OpenSUSE :: AppArmor With SSHD Make Sense?
Jun 30, 2011
Does it make sense to run sshd confined/protected by apparmor? I get tons of attack/hack attempts on my ssh port daily, I created a white list on my firewall to specify the IP addresses that can ssh into my network. I was also thinking of activating the sshd profile in apparmor for some added protection?
Jun 23, 2009
After I installed a gigabit router, I could not access my nfs server anymore; I tried with the previous physical set-up and all was OK so clearly it is the new router that is the disturbing factor. After some (and then some) experimenting, it would appear that the following specific feature needs to be enabled:
Filter Internet NAT Redirection: This feature uses port forwarding to block access to local servers from local networked computers. Select this feature to filter Internet NAT redirection. It is not selected by default.
The reason I had simply looked over it is that I did not see how internet nat redirection could be related to the local network. As I read the details, it became clear that it really is but it also raised new questions. Have I now allowed just anyone on the internet to access my nfs server? Because the description is not very clear either as it mentions both internet and local network. And what is that odd terminology? Filtering allows access, not filtering does not - that seems like the world upside down ...
Feb 5, 2010
At home I'm currently running Hardy on a desktop machine and Jaunty (Eeebuntu) on an EeePC. I often connect the desktop to the internet via a cellphone as modem. I also often connect the EeePC to the desktop via crossover cable and SSH into the desktop so I can watch video files from the desktop on the EeePC from the sofa or bed.
I'd like to be able to use the desktop's internet connection from the EeePC. This means I have to set up the desktop so the EeePC can share its connection - this involves setting up the desktop as a gateway I believe?
Looking around for info on how to do this, I found this guide [URL]...in-ubuntu.html - but unfortunately it seems this guide has not been written correctly. It repeats itself in one section (below: repeated section in bold):
[Code]...
Sep 4, 2011
Wallpaper, with a complementary color scheme for windows decoration, and icons and sound effects inspired thereby, loaded as a set. Is there an app that does this for KDE? It seems like linux gives me more options, but without an important tool to utilize them. I'm sorry to bring a question here that's probably been asked many times over the last decade, but the likely hits on "theme" and "windows" have overwhelmed my search fu.
Feb 19, 2010
Set up Novell Apparmor? How to do it?
Jun 2, 2010
Recently I have become interested in apparmor, and I have read some docs on it, but I have a question: how to protect apparmor itself? I mean, if someone gains root privilege and then stops the apparmor service, all the protection will no longer be in effect; if I hide or remove the root user, then how can I modify profiles again if needed, since I would not have enough privilege?
Is there an apparmor mailing list? Maybe you can email me: <email removed for obvious reasons>
Jul 18, 2010
Here's my problem: Clean OpenSUSE 11.3 64 bit installation using default options into a Virtualbox virtual machine for pre-production testing. I want to check whether AppArmor is enabled, so I enter YaST -> AppArmor Control Panel.
This has a check box named 'Enable AppArmor' which is by default un-checked. I check this box, and then click 'Done'. This takes me back to YaST and I would assume AppArmor has now been enabled. However, when I return to AppArmor Control Panel the check box is deselected again.
Jun 10, 2010
From reading some apparmor docs, I know that apparmor reads logs to determine what profile a program will have; that means a profile can only be built when the program has been executed at least once, or when we already know how a specific program will be executed. But if a hacker inserts a bad program such as a back door or virus, which should never be executed at any time, and at the same time we don't know what the consequences of the bad program's behavior will be, how can apparmor prevent these situations? Can apparmor confine everything under a specific directory by default? Because using: aa-autodep /path/to/restrict/* is 'complain' by default and everything is allowed, can apparmor deny everything by default?
Mar 16, 2011
Email alerting from Apparmor profile to gmail is possible, but email cannot be forwarded to other email address
Sep 10, 2011
In case this is a thread in the wrong section please move it to the right one. Following situation applies. I am using openSUSE 11.1 with modified kernel.
Code:
# uname -a
Linux linux-2c5j 3.0.4-41-desktop #1 SMP PREEMPT Sun Sep 4 18:51:01 CEST 2011 i686 i686 i386 GNU/Linux
The compilation did run flawlessly with the SAKC script. However the module apparmor does not load. In fact:
Code:
# modprobe apparmor
FATAL: Module apparmor not found.
I understand that I have to recompile the module, right? There I have the first question: wasn't the apparmor module accepted into the kernel (and therefore should be already compiled and available with the normal kernel compile)? Or is this wrong? How can I recompile the apparmor module for my new kernel?
