 9 -- Return number of unread characters */ < if ((x = ksyslog(9, NULL, 0)) == 0) { < /* 5 -- Clear ring buffer. */ < x = ksyslog(5, NULL, 0); < if (debugging && (x < 0)) < perror("klogctl(5, NULL, 0"); < } < else if (debugging && (x < 0)) < perror("klogctl(9, NULL, 0)"); < }

     Added a brand new option -C, which should be in /etc/sysconfig/syslog too.
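Review bot: this copy of the change is a context-free diff keyed on absolute line numbers (`305,306d304`, `1002c1000`, `1008,1010d1005`, `1197,1208d1191`), so `patch` cannot relocate the hunks and it applies only to the exact klogd.c of sysklogd-1.4.1-6mdk; post it as `diff -u` output so the hunks carry context. Note also that the `<` lines here are the new code (the `clear_kernbuf` declaration, the `case 'C':`, the clear block), which means the patched file was the first argument to diff and the patch as shown runs backwards.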
  8. I forgot to add the X Font Server (XFS), which uses TCP port 7100. Firewall it with iptables, and add this entry to /usr/X11R6/lib/X11/fs/config:

     no-listen = tcp
  9. For KDE, some versions of Mandrake use mdkkdm, which uses xdm... Try modifying /etc/X11/xdm/Xservers. This file is specified in /etc/X11/xdm/xdm-config with DisplayManager.servers. Note: sometimes the /etc/X11 path is /usr/X11R6/lib/X11.

     This is not true. The Xserver(1) manpage says:

     The combo I use to disable the X11 ports is this:

     # iptables -A INPUT -p tcp --dport 6000:6063 -j DROP
     # sed -i 's/^\(serverargs="\)/\1-nolisten tcp/' /usr/X11R6/bin/startx
     # sed -i '/^:[0-9]/s/$/ -nolisten tcp/' /etc/X11/xdm/Xservers
     # sed -i '/^:[0-9]/s/$/ -nolisten tcp/' /etc/kde/kdm/Xservers
     # echo "DisallowTCP=true" >> /etc/X11/gdm/gdm.conf

     Don't skip the iptables hack, because users may execute X(1) directly or via xinit(1), and there is no configuration file to avoid this... xinit reads a ~/.xserverrc if it exists, skipping /etc/X11/xinit/xserverrc.

     If you're using xdm, check to see if you have port 177 (xdmcp) open and block it with iptables. The actual port it uses is specified in /etc/X11/xdm/xdm-config with the DisplayManager.requestPort directive and with the -udpPort option. To disable it, run:

     # echo 'DisplayManager.requestPort: 0' >> /etc/X11/xdm/xdm-config
     # sed -i 's/xdm/xdm -udpPort 0/' /etc/inittab
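An added example, not from the thread, that packages the config edits from the post above (Xservers "-nolisten tcp", startx serverargs, gdm DisallowTCP, xdm requestPort) so they can be rehearsed on a scratch copy of the tree before being run against /etc. Unlike the one-shot `sed -i`/`echo >>` commands in the post, every edit is idempotent (a second run changes nothing, so DisallowTCP=true is never appended twice), the startx edit copes with a non-empty serverargs, and the rewrite goes through a temporary file instead of `sed -i`, which is not portable. The file paths are the Mandrake ones from the post; the sample file contents are invented for the demo. The iptables rules still have to be added separately, as the post says, since nothing here stops a user from starting X(1) by hand.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent X11 "no TCP" hardening applied
# under a root directory ("" for the live system). Sample contents are invented.

# Append " -nolisten tcp" to every ":N ..." server line that does not have it.
harden_xservers() {  # $1 = xdm/kdm Xservers file
    f=$1; [ -f "$f" ] || return 0
    sed -e '/^:[0-9]/{' -e '/-nolisten tcp/!s/$/ -nolisten tcp/' -e '}' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Put "-nolisten tcp" first in serverargs="..." whether it is empty or not, once.
harden_startx() {  # $1 = startx script
    f=$1; [ -f "$f" ] || return 0
    sed -e '/^serverargs="/{' -e '/-nolisten tcp/!{' \
        -e 's/^serverargs=""/serverargs="-nolisten tcp"/' -e 't' \
        -e 's/^serverargs="/&-nolisten tcp /' -e '}' -e '}' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Rewrite the first line matching an anchored key regex (BRE, no '|'), or
# append the wanted line when the key is absent.
ensure_setting() {  # $1 = file, $2 = key regex, $3 = full line wanted
    f=$1; key=$2; line=$3; [ -f "$f" ] || return 0
    if grep -q "$key" "$f"; then
        sed "s|$key.*|$line|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s\n' "$line" >> "$f"
    fi
}

harden_x11_tree() {  # $1 = root directory
    r=$1
    harden_xservers "$r/etc/X11/xdm/Xservers"
    harden_xservers "$r/etc/kde/kdm/Xservers"
    harden_startx   "$r/usr/X11R6/bin/startx"
    ensure_setting  "$r/etc/X11/gdm/gdm.conf"   '^DisallowTCP='                'DisallowTCP=true'
    ensure_setting  "$r/etc/X11/xdm/xdm-config" '^DisplayManager\.requestPort:' 'DisplayManager.requestPort: 0'
}

# Returns 0 when every file that exists under $1 carries the hardened setting.
check_x11_tree() {
    r=$1; rc=0
    for f in "$r/etc/X11/xdm/Xservers" "$r/etc/kde/kdm/Xservers"; do
        [ -f "$f" ] || continue
        if grep '^:[0-9]' "$f" | grep -v -- '-nolisten tcp' | grep -q .; then rc=1; fi
    done
    f="$r/usr/X11R6/bin/startx"
    [ ! -f "$f" ] || grep -q '^serverargs=".*-nolisten tcp' "$f" || rc=1
    f="$r/etc/X11/gdm/gdm.conf"
    [ ! -f "$f" ] || grep -q '^DisallowTCP=true$' "$f" || rc=1
    f="$r/etc/X11/xdm/xdm-config"
    [ ! -f "$f" ] || grep -q '^DisplayManager\.requestPort: 0$' "$f" || rc=1
    return $rc
}

# Constructed sample tree in the Mandrake 10.x layout (contents invented).
make_sample_x11_tree() {  # $1 = root directory
    r=$1
    mkdir -p "$r/etc/X11/xdm" "$r/etc/kde/kdm" "$r/usr/X11R6/bin" "$r/etc/X11/gdm"
    printf '# Xservers sample\n:0 local /usr/X11R6/bin/X\n'            > "$r/etc/X11/xdm/Xservers"
    printf ':0 local@tty1 /usr/X11R6/bin/X -deferglyphs 16\n'          > "$r/etc/kde/kdm/Xservers"
    printf '#!/bin/sh\nserverargs=""\nclientargs=""\n'                > "$r/usr/X11R6/bin/startx"
    printf '[security]\nAllowRoot=false\nDisallowTCP=false\n'          > "$r/etc/X11/gdm/gdm.conf"
    printf 'DisplayManager.servers: /etc/X11/xdm/Xservers\nDisplayManager.requestPort: 177\n' \
                                                                       > "$r/etc/X11/xdm/xdm-config"
}

root=$(mktemp -d)
make_sample_x11_tree "$root"
harden_x11_tree "$root"
check_x11_tree "$root" && echo "sample tree hardened under $root"
rm -rf "$root"
```

Running `harden_x11_tree ""` as root applies the same edits to the live system; `check_x11_tree ""` afterwards (or on any box) reports with its exit status whether the display managers and startx still allow TCP.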
  10. Well, it's not a solution either, because it's trivial to download the rpm or compile a C program that calls klogctl(2). Moreover, I could just copy it to /tmp and execute it (since you didn't turn off the read bits)... The situation is worse, and the klogctl manpage is misleading... It says:

     Quoting from kernel/printk.c:
     /*
      * Commands to sys_syslog:
      *
      * 0 -- Close the log. Currently a NOP.
      * 1 -- Open the log. Currently a NOP.
      * 2 -- Read from the log.
      * 3 -- Read up to the last 4k of messages in the ring buffer.
      .....
     Only function 3 is allowed to non-root processes.

     and my kernel source says:

      * 3 -- Read all messages remaining in the ring buffer.

     So, the solution would be recompiling the kernel (overkill), a daemon that calls dmesg repeatedly (ugly), or using ULOG (which I think adds a little overhead). I prefer #2. Is there some other way?
  11. Hi! Is there a way to make firewall logs unreadable by users? In general: is there a way to restrict dmesg(8) output to only the superuser? One way would be a daemon that runs "dmesg -c" every second, but this can't be the best way... Is there a device file I can chmod(1) to accomplish this?
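An added check for the question in post 11 and the klogd patches in posts 6 and 7 above; it is not from the thread. The control the poster was looking for was added to Linux later: the kernel.dmesg_restrict sysctl (Linux 2.6.37 and newer) makes reading the ring buffer through syslog(2) and /dev/kmsg require a capability (CAP_SYSLOG on current kernels), which is exactly "dmesg for the superuser only" without patching klogd or polling `dmesg -c`. The first function reports the current state, falling back to probing dmesg(8) as the current user on kernels without the sysctl (the 2.4/2.6.8 kernels in the thread); the second makes the setting persistent in a sysctl.conf-style file, replacing a weak `= 0` line rather than appending a duplicate. The sysctl.conf contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: is the kernel ring buffer readable by
# unprivileged users, and how to turn that off with kernel.dmesg_restrict.

# Prints a verdict. Returns 0 = restricted to privileged users,
# 1 = readable by unprivileged users, 2 = could not determine.
dmesg_access_status() {
    ctl=/proc/sys/kernel/dmesg_restrict           # present on Linux >= 2.6.37
    if [ -r "$ctl" ]; then
        case "$(cat "$ctl")" in
            1) echo "kernel.dmesg_restrict=1: ring buffer readable only with CAP_SYSLOG"; return 0 ;;
            0) echo "kernel.dmesg_restrict=0: any user can read the ring buffer with dmesg(8)"; return 1 ;;
        esac
    fi
    # No sysctl (old kernel) or unexpected value: probe as the current user.
    # Only meaningful when not root, since root can always read it.
    if [ "$(id -u)" -ne 0 ] && command -v dmesg >/dev/null 2>&1; then
        if dmesg >/dev/null 2>&1; then
            echo "dmesg succeeded for uid $(id -u): ring buffer is world-readable"; return 1
        else
            echo "dmesg denied for uid $(id -u)"; return 0
        fi
    fi
    echo "cannot determine (no dmesg_restrict sysctl and running as root, or no dmesg)"
    return 2
}

# Make the setting persistent: rewrite an existing kernel.dmesg_restrict line
# (the weak "= 0" becomes "= 1") or append one. Safe to run repeatedly.
persist_dmesg_restrict() {  # $1 = sysctl.conf-style file, e.g. /etc/sysctl.conf
    f=$1
    if grep -q '^kernel\.dmesg_restrict' "$f"; then
        sed 's/^kernel\.dmesg_restrict.*/kernel.dmesg_restrict = 1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'kernel.dmesg_restrict = 1\n' >> "$f"
    fi
}

dmesg_access_status
# Apply live (root only):  sysctl -w kernel.dmesg_restrict=1
# Persist across reboots:  persist_dmesg_restrict /etc/sysctl.conf
```

Note that dmesg_restrict covers syslog(2) and /dev/kmsg, which is what dmesg(8) and a hand-written klogctl(2) caller use, so the "copy the binary to /tmp" objection from post 10 no longer applies; it does not change what klogd or syslogd write to their log files, so the file permissions under /var/log still matter.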
  12. Hi. Is there a way of breaking out of bootsplash at boot time to specify some kernel options (a.k.a. boot-time parameters)?