It is known that binaries with the SetUID bit enabled are a threat for the system.I saw on this ArchLinux wiki[URL].tead_Of_Setuida way to limit the use of SetUID bit thanks to POSIX capabilities.It looks very interesting.Does anyone of you used it already?Is it a burden for the system afterwards (like binaries not working, needing to be fixed); or is it seamless
View 3 Replies
According to Security standards given in[URL]Quote:Unless otherwise approved the following setuid root binaries are the only ones allowed on production servers:
* /bin/su
* /usr/bin/sudo
* /usr/bin/passwd
[code]....
I'd like to modify a linux distro, specifically Puppy, so that the drivers/mechanisms for mounting local HDDs and Networking is Disabled completely. A step further than simply disabling "auto-mounting" at boot time, I don't even want mounting to be possible (at least by default).Likewise, further than just disabling network devices, I'd like to remove the ability to use network devices. How are these "mounting" and "device drivers" mechanisms implemented, where are they, and what are my options?
View 14 Replies View RelatedA create an application which has to bind to port less than 1024 and must be launched under non-root user. OS: Ubuntu 10.04. Decision 1: Using a firewall to redirect packets. Problem: This decision is not good for me. I need simple way to solve the problem. Decision 2: Use CAP_NET_BIN_SERVICE. Problem: My execution file has 2,7G size. It is very big application with a lot of debug info. setcat command return an error:
[code]...
I am using ubuntu 10.04 on an iMac 7.1. What do the following log entries mean? I recently had a "sbin/init infected" alarm with chkrootkit (or rkhunter, I forget which) and reinstalled, and I thought I was rid of the problem, whatever it was (could have been a kernel panic), but now the checksecurity setuid stuff reappeared (the checksecurity.log only appears in the log file viewer after resetting it with gconftool-2 --recursive-unset /apps/gnome-system-log, which seems suspicious; why is the log hidden by default?); also there are "outbound" messages that I don't understand. I have another ubuntu install on another Mac which seems to be unaffected (and also has checksecurity installed; I just ran it manually and also got setuid stuff, but there is no "outbound" and ufw.log is empty). I can't really think I have a rootkit (I don't notice any effects except these anomalous logfiles, and my browsing habits don't include sleazy websites). And what exactly are bound sockets? There is a lot of information about sockets on the net but it's all rather technical. I continue to look of course. I ran chkrootkit and rkhunter again, and they read clean (if I can trust them).
Is it possible that the trouble is related to the Mac's BIOS emulation? (Apple does not seem to take security very seriously; Snow Leopard does not even ask for a password for Software Update - I asked my premium reseller and he confirmed it. I should not be surprised to find out that the iMac's BIOS emulation is unsafe. I'll need to get a real computer). The MacBook Pro 5.1 has a newer firmware (for instance, it will boot ubuntu from external disks which the iMac will not), and as I said that install seems to be unaffected (The setuid stuff is probably normal, but I'm not sure the "outbound" messages are). I use grub legacy, which seems to install to the Mac's EFI partition as /dev/sda (GParted shows 18.1 MB of 200MB used on both computers with ubuntu on them, whereas an HFS+ disk without ubuntu, or with GRUB in a partition, will show 3.09 MB used).
Does it make sense to reconfigure checksecurity to check for setuid changes daily (change CHECK_WEEKLY="SETUID" in /etc/checksecurity.conf to CHECK_DAILY="SETUID")?
checksecurity.log:
messages (part):
There also was a lot of terminal output similar to the iMac's which I forgot to save, and when I ran checksecurity again it was blank. (Incidentally, the list of setuid programs on Mac OS is a lot longer)
I'd like to limit ps aux command outputs to current user only(the one, who invoked "ps". I've recently saw this feature on FreeBSD systems and on at least one Linux system running on shell.sf.net. I run Linux 2.6.33, I wanted to know how to make that. Any advice? Googling around wasn't too successful, perhaps I don't know how to query that, recently tried with "limit ps outputs" "ps aux current user", etc... had no luck.
View 2 Replies View RelatedDist: Fedora 14
SSHD: OpenSSH 5.5p1
I need to limit the number of ssh connections a user has. All the users are using tunnel only so their shell is set to /sbin/nologin The logins do not open a shell they just create the tunnel so /etc/security/limits.conf has no effect on them at all.