Mar 24, 2010
Is there a particular app listed as apparmor, or is it a series of separate programs that act as a whole? If the latter, which programs are these? I just got really lucky with my installation of 11.2, and I'm trying to confirm my success.
Apr 16, 2011
Is it recommended to create a profile in apparmor for applications like amule, firefox, thunderbird, amsn ....?
Jun 10, 2010
Prohibit execution of any program, including shell commands, so that only profiled programs can be executed: can apparmor do that?
Nov 13, 2010
Currently the Apparmor program has the notification logs saved to /etc/apparmor/notify.cfg, however, when I try to save the notification after putting my email address in, I get an error saying "Configuration failed for the following operations: Unable to write config changes to /etc/apparmor/notify.cfg". Looking inside the folder, I do not see any file named "notify.cfg" BUT I do see some files called reports.conf, logprof.conf, and reports.crontab. I am guessing that the program is asking to save the notification changes to a file that does not exist and in fact one of those three files is the proper one to use. Well if that is the case then how would I go about fixing this error?
Aug 6, 2010
I have just reinstalled OS 11.2 but this time the 64bit system variant. I installed the real-time kernel and saw that the apparmor module reported an error and wasn't loaded. I have never looked into apparmor and only know it has something to do with security, and thus I wonder if it is important to do something with this issue? I plan to use the kernel-rt and have more or less always used a variant of this kernel flavour, often self built. Though I can not recall having seen that error before and I have not used a 64bit system before.
Oct 6, 2010
I have an openSUSE 11.1 and I noticed that after installing a couple of things on it the sshd is not starting anymore on reboot. How can I debug this problem? Is there a log file so that I can see what was the problem? If I want to use ssh I have to start it from yast every time the computer restarts.
May 21, 2011
Running 11.4 x64, I've tried everything I can think of (which is not saying a lot) but I can't get sshd started on boot. Running /etc/init.d/sshd starts the service manually with no problem but I really need it started on boot.
I can't find anything different when comparing this instance with other similar instances where sshd does start but this instance is an update from 11.3 where sshd was not enabled and the others are all clean installs where sshd was enabled during installation, if that makes any difference.
Oct 6, 2010
I'm testing upgrading from 11.1 to 11.3 and running into a major roadblock. When I try to ssh to the server after upgrading, I am unable to use password or pubkey auth to connect via ssh with my ldap user due to sshd segfault. I can however connect via pubkey to a local account on the system. Both auth methods work (for local users) when I disable UsePAM in sshd_config, but auth via ldap is required. My configuration works fine on fully patched installs of both 11.1 and 11.3, but not a fully patched 11.1 upgraded to 11.3. I've been at this for a while now trying various things but don't seem to be making much progress..
/var/log/messages:
Code:
Oct 6 20:33:15 susetest kernel: [ 1829.251921] sshd[3602]: segfault at 7f4bb0521240 ip 00007f4bb0509354 sp 00007fffdf212850 error 7 in libcrypto.so.1.0.0[7f4bb0449000+188000]
/usr/sbin/sshd -ddd:
Code:
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 431
debug2: parse_server_config: config /etc/ssh/sshd_config len 431
[code]....
Mar 30, 2011
So I have looked everywhere, I see the ssh script in /etc/init.d everything seems to check out with chkconfig (shows 3 and 5). But for some reason my SSHD server doesn't start on boot till I run either rcsshd start or /etc/init.d/ssh start.
Feb 18, 2011
So since I have installed linux, I have been reading about how viruses are not nearly as likely to infect linux systems as windows. I am running a dual-boot though and import my profile and have a lot of my files from windows system on linux; can they potentially be infected in the windows sense?
Apr 11, 2011
Please help me to increase web traffic to my site and need hit for ad-sense.
Jan 3, 2011
I have an MD3000 storage attached to a Dell server via SAS cables, running ubuntu server.
The kernel keeps throwing these messages every other second on the console, but the drives from MD are fully accessible.
Jan 3 12:04:24 node2 kernel: [71041.035822] sd 5:0:1:0: [sde] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
Jan 3 12:04:24 node2 kernel: [71041.035828] sd 5:0:1:0: [sde] Sense Key : Illegal Request [current]
Jan 3 12:04:24 node2 kernel: [71041.035833] sd 5:0:1:0: [sde] <<vendor>> ASC=0x94 ASCQ=0x1ASC=0x94 ASCQ=0x1
Apr 25, 2010
Gateway m275 with Fedora 12 is unable to read DVD+RW media. Media is recognizable on DVD+RW drive.
What do I need to set to make it readable or is the problem the media type?
