Ubuntu Security :: Tor Users Urged To Update In Wake Of Breach
Jan 21, 2010
If you use Tor, you're cautioned to update now due to a security breach. In a message:URL.. on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: "In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers." Tor users should visit the download page and update ASAP!URL...
Currently I'm looking into implementing mod_security on all our apache servers. The installation on CentOS 5.5 comes directly with the "Core Rule Set" by the mod_security devs (curiously Debian and Ubuntu do not carry these) They also offer the Enhanced Rule Set for mod_security in a commercial package [URL] The main point there in their info link is the first point
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard However acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, as well as my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either. So my question would be if anyone has any experience with their ERS package and if it's needed for the PCI-DSS compliance compared to the requirements given in bullet points @ wiki article.
I've had a password on my 10.04 installation since I installed it (when it was released) and since last week it has disappeared. My computer seems to log in automatically. When I check the login screen settings, it is set to "show the screen for choosing who will log in".
My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog 2010-12-17 07:34:11 string too large in xxxyyy() 2010-12-19 10:42:10 string too large in xxxyyy()
this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)
I am running 11.04. After an update about a week and a half ago, the time to wake from suspend increased from about 3 seconds to well over 40 seconds. It now, sometimes, takes me longer to wake from suspend than a normal boot takes. Has anyone else encountered this problem/found a fix or workaround?
We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.
Upgraded online from 10.04 to 10.10 this morning....went OK I think! Was offered option to upgrade further to 11.04...and went for it!! Returned later to a blank screen.....unable to wake the machine....no disk activity Now have some function via a live CD......any thoughts on how I can proceed from here? I would like to persevere with the 'upgrade' route, as a fresh install will result in much loss of files
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
i updated both browsers i have and lost my secure log-in pages (no padlocks showing ) concerning different Web mail accounts.Just before i did these updates i checked an unrelated thing on-line regarding my sound card of which i kept a copy of and got this message below :
!!ALSA/HDA dmesg !!------------------ [ 12.762633] cfg80211: Calling CRDA for country: AM
I am from India, and I tried to update my Ubuntu system today. Code: $sudo apt-get update The update failed because the connection to the India mirror timed out: Code: [URL] Could not connect to in.archive.ubuntu.com:80 (111.91.91.37). - connect (110: Connection timed out) I tried the update a few times, with the same result every time.
I had firestarter running at this time, and noticed that I would get new security events every time I tried an update. I checked the events list, and it turned out that the machine at the ip address 111.91.91.37 (the in.archive.ubuntu.com machine, to go by the above error message) had been trying to make connections to seemingly random ports on the machine every time I tried the update: see the attached screenshot. I then changed my repositories to the Main Server using Synaptic, and tried the update again (from the command-line). This time it worked without a hitch, and firestarter did not report any unwanted incoming connection. why is the India mirror trying to open connections that the Main server apparently does not need in order for me to do the update? Should I (we) be concerned?
I was running 10.04 LTS and had decided to stick to the LTS versions as I'm now running my machine as a server and don't want to be updating regularly.Every time I logged in via SSH I got a message telling me there where packages to update including a security update. So I did a search to find out how to perform an update on Ubuntu server from the command line.What I found was to do this:sudo apt-get updatesudo apt-get dist-upgradeAfter doing that I rebooted but now my machine gives me this message:
init: ureadahead-other main process (794) terminated with status 4Your disk drives are being checked for errors, this may take some timePress C to cancel all checks currently inprogressI'm not pressing C yet and leaving it alone to finish, but I noticed when the machine booted that one of the options for booting talked about Ubuntu 10.10, so I'm worried that I've updated from 10.04 LTS to 10.10 by accident?
Libnss3-1d xulrunner-1.9.1 xulrunner-1.9.1-gnome support
After click on install updates and entering password, a message says "Some of the packages could not be retrieved from the server(s). Do you want to continue, ignoring these packages? Yes/No.
If I answer No, this message appears:
W: Failed to fetch http://security.ubuntu.com/ubuntu/po....10.1_i386.deb 404 Not Found [IP: 91.189.88.31 80]
If Yes, it tries to download but immediately:
W: Failed to fetch http://security.ubuntu.com/ubuntu/po....10.1_i386.deb 404 Not Found [IP: 91.189.88.31 80]
It has always installed the updates with no problems, until these 3 updates remain in pending installation status.
I've installed Ubuntu Desktop Ed 9 and I want to add a user account that would be very restricted. I would only want them to access the internet and run several programs. I do not want them to have access to the destkop, anything under preferences, administration etc... Is this possible?
