mrmagoo

Posts posted by mrmagoo

  1. Is it possible to change the permission of the "ping" command from root to user?

     

    If so, how can I do it?

     

    What do you mean?

     

    The ping command needs a raw socket to send & receive packets. For this, it's usually installed setuid to root so any user can run it. If you can't run it as a user, then first check that it's in your PATH or turn on the setuid bit :o
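The two checks the reply suggests (is the binary on PATH, is it setuid root), scripted as an added example that is not code from the thread. The function names `has_setuid_bit`, `owner_of`, `diag_ping` and `fix_ping` are chosen here; the note about file capabilities describes current distributions, not the Mandrake of the post.

```sh
#!/bin/sh
# Added example (not from the thread): diagnose why an unprivileged user cannot
# run ping, following the reply's two checks.  POSIX sh only (command, test -u,
# ls, awk).

# has_setuid_bit FILE -> 0 if the set-user-ID bit is set on FILE (symlinks followed).
has_setuid_bit() {
    [ -u "$1" ]
}

# owner_of FILE -> prints the owning user (third column of ls -ldL).
owner_of() {
    ls -ldL "$1" | awk '{ print $3 }'
}

# diag_ping [NAME] -> prints one word and returns non-zero unless all is well:
#   not-in-path      NAME does not resolve; fix PATH or use the absolute path
#   setuid-root      setuid bit set, owner root: any user may open the raw socket
#   setuid-not-root  setuid bit set but owner is not root: the bit buys nothing
#   not-setuid       no setuid bit: only root can use it.  Caveat: newer
#                    distributions ship ping with the CAP_NET_RAW file
#                    capability (see getcap) instead of setuid, so on such a
#                    system this result is not a fault.
diag_ping() {
    name=${1:-ping}
    path=$(command -v "$name" 2>/dev/null) || { echo not-in-path; return 1; }
    if has_setuid_bit "$path"; then
        [ "$(owner_of "$path")" = root ] && { echo setuid-root; return 0; }
        echo setuid-not-root
        return 2
    fi
    echo not-setuid
    return 3
}

# fix_ping PATH -> what the reply calls "turn on the setuid bit"; root only.
# Forces the owner to root as well, since setuid to any other user is useless here.
fix_ping() {
    chown root "$1" && chmod u+s "$1"
}
```

Run `diag_ping` as the affected user, then `fix_ping /bin/ping` as root only if the result was `not-setuid` and the binary carries no CAP_NET_RAW capability.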

  2. Well, /lib/modules/`uname -r`/* are installed by the kernel rpm,

    and /lib/iptables-mandrake/* are installed by iptables...

     

    My iptables seems to use the ones installed by the kernel, since I cannot specify the TTL target with -j:

    # /sbin/iptables -t mangle -I PREROUTING -j TTL --ttl-inc 1

    iptables: No chain/target/match by that name

     

    A module exists for this target in my system:

    /lib/iptables-mandrake/libipt_TTL.so

     

    It's strange because /sbin/iptables -j TTL -h returns:

    TTL target v1.2.9 options

    --ttl-set value Set TTL to <value>

    --ttl-dec value Decrement TTL by <value>

    --ttl-inc value Increment TTL by <value>

     

    and when I try to use it, I get the error above "No chain/target/match by that name"

  3. Hi, I'm using a 2.6.8 kernel & a 2.4.28

     

    The two kernels installed netfilter modules at:

    /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/

     

    The 2.6 ones are *.ko.gz and the 2.4 ones are *.o.gz

     

    There are more in /lib/iptables-mandrake & /lib/iptables-vanilla

    /lib/iptables is a symbolic link to /lib/iptables-mandrake

     

    These modules are *.so

     

    There are many patch-o-matic modules in the mandrake directory...

     

    How can I instruct iptables(8) to use these modules instead of the kernel's?
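An added example, not from the thread, for the situation in the two posts above: a netfilter target such as TTL has two halves, the iptables(8) extension (`libipt_TTL.so`, which does the option parsing that makes `-j TTL -h` work) and the kernel module (`ipt_TTL.o` on 2.4, `ipt_TTL.ko` on 2.6, possibly gzipped). iptables prints "No chain/target/match by that name" when the kernel rejects the rule because its half is absent, so a `.so` under /lib/iptables cannot stand in for a kernel module, and iptables cannot be told to "use" it instead. The function `check_ipt_target` is written here; the directory layout it assumes is the one the posts describe.

```sh
#!/bin/sh
# Added example, not from the thread.  Tells the two halves of a target apart so
# the error message can be traced to the missing one.

# kmod_present MODDIR NAME -> 0 if ipt_NAME.{ko,ko.gz,o,o.gz} exists under MODDIR.
kmod_present() {
    for ext in ko ko.gz o o.gz; do
        [ -f "$1/ipt_$2.$ext" ] && return 0
    done
    return 1
}

# check_ipt_target LIBDIR MODDIR NAME -> prints one of:
#   ok                both halves present; if the rule still fails, run
#                     "modprobe ipt_NAME" by hand and read the error
#   kernel-missing    the posts' situation: "-j NAME -h" works because the .so
#                     is there, but inserting the rule fails; the kernel module
#                     has to be built for the running kernel (the patch-o-matic
#                     extensions in /lib/iptables-mandrake only have kernel
#                     halves if the kernel was patched and rebuilt with them)
#   userspace-missing kernel module present but no libipt_NAME.so for iptables
#   both-missing      neither half installed
check_ipt_target() {
    libdir=$1 moddir=$2 name=$3
    have_lib=1
    [ -f "$libdir/libipt_$name.so" ] && have_lib=0
    if kmod_present "$moddir" "$name"; then have_mod=0; else have_mod=1; fi
    case "$have_lib$have_mod" in
        00) echo ok ;;
        01) echo kernel-missing ;;
        10) echo userspace-missing ;;
        *)  echo both-missing ;;
    esac
}

# diagnose NAME -> the same check against the live system's paths
# (/lib/iptables is the symlink the post mentions; the module dir is the
# kernel's own).
diagnose() {
    check_ipt_target /lib/iptables \
        "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter" "$1"
}
```

`diagnose TTL` on the poster's box should print `kernel-missing` for the kernel that lacks the module; the cure is the kernel-side patch and a rebuild, not a change to the iptables userspace.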

  4. Thanks mrmagoo! X11 is no longer listening on TCP; however, I still have KDM listening on port 1024. What can I do to stop it?

     

    Dakota

     

    Try this bit from http://www.oneeyedcrow.net/tech/securex.html

    Often, you'll see kdm (the desktop manager) listening on port 1024, or kde-init listening on a high-numbered port. To turn this off, delete the line

     

    X-KDE-Init=xmlrpcd

     

    from /usr/share/services/kxmlrpcd.desktop, and then create /usr/share/services/kmlrpcdrc (if it doesn't already exist), and add the lines

     

    [General]

    StartServer=false

     

    Kill -HUP all the services involved, and use netstat -pl and perhaps an external nmap to make sure that you're no longer listening on those ports. Voila.

     

    Check to see if your kdm has 177/udp open. To disable it:

    Search for the line "[Xdmcp]" in /etc/kde/kdm/kderc and put below it:

    Enable=false

  5. Try the psad portscan detector at http://www.cipherdyne.org/psad/

     

    Perhaps you may want to try some security through obscurity by configuring sshd to listen on another port. Most ssh clients let you specify another port to connect to.

     

    I forgot to mention the iptables psd (portscan detection) match. See its description at http://www.netfilter.org/patch-o-matic/pom-base.html

    I haven't tried it (Status: Stable for 2.4.x)

  6. Neither msyslog, nor syslog-ng, nor metalog clears the kernel log buffer, and it would be worth patching them too since they appear to be more security-driven. It would be even more interesting if Mandrake supported these packages. Only syslog-ng is in contrib.

     

    Anyway, the patch for sysklogd-1.4.1-6mdk (shipped with Mandrake 10.1) is this:

    diff -u -p klogd.c klogd.c.orig

    --- klogd.c     2005-06-03 23:59:27.000000000 -0400
    +++ klogd.c.orig        2005-06-03 23:11:59.000000000 -0400
    @@ -302,8 +302,6 @@ static int  use_syscall = 0,
                   symbol_lookup = 1,
                   no_fork = 0;    /* don't fork - don't run in daemon mode */
    
    -static int     clear_kernbuf = 0;
    -
    static char    *symfile = (char *) 0,
                   log_buffer[LOG_BUFFER_SIZE];
    
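    Review bot: the direction of this diff is reversed: `diff -u -p klogd.c klogd.c.orig` makes the patched file the old side, so the `-static int clear_kernbuf = 0;` line in this hunk is what the patch adds, and `patch -p0` against a pristine sysklogd-1.4.1-6mdk tree will report the patch as reversed or already applied. Regenerate it as `diff -u -p klogd.c.orig klogd.c` so the `+` lines are the additions, or tell readers to apply it with `patch -R`.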
    @@ -999,15 +997,12 @@ int main(argc, argv)
           chdir ("/");
    #endif
           /* Parse the command-line. */
    -       while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF)
    +       while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF)
                   switch((char)ch)
                   {
                       case '2':           /* Print lines with symbols twice. */
                           symbols_twice = 1;
                           break;
    -                   case 'C':           /* Clear kernel ring buffer */
    -                       clear_kernbuf = 1;
    -                       break;
                       case 'c':           /* Set console message level. */
                           log_level = optarg;
                           break;
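    Review bot: `C` is added to the getopt string and `case 'C'` sets `clear_kernbuf`, but nothing in the patch adds the option to klogd's usage message or to the klogd(8) manpage, so the only record that `-C` exists is this hunk. Add the usage line and the manpage entry in the same patch; the suggestion that the flag also belongs in /etc/sysconfig/syslog is much easier to follow once `klogd -h` lists it.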
    @@ -1194,18 +1189,6 @@ int main(argc, argv)
                                   pause();
                                   break;
                   }
    -               if (clear_kernbuf) {
    -                       int x;
    -                       /* 9 -- Return number of unread characters */
    -                       if ((x = ksyslog(9, NULL, 0)) == 0) {
    -                               /* 5 -- Clear ring buffer. */
    -                               x = ksyslog(5, NULL, 0);
    -                               if (debugging && (x < 0))
    -                                       perror("klogctl(5, NULL, 0");
    -                       }
    -                       else if (debugging && (x < 0))
    -                               perror("klogctl(9, NULL, 0)");
    -               }
           }
    }
    /*
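    Review bot: the `ksyslog(9, NULL, 0) == 0` guard before the clear is unnecessary, and the hunk should say why clearing is safe. Command 9 counts the characters klogd has not yet consumed through command 2 or /proc/kmsg, whereas command 5 only zeroes the count that command 3, the call dmesg(8) makes, can see; it does not move klogd's own read position, so a message logged between the two calls is still delivered to syslog and merely vanishes from dmesg, which is the intent. Dropping the guard saves a syscall per loop iteration and closes the window in which a fresh message is briefly visible to dmesg. Two smaller points: `perror("klogctl(5, NULL, 0")` is missing its closing parenthesis, and the behaviour deserves a sentence in the manpage, because with `-C` root's dmesg is empty as well, kernel messages survive only in the syslog output, and whatever was printed before klogd starts at boot stays readable until the first clear.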

  7. Well, I finally found a way...

     

    I just patched klogd(8) to clear the kernel ring buffer every time there are no bytes unread...

     

    Here's the diff for sysklogd-1.4.1-6mdk

     

    305,306d304
    < static int    clear_kernbuf = 0;
    <
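    Review bot: this normal-format diff carries no context lines, so patch(1) can place `305,306d304` only by line number, and those numbers belong to the 6mdk source; against any other sysklogd-1.4.1 tree the hunks land in the wrong place or are rejected. It is also reversed: with the patched klogd.c as the first file, `d` means the `<` lines are deleted going from patched to original, i.e. they are the additions. Post it as `diff -u -p klogd.c.orig klogd.c` instead, which gives context, function names and the right direction.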
    1002c1000
    <       while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF)
    ---
    >       while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF)
    1008,1010d1005
    <                   case 'C':           /* Clear kernel ring buffer */
    <                       clear_kernbuf = 1;
    <                       break;
    1197,1208d1191
    <               if (clear_kernbuf) {
    <                       int x;
    <                       /* 9 -- Return number of unread characters */
    <                       if ((x = ksyslog(9, NULL, 0)) == 0) {
    <                               /* 5 -- Clear ring buffer. */
    <                               x = ksyslog(5, NULL, 0);
    <                               if (debugging && (x < 0))
    <                                       perror("klogctl(5, NULL, 0");
    <                       }
    <                       else if (debugging && (x < 0))
    <                               perror("klogctl(9, NULL, 0)");
    <               }
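    Review bot: in the `1197,1208d1191` block a failed clear is reported only when `debugging` is set (`if (debugging && (x < 0)) perror(...)`), so in normal operation a `ksyslog(5, NULL, 0)` that fails, for instance because klogd was started without the privilege the call needs, leaves the buffer readable while the operator believes `-C` is hiding it. Since hiding the buffer is the whole purpose of the option, log the failure through syslog at least once rather than only under `debugging`. The `perror("klogctl(5, NULL, 0")` string is also missing its closing parenthesis.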

     

    I added a brand new option, -C, which should be in /etc/sysconfig/syslog too.

  8. For KDE, some versions of Mandrake use mdkkdm, which uses xdm...

    Try modifying /etc/X11/xdm/Xservers

    This file is specified in /etc/X11/xdm/xdm-config with DisplayManager.servers

    Note: sometimes the /etc/X11 path is /usr/X11R6/lib/X11

     

    Well, it's an X server. It is supposed to be open so the X client can connect to it. If it's closed you wouldn't be able to use it. If you want it to be closed you have to shut down X.

    This is not true. The Xserver(1) manpage says:

     

    NETWORK CONNECTIONS

          The X server supports client connections via a platform-dependent subset of the following transport types: TCPIP, Unix Domain sockets, DECnet, and several varieties of SVR4 local connections.

     

    The combo I use to disable the x11 ports is this:

     

    # iptables -A INPUT -p tcp --dport 6000:6063 -j DROP

    # sed -i 's/^\(serverargs="\)/\1-nolisten tcp/' /usr/X11R6/bin/startx

    # sed -i '/^:[0-9]/s/$/ -nolisten tcp/' /etc/X11/xdm/Xservers

    # sed -i '/^:[0-9]/s/$/ -nolisten tcp/' /etc/kde/kdm/Xservers

    # echo "DisallowTCP=true" >> /etc/X11/gdm/gdm.conf

     

    Don't skip the iptables hack, because users may execute X(1) directly or via xinit(1), and there is no configuration file to avoid this... xinit reads a ~/.xserverrc if it exists, skipping /etc/X11/xinit/xserverrc

     

    If you're using xdm, check whether you have port 177 (xdmcp) open and block it with iptables. The actual port it uses is specified in /etc/X11/xdm/xdm-config with the DisplayManager.requestPort directive and with the -udpPort option.

    To disable it, run:

    # echo 'DisplayManager.requestPort: 0' >> /etc/X11/xdm/xdm-config

    # sed -i 's/xdm/xdm -udpPort 0/' /etc/inittab
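Re-runnable versions of the "combo" in the post above and of the xdm/gdm settings in it, as an added example that is not code from the thread. The sed one-liners append " -nolisten tcp" again on every run, and the startx one turns `serverargs="-dpi 100"` into `serverargs="-nolisten tcp-dpi 100"`, so these functions check before editing. The function names are chosen here; the paths in `apply_all` are the Mandrake 10.x ones from the post and are an assumption about the reader's layout.

```sh
#!/bin/sh
# Added example, not from the thread.  Every edit goes through a temp file and
# "cat >" so the target file keeps its owner and mode.

# rewrite FILE AWK-PROGRAM: filter FILE through awk, in place.
rewrite() {
    tmp=$(mktemp) || return 1
    awk "$2" "$1" >"$tmp" && cat "$tmp" >"$1"
    rm -f "$tmp"
}

# nolisten_xservers FILE: add " -nolisten tcp" to every ":N ..." server line
# of an xdm/kdm Xservers file that does not already carry it.
nolisten_xservers() {
    rewrite "$1" '/^:[0-9]/ && !/-nolisten tcp/ { $0 = $0 " -nolisten tcp" } { print }'
}

# nolisten_startx FILE: put -nolisten tcp inside serverargs="..." in startx,
# keeping whatever arguments were already there.
nolisten_startx() {
    rewrite "$1" '/^serverargs="/ && !/-nolisten tcp/ {
        sub(/^serverargs="/, "serverargs=\"-nolisten tcp ") } { print }'
}

# set_kv FILE KEY SEP VALUE: rewrite the first "KEY<SEP>..." line to
# "KEY<SEP>VALUE", drop duplicates, or append the line if KEY is absent.
# Serves gdm.conf (DisallowTCP=true) and xdm-config (DisplayManager.requestPort: 0).
set_kv() {
    file=$1 key=$2 sep=$3 val=$4
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v s="$sep" -v v="$val" '
        substr($0, 1, length(k)) == k && substr($0, length(k) + 1) ~ ("^[ \t]*" s) {
            if (!done) { print k s v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k s v }' "$file" >"$tmp" && cat "$tmp" >"$file"
    rm -f "$tmp"
}

# x11_listeners: read "netstat -ltun" (or "ss -ltun") output on stdin and print
# the lines for X display sockets (tcp 6000-6063) and XDMCP (udp 177) that are
# still open; this is the post's "use netstat to make sure you're no longer
# listening" step.
x11_listeners() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($1 ~ /^tcp/ && $i ~ /:(60[0-5][0-9]|606[0-3])$/) { print; break }
            if ($1 ~ /^udp/ && $i ~ /:177$/) { print; break }
        }
    }'
}

# apply_all: the whole combo on the post's paths (run as root).  The iptables
# rules from the post still belong in front of this, for the xinit case.
apply_all() {
    nolisten_startx /usr/X11R6/bin/startx
    for f in /etc/X11/xdm/Xservers /etc/kde/kdm/Xservers; do
        [ -f "$f" ] && nolisten_xservers "$f"
    done
    set_kv /etc/X11/gdm/gdm.conf DisallowTCP "=" true
    set_kv /etc/X11/xdm/xdm-config DisplayManager.requestPort ":" " 0"
    netstat -ltun 2>/dev/null | x11_listeners
}
```

If `apply_all` prints anything at the end, a display manager or an X server started by hand is still listening; restart the display manager (or SIGHUP it, as the post says) and check again. None of this affects a user who runs X(1) or xinit(1) directly, which is why the post's `iptables ... --dport 6000:6063 -j DROP` stays.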

  9. # chmod o-x /bin/dmesg

    That will remove the x (execute) bit for other users, and only root and the root group can run it.

     

    Well, it's not a solution either, because it's trivial to download the rpm or compile a C program that calls klogctl(2).

     

    Moreover, I could just copy it to /tmp and execute it (since you didn't turn off the read bits)...

     

    The situation is worse, and the klogctl manpage is misleading... It says:

    Quoting from kernel/printk.c:

        /*
         * Commands to sys_syslog:
         *
         *      0 -- Close the log.  Currently a NOP.
         *      1 -- Open the log. Currently a NOP.
         *      2 -- Read from the log.
         *      3 -- Read up to the last 4k of messages in the ring buffer.
         .....

    Only function 3 is allowed to non-root processes.

     

    and my kernel source says:

     *      3 -- Read all messages remaining in the ring buffer.

     

    So, the solution would be recompiling the kernel (overkill), a daemon that calls dmesg repeatedly (ugly), or using ULOG (which I think adds a little overhead)

     

    I prefer #2; is there some other way?

  10. Hi!

     

    Is there a way to make firewall logs unreadable by users?

     

    In general: is there a way to restrict dmesg(8) output to only the superuser?

     

    One way would be a daemon that runs "dmesg -c" every second, but this can't be the best way... :wall:

     

    Is there a device file I can chmod(1) to accomplish this?

     

    :thanks:
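An added example, not from the thread, for the question in the two posts above. Kernels from 2.6.37 on have the sysctl `kernel.dmesg_restrict`: set to 1, every syslog(2)/klogctl(2) action, including the "read all" action 3 that dmesg(8) uses, requires CAP_SYSLOG, which is exactly the restriction asked for and needs neither a klogd patch nor a polling daemon. The 2.4 and 2.6.8 kernels in the thread predate it, which is why the function reports `unsupported` there. The function names are chosen here; the /proc and sysctl.conf paths are parameters so the logic can be exercised on copies.

```sh
#!/bin/sh
# Added example, not from the thread.  Enable kernel.dmesg_restrict on the
# running kernel, persist it, and verify it from an unprivileged account.

# dmesg_restrict_status [PROCFILE] -> prints unsupported | 0 | 1
dmesg_restrict_status() {
    f=${1:-/proc/sys/kernel/dmesg_restrict}
    if [ -r "$f" ]; then cat "$f"; else echo unsupported; fi
}

# persist_dmesg_restrict [CONF] -> make "kernel.dmesg_restrict = 1" the only
# setting for that key in CONF: an existing line (e.g. "= 0", with or without
# spaces) is replaced, duplicates are dropped, otherwise the line is appended.
# Comments and other keys are left untouched.  Re-running it changes nothing.
persist_dmesg_restrict() {
    conf=${1:-/etc/sysctl.conf}
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*kernel\.dmesg_restrict[ \t]*=/ {
            if (!done) { print "kernel.dmesg_restrict = 1"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "kernel.dmesg_restrict = 1" }' "$conf" >"$tmp" &&
        cat "$tmp" >"$conf"
    rm -f "$tmp"
}

# restrict_dmesg_now [PROCFILE] -> enable it on the running kernel (root only);
# returns 2 on kernels without the knob instead of creating a stray file.
restrict_dmesg_now() {
    f=${1:-/proc/sys/kernel/dmesg_restrict}
    [ "$(dmesg_restrict_status "$f")" = unsupported ] && return 2
    echo 1 >"$f"
}

# check_as_user USER -> 0 if dmesg fails for USER (the wanted state), 1 if it
# still succeeds.  With the knob on, util-linux dmesg typically reports
# "read kernel buffer failed: Operation not permitted".
check_as_user() {
    su -s /bin/sh "$1" -c 'dmesg >/dev/null 2>&1' && return 1
    return 0
}
```

The knob covers the ring buffer only: the same LOG lines that klogd forwards still end up in whatever file syslogd writes (/var/log/messages on the post's system), so the mode of that file has to be root-only as well for the firewall log to stay private.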