I tried setting 'MaxSessions 1' in sshd_config but either that doesn't not do what I expect it to or it plain does not work as even with a normal user I was able to open an unlimited number of sessions. I need a good secure way to limit each user to 1 ssh session without them having a shell but Im unable to find a solution.
I'm looking for a solution for sendmail to limit the number of emails send per miniute per IP. For example all my local computer user with ip 192.x.x.x need to able to send 10 emails/minite (emails, not connections!. The rest of the world can send for example 200 emails/minute to the mailserver. If the amount of emails per minute is exceeded, sendmail needs to block receiving emails from the spesific IP. I want to do this to stop spaming from my local network. Is it possible?
View 1 Replies View RelatedIs there a way to create a guest account and have Ubuntu "automagically" limit the amount of time the user can access the Internet? So, for example, could she set up an account for her son and limit his Internet access to an hour at a time?
View 9 Replies View RelatedI'm trying to limit the number of the ICMP packets reaching my server, so I'm using the limit module of iptables, unfortunately it seems the limit I set is totally ignored as I can easily send tens of ICMP packets and get a reply in less than 0.3 second Quote:
m3xican@m3xtop:~$ sudo ping -i0 -c20 x.x.x.x 20 packets transmitted, 20 received, 0% packet loss, time 230ms
rtt min/avg/max/mdev = 184.969/185.895/189.732/1.301 ms, pipe 16, ipg/ewma 12.138/186.232 ms This is the rule I'm using to accept ICMP packets (default setting is DROP)
Code:
iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
And these are the kernel modules related to iptables
Code:
Module Size Used by
xt_limit 1382 0
[Code]...
I have a linux firewall. I want to limit a ssh connection number from local network to internet .
Example :
Internal pc (192.168.0.10) start a ssh scan to the external (internet) host.
I want that iptables limit that host (192.168.0.10) and block ssh connection from this host at 3 attempt.
I have been reading guides for a while now and so far have not found an exact solution to my problem.
I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.
In the sudoers file
Code:
User_Alias Patrol=dave,john
root ALL=(ALL) ALL
Patrol ALL=(patrol) NOPSSWD: ALL
[Code].....
if i wanna to compile the unrealircd ircd server with max 150 users what i have to do i remember is on limits.conf the open filesbut i am comfusing the soft and hardmust have the same number !? or different?the second is if i wanna this shell when the user download the pack and he going to make compile to allow him to have only the option to compile in leaf mode and not hubso
View 1 Replies View RelatedI see on my webserver some logs as follows Quote:
203.252.157.98 - :25:02 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:03 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @
[code]....
I have a standard home set-up for my Ubuntu OS, and I would like to know whether its possible to cut out the repetitive prompts to enter the password, as when you connect to the internet or access files on a partition that's not home, or install new software.
View 1 Replies View RelatedI'd like to limit login attempts for specific user. I've found information in manpages: [URL]but I'm not sure if this '@' is purposly there, so would be that correct?
Code:
aparaho - maxlogins 4
or
Code:
@aparaho - maxlogins 4
Maybe '@' is a group syntax? I'm confused.
What happens after 4 failed loggins? Is it enough to restart system to get another login attempts?
Are there any other values that it is reasonable to limit for safety reasons?
I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s) and block smart phones such as iPhones/Blackberrys/iPhones that use the server smtp.server.com for email.
Presently for port 25
RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type:
IMAP
pop.server.com
smtp.server.com
Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) in these lines
-s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
Where the source would be the Barracuda going to the email server. It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25, I am still left with how to drop a flood/denial of service attack.
Can I, with only the use of IPTABLES, limit the incoming bandwith for a protocol? We have for example servers that have a FTP and HTTP server running and whenever HTTP has a lot of connections open, the other uploads/downloads get a timeout. I know I can limit the number of connections but prefer to limit on protocol level. Is this possible using IPTABLES and if so, can someone indicate how to proceed or provide a link? If it's not possible can someone point me to the right tool for the job?