Jan 23, 2011
I'm trying to build a shared library, and am receiving several undefined reference linking errors. Specifically, ffmpeg linked with libx264. I'm aware that this is not an appropriate forum for questions specific to ffmpeg or libx264. In order for one library / application (ffmpeg) to reference another library (libx264), the linker has to know where the referenced library (libx264.so) is located in the file system.
I'm pretty sure the linker knows where libx264.so is, because I receive a different error message when I run ffmpeg's configure script if the linker can't find libx264.so. In general, should running the install target of a make file be preferred over specifying the appropriate paths in the CFLAGS and LDFLAGS environment variables? I've tried both, and it doesn't seem to make a difference in regard to my error which method I choose.
How exactly is a library referenced? My error messages are
/root/ffmpeg/libavcodec/libavcodec.so: undefined reference to `d26'
/root/ffmpeg/libavcodec/libavcodec.so: undefined reference to `d22'
/root/ffmpeg/libavcodec/libavcodec.so: undefined reference to `d2'
/root/ffmpeg/libavcodec/libavcodec.so: undefined reference to `d20'
/root/ffmpeg/libavcodec/libavcodec.so: undefined reference to `d24'
/root/ffmpeg/libavcodec/libavcodec.so: undefined reference to `d0'
/root/ffmpeg/libavcodec/libavcodec.so: undefined reference to `q1'
If I can find out what library 'd26', 'd22', etc. are declared in, I should be able to resolve the undefined references. What exactly are 'd26', 'd22', etc.? Are these functions, classes, or something else? How can I find out what functions / classes are defined in a particular library?
May 26, 2011
I noticed my Internet slows to a crawl when I'm running bittorrent, but when I look at my torrent app (Transmission), the upload/download speeds are mere kilobytes per second, and my Internet has much higher bandwidth capabilities than that. So I tested it:
No torrent running
(ping: 13 ms, down: 11.39 mb/s, up: 2.80 mb/s)
Torrent running
(ping: 752 ms, down: 4.30 mb/s, up: 0.19 mb/s)
[code]....
Oct 19, 2010
Both audio inputs (I use the integrated mic on my notebook) and jack-sense (integrated speakers/headphones) work properly, as they should. But after some time (from a few minutes up to several hours) both of them cease to work simultaneously. After that the mic input levels turn gray and speakers don't work at all (when headphones were connected at that moment) or speakers don't mute when I connect my headphones (if headphones were not connected then). After I reboot, everything is okay again for some time, but then it happens again. Setting mixer levels manually with alsamixer doesn't help at all. I also tried different snd-hda-intel model settings in alsa.conf, but that just made things messed up, so I stayed with auto setting. This way everything (inputs/outputs/sense) works as it should until it simply stops working.
It's maverick, ALC268, ATI Azalia (Intel HDA), alsa 1.0.23, but I had this problem with karmic and lucid as well when I tried them. Now I want to switch from Win7, but this is the only thing keeping me from it.
Nov 26, 2010
I'm using an Acer Aspire 5536g and Ubuntu 10.10 x64. I can't get any sound from my mic with PulseAudio installed and the headphone jack sense function doesn't work either - when I plug my headphones I get sound from both them and my built-in speakers. I don't have any problems with PulseAudio removed.
Mar 1, 2010
The audio plays both on speakers and headphones. I tried all variants of snd-hda-intel model=[ref, auto, dell, dell-bios, etc] but that doesn't fix this problem.
cat /proc/asound/card0/codec#* | grep Codec
Codec: Conexant ID 5067
Laptop: Vostro 1014
OS: Jaunty
Kernel: 2.6.28-18-generic
ALSA : 1.0.18-ubuntu11
Mar 16, 2010
After kernel upgrade to latest version I get a lot of failure messages in syslog and dmesg:
Code:
Mar 16 22:50:30 s6 kernel: [515925.148335] megasas: Failed to copy out to user sense data
Mar 16 23:07:57 s6 kernel: [516970.118242] megasas: Failed to copy out to user sense data
[code]....
Feb 3, 2011
I have noticed that a common issue to several distros is the fact that the networking subsystem doesn't automatically detect the link if an ethernet connection is disconnected and then re-connected to the NIC after boot. If the ethernet cable is connected after the system is up and running, nothing happens - ethtool eth0 shows link detected: no, and you have to restart the network service to let the NIC know that there is in fact a link, and actually connect. I have a Fedora14 (KDE) box with a brand new Asus motherboard with embedded NIC. Everything works great except the auto-detect of a freshly connected ethernet connection if the link is down to begin with.
Am I missing an ethernet link sentinel utility or something, or is this just the way linux works? I have done plenty of research on plenty of posts, and it seems this is a common problem, with no solution other than manually or programmatically restarting the network service in a script to detect the link after a disconnect.