more dsl log questions

Eric Eisenhart eric at eisenhart.com
Mon Jan 31 08:59:34 PST 2000


On Mon, Jan 31, 2000 at 04:28:23AM +0000, E Frank Ball wrote:
> Also does anyone know of any vulnerabilities of port 37 (time tcp) or
> port 515 (printer).

Your other questions seem to have been answered adequately, but not this
one...

lpr (printer on port 515) does have a vulnerability:
http://www.redhat.com/support/errata/RHSA2000002-01.html
Actually, two separate vulnerabilities that add up to a remote attacker with
control of their reverse DNS being able to successfully pretend to be you
and then being able to have a certain amount of control over sendmail in a way
that could easily lead to a root compromise.  (This is for RedHat 6.x, 5.2 and,
probably, earlier versions.  The same hole existed in Debian, to the best of
my knowledge.)

If you're running RedHat, go to http://www.redhat.com/support/errata/ and at
least update any packages you're running that are in the "security"
section...  RedHat still releases security fixes for RedHat 4.2, so as long
as you update to RH4.2, RH5.2 or RH6.x you can continue to get security
fixes.

Also, I strongly suggest going to
http://www.redhat.com/community/list_subscribe.html and subscribing to
redhat-watch-list or redhat-announce-list, possibly as well as linux-alert.

If you run Debian, go to:
http://www.debian.org/security/
(where, yes, the same lpr hole is listed with a date within days of RedHat's
security announcement of the same problem.)  Subscribe to
debian-security-announce if you run Debian.

As a general rule, I suggest putting this in your /etc/hosts.deny:
# (or whatever your internal net is)
ALL: ALL except 127.0.0. 10.0.0.

Then in /etc/hosts.allow you can allow specific protocols, such as:
sshd sshd2 identd in.identd auth: ALL except PARANOID

(I could never figure out what identd wanted to call itself for this
purpose)

This might not have helped for the lpr/lpd problem, since it doesn't appear
to me that lpd uses the /etc/hosts.(allow|deny) file and instead uses
/etc/hosts.lpd, but it's a good general thing to do, anyways...  (In
*addition* to firewalling of all the ports you don't want the outside world
to be able to use)

And either subscribing to the appropriate security announce list for your
Linux distribution (also the CERT list is a good idea) or setting up
something (up2date, autorpm, apt, ...) that runs automatically or you run
frequently and will tell you when new "errata" are available for your
distribution.
-- 
    Eric Eisenhart   Freedom is slavery.      http://eric.eisenhart.com/
 ^  ICQ#: 48217244   Ignorance is strength.   eric-dot-sig at eisenhart.com
/e\ Perl&SQL Coder   War is peace.            IRC Nicks: Falsch Freiheit
---                        -- George Orwell
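
The following is an added example, not part of the original message: a small Python model of how the two tcp_wrappers rules quoted above are evaluated (hosts.allow first, then hosts.deny, otherwise grant). It covers only the pattern subset those rules use; the client addresses and the `paranoid` flag are constructed sample inputs.

```python
# Minimal model of the hosts_access(5) subset used in the message above:
# ALL, address prefixes ending in ".", PARANOID and the EXCEPT operator.

def match_item(pattern, value, paranoid):
    p = pattern.upper()
    if p == "ALL":
        return True
    if p == "PARANOID":          # host name and address disagree
        return paranoid
    if pattern.endswith("."):    # address prefix such as "10.0.0."
        return value.startswith(pattern)
    return pattern == value      # exact daemon name or address

def match_list(tokens, value, paranoid=False):
    # "a b EXCEPT c d" matches when a or b matches and neither c nor d does.
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (match_list(tokens[:i], value, paranoid)
                and not match_list(tokens[i + 1:], value, paranoid))
    return any(match_item(t, value, paranoid) for t in tokens)

def rule_matches(rule, daemon, addr, paranoid):
    daemons, clients = rule.split(":", 1)
    return (match_list(daemons.split(), daemon)
            and match_list(clients.split(), addr, paranoid))

def access(allow, deny, daemon, addr, paranoid=False):
    # Order from hosts_access(5): hosts.allow, then hosts.deny, else grant.
    if any(rule_matches(r, daemon, addr, paranoid) for r in allow):
        return "allow"
    if any(rule_matches(r, daemon, addr, paranoid) for r in deny):
        return "deny"
    return "allow"

# The two rules from the message; the addresses below are constructed samples.
HOSTS_ALLOW = ["sshd sshd2 identd in.identd auth: ALL except PARANOID"]
HOSTS_DENY = ["ALL: ALL except 127.0.0. 10.0.0."]

if __name__ == "__main__":
    samples = [("sshd", "203.0.113.5", False), ("sshd", "203.0.113.5", True),
               ("in.telnetd", "203.0.113.5", False),
               ("in.telnetd", "10.0.0.7", False)]
    for daemon, addr, paranoid in samples:
        verdict = access(HOSTS_ALLOW, HOSTS_DENY, daemon, addr, paranoid)
        print(daemon, addr, "paranoid" if paranoid else "ok", "->", verdict)
```

A daemon that is not linked against tcp_wrappers or started through tcpd never consults these files, so the model says nothing about such a service.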