I'm currently running tests on my SAM file on my XP partition. Partly because I want a password that is hard to crack, and also out of curiosity. While running John the Ripper (no options used) I'm noticing that there are 8 pasword hashes, yet only 4 users associated with WinXP. I know that JTR only does 7(?) characters when it check for a solution. Is the 8 hashes because it separates passwords longer than 7 into 2 hashes, and then cracks them individually as 2 parts? I did try googling this,
I created a new user desktop user for my girlfriend to use my netbook, but when she logs in, it doesn't show the wireless network icon. Under users and groups, I gave her access to wired and wireless networks, and under the network settings,I changed our wireless to "available to all users". I'm not sure what the problem is here.I'm using ubuntu netbook remix 10.04.
I need to be able to capture a users password when they login. I am well aware of the security issues with this and I'm ok with this.
We run a call center and I am working on migrating from windows to Kubuntu for the callers. It's policy that all callers must report their password to me, so I already know of everyone's password. There has to be some variable/script that I can "hack" to get the password they typed in to the login screen.
What I'm trying to do is that when a user logs in in for the first time, their profile is automatically created and set up. Setting up network drives, email, pidgin (which the password is stored in plain text anyway, so forget about security on that one), web apps, etc.
Trying to find information on How to capture a users password and all have been responded with the usual lecture on why you shouldn't do this. So I've heard it all before and I know of the risks. Like I said, I already have the callers password on file. If I could capture it, I wouldn't have to manually setup each profile every time we get a new caller, which is often since turnover is quite high in call centers.
Just got a message about critical security holes for phpmyadmin (see e.g. [URL]) and wondering, when I'd get an update for my ubuntu server Lucid Lynx 10.04.3?
Currently installed version is 4:3.3.2-1, published on 2010-04-16.
How can I make the security applet stop showing an update for firefox 3.5.9? I have a more recent version installed from mozilla repo: firefox 3.6. The mozilla repo already has a higher priority (95 instead of 99), so I don't know what to do.
Thought about posting in the Networking board, but I believe this is a much more security-oriented thread. So let's say I bring my computer to a public place, say a library with one open, public, shared wireless network. I connect to that network. Let's assume that everyone else who's connected is using Windows. Can they see my computer (through Network Manager or other software) and attack it (SYN flood or something)? Or does it depend on the network settings?
I have 2 servers, web server & mail server. they show 2 users in the summary area when I run w or top commands. But the actual list of users logged in (using either w or who) shows only 1 user. ps -ef |grep username only shows my current login as a running sshd process.
So I can find no trace of this other user except in the summary line for w or top. I have no shells or other logins left running elsewhere or abruptly terminated, no gui sessions (these are servers), no tty logins. Do I have another user logged in? Has someone hacked me & covered up most of their trail? Why do these commands show 2 users when everything else points to 1 user?
The line in bold is the security issue. There is only 1 user account on the system. There should only be 1 user logged in, not 2 users logged in. The remainder of the log file lists 1 user logged in, for similar log output. 2 users logged in does not appear again in the log file.
Does the second line of bold indicate that an attempt was made to log in to the system using SSH?
There was an internet connection interruption (no service) around the time of the log file event. The service did return, later.
Does that line indicate that an unauthorized user logged in to the system?
I am looking for the best method to implement SSL for my sites but without users having to accept the CERT and I'm small so I'd want to use the cheapest method like signing my own certs. Is there an automatic way of doing it or best practice?
I am stuck in a weird situation and could definitely use some help from gurus in security area.
I have categorized my users into 3: 1. root user 2. other local users 3. LDAP users
I want to setup following 2 usecases:
a) 1. Allow keybased ssh and scp to root users 2. Allow ssh but disallow scp service to other local users 3. Disallow ssh and scp to LDAP users
b)
1. Allow keybased ssh and scp to root users 2. Disallow both ssh and scp to other local users 3. Disallow ssh but allow scp to LDAP users
For the 1. in both cases, I think PermitRootLogin in sshd_config could . For the 3. I am thinking of deploying rssh to control scp service access, since ssh will be restricted anyways.
Problem area is 2. primarily.
i) How to allow ssh but disallow scp to 'other local users' ii) How to disallow both ssh and scp to 'other local users'
I have a new server with Fedora 10. The root user can log in by SSH using an RSA key but for any other user the RSA key is ignored and a password required.Ultimately I wish to access an SVN server over SSH and would like to to have to keep entering a password. I have Googled this issue and found nothing.If I log on as root the /var/log/secure file shows that the key is accepted, for any other user no message is added and the password is requested.I have checked all the config files and as far as I can see they are all correct so I am at a complete loss as to why SSH will not use the users RSA key.
I want to restrict some of my Operating System users running unwanted commands. I just want them to run specified commands only. How can i achieve this?
Block Users from USB Drive/Devices and CD-Rom I am using Ubuntu 9.10- the Karmic Koala(64 bit) in my company. I would like to block the users(except Super user) from using USB Drive/Devices and CD-Rom for security resons and to prevent my employees from copying data.
In Users Settings, I tried unchecking some items in User Privileges tab but it didn't work.