View 6 Replies View RelatedHow to number of connections for a single ip on port 80 to CentOS 5.5 with iptables? connlimit did not work on CentOS and nginx does not provide a module for that
View 4 Replies View RelatedI was searching around and I stumbled upon a Linux Kernelix Sockets Local Denial of Service exploit.I downloaded the exploit, compiled it ran it to check if I am vulnerable.As I was expecting, the exploit instantly "killed" my Maverick system and I had to use the power button to reset my computer...Is there any way to limit the numberof allowed open sockets?I don't think that this can be done using /etc/security/limits.conf in a similar way of preventing the fork bombs
View 1 Replies View RelatedThis might sound really stupid, so you'll all have to excuse my lacking knowledge. I read that USB attacks get more and more common, like putting in an USB stick with a malicious autorun script on it, and it's game over. Can AppArmor protect devices and limit their access to the file system?
View 5 Replies View RelatedI installed Gnome Nanny. I can choose the times when the computer can be used and limit the internet. However, these times are not being enforced. Is there some other settings that are used to enforce these settings?
View 9 Replies View RelatedI'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL
[Code]...
Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
setuid bit allows the process to execute the file with the uid of the file. But, what is the purpose of setting setuid without execute bit? The man page tells that if a file is setuid without execute flag, the permission will be displayed as 'S' (capital s) in ls command. Why should anyone set the setuid without execute flag? Does setting setuid without execute flag have any special meaning?
View 1 Replies View RelatedI have a root process (on linux) that forks a child and the child process then drops privileges by doing a setuid() to a normal user. After the child setuid()'s, it is of course impossible for it to gain root again by itself. But since the main process is still running as root, i was wondering if there was a simple/smart way of getting the root-master-process to elevate the child back to root (or maybe just to another non-privi uid). Is there some way to do a setuid() on another pid? or maybe something can be done through /proc/<pid>/? Killing the child is not an option (because its what it does today and im trying to find a smarter way). (The program is apache2's mpm-itk worker and the "child" is the actual apache2 process serving a page.)
View 11 Replies View Relatedmy secure log is flooding with these messages..
sudo: pam_limits(sudo:session): wrong limit value 'unlimited' for limit type 'hard'
Dec 28 22:42:29 yn54 sudo: pam_limits(sudo:session): wrong limit value 'unlimited' for limit type 'soft'
Dec 28 22:42:29 yn54 sudo: pam_limits(sudo:session): wrong limit value 'unlimited' for limit type 'hard'
I would like to give a non-root user (nicollet) the ability to detect and send a signal to processes started by Apache2 (those processes are FastCGI scripts and the signal tells them to empty their cache). The processes are owned by the web user (www-data), and I'm running on Debian unstable.
I can't find any way to have the nicollet user see those processes.
The processes are running and can see by both root and www-data:
root@linux-01:~# ps -Af | grep baryton
www-data 17649 17648 0 10:27 ? 00:00:00 baryton
www-data 28145 1 0 Nov01 ? 00:00:12 baryton --bot
root 18701 18700 0 10:46 pts/0 00:00:00 grep baryton
root@linux-01:~#
[Code]....
The most surprising is that the grep process is indeed run by www-data (because it's started from a setuid executable) and is visible, but the baryton process isn't.
What's going on here? Why can ps run by www-data show those processes, but ps run by a setuid executable running as www-data cannot, when it's started by nicollet?
I have a VPS server with 512 MB memory. The php.ini is set so script memory limit = 16 MB. However, I have noticed in my top report, instances like the following:
Quote:
5484 coldclim 25 0 46476 32m 5920 R 0.0 6.4 0:00.93 php
The bold number of 6.4 is the % of sever memory this process is using. 6.4 % of 512 MB of memory is about 32 MB of memory, so it appears that this isn't being limited by php.ini. Am I correct? This leads to the next question: Is there some way to limit the amount of memory a single suphp process can use? (Basically, something like the setting in php.ini which limits suphp processes in the same way.)
I've been looking for this feature for months and couldn't find a solution for this. Does anyone know how to create users and limit the user to a specified directory?
View 6 Replies View RelatedI am trying to compile splasutis in my debian wheezy. ./configure run well, but during make I get the following error
make --silent all-recursive
Making all in libs
CONF libjpeg.a
[code]....
