From: Paul Herman
To: Ragnar Beer
Date: Sun, 18 Feb 2001 12:47:09 +0100 (CET)
Subject: Re: Tripwire 2.3 Linux

On Sat, 17 Feb 2001, Ragnar Beer wrote:

> Is it possible to compile and run the open source version of
> Tripwire 2.3 Linux on FreeBSD?

To get it to compile natively under FreeBSD, there is a (lengthy) patch. Check the freebsd-security archives:

http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=192188+194286+/usr/local/www/db/text/2001/freebsd-security/20010128.freebsd-security

Update:
Over the last few weeks, I've been corresponding with Ron Forrester, who's maintaining the tripwire source now, and the patches for FreeBSD are being integrated into tripwire's CVS tree as we speak.

-Paul.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From: Ragnar Beer
To: freebsd-security@freebsd.org
Date: Sun, 18 Feb 2001 13:46:36 +0100
Subject: Remote logging

Howdy!

I remember reading about remote logging as a more secure alternative to setting sappnd flags. Can anybody confirm that and could you point me to a howto or so about how it can be done?

Ragnar

From: Cy Schubert - ITSD Open Systems Group
To: Paul Herman
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Date: Sun, 18 Feb 2001 06:00:57 -0800
Subject: Re: Tripwire 2.3 Linux

In message, Paul Herman writes:
> On Sat, 17 Feb 2001, Ragnar Beer wrote:
>
> > Is it possible to compile and run the open source version of
> > Tripwire 2.3 Linux on FreeBSD?
>
> To get it to compile natively under FreeBSD, there is a (lengthy)
> patch. Check the freebsd-security archives:
>
> http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=192188+194286+/usr/local/www/db/text/2001/freebsd-security/20010128.freebsd-security
>
> Update:
> Over the last few weeks, I've been corresponding with Ron Forrester
> who's maintaining the tripwire source now, and the patches for FreeBSD
> are being integrated into tripwire's CVS tree as we speak.

Dave Epperson of Tripwire Security told me last year that there were no plans for a FreeBSD version. It's good to see that there will be a FreeBSD version.

Tripwire 2.3 has improved memory management over 1.3.1, allowing it to monitor many more files before croaking.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From: Ng Pheng Siong
To: Hiroaki Etoh
Cc: security@FreeBSD.ORG, kris@FreeBSD.ORG, ash@lab.poc.net, kjm@rins.ryukoku.ac.jp, iwamura@muraoka.info.waseda.ac.jp
Date: Sun, 18 Feb 2001 15:10:05 +0800
Subject: Re: Base system with gcc stack-smashing protector

On Fri, Feb 16, 2001 at 06:26:25PM +0900, Hiroaki Etoh wrote:
> We confirmed the protected system blocked the bind TSIG exploit which is
> announced from CERT, 31 Jan, 2001.

Hmmm, is an exploit in the wild? Are servers being probed actively? I've been hearing people say no exploit has turned up yet.

Thanks.

--
Ng Pheng Siong * http://www.post1.com/home/ngps

From: Jan Conrad
Cc: Kris Kennaway, Ralph Schreyer
Date: Sun, 18 Feb 2001 17:03:59 +0100 (CET)
Subject: Re: Why does openssh protocol default to 2?

On Sat, 17 Feb 2001, Crist J. Clark wrote:
> On Fri, Feb 16, 2001 at 03:49:04PM +0100, Jan Conrad wrote:
>
> [snip]
>
> > What I would find reasonable is something like an .shosts mechanism for
> > ssh2 or, better, but more complicated, having the keys themselves
> > encrypted by some private key of the machine. Why should a user have
> > access to a plain key?
>
> OK, I am still not understanding why you believe SSH1 has advantages
> over SSH2 when a user has NFS mounted home directories. The real
> vulnerability to SSHx with NFS home directories is the threat that an
> attacker may write to .ssh/authorized_keys*. If you can write to that
> file, you can write to .shosts or .rhosts.
>
> What attack is SSH2 vulnerable to which SSH1 is not?

So in conclusion, simply the whole contents of the .ssh dir must not appear on NFS shares. Then SSH2 is the only choice, I agree.

Thanks for all your comments

regards
Jan

From: greg
To: squid-users@ircache.net
Cc: freebsd-security@FreeBSD.ORG
Date: Sun, 18 Feb 2001 11:29:31 -0800
Subject: FTP via squid/firewall setup

Hello. I have a squid proxy set up behind a firewall. The packets from the squid proxy are diverted through a NAT daemon on the firewall. Having failed to configure squid to use ftp-gw on the firewall, I am attempting to have ftp work using NAT as well. I understand why normal-mode ftp doesn't work. I've adjusted the squid.conf option "ftp_passive" to "on". When I ftp from netscape (configured to use the proxy) an error is returned after a short while stating "Squid sent the following: NLST and received the reply: No files found". The packet log below is a capture of this conversation.
The logs on the proxy will display the error: "proxy2# Feb 16 15:41:24 proxy2 squid[3137]: ftpTimeout: timeout in SENT_PASV state."

If I ftp to the same server from the command prompt on the proxy, I receive an error that looks similar to the error that is returned while attempting the same with normal mode ftp. The error reads "425 Can't build data connection: Connection timed out."

Would anyone know what the problem may be, or have a better solution? I really don't want to run any proxy-like software on the firewall if it can be avoided, and would rather not have clients connect direct to the firewall; I'd like to have the proxy as the only trusted internal host. ftp-gw was an attempt at getting around the ftp normal-mode issue.

Thanks for your time, please let me know if you require more information.

    INTERNAL-NET
         |
       PROXY
         |
    FIREWALL---FTP-server--WWW-server--ROUTER2----INTERNET
         |
     ROUTER-1
         |
     INTERNET

Some information:
- 3 NICs in the firewall
- two different internet links
- FTP, WEB, routers and external NICs on the firewall have internet IPs.
- The proxy and internal NIC have registered IPs, but they are not known or in any routing tables on any internet routers.
- Web stuff works fine.
- natd aliases outgoing traffic to the interface that points towards the web and ftp server.
- FreeBSD firewall using natd

222.222.222.222 = ftp server
222.222.222.111 = NIC IP that natd aliases to
(I have changed the IPs from what they really are for this letter)

[/root] # snort -devaC -i fxp0 host 222.222.222.222 and port 20 or port 21
Initializing Network Interface...
=> Decoding Ethernet on interface fxp0
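Greg's problem above is active-mode FTP through NAT: the client advertises a data-connection address in its PORT command that the server cannot reach, so the server's connection back to it times out (the 425 reply). The following is an added example, not code from the post, from squid or from natd: it decodes the h1,h2,h3,h4,p1,p2 form used by PORT commands and 227 replies and compares the advertised address with the control-connection peer, which is the consistency check a NAT-aware firewall or an FTP server makes before building the data connection. All sample lines and addresses are constructed (the 222.222.222.x values follow the post's substituted addressing).

```python
"""Decode the h1,h2,h3,h4,p1,p2 address form used by FTP PORT commands and
227 (PASV) replies, and check it against the control-connection peer.

Added example, not code from the post, squid or natd.  The encoding is the
one RFC 959 defines; every address and sample line here is constructed.
"""
import re
from ipaddress import ip_address

# Four octets of the IPv4 address, then the port as (high byte, low byte).
_ADDR_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_ftp_address(text):
    """Return (ip, port) from a 'PORT h1,h2,h3,h4,p1,p2' line or from a
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Raises ValueError when the six-number form is missing or any number
    exceeds 255, so a malformed line never becomes an address.
    """
    m = _ADDR_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 address in %r" % text)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("value out of range in %r" % text)
    ip = "%d.%d.%d.%d" % tuple(nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def is_valid_ftp_address(text):
    """True when decode_ftp_address() accepts the line."""
    try:
        decode_ftp_address(text)
    except ValueError:
        return False
    return True


def encode_ftp_address(ip, port):
    """Inverse of decode_ftp_address: ('10.0.0.5', 1362) -> '10,0,0,5,5,82'.

    This is the rewrite an FTP-aware NAT performs on an outgoing PORT
    command, substituting its external address for the client's internal one.
    """
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    octets = str(ip_address(ip)).split(".")   # ip_address() validates the text
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def check_data_address(line, control_peer_ip):
    """Classify the data-connection address advertised on the control channel.

    'ok'        it equals the peer address of the control connection
    'private'   it is an RFC 1918 or loopback address: a client behind NAT
                leaked its internal address, and the server's connection
                back to it can only time out
    'mismatch'  any other address: the same failure for an address that is
                routable in name only (the post's case), and something a
                server or firewall should refuse rather than connect to
    """
    ip, port = decode_ftp_address(line)
    if ip == control_peer_ip:
        return "ok", ip, port
    addr = ip_address(ip)
    if addr.is_private or addr.is_loopback:
        return "private", ip, port
    return "mismatch", ip, port
```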
From: Wes Peters
Organization: Softweyr LLC
To: Cy Schubert - ITSD Open Systems Group
Cc: Paul Herman, Ragnar Beer, freebsd-security@FreeBSD.ORG
Date: Sun, 18 Feb 2001 10:06:21 -0700
Subject: Re: Tripwire 2.3 Linux

Cy Schubert - ITSD Open Systems Group wrote:
>
> In message, Paul Herman writes:
> > On Sat, 17 Feb 2001, Ragnar Beer wrote:
> >
> > > Is it possible to compile and run the open source version of
> > > Tripwire 2.3 Linux on FreeBSD?
> >
> > To get it to compile natively under FreeBSD, there is a (lengthy)
> > patch. Check the freebsd-security archives:
> >
> > http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=192188+194286+/usr/local/www/db/text/2001/freebsd-security/20010128.freebsd-security
> >
> > Update:
> > Over the last few weeks, I've been corresponding with Ron Forrester
> > who's maintaining the tripwire source now, and the patches for FreeBSD
> > are being integrated into tripwire's CVS tree as we speak.
>
> Dave Epperson of Tripwire Security told me last year that there were no
> plans for a FreeBSD version. It's good to see that there will be a
> FreeBSD version.
>
> Tripwire 2.3 has improved memory management over 1.3.1, allowing it to
> monitor many more files before croaking.

Perhaps someone could help them with a kqueue version of tripwire, so it could monitor every file on the system without croaking? ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                    Softweyr LLC
wes@softweyr.com                         http://softweyr.com/

From: Marc Rassbach
To: Cy Schubert - ITSD Open Systems Group
Cc: Paul Herman, Ragnar Beer, freebsd-security@FreeBSD.ORG
Date: Sun, 18 Feb 2001 11:00:39 -0600 (CST)
Subject: Re: Tripwire 2.3 Linux

On Sun, 18 Feb 2001, Cy Schubert - ITSD Open Systems Group wrote:
> Dave Epperson of Tripwire Security told me last year that there were no
> plans for a FreeBSD version. It's good to see that there will be a
> FreeBSD version.

I was told the same thing, back when they made the 'linux announcement'. I asked why, and they mentioned the lack of marketshare. *yawn* When I pointed out that FreeBSD has 15% of the total open source marketplace, and asked if they would blow off TurboLinux in the same way, they didn't have an answer for that.

Good to see that they are at least willing to accept patches and the work of others.

At one time I DLed the 1st 'tripwire' product. I determined the only difference was the copyright change. They then sent out an e-mail implying because I hadn't paid for DL, I was a thief, and I should pay them. I did end up getting a reply from a VP stating the e-mail was marketing material.

From: Brian Reichert
To: Ragnar Beer
Cc: freebsd-security@freebsd.org
Date: Sun, 18 Feb 2001 13:22:55 -0500
Subject: Re: Remote logging

On Sun, Feb 18, 2001 at 01:46:36PM +0100, Ragnar Beer wrote:
> Howdy!
> > I remember reading about remote logging as a more secure alternative > to setting sappnd flags. Can anybody confirm that and could you point > me to a howto or so about how it can be done? What? Syslog? Set up a secured box, with syslogd: loghost# syslogd -a 192.186/16 Have this machine configured to write many machines' logs into whatever scheme you find useful for analysis. Have your other boxes have syslogd configured with something as simple as: *.* @loghost There are additional steps you can take to keep syslogd immune from DNS outages; read the manpages. Make sure all fo your boxes are syncroninzed via NTP. > > Ragnar > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Brian 'you Bastard' Reichert 37 Crystal Ave. #303 Daytime number: (603) 434-6842 Derry NH 03038-1713 USA Intel architecture: the left-hand path To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Feb 18 10:39:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from cc762335-a.ebnsk1.nj.home.com (cc762335-a.ebnsk1.nj.home.com [24.3.219.36]) by hub.freebsd.org (Postfix) with SMTP id B6DCC37B4EC for ; Sun, 18 Feb 2001 10:39:13 -0800 (PST) Received: (qmail 38412 invoked from network); 18 Feb 2001 18:39:21 -0000 Received: from athena.faerunhome.com (HELO athena) (192.168.0.2) by cc762335-a.ebnsk1.nj.home.com with SMTP; 18 Feb 2001 18:39:21 -0000 Message-Id: <4.2.2.20010218133626.00c04f00@netmail.home.com> X-Sender: damascus@netmail.home.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Sun, 18 Feb 2001 13:40:21 -0500 To: Brian Reichert From: Carroll Kong Subject: Re: Remote logging Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20010218132255.L91352@numachi.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk 
At 01:22 PM 2/18/01 -0500, you wrote:
>What? Syslog?
>
>Set up a secured box, with syslogd:
>
> loghost# syslogd -a 192.186/16
>
>Have this machine configured to write many machines' logs into
>whatever scheme you find useful for analysis.
>
>Have your other boxes have syslogd configured with something as
>simple as:
>
> *.* @loghost
>
>There are additional steps you can take to keep syslogd immune from
>DNS outages; read the manpages.
>
>Make sure all of your boxes are synchronized via NTP.
>
> > Ragnar
>
>--
>Brian 'you Bastard' Reichert

That is a good idea, however, what is to stop the enemy from killing
syslogd as his first option? I do not think syslogd logs when it gets
killed? So, despite the secure log host, he might not get the valuable
info he needs. I suppose you could then start speculating a break in if
there are no more MARKs since syslogd is dead. Even that could be
fabricated I suppose. Ugh. Security sure is tough to implement fully.
Not trying to say you are wrong, just that I am curious how does one
stop this possible problem? Have you found a way to avoid it?
-Carroll Kong

From owner-freebsd-security Sun Feb 18 13:51:18 2001
Date: Sun, 18 Feb 2001 21:24:42 +0200
From: Nevermind
To: Carroll Kong
Cc: Brian Reichert, freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
Message-ID: <20010218212442.A68304@nevermind.kiev.ua>
In-Reply-To: <4.2.2.20010218133626.00c04f00@netmail.home.com>

Hello, Carroll Kong!

On Sun, Feb 18, 2001 at 01:40:21PM -0500, you wrote:
> That is a good idea, however, what is to stop the enemy from killing
> syslogd as his first option? I do not think syslogd logs when it gets
> killed? So, despite the secure log host, he might not get the valuable
> info he needs. I suppose you could then start speculating a break in if
> there are no more MARKs since syslogd is dead. Even that could be
> fabricated I suppose. Ugh. Security sure is tough to implement
> fully.
> Not trying to say you are wrong, just that I am curious how does
> one stop this possible problem? Have you found a way to avoid it?

I sometimes think about some flag on process so that once launched it cannot
be killed without specifying password... I don't know if it will be correct to
existing process model...

What are you thinking about that?

--
NEVE-RIPE
The instructions said to install Windows 98 or better,
so I installed FreeBSD.

From owner-freebsd-security Sun Feb 18 14:08:01 2001
Date: Sun, 18 Feb 2001 17:07:53 -0500
From: Brian Reichert
To: freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
Message-ID: <20010218170753.A85795@numachi.com>

Date: Sun, 18 Feb 2001 17:05:07 -0500
From: Brian Reichert
To: Carroll Kong
Subject: Re: Remote logging

On Sun, Feb 18, 2001 at 01:40:21PM -0500, Carroll Kong wrote:
> At 01:22 PM 2/18/01 -0500, you wrote:
> >What?
> >Syslog?
> >
> >Set up a secured box, with syslogd:
> >
> > loghost# syslogd -a 192.186/16
> >
> >Have this machine configured to write many machines' logs into
> >whatever scheme you find useful for analysis.
> >
> >Have your other boxes have syslogd configured with something as
> >simple as:
> >
> > *.* @loghost
> >
> >There are additional steps you can take to keep syslogd immune from
> >DNS outages; read the manpages.
> >
> >Make sure all of your boxes are synchronized via NTP.
> >
> > > Ragnar
> >
> >--
> >Brian 'you Bastard' Reichert
>
> That is a good idea, however, what is to stop the enemy from killing
> syslogd as his first option?

To develop this further: people trying to handle these issues have
_multiple_ networks. Each important (public) host has two NICs
and is on both.

The loghost is on that private 'administrative' network, and is
locked down to death. Along with any terminal servers, backup
servers, etc. These are machines that are the support structure
of your LAN. If you allow logins at all, you would have in place
strict access controls.

Mind you, if one of the dual-homed hosts gets compromised, then
the attacker could take steps to congest that administrative network,
or congest the loghost. That's where an adaptive switch comes in,
however you implement that.

> I do not think syslogd logs when it gets
> killed?

Correct.

> So, despite the secure log host, he might not get the valuable
> info he needs. I suppose you could then start speculating a break in if
> there are no more MARKs since syslogd is dead.

I'm not certain which syslogd you're referring to, here.

- The loghost could have the syslogd process watchdogged in any
  number of ways. Presumably, you also have log rotation and
  auditing going on.

- The host(s) generating syslog packets: your log auditing would
  involve looking for traffic anomalies. Absence of syslog packets
  from any one host is an anomaly. :)

> Even that could be
> fabricated I suppose.
Checking for falsified syslog records is a different issue. :/

Relying _exclusively_ on syslog records to notice a compromise is a
loss.

> Ugh. Security sure is tough to implement
> fully.

'Fully'? What problems are you trying to solve?

Security is, at best, an exercise in risk analysis. Any security you
impose introduces inconveniences for your legitimate users. When
those impositions outweigh the risks/costs of a compromise, you've
misunderstood your needs.

> Not trying to say you are wrong, just that I am curious how does
> one stop this possible problem? Have you found a way to avoid it?

Which particular problem? (I'm not being snide; you introduced
several issues above...)

> -Carroll Kong

--
Brian 'you Bastard' Reichert
37 Crystal Ave. #303  Daytime number: (603) 434-6842
Derry NH 03038-1713 USA  Intel architecture: the left-hand path

From owner-freebsd-security Sun Feb 18 14:28:50 2001
Message-Id: <200102182228.JAA22169@tungsten.austclear.com.au>
To: Brian Reichert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
In-Reply-To: Message from Brian Reichert of "Sun, 18 Feb 2001 17:07:53 CDT."
    <20010218170753.A85795@numachi.com>
Date: Mon, 19 Feb 2001 09:28:42 +1100
From: Tony Landells

> To develop this further: people trying to handle these issues have
> _multiple_ networks. Each important (public) host has two NICs
> and is on both.
>
> The loghost is on that private 'administrative' network, and is
> locked down to death. Along with any terminal servers, backup
> servers, etc. These are machines that are the support structure
> of your LAN. If you allow logins at all, you would have in place
> strict access controls.
>
> Mind you, if one of the dual-homed hosts gets compromised, then
> the attacker could take steps to congest that administrative network,
> or congest the loghost. That's where an adaptive switch comes in,
> however you implement that.

One way I was thinking of doing this at one stage was to set up a
"stealth" filtering box which was configured as a bridge (it didn't
even have IP addresses), and basically let almost all traffic straight
through, except syslog stuff which it punted to a special machine off
to the side which did the logging (which could even be duplicating an
internal IP address, given that the filtering box wasn't doing layer 3
routing).

At the time I had been looking at ipfilter, but I think ipfw has all
the bits that are needed.

> > So, despite the secure log host, he might not get the valuable
> > info he needs. I suppose you could then start speculating a break in if
> > there are no more MARKs since syslogd is dead.
>
> I'm not certain which syslogd you're referring to, here.

I assume he's referring to the "mark" facility, which causes syslogd
to generate messages every twenty minutes.
Cheers,
Tony
--
Tony Landells, Senior Network Engineer, Australian Clearing Services Pty Ltd
Ph: +61 3 9677 9319  Fax: +61 3 9677 9355
Level 4, Rialto North Tower, 525 Collins Street, Melbourne VIC 3000, Australia

From owner-freebsd-security Sun Feb 18 14:30:09 2001
Date: Sun, 18 Feb 2001 16:29:01 -0600
From: "Brandon Hicks"
Subject: Fw: Killing Processes - was (Re: Remote logging)
Message-ID: <007d01c099fa$320f2160$57304c42@main.cox-internet.com>

-----Original Message-----
From: Brandon Hicks
To: Nevermind
Date: Sunday, February 18, 2001 4:27 PM
Subject: Killing Processes - was (Re: Remote logging)

>> I sometimes think about some flag on process so that once launched it
>> cannot be killed without specifying password... I don't know if it will
>> be correct to existing process model...
>> What are you thinking about that?
>
>I decided to make this its own thread..... Is this possible... This
>suggestion here would improve the security measures on every FreeBSD
>machine out there.
>I know that there is a chmod command to make a file unremovable, can there
>be a new command to make a process unkillable... I know that it would take
>quite a bit of work, and sorry, I'm not that good of a programmer or I
>would take it on.
>Great idea.. Anyone have a reasonable way of doing this?
>
>> The instructions said to install Windows 98 or better,
>> so I installed FreeBSD.
>Haha - anything is better than Windows

From owner-freebsd-security Sun Feb 18 14:30:24 2001
Date: Sun, 18 Feb 2001 16:29:13 -0600
From: "Brandon Hicks"
Subject: Fw: Remote logging
Message-ID: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>

-----Original Message-----
From: Brandon Hicks
To: Carroll Kong
Date: Sunday, February 18, 2001 1:29 PM
Subject: Re: Remote logging

>My FreeBSD box is down, so I can't check this out.... We are moving around
>some things in the new server room. But I'm about to have 8 FreeBSD boxes
>up, plus one here in my office... with no daemon running on it and only
>to monitor the others. So, I would like this information as well.
>Can someone see if syslogd says something when killed? If not can someone
>write a patch for it, to make it say something like "Syslogd: Killed" at
>least....
>
>Brandon Hicks
>bjh
>
>
>-----Original Message-----
>From: Carroll Kong
>To: Brian Reichert
>Cc: freebsd-security@FreeBSD.ORG
>Date: Sunday, February 18, 2001 12:42 PM
>Subject: Re: Remote logging
>
>
>>At 01:22 PM 2/18/01 -0500, you wrote:
>>>What? Syslog?
>>>
>>>Set up a secured box, with syslogd:
>>>
>>> loghost# syslogd -a 192.186/16
>>>
>>>Have this machine configured to write many machines' logs into
>>>whatever scheme you find useful for analysis.
>>>
>>>Have your other boxes have syslogd configured with something as
>>>simple as:
>>>
>>> *.* @loghost
>>>
>>>There are additional steps you can take to keep syslogd immune from
>>>DNS outages; read the manpages.
>>>
>>>Make sure all of your boxes are synchronized via NTP.
>>>
>>> > Ragnar
>>>
>>>--
>>>Brian 'you Bastard' Reichert
>>
>>That is a good idea, however, what is to stop the enemy from killing
>>syslogd as his first option? I do not think syslogd logs when it gets
>>killed? So, despite the secure log host, he might not get the valuable
>>info he needs. I suppose you could then start speculating a break in if
>>there are no more MARKs since syslogd is dead. Even that could be
>>fabricated I suppose. Ugh. Security sure is tough to implement
>>fully. Not trying to say you are wrong, just that I am curious how does
>>one stop this possible problem? Have you found a way to avoid it?
>>
>>-Carroll Kong

From owner-freebsd-security Sun Feb 18 15:25:20 2001
Date: Sun, 18 Feb 2001 15:25:14 -0800
From: Kris Kennaway
To: Ng Pheng Siong
Cc: security@FreeBSD.ORG
Subject: Re: Base system with gcc stack-smashing protector
Message-ID: <20010218152514.A37519@mollari.cthul.hu>
References: <20001117154551.A77867@citusc17.usc.edu> <20010216182625I.etoh@trl.ibm.com> <20010218151005.B424@madcap.dyndns.org>
In-Reply-To: <20010218151005.B424@madcap.dyndns.org>

On Sun, Feb 18, 2001 at 03:10:05PM +0800, Ng Pheng Siong wrote:
> On Fri, Feb 16, 2001 at 06:26:25PM +0900, Hiroaki Etoh wrote:
> > We confirmed the protected system blocked the bind TSIG exploit which is
> > announced from CERT, 31 Jan, 2001.
>
> Hmmm, is an exploit in the wild? Are servers being probed actively?
>
> I've been hearing people say no exploit has turned up yet.
Yes, an exploit has been publicly distributed for several weeks, and
judging by the number of reports of people with old versions of BIND
having it suddenly crash, it is actively being used.

Kris

From owner-freebsd-security Sun Feb 18 15:30:13 2001
Date: Sun, 18 Feb 2001 15:30:08 -0800
From: Kris Kennaway
To: Wes Peters
Cc: Cy Schubert - ITSD Open Systems Group, Paul Herman, Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: Tripwire 2.3 Linux
Message-ID: <20010218153007.C37519@mollari.cthul.hu>
References: <200102181401.f1IE1CW35992@cwsys.cwsent.com> <3A90010D.6F09C6CC@softweyr.com>
In-Reply-To: <3A90010D.6F09C6CC@softweyr.com>

On Sun, Feb 18, 2001 at 10:06:21AM -0700, Wes Peters wrote:
> > Tripwire 2.3 has
> > improved memory management over 1.3.1, allowing it to
> > monitor many more files before croaking.
>
> Perhaps someone could help them with a kqueue version of tripwire, so it
> could monitor every file on the system without croaking? ;^)

This would be truly awesome, and a perfect application of kqueue.

Kris

From owner-freebsd-security Sun Feb 18 15:48:12 2001
Date: Sun, 18 Feb 2001 16:55:05 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Brian Reichert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
Message-ID: <3A9060D9.65B47A4@softweyr.com>
References: <20010218170753.A85795@numachi.com>

Brian Reichert wrote:
>
> To develop this further: people trying to handle these issues have
> _multiple_ networks. Each important (public) host has two NICs
> and is on both.
>
> The loghost is on that private 'administrative' network, and is
> locked down to death.
> Along with any terminal servers, backup
> servers, etc. These are machines that are the support structure
> of your LAN. If you allow logins at all, you would have in place
> strict access controls.
>
> Mind you, if one of the dual-homed hosts gets compromised, then
> the attacker could take steps to congest that administrative network,
> or congest the loghost. That's where an adaptive switch comes in,
> however you implement that.

You don't even necessarily have to compromise one of the dual-homed
hosts. Remember the multicast SYN attack? It would flood RSTs onto
all attached networks on each box that came under attack. That code
is a lot stronger now, but I have no doubt somebody will someday find
another similar attack.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                       Softweyr LLC
wes@softweyr.com                             http://softweyr.com/

From owner-freebsd-security Sun Feb 18 17:52:15 2001
Date: Sun, 18 Feb 2001 17:52:06 -0800
From: "Crist J.
Clark"
To: Brandon Hicks
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Message-ID: <20010218175205.L62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>
In-Reply-To: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>

On Sun, Feb 18, 2001 at 04:29:13PM -0600, Brandon Hicks wrote:
>
> -----Original Message-----
> From: Brandon Hicks
> To: Carroll Kong
> Date: Sunday, February 18, 2001 1:29 PM
> Subject: Re: Remote logging
>
>
> >My FreeBSD box is down, so I can't check this out.... We are moving around
> >some things in the new server room. But I'm about to have 8 FreeBSD boxes
> >up, plus one here in my office... with no daemon running on it and only
> >to monitor the others. So, I would like this information as well. Can
> >someone see if syslogd says something when killed? If not can someone
> >write a patch for it, to make it say something like "Syslogd: Killed" at
> >least....

Not much point. You can always send a SIGKILL which cannot be caught
by the process. The attacker would have to cooperate by sending
syslogd(8) a SIGTERM or SIGINT, but why would he do that?

There really is nothing you can do about getting logs from a machine
once it is 0wn3d. Your only hope is that the attack itself will leave
some traces before the attacker has the accesses necessary to disrupt
the logging or that the changes the attacker makes leave some
noticeable signature (e.g., lack of mark messages).
--
Crist J.
Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Sun Feb 18 20:13:45 2001
Date: Mon, 19 Feb 2001 13:16:22 +0900
From: "Shoichi 'Ne' Sakane"
To: tsoi@xocah.dhs.org
Cc: freebsd-security@freebsd.org
Subject: Re: Racoon startup at boot problem
Message-Id: <20010219131622Q.sakane@ydc.co.jp>
References: <20010214172929.A76809@xocah.holywar.net>
In-Reply-To: Your message of "Wed, 14 Feb 2001 17:29:29 +0900" <20010214172929.A76809@xocah.holywar.net>

> When one server is rebooted and re-initialized racoon,
> they do not communicate at all, (in my opinion) because of mis-match of
> SPI on each server's SAD entries.

Does the problem happen when using the latest racoon?

We know that there are some problems, such as an SPI mismatch, when
the system using automated SA negotiation reboots.
The problem when the initiator rebooted was solved in the latest racoon.
From owner-freebsd-security Mon Feb 19 00:09:29 2001
Date: Mon, 19 Feb 2001 17:09:24 +0900
From: Hiroaki Etoh
To: security@FreeBSD.ORG
Subject: Re: Base system with gcc stack-smashing protector
Message-Id: <20010219170924T.etoh@trl.ibm.com>
References: <20010216182625I.etoh@trl.ibm.com> <001801c099a5$2274afe0$cc01a8c0@xyf>
In-Reply-To: <001801c099a5$2274afe0$cc01a8c0@xyf>

At Sun, 18 Feb 2001 20:20:02 +0800, "bsddiy" wrote:
> will the patch be merged to FreeBSD 4.3 or FreeBSD 5.0?
>
> Regards,
> David Xu

I think you can merge the patch to FreeBSD 4.3 or others, because the
patch consists of the following three parts and we don't change the
source code of the base system except gcc.

1. gcc extension, which is periodically submitted to the gcc-patch
   mailing list by Hiroaki Etoh.
2. patch to the Makefile in src/libexec/rtld-elf, which doesn't change
   the source code itself. It links the object file "stack_smash_handler"
   compiled with the position independent option.
3. patch to the Makefile in src/sys/booti386/loader, which adds the
   library "-lgcc -lc" for linking loader.
I'll appreciate receiving the result of whether the patch is applied to
FreeBSD 4.3 or FreeBSD 5.0.

Regards,
Hiroaki Etoh

From owner-freebsd-security Mon Feb 19 00:53:28 2001
Date: Mon, 19 Feb 2001 10:51:30 +0200
From: Peter Pentchev
To: Nevermind
Cc: Carroll Kong, Brian Reichert, freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
Message-ID: <20010219105130.A2946@ringworld.oblivion.bg>
References: <20010218132255.L91352@numachi.com> <4.2.2.20010218133626.00c04f00@netmail.home.com> <20010218212442.A68304@nevermind.kiev.ua>
In-Reply-To: <20010218212442.A68304@nevermind.kiev.ua>

On Sun, Feb 18, 2001 at 09:24:42PM +0200, Nevermind wrote:
> Hello, Carroll Kong!
>
> On Sun, Feb 18, 2001 at 01:40:21PM -0500, you wrote:
>
> > That is a good idea, however, what is to stop the enemy from killing
> > syslogd as his first option? I do not think syslogd logs when it gets
> > killed? So, despite the secure log host, he might not get the valuable
> > info he needs. I suppose you could then start speculating a break in if
> > there are no more MARKs since syslogd is dead. Even that could be
> > fabricated I suppose. Ugh. Security sure is tough to implement
> > fully.
> > Not trying to say you are wrong, just that I am curious how does
> > one stop this possible problem? Have you found a way to avoid it?
>
> I sometimes think about some flag on process so that once launched it cannot be
> killed without specifying password... I don't know if it will be correct to
> existing process model...
>
> What are you thinking about that?

I'd think some kind of process ACLs would be a better approach - something
like 'yeah, you're root, but you don't have this-and-this capability/token/
whatever, so there!'.. I don't know how far the ACL work has progressed,
and if there are any ideas to go in that direction, but ACL control over
sending signals certainly sounds interesting.

G'luck,
Peter

--
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From owner-freebsd-security Mon Feb 19 02:05:07 2001
Date: Mon, 19 Feb 2001 11:04:41 +0100
From: Ragnar Beer
To: Brian Reichert
Subject: Re: Remote logging
In-Reply-To: <20010218170753.A85795@numachi.com>
References: <20010218170753.A85795@numachi.com>

>Date: Sun, 18 Feb 2001 17:05:07 -0500
>From: Brian Reichert
>To: Carroll Kong
>Subject: Re: Remote logging
> snip
>- The host(s) generating syslog packets: your log auditing would
>  involve looking for traffic anomalies.
>  Absence of syslog packets
>  from any one host is an anomaly. :)

That's another thing I'm not familiar with: What are good tools for log auditing? Are there any that do anomaly analysis?

Ragnar

From owner-freebsd-security Mon Feb 19 2:09:17 2001
Date: Mon, 19 Feb 2001 19:09:11 +0900
From: "ho-sang, yoon"
Reply-To: Tsoi
To: Shoichi 'Ne' Sakane
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Racoon startup at boot problem
Message-ID: <20010219190910.A4429@xocah.holywar.net>
In-Reply-To: <20010219131622Q.sakane@ydc.co.jp>

What version do you mean? I have tried 'racoon-20010215a' from ftp.kame.net, but it didn't work. Maybe it's my fault, but I don't know. Anyway, I have gone back to the strict SPI definition way, not using racoon at all (direct SAD entry input by setkey). But anyway, thanks for your information.

xocah

Thus spake Shoichi 'Ne' Sakane (sakane@ydc.co.jp) :::::
: > When one server is rebooted and re-initialized racoon,
: > they do not communicate at all, (in my opinion) because of mis-match of
: > SPI on each server's SAD entries.
:
: Does the problem happen by using the latest racoon ?
:
: We know that there are some problem such a SPI mismatch when
: the system using automated SA negotiation reboots.
: The problem when the initiator rebooted was solved the latest racoon.
-- no signature

From owner-freebsd-security Mon Feb 19 2:11:11 2001
Date: Mon, 19 Feb 2001 11:10:54 +0100
From: Ragnar Beer
To: "Brandon Hicks"
Subject: Re: Fw: Remote logging
In-Reply-To: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>

>-----Original Message-----
>From: Brandon Hicks
>To: Carroll Kong
>Date: Sunday, February 18, 2001 1:29 PM
>Subject: Re: Remote logging
>
>
>>My FreeBSD box is down, so I can't check this out.... We are moving around
>>some things in the new server room. But I'm about to have 8 FreeBSD boxes
>>up, and plus one here in my office... with no daemon running on it and only
>>to monitor the others. So, I would like this information as well. Can
>>someone see if syslogd says something when killed? If not can someone
>>write a patch for it, to make it say something like "Syslogd: Killed" at
>>least....

Good idea! But if you have a remote intruder and you're logging via another NIC then he can take that interface down without cutting himself off, and so the "killed" message wouldn't get where it should, would it?
Ragnar

From owner-freebsd-security Mon Feb 19 2:18:33 2001
Date: Mon, 19 Feb 2001 11:18:22 +0100
From: Ragnar Beer
To: Brian Reichert
Subject: Re: Remote logging
In-Reply-To: <20010218132255.L91352@numachi.com>

>On Sun, Feb 18, 2001 at 01:46:36PM +0100, Ragnar Beer wrote:
>> Howdy!
>>
>> I remember reading about remote logging as a more secure alternative
>> to setting sappnd flags. Can anybody confirm that and could you point
>> me to a howto or so about how it can be done?
>
>What? Syslog?
>
>Set up a secured box, with syslogd:
>
>    loghost# syslogd -a 192.186/16

snip

Would there be any advantage in logging via serial interface instead of IP?
Ragnar

From owner-freebsd-security Mon Feb 19 9:32:35 2001
Date: Mon, 19 Feb 2001 14:35:04 -0300 (ART)
From: Fernando Schapachnik
To: security@freebsd.org
Subject: Inconsistent behavior on openssh
Message-Id: <200102191735.OAA72628@ns1.via-net-works.net.ar>

After installing the latest versions of openssh I noted that ssh will not request rhost authentication if run by a user other than root. This is because it can't bind to a low port, as it lost the suid bit. It wasn't like this before.

What is supposed to be the standard way of remote ssh login without a password?

TIA!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Mon Feb 19 9:39:00 2001
Date: Mon, 19 Feb 2001 12:40:07 -0500
From: "Peter C. Lai"
To: "Fernando Schapachnik", freebsd-security@FreeBSD.ORG
Subject: Re: Inconsistent behavior on openssh
Message-ID: <000501c09a9a$ffcf7140$1e9e6389@137.99.156.23>
References: <200102191735.OAA72628@ns1.via-net-works.net.ar>

Won't this line in /etc/syslog.conf log all logins whether via password or not? I know this logs password-authenticated ssh connection attempts. I don't trust rhosts any more than I used to (probably because I run more password-authentication than firewalling boxen).

    auth.*,authpriv.*    /var/log/authlog

----- Original Message -----
From: "Fernando Schapachnik"
To: security@freebsd.org
Sent: Monday, February 19, 2001 12:35 PM
Subject: Inconsistent behavior on openssh

> After installing the latest versions of openssh I noted that ssh will
> not request rhost authentication if run by an user other than root.
> This is because it can't bind to a low port, as it lost the suid bit.
> This wasn't like this before.
>
> What is supposed to be the standard way of remote ssh logging
> without password?
>
> TIA!
>
> Fernando P. Schapachnik
> Network Administration
> VIA NET.WORKS ARGENTINA S.A.
> fschapachnik@vianetworks.com.ar
> Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Mon Feb 19 9:43:34 2001
Date: Mon, 19 Feb 2001 14:45:59 -0300 (ART)
From: Fernando Schapachnik
To: Borja Marcos
Cc: security@freebsd.org
Subject: Re: Inconsistent behavior on openssh
Message-Id: <200102191745.OAA79827@ns1.via-net-works.net.ar>
In-Reply-To: <3A915937.598CCFD8@sarenet.es> "from Borja Marcos at Feb 19, 2001 06:34:47 pm"

In an earlier message, Borja Marcos wrote:
> Fernando Schapachnik wrote:
> >
> > After installing the latest versions of openssh I noted that ssh will
> > not request rhost authentication if run by an user other than root.
> > This is because it can't bind to a low port, as it lost the suid bit.
> > This wasn't like this before.
> >
> > What is supposed to be the standard way of remote ssh logging
> > without password?
>
> Public key authentication, perhaps?

Yes, I realized after typing send.
The thing was that just recently we non-US citizens were allowed to use RSA. This was not a valid option before.

Thanks!

>
> Borja.
>

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Mon Feb 19 10:12:47 2001
Date: Mon, 19 Feb 2001 19:11:29 +0100
From: Udo Erdelhoff
To: freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
Message-ID: <20010219191129.C2171@nathan.ruhr.de>
In-Reply-To: <200102151422.f1FEM1J70621@cwsys.cwsent.com> (from Cy.Schubert@uumail.gov.bc.ca on Thu, Feb 15, 2001 at 06:21:23AM -0800)

Hi,

> Agreed, -bd is not mandatory. One could run Sendmail out of inetd
> using -bs or hide it behind Obtuse Systems Smtpd (smtpd) port, which
> implements a Qmail-like or postfix-like approach using Sendmail.

Or you could tell sendmail to listen on lo0 only. In other words, start it with -bd -oOA=127.0.0.1, which results in:

    tcp4       0      0  127.0.0.1.25           *.*                    LISTEN

If you want sendmail to listen on more interfaces, add more -oOA options.
/s/Udo
-- 
"The only reasonable alternative we can come up with is to close off the Internet to America Online users until they have passed an entrance test. But that would break federal laws that prohibit discrimination against the intellectually challenged." - hhahn@boardwatch.com

From owner-freebsd-security Mon Feb 19 10:35:46 2001
Date: Mon, 19 Feb 2001 10:34:47 -0800 (PST)
From: Matt Dillon
To: Fernando Schapachnik
Cc: security@FreeBSD.ORG
Subject: Re: Inconsistent behavior on openssh
Message-Id: <200102191834.f1JIYl937444@earth.backplane.com>
References: <200102191735.OAA72628@ns1.via-net-works.net.ar>

:After installing the latest versions of openssh I noted that ssh will
:not request rhost authentication if run by an user other than root.
:This is because it can't bind to a low port, as it lost the suid bit.
:This wasn't like this before.
:
:What is supposed to be the standard way of remote ssh logging
:without password?
:
:TIA!
:
:Fernando P. Schapachnik
:Network Administration
:VIA NET.WORKS ARGENTINA S.A.
:fschapachnik@vianetworks.com.ar
:Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

Simply install your ~/.ssh/identity.pub in your remote account's ~/.ssh/authorized_keys file. That's what I use. I've never in my life used .rhosts or .shosts with ssh.
-Matt

From owner-freebsd-security Mon Feb 19 11:30:17 2001
Date: Mon, 19 Feb 2001 11:30:09 -0800
From: "Edward W. M."
To: cjclark@reflexnet.net
Cc: fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging

Crist J. Clark writes:
>Not much point. You can always send a SIGKILL which cannot be caught
>by the process. The attacker would have to cooperate by sending
>syslogd(8) a SIGTERM or SIGINT, but why would he do that?

Exactly, so here's an idea. What if we moved syslogd into the kernel and set up a sysctl knob for turning syslog on and off (syslog.active for example)? Each activity change would be logged, of course.

So what's the use of that, you might wonder. If remote logging is set up, the intruder could write a script that would take down the network interface(s), turn syslog off and bring the network interface(s) up again. He could also use ipf or ipfw to block outgoing syslog traffic.
Well, that's where 3 other sysctl knobs come into play:

- net.ifs_immutable (boolean)
  if set to 1, the active network interfaces cannot be brought down or changed in any way

- syslog.net.incoming.prevent_block (boolean)
  if set to 1, any attempt to block incoming syslog packets (with ipf/ipfw) would fail

- syslog.net.outgoing.prevent_block (boolean)
  if set to 1, any attempt to block outgoing syslog packets (with ipf/ipfw) would fail

Perhaps there would be a syslogctl, which would take arguments like:

- start, stop, restart, status and other standard syslogd arguments
  this is all self-explanatory (status would display remote logging settings and the relevant sysctl values, among other things)

- secure options
  the following matrix explains best what each option would do to the sysctl values:

                                        syslog.net.      syslog.net.
                       net.             incoming.        outgoing.
                       ifs_immutable    prevent_block    prevent_block

  secure               1                1                1
  secure in            1                1                X
  secure in only       1                1                0
  secure out           1                X                1
  secure out only      1                0                1
  secure off           0                0                0

All changes would first be logged, then attempted, and then the change status would be reported (success/failure). That way if someone does take over your machine, they will have to turn off at least one of the sysctl values, which cannot go undetected anymore. And if the status change report after the attempted change report message is missing, you can be sure that the attacker has done something to prevent further networking activity. If they take the network interface down, they will not be able to forge the status change report message. If they block outgoing syslog packets with ipf/ipfw, they will have to inject the forged syslog status report packet at a lower level in order to circumvent ipf/ipfw rules. Even if they were successful, you would notice that something is wrong because there would be no syslog activity from that host (no mark for example).
Last, but not least, the kernel would prevent any attempts to bind the syslog socket when syslogd would not be running, so syslog spoofing to remote machines would become more difficult.

The bottom line is, regardless of whether the attacker would manage to make it look as if syslog were still active on a certain host, you would know for sure that a syslog status change has occurred, so you could set up a script which would send you an SMS upon detecting any such change. That would give an attacker a few minutes at best, so they would have to be really well prepared and organized to be able to pull off anything that goes beyond rendering the system useless. In any case, you would know that something is wrong; what you would do with that information is entirely up to your security policy (or should I say vigilance and diligence).

Well, it was just an idea.

Edward W. M.

From owner-freebsd-security Mon Feb 19 11:49:35 2001
From: "Jonathan Slivko"
To: freebsd-security@FreeBSD.ORG
Subject: Differences on Securelevels?
Message-ID: <001f01c09aad$9e8c7a00$6a06fea9@jmsws>
Date: Mon, 19 Feb 2001 14:53:24 -0500

Hello,

I was wondering, is there any place on the Internet that I can read up on the differences with securelevel? I have been trying to get my machine into a more secure mode (level 1) and rebooted. However, this seems to have only killed the services running on the machine where even I can't get in.
-- Jonathan M. Slivko

P.S. Any ideas on how to fix the problem would be appreciated.

-- 
Jonathan M. Slivko
Systems Administrator, APPL Technologies
Global IRC Operator, AsylumNet IRC Network
website: http://webpage.pace.edu/js43064n/
"Microsoft, is that some kind of toilet paper?"
--

From owner-freebsd-security Mon Feb 19 11:50:29 2001
Date: Mon, 19 Feb 2001 14:50:22 -0500
From: Chris Faulhaber
To: Jonathan Slivko
Cc: freebsd-security@freebsd.org
Subject: Re: Differences on Securelevels?
Message-ID: <20010219145022.A97778@peitho.fxp.org>
In-Reply-To: <001f01c09aad$9e8c7a00$6a06fea9@jmsws>

On Mon, Feb 19, 2001 at 02:53:24PM -0500, Jonathan Slivko wrote:
> Hello,
>
> I was wondering, is there any place on the Internet that I can read up on
> the differences with securelevel? I have been trying to get my machine into
> a more secure mode (level 1) and rebooted. However, this seems to have only
> killed the services running on the machine where even I can't get in. --
> Jonathan M. Slivko
>

man init

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Mon Feb 19 12:27:34 2001
Date: 19 Feb 2001 21:27:29 +0100
From: Dag-Erling Smorgrav
To: security@freebsd.org
Cc: phk@freebsd.org
Subject: ftpd's read-only mode

A while ago, Poul-Henning implemented a read-only option in ftpd that makes the server refuse any command that would write, remove or modify a file or directory. Currently, the server will send a 202 reply with the reason "Command ignored. Server is in readonly mode.", but I think that a "550 Permission denied" would be much more appropriate. Does anybody object to this change?
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Feb 19 13:18:13 2001
Date: Mon, 19 Feb 2001 13:18:12 -0800
From: "Andy Kim"
To: freebsd-security@FreeBSD.ORG
Subject: ICMP floods
Message-ID: <007901c09ab9$77d5c720$7300a8c0@DOMAIN>

Some of the servers have been getting hit several times with ICMP floods from our FreeBSD server and we can't figure out why. They believe that someone had hacked in and put a trojan on our box. Is there any way of finding out what's going on and, more importantly, how to fix the problem? Any help would be greatly appreciated as I am rather new to FreeBSD.

Andy Kim
From owner-freebsd-security Mon Feb 19 13:20:33 2001
Date: Mon, 19 Feb 2001 13:20:29 -0800
From: Alfred Perlstein
To: Andy Kim
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP floods
Message-ID: <20010219132029.P6641@fw.wintelcom.net>
In-Reply-To: <007901c09ab9$77d5c720$7300a8c0@DOMAIN>

* Andy Kim [010219 13:18] wrote:
> Some of the servers have been getting hit several times with ICMP
> floods from our FreeBSD server and we can't figure out why. They
> believe that someone had hacked in and put a trojan on our box.
> Is there any way of finding out what's going on and more importantly,
> how to fix the problem? Any help would be greatly appreciated as
> I am rather new to FreeBSD.

First off, please wrap lines at 70 characters.

As far as "recovering" this machine, your best bet is to do a backup of all the _data_ (NOT executables) on the machine, i.e. html, or whatever, then do a complete reinstall. Otherwise you risk a backdoor remaining in the system and wasting even more of your time and resources.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From owner-freebsd-security Mon Feb 19 13:26:31 2001
Date: Mon, 19 Feb 2001 22:26:35 +0100
From: Poul-Henning Kamp
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: ftpd's read-only mode
Message-ID: <87016.982617995@critter>

In message , Dag-Erling Smorgrav writes:
>A while ago, Poul-Henning implemented a read-only option in ftpd that
>makes the server refuse any command that would write, remove or modify
>a file or directory. Currently, the server will send a 202 reply with
>the reason "Command ignored. Server is in readonly mode.", but I think
>that a "550 Permission denied" would be much more appropriate. Does
>anybody object to this change?

No, go ahead if you think that is better.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security Mon Feb 19 13:29:10 2001
Date: Mon, 19 Feb 2001 13:29:30 -0800 (PST)
From: Thomas Cannon
To: Andy Kim
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP floods
In-Reply-To: <20010219132029.P6641@fw.wintelcom.net>

> * Andy Kim [010219 13:18] wrote:
> > Some of the servers have been getting hit several times with ICMP
> > floods from our FreeBSD server and we can't figure out why. They
> > believe that someone had hacked in and put a trojan on our box.
> > Is there any way of finding out what's going on and more importantly,
> > how to fix the problem? Any help would be greatly appreciated as
> > I am rather new to FreeBSD.

Hi Andy. What is being used to detect these ICMP floods? What version of FreeBSD do you have? Also, do you see anything in the FBSD machine's logs about icmp source-quench or bandwidth-limit icmp packets being issued?

It's possible that the machine is broken, yes, but it's also possible that the measuring device is broken, or that something is misconfigured, or god only knows what.

Cheers,

tcannon

Richard Feynman was a hacker; read any of his books.
-Bruce Schneier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 13:46: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from jamus.xpert.com (helpful.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id AC28F37B503 for ; Mon, 19 Feb 2001 13:45:53 -0800 (PST) Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.13 #1) id 14Uy6f-0004ri-00; Mon, 19 Feb 2001 23:44:29 +0200 Date: Mon, 19 Feb 2001 23:44:29 +0200 (IST) From: Roman Shterenzon To: Lars Hecking Cc: Subject: Re: Announcement draft for amavisd In-Reply-To: <20010219211540.A23910@nmrc.ie> Message-ID: Organization: Xpert UNIX Systems Ltd. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I hope that you don't mind if I forward it to FreeBSD security list, perhaps people will give it a try. Unfortunately I don't have time for it now. P.S. For those that don't know amavis - it's antivirus program for SMTP gateways. http://www.amavis.org/ On Mon, 19 Feb 2001, Lars Hecking wrote: > > Check this out before I throw it to the pack. Is anyone except Geoff > and myself actually running amavisd? > > This will go to amavis-user, and a few selected newsgroups/mailing lists. > > >> > > We are looking for beta testers for amavis-perl before the next release. > > amavis-perl-11 represents the first major break in amavis development > since amavis-perl was branched off: it now runs as a daemon process, and > communicates with the MTA by means of a small client program, written > in C. The daemonisation was performed by Geoff Winkless, who also wrote > the sendmail milter interface for amavis-perl. > > This version is not a drop-in replacement for scanmails or amavis-perl. 
> There are known issues (see below), and it would be ideal if the
> people testing it don't mind hacking a line of code or two if necessary.
> Familiarity with amavis-perl is also a big plus.
>
> As the documentation hasn't been updated yet, this post is the only
> available document on how to set up and configure amavisd. It is
> probably incomplete. Nevertheless, read all of it, especially the known
> bugs section, before proceeding!
>
> Feedback should go to amavis-dev@amavis.org.
>
> getting it
> ----------
>
> Anonymous CVS
>
> cvs -d:pserver:anonymous@cvs.amavis.sourceforge.net:/cvsroot/amavis login
>
> When prompted for a password for anonymous, simply press the Enter key.
>
> cvs -z3 -d:pserver:anonymous@cvs.amavis.sourceforge.net:/cvsroot/amavis \
> co -r amavisd amavis
>
> If people have problems with cvs, I could be talked into producing a
> snapshot archive.
>
> configure and build it
> ----------------------
>
> See ./configure --help for available configure options. A brief description
> of these options is in INSTALL (which is up to date, incidentally).
>
> To allow testing under a non-privileged user id, I recommend something like
> --with-runtime-dir=/tmp/amavis. The directory must exist before you run
> amavis. I also recommend --disable-syslog to avoid cluttering the system
> logs while testing.
>
> For sendmail milter, you need --enable-milter. See README.milter, too.
> NB: There are two client programs, one for milter (amavis-milter), and
> one for all other configs (amavis).
>
> For the config file to install under /etc, use --sysconfdir=/etc.
>
> When configure is finished, inspect the configure report to see whether
> the software was configured the way you want. After that, a simple
> "make" should do.
>
> DISCLAIMER:
> Don't run the software on a production machine before you've tested it.
> You risk loss of email, floods, mud slides, nuclear war. The Shrike may
> appear and stick all PHB's on the Tree of Pain (you wish ...).
>
> install it (not strictly required for testing)
> ----------
>
> amavisd and amavis (or amavis-milter) live in /usr/sbin. The daemon config
> file is /etc/amavisd.conf.
>
> The "real" runtime-dir (/var/amavis by default) must exist before running
> amavis. It should be chmod'd 0700 and chown'd by the user id amavis daemon
> and client run as.
>
> "make install" should take care of setting up everything correctly, but
> it must be run as root (chown stuff), which is not required for testing.
>
> post-install configuration
> --------------------------
>
> Ideally, it should not be necessary to make any changes in the daemon
> (except for testing, see below).
>
> IMPORTANT: the MTA now interfaces with the client instead of amavisd.
> Client synopsis:
>
> amavis sender recipient [recipient ...] [-- lda [lda-args]]
>
> This is where the documentation is not up to date: your MTA configuration
> must be changed to match the above!
>
> The lda part is only relevant if you use sendmail and replace Mlocal
> with amavis. In this configuration, the A equate changes to
> A=amavis $f $u -- /bin/mail.local -d $u
> I have no idea whether this works properly with "m" in the F equate
> (it could :)
>
> For postfix (master.cf entry)
> ... user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
> ie. drop the -f before $sender if present.
>
> For exim, drop the -f/-d flags.
>
> testing
> -------
>
> amavis-perl-11 sports vastly improved debugging and logging facilities.
> The do_debug function is gone, it was integrated into do_log.
>
> - all runtime files are generated under the same directory (the one
> configured with --with-runtime-dir=DIR): socket, log file, temporary
> scan directories
> - logging goes to syslog or to DIR/amavis.log; if $DEBUG is yes, logging
> goes to stdout!
> - the amount of information logged is controlled by $log_level in the
> config file
>
> The test suite is disabled; I haven't found a good way yet to make it
> work. Some simple tests can be run out of the source directory without
> actually installing the software.
>
> Edit amavisd and set $DEBUG and $TESTING to yes. Set the path to the
> config file to Source_Dir/amavis/amavisd.conf. Edit this config file
> and set $log_level to 5.
>
> Now you can run some simple tests. For convenient viewing, daemon and
> client should be running in separate windows/vc's.
>
> - start the daemon; it should print a startup message and some lines
> about socket setup
> - run the client:
>
> amavis sender recipient
> and a bunch of logging messages should appear in the daemon window.
>
> known bugs
> ----------
>
> o qmail is not supported by the client; patches are welcome (I _think_
> all that is needed is code to read sender and recipients from stdout)
> o the test suite is disabled
> o the documentation is not up to date
> o daemon issues:
> - it doesn't detach itself from the terminal (yet)
> - it doesn't clean up on exit (doesn't remove the socket)
> - it needs a SIGHUP handler to re-read the config file (the one I wrote
> kills the daemon, flat ...)
> - on some systems, notably Solaris, /usr/include/sys/socket.h:SOMAXCONN
> is awfully small. If the mail logs show a lot of deferrals ("failed to
> connect()"), you may need to replace SOMAXCONN in amavisd with a higher
> value; but you still should remain within the limits set by the OS
> (I'm not terribly sure, but I think on Solaris the max values are:
> ndd /dev/tcp tcp_conn_req_max_q and tcp_conn_req_max_q0).
> HP-UX may be another candidate. DU/Tru64, Irix, Linux, the *BSDs
> should be OK.
>
> new features (relative to amavis-perl-10)
> ------------
>
> o support for sendmail milter (by Geoff Winkless)
> o support for Command AntiVirus (CSAV) for Linux (by Jeffrey C. Ollie)
> o many small bug fixes and improvements; a big Thanks! to all who
> contributed via amavis-user and our web pages at SourceForge.
> o performance :-) > - it is slightly faster than amavis-perl-10 (on my test machine, up > to 30%) > - memory usage is reduced significantly, especially if many mails are > scanned in parallel > - not really a useful metric, but I have observed that cpu load is > reduced by up to 67%, again for the case of many parallel scans > > --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 14:27:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from lark.capnet.state.tx.us (lark.capnet.state.tx.us [204.65.39.249]) by hub.freebsd.org (Postfix) with ESMTP id E53F137B503 for ; Mon, 19 Feb 2001 14:27:08 -0800 (PST) Received: from localhost (bbradsby@localhost) by lark.capnet.state.tx.us (8.11.1/8.10.0-NO UCE) with ESMTP id f1JMQRA11958; Mon, 19 Feb 2001 16:26:28 -0600 (CST) Date: Mon, 19 Feb 2001 16:26:27 -0600 (CST) From: Bryan Bradsby To: Thomas Cannon Cc: Andy Kim , Subject: Re: ICMP floods In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org One of our Certified NT techs installed a personal firewall at home that was reporting an ICMP "DOS flood" from one of our DNS servers. So he sent an e-mail to my boss saying he was sure the server was hacked including 10 Megabytes of bitmaps to "prove" it. I checked the logs and saw 9 packets per second from his box from port 137 to port 137 on the FreeBSD DNS server. Of course the FreeBSD server was sending back ICMP port unreach, just as it should, for each of these Netbios queries. 
It seems to me these personal firewalls are (by default) set too sensitive and lump together dangerous and innocuous packet types, resulting in the customer being very surprised to see all those "people hacking my computer". The vendor looks "good" because their product reports "attacks", the customer feels comfortable that "he is now protected", and legitimate infrastructure operators repeatedly explain to very skeptical consumers that one ICMP echo return (per day) is not an attack on their computer. -bryan bradsby ================================ On Mon, 19 Feb 2001, Thomas Cannon wrote: > > * Andy Kim [010219 13:18] wrote: > > > Some of the servers have been getting hit several times with ICMP > > > floods from our FreeBSD server and we can't figure out why. They > > > believe that someone had hacked in and put a trojan on our box. > > > Is there any way of finding out what's going on and more importantly, > > > how to fix the problem? Any help would be greatly appreciated as > > > I am rather new to FreeBSD. > > Hi Andy. > > What is being used to detect these ICMP floods? What version of FreeBSD do > you have? Also, do you see anything in the FBSD machine's logs about icmp > source-quench or bandwidth-limit icmp packets being issued? > > It's possible that the machine is broken, yes, but it's also possible that > the measuring device is broken, or that something is misconfigured, or god > only knows what. > > Cheers, > > tcannon > > > Richard Feynman was a hacker; read any of his books. 
> -Bruce Schneier > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 14:35:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id DD52237B65D for ; Mon, 19 Feb 2001 14:35:40 -0800 (PST) Received: (qmail 75744 invoked by uid 1000); 19 Feb 2001 22:35:39 -0000 Date: Mon, 19 Feb 2001 17:35:39 -0500 From: Chris Johnson To: security@freebsd.org Subject: Firewall rules with natd and IPSEC VPN Message-ID: <20010219173539.A75521@palomine.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vtzGhvizbBRQ85DL" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --vtzGhvizbBRQ85DL Content-Type: text/plain; charset=us-ascii Content-Disposition: inline I followed the how-to at http://www.mutex.org/aaron/tips/ipsec and set up an encrypted VPN between two RFC 1918 networks. Each has a FreeBSD 4.2 box running natd, with a private interface and a public interface. The private network on one end is 192.168.11.0/24, and on the other end is 192.168.5.0/24. It mostly works as I'd hoped, but I'm a little hazy on what firewall rules need to be in place. Before I implemented the VPN, I had: add divert 8668 ip from any to any via dc0 [a bunch of other stuff] I found that in order to make the VPN work, I had to change this to: ipfw add allow ip from 192.168.11.0/24 to 192.168.5.0/24 ipfw add allow ip from 192.168.5.0/24 to 192.168.11.0/24 add divert 8668 ip from any to any via dc0 [a bunch of other stuff] With the above rules, things seem to work. 
But the two rules I added before the divert rule make me a little nervous. Should they? Is there something more restrictive that will still work? My ipsec.conf file has the following: spdadd 192.168.5.0/24 192.168.11.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require; spdadd 192.168.11.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require; Does this protect me from someone spoofing a 192.168.5.0/24 address and getting something through my firewall, since any packet arriving from 192.168.5.0/24 will have the above security policy applied to it? (Obviously my understanding of this IPSEC stuff is a little vague; thanks for your patience.) Chris Johnson --vtzGhvizbBRQ85DL Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6kZ+6yeUEMvtGLWERAtmXAJ4ot0YMqJ9uMWBUj9LgRUmqbi1DIgCfa2lk v0UejH9C+jIeIlD1ewz+jgE= =tQ6k -----END PGP SIGNATURE----- --vtzGhvizbBRQ85DL-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 15: 4:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from dom.fc.u-tokai.ac.jp (dom.fc.u-tokai.ac.jp [150.7.244.115]) by hub.freebsd.org (Postfix) with ESMTP id 9BF5337B401 for ; Mon, 19 Feb 2001 15:04:16 -0800 (PST) Received: (from bsd-ml@localhost) by dom.fc.u-tokai.ac.jp (8.9.3/3.7Wpl2/000825) id IAA21221 for freebsd-security@FreeBSD.ORG; Tue, 20 Feb 2001 08:05:08 +0900 (JST) Date: Tue, 20 Feb 2001 08:05:08 +0900 (JST) From: User bsd-ml Message-Id: <200102192305.IAA21221@dom.fc.u-tokai.ac.jp> To: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org auth 33b0f917 unsubscribe freebsd-security bsd-ml@dom.fc.u-tokai.ac.jp To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From 
owner-freebsd-security Mon Feb 19 15:11:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from hand.dotat.at (sfo-gw.covalent.net [207.44.198.62]) by hub.freebsd.org (Postfix) with ESMTP id 7B5AF37B503 for ; Mon, 19 Feb 2001 15:11:09 -0800 (PST) Received: from fanf by hand.dotat.at with local (Exim 3.20 #3) id 14UQfx-0005YY-00; Sun, 18 Feb 2001 10:02:41 +0000 Date: Sun, 18 Feb 2001 10:02:41 +0000 From: Tony Finch To: Jan Conrad Cc: Kris Kennaway , freebsd-security@freebsd.org, Ralph Schreyer Subject: Re: Why does openssh protocol default to 2? Message-ID: <20010218100241.M2746@hand.dotat.at> References: <20010215133000.A12807@mollari.cthul.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: Organization: Covalent Technologies, Inc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jan Conrad wrote: > >I mean I just checked some University systems running ssh2 and ssh1 and I >found really *lots* of keys in NFS mounted users homes... (sometimes 10% >of the users had keys in their homes....) If the users don't encrypt their ssh keys then they deserve to lose. That doesn't make ssh2 less secure than ssh1. Tony. 
-- f.a.n.finch fanf@covalent.net dot@dotat.at To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 15:21: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from panther.unisys.com.br (panther.unisys.com.br [200.220.64.10]) by hub.freebsd.org (Postfix) with ESMTP id 2DE3537B401 for ; Mon, 19 Feb 2001 15:20:52 -0800 (PST) Received: from router111sul (ppp205-bsace7009.telebrasilia.net.br [200.181.88.205]) by panther.unisys.com.br (8.11.1/8.11.1) with SMTP id f1JNJ3H12562 for ; Mon, 19 Feb 2001 20:19:07 -0300 (BDB) Message-ID: <007001c09ac9$9576f8c0$cd58b5c8@isiteleinformatica.com.br> From: "Romualdo Arcoverde" To: Subject: WAVELAN IBSS 2 cards Date: Mon, 19 Feb 2001 20:13:29 -0300 Organization: UNINet Brasilia MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_006D_01C09AB0.6CF08EC0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_006D_01C09AB0.6CF08EC0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Hi.

I am trying to put two pccards running in one unique machine and I get this message:

Feb 19 21:16:48 roteador111sul /kernel: wi0: Ethernet address: 00:02:2d:02:83:59
Feb 19 21:16:48 roteador111sul pccardd[49]: wi0: Lucent Technologies (WaveLAN/IEEE) inserted.
Feb 19 21:16:51 roteador111sul /kernel: wi0: failed to allocate 1594 bytes on NIC
Feb 19 21:16:51 roteador111sul /kernel: wi0: tx buffer allocation failed
Feb 19 21:16:51 roteador111sul /kernel: wi0: failed to allocate 1594 bytes on NIC
Feb 19 21:16:51 roteador111sul /kernel: wi0: mgmt. buffer allocation failed

every time; they are running anyway, but something is wrong. Any help will be good.

Files:

PCCARD.CONF

# Generally available IO ports
io      0x240-0x360
# Generally available IRQs (Built-in sound-card owners remove 5)
irq     7 10 11 13 15
# Available memory slots
memory  0xd0000 96k

# Lucent WaveLAN/IEEE
card "Lucent Technologies" "WaveLAN/IEEE"
        config  auto "wi0" 7
        config  auto "wi1" 9
        insert  echo WaveLAN/IEEE inserted
        insert  /etc/pccard_ether wi0
        insert  /etc/pccard_ether wi1
        insert  . /etc/wavelan.conf
        remove  echo WaveLAN/IEEE removed
        remove  /sbin/ifconfig wi0 delete
        remove  /sbin/ifconfig wi1 delete

WAVELAN.CONF

# Server AP
wicontrol -i wi0 -p 1
wicontrol -i wi0 -c 1
wicontrol -i wi0 -n Servidor-AP
wicontrol -i wi0 -s Router1
wicontrol -i wi0 -t 1
wicontrol -i wi0 -f 1

# Client AP
wicontrol -i wi0 -p 1
wicontrol -i wi0 -n RedeTest
wicontrol -i wi0 -s Test
wicontrol -i wi0 -t 3

Thanks

Romualdo Arcoverde
Unisys Network - Brasilia
+55 (61) 4432768

------=_NextPart_000_006D_01C09AB0.6CF08EC0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_006D_01C09AB0.6CF08EC0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 15:35:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-53.dsl.lsan03.pacbell.net [64.165.226.53]) by hub.freebsd.org (Postfix) with ESMTP id 5F52937B4EC for ; Mon, 19 Feb 2001 15:35:43 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 63E2D66D46; Mon, 19 Feb 2001 15:35:42 -0800 (PST) Date: Mon, 19 Feb 2001 15:35:42 -0800 
From: Kris Kennaway To: Matt Dillon Cc: Fernando Schapachnik , security@FreeBSD.ORG Subject: Re: Inconsistent behavior on openssh Message-ID: <20010219153542.A54742@mollari.cthul.hu> References: <200102191735.OAA72628@ns1.via-net-works.net.ar> <200102191834.f1JIYl937444@earth.backplane.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="CE+1k2dSO48ffgeK" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200102191834.f1JIYl937444@earth.backplane.com>; from dillon@earth.backplane.com on Mon, Feb 19, 2001 at 10:34:47AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --CE+1k2dSO48ffgeK Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Mon, Feb 19, 2001 at 10:34:47AM -0800, Matt Dillon wrote:
> :After installing the latest versions of openssh I noted that ssh will
> :not request rhost authentication if run by a user other than root.
> :This is because it can't bind to a low port, as it lost the suid bit.
> :This wasn't like this before.
> :
> :What is supposed to be the standard way of remote ssh logging
> :without password?
> :
> :TIA!
> :
> :Fernando P. Schapachnik
> :Network administration
> :VIA NET.WORKS ARGENTINA S.A.
> :fschapachnik@vianetworks.com.ar
> :Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA
>
> Simply install your ~/.ssh/identity.pub in your remote account's
> ~/.ssh/authorized_keys file. That's what I use. I've never in my
> life used .rhosts or .shosts with ssh.

Or if you really want to use RhostsRSAAuthentication, rebuild sshd with ENABLE_SUID_SSH=true in /etc/make.conf

Kris

--CE+1k2dSO48ffgeK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6ka3OWry0BWjoQKURAirJAJ9zM4S8keUpmg5BF4Z3VInxZ8+0jgCguH+r +N7y9HPh6hYRWiTWtbGKUNw= =ht3c -----END PGP SIGNATURE----- --CE+1k2dSO48ffgeK-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 16:21:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f227.law9.hotmail.com [64.4.9.227]) by hub.freebsd.org (Postfix) with ESMTP id 22B9837B491 for ; Mon, 19 Feb 2001 16:21:36 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 19 Feb 2001 16:21:35 -0800 Received: from 12.20.190.1 by lw9fd.law9.hotmail.msn.com with HTTP; Tue, 20 Feb 2001 00:21:35 GMT X-Originating-IP: [12.20.190.1] From: "gerald stoller" To: phk@critter.freebsd.dk, des@ofug.org Cc: security@FreeBSD.ORG Subject: Re: ftpd's read-only mode Date: Mon, 19 Feb 2001 19:21:35 -0500 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 20 Feb 2001 00:21:35.0964 (UTC) FILETIME=[15B9A9C0:01C09AD3] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
>From: Poul-Henning Kamp
>To: Dag-Erling Smorgrav
>CC: security@FreeBSD.ORG
>Subject: Re: ftpd's read-only mode
>Date: Mon, 19 Feb 2001 22:26:35 +0100
>
>In message , Dag-Erling Smorgrav writes:
> >A while ago, Poul-Henning implemented a read-only option in ftpd that
> >makes the server refuse any command that would write, remove or modify
> >a file or directory. Currently, the server will send a 202 reply with
> >the reason "Command ignored. Server is in readonly mode.", but I think
> >that a "550 Permission denied" would be much more appropriate. Does
> >anybody object to this change?
>
>No, go ahead if you think that is better.
> SNIP

ftp (the ones I've seen so far) never writes to STDERR and always returns a 0 exit-value. The only way I have found to determine if there is an error in the ftp is to put it in verbose mode and grep STDOUT for lines beginning with a three-digit number whose value lies between 400 & 599 (because that three-digit number range is reserved for IDs of error messages) and delete from this the lines that have the word 'bytes' after a three-digit number in this range. This suggested change is right on because it complies with the RFC (I forget its number) for ftp.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 18:19:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from elisa.utopianet.net (elisa.utopianet.net [212.210.231.2]) by hub.freebsd.org (Postfix) with ESMTP id EAE5437B401 for ; Mon, 19 Feb 2001 18:19:40 -0800 (PST) Received: (from rlucia@localhost) by elisa.utopianet.net (8.9.1a/8.9.1) id DAA21348; Tue, 20 Feb 2001 03:19:16 +0100 (CET) Date: Tue, 20 Feb 2001 03:19:16 +0100
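The reply-code check gerald describes above, as an added example that is not part of the original thread and not code from any ftp implementation: a small parser for a verbose ftp(1) transcript that classifies server replies by their RFC 959 first digit (4xx transient failure, 5xx permanent failure), joins multi-line replies such as "211-...211 End.", and separates the client's own "N bytes received in ..." statistic from server replies by its format rather than by the presence of the word 'bytes'. The transcript, hostnames and file names are constructed for the example; the naive_grep function reproduces the grep heuristic for comparison and shows the case it gets wrong (a 550 for a file called bytes.txt).

```python
import re

# RFC 959 reply syntax: three digits, then ' ' for a single or final line,
# or '-' for the first line of a multi-line reply.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# ftp(1)'s own transfer statistic, printed by the client, not the server.
# It can begin with three digits ("450 bytes received in ..."), which is
# the false positive a grep for 4xx/5xx has to exclude.
CLIENT_STATS_RE = re.compile(r"^\d+ bytes (received|sent) in ")

# Constructed sample of a verbose ftp(1) session; not a real capture.
SAMPLE_TRANSCRIPT = """\
220 ftp.example.net FTP server ready.
331 Password required for anonymous.
230 Guest login ok.
200 Type set to I.
150 Opening BINARY mode data connection for notes.txt (450 bytes).
226 Transfer complete.
450 bytes received in 0.01 seconds (45.00 KB/s)
550 secret.txt: Permission denied.
550 bytes.txt: No such file or directory.
211-Extensions supported:
 SIZE
 MDTM
211 End.
221 Goodbye.
"""


def iter_replies(transcript):
    """Yield (code, text) for each server reply, joining multi-line replies."""
    pending_code, pending_lines = None, []
    for line in transcript.splitlines():
        m = REPLY_RE.match(line)
        if pending_code is None:
            if not m or CLIENT_STATS_RE.match(line):
                continue                      # client output, not a reply
            code, sep, text = m.groups()
            if sep == "-":                    # first line of a multi-line reply
                pending_code, pending_lines = code, [text]
            else:
                yield code, text
        elif m and m.group(1) == pending_code and m.group(2) == " ":
            pending_lines.append(m.group(3))  # "<code> <text>" closes the reply
            yield pending_code, "\n".join(pending_lines)
            pending_code, pending_lines = None, []
        else:
            pending_lines.append(line.strip())


def reply_class(code):
    """RFC 959 first digit: 4 = transient failure, 5 = permanent failure."""
    return {"4": "transient", "5": "permanent"}.get(code[0])


def failed_replies(transcript):
    """[(code, text, class)] for every 4xx/5xx server reply in the transcript."""
    return [(code, text, reply_class(code))
            for code, text in iter_replies(transcript)
            if reply_class(code)]


def session_ok(transcript):
    """True only if no server reply signalled a failure."""
    return not failed_replies(transcript)


def naive_grep(transcript):
    """The grep-for-4xx/5xx-then-drop-'bytes' heuristic, for comparison: it
    drops the legitimate 550 for bytes.txt together with the client statistic."""
    return [line for line in transcript.splitlines()
            if re.match(r"^[45]\d\d", line) and "bytes" not in line[3:]]


if __name__ == "__main__":
    for code, text, kind in failed_replies(SAMPLE_TRANSCRIPT):
        print(f"{code} ({kind}): {text}")
    print("naive grep saw:", naive_grep(SAMPLE_TRANSCRIPT))
```

The parser keys on the reply syntax itself (code, separator, text), so the only thing it has to special-case is the client's own statistic line, and it does that by the statistic's full shape rather than by one word in the text.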
From: Rocco Lucia To: Chris Johnson Cc: security@FreeBSD.ORG Subject: Re: Firewall rules with natd and IPSEC VPN Message-ID: <20010220031916.A20586@iscanet.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <20010219173539.A75521@palomine.net>; from cjohnson@palomine.net on Mon, Feb 19, 2001 at 05:35:39PM -0500 X-Disclaimer: The truth is out there X-Organization: Iscanet Internet Services X-Evil: Microsoft Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Feb 19, 2001 at 05:35:39PM -0500, Chris Johnson wrote:
> ...
> It mostly works as I'd hoped, but I'm a little hazy on what firewall rules need
> to be in place. Before I implemented the VPN, I had:
>
> add divert 8668 ip from any to any via dc0
> [a bunch of other stuff]
>
> I found that in order to make the VPN work, I had to change this to:
>
> ipfw add allow ip from 192.168.11.0/24 to 192.168.5.0/24
> ipfw add allow ip from 192.168.5.0/24 to 192.168.11.0/24
> add divert 8668 ip from any to any via dc0
> [a bunch of other stuff]
>
> With the above rules, things seem to work. But the two rules I added before the
> divert rule make me a little nervous. Should they? Is there something more
> restrictive that will still work?
>

Those two rules will keep all traffic going to the other private LAN from being diverted to natd, so it will just be routed into your IPSEC tunnel. If you want to apply firewall filtering rules between your private LANs you can do one of the following things:

1. add ipfw allow rules terminated by a deny rule specifying "via gif0" or whatever your tunnel interface is (before those 2 catch-all lan-to-lan rules).
2. not use your first two rules and allow/deny traffic as you wish, before your divert catch-all rule

... or other fancy ways of course.

> My ipsec.conf file has the following:
>
> spdadd 192.168.5.0/24 192.168.11.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
> spdadd 192.168.11.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
>
> Does this protect me from someone spoofing a 192.168.5.0/24 address and getting
> something through my firewall, since any packet arriving from 192.168.5.0/24
> will have the above security policy applied to it? (Obviously my understanding
> of this IPSEC stuff is a little vague; thanks for your patience.)
>

Well, that will not prevent spoofing at the ingress points of your tunnels (say somebody sending spoofed traffic from your dc0 interface). But you can filter out spoofed traffic by denying packets with source/dest your private LANs received from your dc0 interface (say ipfw deny ... in recv dc0).

ciao,
Rocco

-- Rocco Lucia Iscanet Internet Services rlucia@iscanet.com System and Network Admin http://elisa.utopianet.net/~rlucia Free unices for a free world. Support *BSD. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 19 20: 8:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from gull.prod.itd.earthlink.net (gull.prod.itd.earthlink.net [207.217.121.85]) by hub.freebsd.org (Postfix) with ESMTP id 9D1DF37B684 for ; Mon, 19 Feb 2001 20:08:45 -0800 (PST) Received: from colltech.com (1Cust48.tnt3.clarksburg.wv.da.uu.net [63.15.38.48]) by gull.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id UAA10015; Mon, 19 Feb 2001 20:08:20 -0800 (PST) Message-ID: <3A91EE6A.82EBBC37@colltech.com> Date: Mon, 19 Feb 2001 23:11:22 -0500
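The rule-ordering question in the exchange between Chris and Rocco, as an added example that is not code from the thread and not ipfw itself: a first-match simulator for the small subset of ipfw syntax the two of them use, run over Chris's posted ordering and over the same ruleset with Rocco's "deny ... in recv dc0" anti-spoof rules placed first. Everything after the divert stands in for Chris's "[a bunch of other stuff]" and is an assumption of this example; so is the decision to model the decapsulated inner packet of the tunnel as received on gif0 rather than dc0. natd's address rewriting is not modelled, only the fact that the walk resumes after the divert rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out"
    iface: str       # interface received on ("in") or sent through ("out")


def parse_rule(line):
    """Parse the ipfw subset used in the thread:
    <allow|deny|divert PORT> ip from <net|any> to <net|any> [in|out] [recv IF | via IF]"""
    toks = line.split()
    rule = {"text": line, "action": toks.pop(0), "dir": None, "recv": None, "via": None}
    if rule["action"] == "divert":
        rule["port"] = int(toks.pop(0))
    if toks[:2] != ["ip", "from"] or toks[3] != "to":
        raise ValueError(f"unsupported rule: {line!r}")
    rule["src"], rule["dst"] = toks[2], toks[4]
    rest = toks[5:]
    while rest:
        tok = rest.pop(0)
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok in ("recv", "via"):
            rule[tok] = rest.pop(0)
        else:
            raise ValueError(f"unsupported option {tok!r} in {line!r}")
    return rule


def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    if not (_in(pkt.src, rule["src"]) and _in(pkt.dst, rule["dst"])):
        return False
    if rule["dir"] and rule["dir"] != pkt.direction:
        return False
    if rule["recv"] and not (pkt.direction == "in" and pkt.iface == rule["recv"]):
        return False
    if rule["via"] and pkt.iface != rule["via"]:
        return False
    return True


def evaluate(rules, pkt):
    """First-match walk. A matching divert hands the packet to natd and the
    walk resumes at the next rule. Returns (verdict, rule text, natd saw it)."""
    natted = False
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            natted = True
            continue
        return rule["action"], rule["text"], natted
    return "deny", "default rule", natted   # ipfw's default without IPFIREWALL_DEFAULT_TO_ACCEPT


# Chris's ordering; the two rules after the divert stand in for his
# "[a bunch of other stuff]" and are an assumption of this example.
POSTED = [parse_rule(r) for r in (
    "allow ip from 192.168.11.0/24 to 192.168.5.0/24",
    "allow ip from 192.168.5.0/24 to 192.168.11.0/24",
    "divert 8668 ip from any to any via dc0",
    "allow ip from any to any out via dc0",
    "deny ip from any to any",
)]

# Rocco's anti-spoof denies placed first: cleartext on the public interface
# claiming either private LAN as source is dropped before the LAN-to-LAN
# allows get a chance to match it.
HARDENED = [parse_rule(r) for r in (
    "deny ip from 192.168.5.0/24 to any in recv dc0",
    "deny ip from 192.168.11.0/24 to any in recv dc0",
    "allow ip from 192.168.11.0/24 to 192.168.5.0/24",
    "allow ip from 192.168.5.0/24 to 192.168.11.0/24",
    "divert 8668 ip from any to any via dc0",
    "allow ip from any to any out via dc0",
    "deny ip from any to any",
)]

# Constructed test packets. "vpn_inner" is the decapsulated tunnel packet,
# modelled as received on gif0 (an assumption; see the note below).
SCENARIOS = {
    "vpn_inner":      Packet("192.168.5.10", "192.168.11.20", "in", "gif0"),
    "spoofed_remote": Packet("192.168.5.10", "192.168.11.20", "in", "dc0"),
    "spoofed_local":  Packet("192.168.11.7", "192.168.11.20", "in", "dc0"),
    "lan_to_inet":    Packet("192.168.11.20", "203.0.113.5", "out", "dc0"),
}


def verdicts(rules):
    """Map scenario name -> verdict for the given ruleset."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, verdicts(rules))
```

With the posted ordering a cleartext packet arriving on dc0 with a forged 192.168.5.x source hits the second allow rule and is let through; with the deny rules in front it is dropped while tunnel traffic and NAT'd outbound traffic still pass. The one thing the simulator cannot tell you is which receive interface the kernel attaches to the decapsulated packet on a real box: check it there with the counters from `ipfw show` or an `ipfw add ... log` rule before relying on this ordering, because if the inner packet is presented as received on dc0 the anti-spoof rule also drops the legitimate VPN traffic and has to be written differently.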
From: Daniel Hagan X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Edward W. M." Cc: cjclark@reflexnet.net, fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG Subject: Re: Fw: Remote logging References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Edward W. M." wrote: > Exactly, so here's an idea. What if we moved syslogd into the > kernel and set up a sysctl knob for turning syslog on and off > (syslog.active for example). Each activity change would be > logged, of course. First, it doesn't seem that moving syslog into the kernel fits w/ my understanding of the UNIX design philosophy (separate programs for services, i.e. init, swapper, inetd, syslog, sendmail, etc.). Plus it brings up more code that would have to be severely audited for the base system to be considered 'secure' (for whatever criteria you decide to use). Keeping syslog separate lets you delete the binary and no longer have to worry about that code path for security reasons (if, for example, you replaced syslog w/ nsyslog). [snip discussion of sysctl knobs] It is my understanding (I could be wrong, it wouldn't even be the first time) that raw sockets operate below the firewall code on the network stack. If this is the case, then it would be trivial to forge status reports on the compromised host. There are also issues involving forging packets from a third host. Syslog uses UDP after all, so the source information can be forged from machines on at least the same subnet in many/most situations. You need MACs to prevent forging, which isn't available in the default syslog. Since UDP is unreliable, you also are spending a lot of effort on getting packets onto the wire even though you can't guarantee they will be delivered to the loghost. 
> Last, but not least, the kernel would prevent any attempts to bind
> the syslog socket when syslogd would not be running, so syslog
> spoofing to remote machines would become more difficult. The bottom
> line is, regardless of whether the attacker would manage to make it
> look as if syslog were still active on a certain host, you would know
> for sure that a syslog status change has occurred, so you could set
> up a script which would send you an SMS upon detecting any such
> change.

This is ignoring an important issue for security-conscious sites: how do you
replace the default syslog w/ something else. There are alternative syslogs
out there that use crypto & TCP to resolve/mitigate many of the forging &
delivery issues you're trying to address. If the kernel will block binding on
syslog's port, how will you use one of these alternate implementations?

You are also requiring securelevels to prevent an attacker circumventing all
of the extra configuration you're adding. The difficulties in deploying
securelevels have been beaten to death, so I won't reiterate them here.

> Well, it was just an idea.

Not a terribly bad one either, but I think there are lots of issues that
aren't readily addressed. I would have to say that ACL's for signal delivery
(which I believe actually falls under the capabilities work from
TrustedBSD.org) would be a better way to go, perhaps w/ the addition of running
syslogd from /etc/ttys in inittab mode (I'm not sure about the hurdles to doing
that). Of course, remote logging depends on a lot of supporting infrastructure
to work (what do you do if he takes out your loghost's switch or DDoSs it?).

If we were going to rewrite the syslog code, I'd vote for doing it to add the
crypto support (encryption & MACs) so it would be easily accessible for those
who want that type of thing.
Of course, that's just my $.04 ;-)

Daniel

Message-ID: <3A91F16E.4915B5F4@colltech.com>
Date: Mon, 19 Feb 2001 23:24:14 -0500
From: Daniel Hagan
To: Poul-Henning Kamp
Cc: Dag-Erling Smorgrav, security@FreeBSD.ORG
Subject: Re: ftpd's read-only mode
References: <87016.982617995@critter>

> In message , Dag-Erling Smorgrav writes:
> >A while ago, Poul-Henning implemented a read-only option in ftpd that
> >makes the server refuse any command that would write, remove or modify
> >a file or directory. Currently, the server will send a 202 reply with
> >the reason "Command ignored. Server is in readonly mode.", but I think
> >that a "550 Permission denied" would be much more appropriate. Does
> >anybody object to this change?

Back at the beginning of Jan I had a patch discussed on -audit that fixed some
minor stuff w/ the 'ro' code and added a per-user read-only mode to
login.conf. If you want to commit this too (it originally got killed due to
rumors that ftpd was going to be replaced by the netbsd version), the patch is
still available from

http://vtopus.cs.vt.edu/~dhagan/freebsd/ftpd.patch

The discussion is in the archives

http://docs.freebsd.org/mail/archive/2001/freebsd-audit/20010107.freebsd-audit.html

Daniel

Date: Tue, 20 Feb 2001 00:12:04 -0500 (EST)
From: Dominick LaTrappe
To: security@freebsd.org
Subject: OpenSSH 2.3.0 "tvp" messages

I run several machines on FreeBSD 4.2-STABLE, with the base system's OpenSSH
2.3.0 on "LogLevel DEBUG". I get a lot of messages in syslog like these:

    debug1: tvp!=NULL kid 0 mili 10
    debug1: tvp!=NULL kid 1 mili 10
    debug1: tvp!=NULL kid 1 mili 100

These come from both the SSH daemons and the per-session children, and come in
bursts. Can anyone tell me if this should be cause for concern?

Thanks all,

||| Dominick

Date: Tue, 20 Feb 2001 00:28:05 -0500 (EST)
From: Mikhail Kruk
To: Dominick LaTrappe
Subject: Re: OpenSSH 2.3.0 "tvp" messages

As far as I can tell it's a normal condition which should happen a lot.

    /* Give a child that has exited 100 ms to flush its output. */
    if (child_terminated && packet_not_very_much_data_to_write())
        if (max_time_milliseconds == 0)
            max_time_milliseconds = 100;

    /* tvp is non-NULL exactly when select() is given a timeout. */
    if (max_time_milliseconds == 0)
        tvp = NULL;
    else {
        tv.tv_sec = max_time_milliseconds / 1000;
        tv.tv_usec = 1000 * (max_time_milliseconds % 1000);
        tvp = &tv;
    }
    if (tvp != NULL)
        debug("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds);

    /* Wait for something to happen, or the timeout to expire. */
    ret = select(max_fd + 1, readset, writeset, NULL, tvp);

On Tue, 20 Feb 2001, Dominick LaTrappe wrote:

> I run several machines on FreeBSD 4.2-STABLE, with the base system's
> OpenSSH 2.3.0 on "LogLevel DEBUG". I get a lot of messages in syslog like
> these:
>
> debug1: tvp!=NULL kid 0 mili 10
> debug1: tvp!=NULL kid 1 mili 10
> debug1: tvp!=NULL kid 1 mili 100
>
> These come from both the SSH daemons and the per-session children, and
> come in bursts. Can anyone tell me if this should be cause for concern?
> Thanks all,
>
> ||| Dominick

Date: Mon, 19 Feb 2001 23:07:03 -0800
From: "Crist J. Clark"
To: "Edward W. M."
Cc: fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Message-ID: <20010219230703.R62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu

On Mon, Feb 19, 2001 at 11:30:09AM -0800, Edward W. M. wrote: 
> Crist J. Clark writes:
> >Not much point. You can always send a SIGKILL which cannot be caught
> >by the process. The attacker would have to cooperate by sending
> >syslogd(8) a SIGTERM or SIGINT, but why would he do that?
>
> Exactly, so here's an idea. What if we moved syslogd into the
> kernel...[snip]

Please pass along whatever crack you have been smoking. That stuff will mess
your head good. Adding syslog to the kernel makes many, many more problems
than it solves.

I think one has to accept the idea that syslog can be killed on a remote host
and that the host can send data to a logging server to and from arbitrary
ports. If a box is owned, it's owned. The attacker can do whatever he
wants... almost.

You have two chances, (1) the remote logging client will notify you before the
box is completely taken or (2) you can recognize that the remote client has
been tampered with. Problem (1) is hard. You have to account for any type of
attack. (2) is not easy, but it is probably easier.

All I would want would be for syslogd on the client and server to generate a
shared, cryptographically strong secret when any of them is reset (HUPped) or
restarted. The secret is forgotten at the slightest tampering. We use simple
public key crypto, e.g. Diffie-Hellman, for the syslogd's to generate the
secret.
All subsequent messages can be signed (what I would typically prefer) or
encrypted (some people might like this) using this number. We then watch for
this number to change. The server syslogd will note this and log it. If the
shared secret does not change, we have good reason to believe syslogd has not
been tampered with. If it does change, we need to take a look at why.

This approach is subject to a number of attacks. If you already have an
intruder on your network, he may be able to perform a man-in-the-middle,
bucket-brigade attack during the key exchange. Note this exchange is NOT
authentication. However, an intruder cannot learn the key by listening
passively on the network. The other challenge is for the attacker to alter
syslogd without losing the secret or to retrieve the secret and then use his
own syslogd that can load it (this syslogd would _NOT_ have an option to use a
fixed secret).

Assuming that your network is in a fairly secure initial state, the lack of
authentication is not a problem (and adding authentication is "hard"). The
challenge is making sure an attacker will have a hard time altering the
running syslogd or getting the secret... Running at securelevel would really
help there (since it would be hard to tamper with the kernel to get at
syslogd's "raw" bits). syslogd would have to be written with a bit of a hair
trigger to forget the secret, not core dump it, be hard to attach a debugger,
etc. I'd have to think about how to do that... or if it is even practical.

I would tend to think someone has already done this? But most of the
"improved" syslogds that I have seen are too overblown with features for my
tastes and go too far away from the established protocols. I think these
extensions could be done without back-compatibility issues.

-- 
Crist J.
Clark cjclark@alum.mit.edu

Date: Mon, 19 Feb 2001 23:25:03 -0800
From: "Crist J. Clark"
To: Daniel Hagan
Cc: "Edward W. M.", fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Message-ID: <20010219232503.T62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A91EE6A.82EBBC37@colltech.com>
In-Reply-To: <3A91EE6A.82EBBC37@colltech.com>

On Mon, Feb 19, 2001 at 11:11:22PM -0500, Daniel Hagan wrote:
> "Edward W. M." wrote:

[snip]

> There are also issues involving forging packets from a third host.
> Syslog uses UDP after all, so the source information can be forged from
> machines on at least the same subnet in many/most situations. You need
> MACs to prevent forging, which isn't available in the default syslog.

MACs can be easily forged by local machines. MAC information is not normally
accessible to programs anyway. You could not use "regular" UDP socket
programming. Crypto or physical security is the only practical way to secure
locally. And since crypto also works remotely...

> Since UDP is unreliable, you also are spending a lot of effort on
> getting packets onto the wire even though you can't guarantee they will
> be delivered to the loghost.

It is easy to notice when packets stop coming. The attacker loses if the data
stops. No need to guarantee delivery.

-- 
Crist J.
Clark cjclark@alum.mit.edu

Message-ID: <3A9247FD.F6C68145@colltech.com>
Date: Tue, 20 Feb 2001 05:33:33 -0500
From: Daniel Hagan
To: cjclark@alum.mit.edu
Cc: "Edward W. M.", fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
References: <3A91EE6A.82EBBC37@colltech.com> <20010219232503.T62368@rfx-216-196-73-168.users.reflex>

"Crist J. Clark" wrote:
> On Mon, Feb 19, 2001 at 11:11:22PM -0500, Daniel Hagan wrote:
> > You need
> > MACs to prevent forging, which isn't available in the default syslog.
>
> MACs can be easily forged by local machines. MAC information is not
> normally accessible to programs anyway. You could not use "regular"
> UDP socket programming. Crypto or physical security is the only
> practical way to secure locally. And since crypto also works
> remotely...

MAC == Message Authentication Code in the above paragraph. I'm not sure if
that's how you read it or not (were you thinking 802.3?).

> It is easy to notice when packets stop coming. The attacker loses if
> the data stops. No need to guarantee delivery.

Right, but if the attacker can stop the reset messages and forge the mark
messages, then all's clear as far as the loghost is concerned. If your systems
are set up w/ the default mark intervals, that gives the attacker 20 minutes
to penetrate the system, compromise syslog, and start up bogus mark messages.
Maybe not 'easy' but certainly doable.

I like some of the ideas you proposed in your other post (dh keys, etc.).
Daniel
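The scheme the thread converges on (Crist Clark's DH-derived secret between the two syslogds, messages signed under it, the loghost noting when the secret changes; Daniel Hagan's points that a UDP source is trivially forged and that the default 20-minute mark interval is the attacker's window), as a runnable Python model. This is an added example, not code from the thread or from any syslogd: the host names, log lines and clock values are constructed, the DH group is a toy stand-in, and Party, LogHost, seal and check_marks are names chosen here.

```python
"""Keyed remote syslog: a runnable model of the thread's proposal (added example).

Client and loghost derive a shared secret with Diffie-Hellman whenever either
side (re)starts; every line then carries an HMAC-SHA256 tag under that secret.
The loghost drops lines whose tag does not verify (a spoofed UDP source has no
key to tag with), logs every fresh key agreement as an event of its own, and a
watchdog flags a client whose authenticated lines (marks included) stop.
"""
import hashlib
import hmac
import secrets

# Toy DH group: 2**521 - 1 is a known (Mersenne) prime, so the demo needs no
# parameter file.  It is NOT a safe prime; a deployment would use a standard
# group such as RFC 3526 group 14 instead.
P = 2**521 - 1
G = 3


class Party:
    """One syslogd end: a DH private value and, after agree(), the MAC key."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.key = None

    def agree(self, peer_pub):
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()
        return self.key


def tag(key, line):
    """Hex HMAC-SHA256 over the syslog line."""
    return hmac.new(key, line.encode(), hashlib.sha256).hexdigest()


def seal(key, line):
    """What the client puts on the wire: the line followed by its tag."""
    return f"{line} {tag(key, line)}"


class LogHost:
    """Loghost side: verifies tags, records key changes, watches for silence."""

    def __init__(self, mark_interval):
        self.mark_interval = mark_interval  # seconds between expected marks
        self.keys = {}                      # host -> current MAC key
        self.last_seen = {}                 # host -> clock of last good line
        self.events = []                    # what the loghost itself logged

    def rekey(self, host, client_pub, now):
        """Fresh DH exchange with `host`; returns our public value for it.  A second
        exchange for a known host means its syslogd restarted or was replaced."""
        me = Party()
        key = me.agree(client_pub)
        if host in self.keys:
            self.events.append(f"{now} {host}: syslog key changed (restart or tampering?)")
        self.keys[host] = key
        self.last_seen[host] = now
        return me.pub

    def receive(self, host, now, wire):
        """Accept a line only if its tag verifies under the host's current key."""
        line, _, got = wire.rpartition(" ")
        key = self.keys.get(host)
        if key is None or not hmac.compare_digest(got.encode(), tag(key, line).encode()):
            self.events.append(f"{now} {host}: dropped unauthenticated line {line!r}")
            return False
        self.last_seen[host] = now
        return True

    def check_marks(self, now):
        """Run periodically: a client quiet for longer than the mark interval is an event."""
        late = [h for h, t in self.last_seen.items() if now - t > self.mark_interval]
        for h in late:
            self.events.append(f"{now} {h}: no authenticated line for {now - self.last_seen[h]}s")
        return late


def demo():
    lh = LogHost(mark_interval=1200)   # syslogd's default 20-minute mark interval
    client = Party()
    client.agree(lh.rekey("webhost", client.pub, now=0))
    ok = lh.receive("webhost", 60, seal(client.key, "<38>sshd[146]: Accepted publickey for alice"))
    # A third machine spoofing webhost's UDP source address has no key: dropped.
    spoofed = lh.receive("webhost", 90, "<38>sshd[146]: Accepted publickey for mallory deadbeef")
    # The client's syslogd is restarted or replaced: the new exchange is logged.
    replacement = Party()
    replacement.agree(lh.rekey("webhost", replacement.pub, now=1500))
    # Lines under the previous key no longer verify.
    stale = lh.receive("webhost", 1510, seal(client.key, "<46>-- MARK --"))
    # Nothing authenticated arrives for longer than the mark interval.
    late = lh.check_marks(now=3000)
    return ok, spoofed, stale, late, lh.events


if __name__ == "__main__":
    for event in demo()[4]:
        print(event)
```

The point Crist makes about authentication still holds: nothing here proves who the peer is, so an active attacker present at the first exchange can sit in the middle. What the loghost gains is that every later deviation (a forged source, a replaced daemon, a silenced host) shows up as a logged event instead of as silence.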
From: Fernando Schapachnik
To: Kris Kennaway
Cc: Matt Dillon, security@FreeBSD.ORG
Subject: Re: Inconsistent behavior on openssh
Date: Tue, 20 Feb 2001 09:15:59 -0300 (ART)
Message-Id: <200102201215.JAA39014@ns1.via-net-works.net.ar>
In-Reply-To: <20010219153542.A54742@mollari.cthul.hu> "from Kris Kennaway at Feb 19, 2001 03:35:42 pm"
Reply-To: Fernando Schapachnik

In an earlier message, Kris Kennaway wrote:
> > Simply install your ~/.ssh/identity.pub in your remote account's
> > ~/.ssh/authorized_keys file. That's why I use. I've never in my
> > life used .rhosts or .shosts with ssh.
>
> Or if you really want to use RhostsRSAAuthentication, rebuild sshd
> with ENABLE_SUID_SSH=true in /etc/make.conf

I don't think it will suffice:

ssh.c:

    /* Disable rhosts authentication if not running as root. */
    if (original_effective_uid != 0 || !options.use_privileged_port) {
        options.rhosts_authentication = 0;
        options.rhosts_rsa_authentication = 0;

It's not #ifdef'd.

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

X-URL: http://www.ofug.org/~des/
To: "gerald stoller"
Cc: phk@critter.freebsd.dk, security@FreeBSD.ORG
Subject: Re: ftpd's read-only mode
From: Dag-Erling Smorgrav
Date: 20 Feb 2001 13:35:12 +0100
In-Reply-To: "gerald stoller"'s message of "Mon, 19 Feb 2001 19:21:35 -0500"

"gerald stoller" writes:
> ftp (the ones I've seen so far) never writes to STDERR and always
> returns a 0 exit-value.

ftp(1) is meant for interactive use, not for scripting. Use fetch(1).

> This suggested change is right-on because it complies with
> the RFP (I forget its #) for ftp .

You're probably thinking of RFC959.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

Date: Tue, 20 Feb 2001 16:12:56 +0100
From: Boris
Reply-To: Boris
Message-ID: <1369319020.20010220161256@x-itec.de>
To: "Andy Kim"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP floods
In-reply-To: <007901c09ab9$77d5c720$7300a8c0@DOMAIN>
References: <007901c09ab9$77d5c720$7300a8c0@DOMAIN>

Hello Andy,

Monday, February 19, 2001, 10:18:12 PM, you wrote:

AK> Some of the servers have been getting hit several times with ICMP floods
AK> from our FreeBSD server and we can't figure out why. They believe that
AK> someone had hacked in and put a trojan on our box.
AK> Is there any way of finding out what's going on and more importantly, how
AK> to fix the problem? Any help would be greatly appreciated
AK> as I am rather new to FreeBSD.
AK> Andy Kim

There are some tools out there like "stacheldraht" and others. Someone can
place an agent on your server (if hacked) and he can remotely enable or
disable this service to attack specific targets with several hacked machines
at one time to bring other servers down. This game is played a lot with older
Solaris servers as far as I know hhehe. Such a client needs several commands
what to do and when to do it. Based on a date, time and so on. The command
exchange is usually encrypted with RSA, but the ports for communication are
not usual ports and they can be detected.

To find a possible problem, we look at netstat to see the current connections
(simply enter "netstat"). Here is an example..

netstat:

    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      4  bastion.telnet         192.168.0.1.1073       ESTABLISHED

Someone from 192.. is connecting to the BSD box to the telnet service, as an
example. It could be a break-in or not, this you may decide yourself depending
on your configurations.
To see the data on the wire, use this for example:

    tcpdump -i isp0 -x -X -s 14400

isp0 is your internet device; maybe on your server it is ed0, ed1 or similar.

If you want to break the internet connection with someone depending on
specific events like special words, try out the package "sudo", not easy to
install because it needs an additional library for special things, but it can
protect you, too.

Usual services are FTP, telnet, www, email services and so on. If you see a
service that sounds unusual, post it here. It is not always sure that your
attacker enables your ICMP flood while you are checking the network status, so
check the daily time when the attack is done to see if there is an automation
somewhere or between a specific time window.

The next point is to limit the ICMP sendings and to block them completely if
necessary with the ipfw command, for example, and you need to limit the ICMP
response (infos seen on the list even today how to do it). I personally
blocked all ICMP ports between 130-140 (they are scanned a lot in general) as
well as some other ports completely.

While analyzing your server, block all not necessary requests with ipfw. If
you need only www and sendmail, block everything else (for example). You need
"ipfw" commands for this.

While the ICMP floods are going on, check the process list with "ps ax|more"
for example. There are some services usual, some are not usual. Here is an
example for a "normal" output, nothing looks critical here.

      0  ??  DLs    0:00.01  (swapper)
      1  ??  ILs    0:00.05 /sbin/init --
      2  ??  DL     0:00.01  (pagedaemon)
      3  ??  DL     0:00.00  (vmdaemon)
      4  ??  DL     0:00.05  (bufdaemon)
      5  ??  DL     0:00.17  (syncer)
    114  ??  Ss     0:00.23 syslogd -s
    117  ??  Is     0:00.00 /usr/sbin/portmap
    137  ??  Is     0:00.04 inetd -wW
    139  ??  Ss     0:00.05 cron
    142  ??  Is     0:00.08 sendmail: accepting connections (sendmail)
    146  ??  Is     0:01.13 /usr/sbin/sshd
    148  ??  Ss     0:00.02 /usr/sbin/usbd
    165  ??  Is     0:00.00 moused -p /dev/psm0 -t auto
    355  ??  Ss     0:00.35 telnetd
    356  p0  Is     0:00.06 -bash (bash)
    358  p0  D      0:00.12 _su (csh)
   1189  p0  R+     0:00.00 ps ax
   1190  p0  RV     0:00.00 _su (csh)
    272  v0  Is+    0:00.09 -csh (csh)
    273  v1  Is+    0:00.01 /usr/libexec/getty Pc ttyv1
    274  v2  Is+    0:00.01 /usr/libexec/getty Pc ttyv2
    275  v3  Is+    0:00.02 /usr/libexec/getty Pc ttyv3
    276  v4  Is+    0:00.01 /usr/libexec/getty Pc ttyv4
    277  v5  Is+    0:00.01 /usr/libexec/getty Pc ttyv5
    278  v6  Is+    0:00.01 /usr/libexec/getty Pc ttyv6
    279  v7  Is+    0:00.01 /usr/libexec/getty Pc ttyv7
    251 con- I+     0:00.00 /bin/sh /usr/local/pgsql/bin/pg_ctl -w start
    253 con- I+     0:00.05 /usr/local/pgsql/bin/postmaster -i -o -F (postgres)

The last two processes seem to be started not within a usual path, but pgsql
means "postgresql" and everything is ok at this point.

The magic process in finding something unusual is to "feel" if something is
going strong. It's not easy to explain. You need time to see what is going on.
Sending ICMP floods takes some processor time, so enter "top" to see what
process is working at the moment; maybe you can find the bad one.

Check all user accounts, disable accounts you don't really need. Your attacker
(if there is an attacker) has his own backdoor account (it's possible). But he
doesn't really need (if an intelligent trojan) a user account to log in; this
is done by the trojan. Disable accounts only if you are really sure what they
do or do not do.

Normally, you can be happy that there are only ICMP floods on your machine.
You should be happy that your server is still up and working. While examining
your system, make a plan to (eventually) reinstall your server completely.
First planning, then doing - if you forgot something to back up then you will
start screaming a lot. If you restore something wrong (the trojan) then you
can start screaming again. But an administrator is no musician as far as I
know hhahah.

-- 
Boris [MCSE, CNA]
...................................................................
X-ITEC : Consulting * Programming * Net-Security * Crypto-Research
........: [PRIVATE ADDRESS:]
: Boris Köster eMail koester@x-itec.de http://www.x-itec.de
: Grüne 33 - 57368 Lennestadt Germany Tel: +49 (0)2721 989400
: 101 PERFECTION - SECURITY - STABILITY - FUNCTIONALITY
........:..........................................................
Everything I am writing is (c) by Boris Köster and may not be rewritten or
distributed in any way without my permission.

Message-ID: <4D89A55D335FD4119B1C0008C75D4F4B03144F53@fsptfl17.mcguire.af.mil>
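Boris's triage routine (netstat for the current connections, ps ax compared against a "normal" listing, a look at where an unfamiliar process runs from), as an added Python checker that is not part of the thread. It builds its allowlist from a cut-down copy of the known-good ps ax listing quoted above and runs over constructed samples: the scratch-directory list, the trusted 192.168.0.* prefix and the expected-listener set are assumptions for the demo, and the two extra processes and the 203.0.113.5 connection are invented.

```python
"""Baseline triage over `ps ax` and `netstat` output (added example).

Builds an allowlist of program names from a known-good `ps ax` listing, then
flags processes that are not on it or that run out of a scratch or hidden
directory, and sockets whose far end is outside the local nets or that listen
on a port nobody expects.  All sample output below is constructed.
"""
import re

# FreeBSD 4.x `ps ax` columns:  PID TT STAT TIME COMMAND
PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+:\d+\.\d+)\s+(.*\S)\s*$")
# `netstat`: Proto Recv-Q Send-Q Local-Address Foreign-Address [state]
NS_RE = re.compile(r"^(tcp\d?|udp\d?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*(\S*)$")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/")   # assumption: nothing legit lives here

# Known-good snapshot, cut down from the "normal" listing in the thread.
KNOWN_GOOD_PS = """\
  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:00.01  (swapper)
    1  ??  ILs    0:00.05 /sbin/init --
  114  ??  Ss     0:00.23 syslogd -s
  137  ??  Is     0:00.04 inetd -wW
  142  ??  Is     0:00.08 sendmail: accepting connections (sendmail)
  146  ??  Is     0:01.13 /usr/sbin/sshd
  355  ??  Ss     0:00.35 telnetd
  273  v1  Is+    0:00.01 /usr/libexec/getty Pc ttyv1
  251 con- I+     0:00.00 /bin/sh /usr/local/pgsql/bin/pg_ctl -w start
  253 con- I+     0:00.05 /usr/local/pgsql/bin/postmaster -i -o -F (postgres)
"""
# The same box later, with two invented processes appended.
SUSPECT_PS = KNOWN_GOOD_PS + """\
 1203  ??  Ss     0:12.44 /tmp/.x/agent -p 7777
 1207  ??  S      0:03.10 /usr/local/bin/kflushd
"""
# The thread's telnet line plus an invented outside connection and an invented
# UDP listener (203.0.113.0/24 is a documentation range, not a real peer).
NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      4  bastion.telnet         192.168.0.1.1073       ESTABLISHED
tcp4       0      0  bastion.7777           203.0.113.5.40112      ESTABLISHED
tcp4       0      0  *.ssh                  *.*                    LISTEN
udp4       0      0  *.7777                 *.*
"""


def parse_ps(text):
    """Yield (pid, command) for every data row; the header row does not match."""
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(5)


def program_name(cmd):
    """'(swapper)' -> swapper, '-csh (csh)' -> csh, 'sendmail: ...' -> sendmail,
    '/usr/libexec/getty Pc ttyv1' -> getty."""
    first = cmd.split()[0]
    if first.startswith("(") and first.endswith(")"):
        return first[1:-1]
    return first.lstrip("-").rsplit("/", 1)[-1].rstrip(":")


def baseline_from(text):
    return {program_name(cmd) for _, cmd in parse_ps(text)}


def odd_processes(text, baseline):
    findings = []
    for pid, cmd in parse_ps(text):
        path = cmd.split()[0]
        if path.startswith(SCRATCH_DIRS) or "/." in path:
            findings.append((pid, "runs from scratch or hidden dir", cmd))
        elif program_name(cmd) not in baseline:
            findings.append((pid, "not in baseline", cmd))
    return findings


def split_endpoint(ep):
    # FreeBSD netstat writes host.port with a dot: '192.168.0.1.1073'
    host, _, port = ep.rpartition(".")
    return host, port


def odd_sockets(text, local_prefixes, expected_listeners):
    findings = []
    for line in text.splitlines():
        m = NS_RE.match(line.rstrip())
        if not m:
            continue
        _, _, _, local, foreign, state = m.groups()
        _, lport = split_endpoint(local)
        fhost, _ = split_endpoint(foreign)
        if state == "LISTEN" or foreign == "*.*":   # a listener, TCP or UDP
            if lport not in expected_listeners:
                findings.append(("unexpected listener", line.strip()))
        elif not fhost.startswith(local_prefixes):
            findings.append(("connection outside local nets", line.strip()))
    return findings


if __name__ == "__main__":
    for f in odd_processes(SUSPECT_PS, baseline_from(KNOWN_GOOD_PS)):
        print("process", *f)
    for f in odd_sockets(NETSTAT, ("192.168.0.",), {"ssh", "telnet", "smtp"}):
        print("socket", *f)
```

The baseline is only as good as the snapshot it was taken from, which is why Boris's advice to take it before anything looks wrong matters; a process that mimics a kernel daemon's name (the invented kflushd) is caught here only because it was absent from that snapshot.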
From: Salisbury Kam-Reef G SSgt 305LSS/LGLOA
To: freebsd-security@freebsd.org
Subject:
Date: Tue, 20 Feb 2001 13:03:47 -0500

subscribe

Reply-To: kam@salsolutions.net
From: "Kam Salisbury"
To: freebsd-security@freebsd.org
Subject: subscribe
Date: Tue, 20 Feb 2001 18:10:02 -0000

subscribe

Date: Tue, 20 Feb 2001 10:31:26 -0800
From: "Crist J. Clark"
To: Daniel Hagan
Cc: "Edward W. M.", fbsdsec@killaz-r-us.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Message-ID: <20010220103126.A77883@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A91EE6A.82EBBC37@colltech.com> <20010219232503.T62368@rfx-216-196-73-168.users.reflex> <3A9247FD.F6C68145@colltech.com>
In-Reply-To: <3A9247FD.F6C68145@colltech.com>

On Tue, Feb 20, 2001 at 05:33:33AM -0500, Daniel Hagan wrote:
> "Crist J. Clark" wrote:
> > On Mon, Feb 19, 2001 at 11:11:22PM -0500, Daniel Hagan wrote:
> > > You need
> > > MACs to prevent forging, which isn't available in the default syslog.
> >
> > MACs can be easily forged by local machines. MAC information is not
> > normally accessible to programs anyway. You could not use "regular"
> > UDP socket programming. Crypto or physical security is the only
> > practical way to secure locally. And since crypto also works
> > remotely...
>
> MAC == Message Authentication Code in the above paragraph. I'm not sure
> if that's how you read it or not (were you thinking 802.3?).

I was reading Media Access Control address. Sorry, I was wa-ay off.

-- 
Crist J.
Clark cjclark@alum.mit.edu

Date: Tue, 20 Feb 2001 11:22:28 -0800
From: Erick Mechler To: kam@salsolutions.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: subscribe Message-ID: <20010220112228.C93660@techometer.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from Kam Salisbury on Tue, Feb 20, 2001 at 06:10:02PM -0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Nope, and it didn't work the first time you tried this approach, either. Here's how you get on the lists: http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL Cheers - Erick At Tue, Feb 20, 2001 at 06:10:02PM -0000, Kam Salisbury said this: :: subscribe :: _________________________________________________________________ :: Get your FREE download of MSN Explorer at http://explorer.msn.com :: :: :: To Unsubscribe: send mail to majordomo@FreeBSD.org :: with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 11:26:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-53.dsl.lsan03.pacbell.net [64.165.226.53]) by hub.freebsd.org (Postfix) with ESMTP id 6E8B937B4EC for ; Tue, 20 Feb 2001 11:26:55 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 266F566F2E; Tue, 20 Feb 2001 11:26:55 -0800 (PST) Date: Tue, 20 Feb 2001 11:26:55 -0800 
From: Kris Kennaway
To: Fernando Schapachnik
Cc: security@FreeBSD.ORG
Subject: Re: Inconsistent behavior on openssh
Message-ID: <20010220112654.A35156@mollari.cthul.hu>
References: <20010219153542.A54742@mollari.cthul.hu> <200102201215.JAA39014@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="+HP7ph2BbKc20aGI"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102201215.JAA39014@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Tue, Feb 20, 2001 at 09:15:59AM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Feb 20, 2001 at 09:15:59AM -0300, Fernando Schapachnik wrote:
> In a previous message, Kris Kennaway wrote:
> > > Simply install your ~/.ssh/identity.pub in your remote account's
> > > ~/.ssh/authorized_keys file. That's what I use. I've never in my
> > > life used .rhosts or .shosts with ssh.
> >
> > Or if you really want to use RhostsRSAAuthentication, rebuild sshd
> > with ENABLE_SUID_SSH=true in /etc/make.conf
>
> I don't think it will suffice:
>
> ssh.c:
>     /* Disable rhosts authentication if not running as root. */
>     if (original_effective_uid != 0 || !options.use_privileged_port) {
>         options.rhosts_authentication = 0;
>         options.rhosts_rsa_authentication = 0;
>
> It's not #ifdef'd.

Erm - if it's setuid root (controlled by the makefile when it's installed), the original_effective_uid == 0.
Kris --+HP7ph2BbKc20aGI Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6ksT+Wry0BWjoQKURAnL/AJwJFlOkOQHLeNBSHcUIIC0Dsw1lOQCfWOe9 hW8ANsa+DvXEt3Y/emjeIrE= =TtS/ -----END PGP SIGNATURE----- --+HP7ph2BbKc20aGI-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 11:59:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-53.dsl.lsan03.pacbell.net [64.165.226.53]) by hub.freebsd.org (Postfix) with ESMTP id 671A237B491 for ; Tue, 20 Feb 2001 11:59:39 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 29A6E66F2F; Tue, 20 Feb 2001 11:59:39 -0800 (PST) Date: Tue, 20 Feb 2001 11:59:39 -0800 
From: Kris Kennaway To: Mikhail Kruk Cc: Dominick LaTrappe , security@FreeBSD.ORG Subject: Re: OpenSSH 2.3.0 "tvp" messages Message-ID: <20010220115939.A36095@mollari.cthul.hu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="sm4nu43k4a2Rpi4c" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from meshko@cs.brandeis.edu on Tue, Feb 20, 2001 at 12:28:05AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --sm4nu43k4a2Rpi4c Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Feb 20, 2001 at 12:28:05AM -0500, Mikhail Kruk wrote: > As far as I can tell it's a normal condition which should happen alot. ..and should only be displayed if you're running ssh or sshd in debug mode. Kris --sm4nu43k4a2Rpi4c Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6ksyqWry0BWjoQKURAp4RAJ9TDx0md4tIcF8ctCNeN3n2vLRvqACgryhe Wg89sudgmCIGdalx8wrJk6E= =QR3s -----END PGP SIGNATURE----- --sm4nu43k4a2Rpi4c-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 12: 5:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from quack.kfu.com (quack.kfu.com [205.178.90.194]) by hub.freebsd.org (Postfix) with ESMTP id 6A33637B4EC for ; Tue, 20 Feb 2001 12:05:47 -0800 (PST) (envelope-from nsayer@medusa.kfu.com) Received: from medusa.kfu.com (medusa.kfu.com [205.178.90.222]) by quack.kfu.com (8.11.1/8.11.1) with ESMTP id f1KK5kj48392 for ; Tue, 20 Feb 2001 12:05:46 -0800 (PST) (envelope-from nsayer@medusa.kfu.com) Received: (from nsayer@localhost) by medusa.kfu.com (8.11.1/8.11.0) id f1KK5kv83619 for freebsd-security@freebsd.org; Tue, 20 Feb 2001 12:05:46 -0800 (PST) (envelope-from nsayer) Date: Tue, 20 Feb 2001 
12:05:46 -0800 (PST)
From: Nick Sayer
Message-Id: <200102202005.f1KK5kv83619@medusa.kfu.com>
To: freebsd-security@freebsd.org
Subject: /etc/rc.firewall fixes
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would like to suggest a new "simple" firewall configuration.

I recently put a security fix in the prototype /etc/rc.firewall stuff to close up a rather glaring security hole. The old stuff did

    pass udp from any 53 to ${oip}

which allows someone to communicate, for instance, with port 2049 so long as they bind their end to 53. The state keeping stuff is the correct solution.

My proposed "simple" firewall config goes something like this:

    check-state
    pass udp from ${mynet} to any keep-state
    pass all from ${mynet} to any
    pass tcp from any to any established
    pass icmp from any to any

This simple set of rules represents a simple one-way set up. UDP is allowed to go out, and matching replies are allowed to come back in. TCP sessions are allowed to go out only. By itself it is not a complete ruleset, but I think it is a better one than any of the examples we presently have.

I haven't committed this because I wanted to start some discussion first and commit the resulting consensus.

From owner-freebsd-security Tue Feb 20 12:23:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (flutter.freebsd.dk [212.242.40.147]) by hub.freebsd.org (Postfix) with ESMTP id 4C70537B491; Tue, 20 Feb 2001 12:23:24 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.1/8.11.1) with ESMTP id f1KKNWx94829; Tue, 20 Feb 2001 21:23:32 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: security@freebsd.org, doc@freebsd.org
Subject: ipfw examples...
From: Poul-Henning Kamp
Date: Tue, 20 Feb 2001 21:23:32 +0100
Message-ID: <94827.982700612@critter>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The

    ipfw deny tcp from any to me 23
                              ^^

functionality is now present in both -current and -stable.

I think a number of our ipfw examples, including rc.firewall might need a minor revision in the light of this change.

In particular it has been pointed out to me, that it is now much easier to firewall machines which get dynamic IP numbers from DHCP or PPP or similar.

Consider this a gentle poke to look at this area...

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Tue Feb 20 14: 5: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 5D0DB37B401 for ; Tue, 20 Feb 2001 14:05:03 -0800 (PST) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id JAA93282; Wed, 21 Feb 2001 09:05:02 +1100 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id JAA04080; Wed, 21 Feb 2001 09:05:02 +1100 (EST)
Message-Id: <200102202205.JAA04080@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Nick Sayer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
In-Reply-To: Message from Nick Sayer of "Tue, 20 Feb 2001 12:05:46 -0800." <200102202005.f1KK5kv83619@medusa.kfu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 21 Feb 2001 09:05:02 +1100
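An added example for the two messages above (Nick Sayer's stateful "simple" ruleset and phk's "me" keyword). It is not code from the thread or from /etc/rc.firewall; it puts the rule Nick replaced next to his keep-state version, in the ${fwcmd} style rc.firewall uses, and runs as a dry run anywhere because fwcmd defaults to "echo ipfw". The ${mynet} and ${oip} values are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the rc.firewall code from the thread.  Puts the old
# "any 53" rule beside Nick Sayer's stateful replacement and phk's "me"
# keyword.  fwcmd defaults to "echo ipfw", so this prints the ipfw commands
# instead of loading them; on a FreeBSD box set fwcmd=/sbin/ipfw.
fwcmd="${fwcmd:-echo ipfw}"
mynet="${mynet:-10.0.0.0/24}"      # assumed inside network (example value)
oip="${oip:-192.0.2.1}"            # assumed outside address (example value)

# The rule being replaced.  The only thing it checks is the *source* port,
# which the remote end chooses, so a client bound to port 53 reaches 2049
# (or any other UDP service) on the firewall.
old_dns_rule() {
    echo "pass udp from any 53 to ${oip}"
}

# Nick's "simple" ruleset: UDP and TCP leave from ${mynet}; only UDP replies
# matching a dynamic state entry, established TCP, and ICMP come back in.
simple_rules() {
    cat <<EOF
check-state
pass udp from ${mynet} to any keep-state
pass all from ${mynet} to any
pass tcp from any to any established
pass icmp from any to any
EOF
}

# phk's addition: "me" matches every address configured on the box, so the
# rule keeps working after DHCP or PPP hands the interface a new address,
# where a literal ${oip} would silently stop matching.
deny_telnet_rule() {
    echo "deny tcp from any to me 23"
}

# Numbers the rules read from stdin 100 apart, rc.firewall style, and hands
# each to ${fwcmd}.  In the dry run that prints one "ipfw add N ..." line.
load_rules() {
    n=100
    while read -r rule; do
        ${fwcmd} add ${n} ${rule}
        n=$((n + 100))
    done
}

# True when a rule creates or consults dynamic state.
is_stateful() {
    case "$1" in
        *keep-state*|check-state) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    echo "# not loaded, the rule this replaces: $(old_dns_rule)"
    ${fwcmd} -f flush
    { deny_telnet_rule; simple_rules; } | load_rules
}

main
```

Rule order matters: check-state must come before the keep-state rule so that reply packets are matched against the dynamic table before any static rule sees them.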
From: Tony Landells
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm in the process of hacking on my rc.firewall because I'm building new firewalls, so I'm interested in any ideas people have.

The stuff that I put in yesterday was to auto-generate my anti-spoofing rules (which is a huge saving when you have seven Ethernet interfaces!), and organise my rule numbering.

I also have stuff so that you basically only have to map the logical interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.) and it sets the other variables for you (oip, omask, iip, imask, etc.). Note that I don't bother with onet, inet, etc. because you can get the same result by using, for example, ${oip}:${omask}.

As a result of these bits of hackery, my rc.firewall looks something like:

    rule...
    rule...
    rule...
    rule...
    rule...

If anyone wants to see it and has a fairly strong stomach ;-) let me know. If there are a few people interested, I'll post to the group.

Cheers,
Tony
--
Tony Landells
Senior Network Engineer                 Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd    Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia

From owner-freebsd-security Tue Feb 20 16:14:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mighty.grot.org (mighty.grot.org [216.15.97.5]) by hub.freebsd.org (Postfix) with ESMTP id 57F5237B4EC; Tue, 20 Feb 2001 16:14:24 -0800 (PST) (envelope-from lists@grot.org)
Received: by mighty.grot.org (Postfix, from userid 998) id 899FB5DCB; Tue, 20 Feb 2001 16:14:23 -0800 (PST)
Date: Tue, 20 Feb 2001 16:14:23 -0800
From: lists To: Kris Kennaway Cc: freebsd-security@freebsd.org Subject: Re: Encrypted networked filesystem needed Message-ID: <20010220161423.A34880@mighty.grot.org> Reply-To: lists@lists.grot.org References: <00aa01c07cbd$71209dc0$0c00a8c0@ipform.ru> <20010112174616.D23818@citusc.usc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010112174616.D23818@citusc.usc.edu>; from kris@FreeBSD.ORG on Fri, Jan 12, 2001 at 05:46:16PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Jan 12, 2001 at 05:46:16PM -0800, Kris Kennaway wrote: > On Fri, Jan 12, 2001 at 08:22:58PM +0200, Roman Shterenzon wrote: > > > If IPSec is supported on both sides, it is the best available solution. > > You'll get a completely transparent encryption and a powerful NFSv3 > > server/client. Did I mention that FreeBSD rocks? > > This way all network services will be secured and since the most of IPSec > > (AH/ESP) is done in the kernel mode, it'll be quite fast even on > > moderate hardware. > > Unfortunately I think there are some layering bugs with NFS + IPSEC on > FreeBSD - I have had lots of NFS filesystem wedges when testing this. Is there an open pr on this or has it been fixed/addressed in 4.2-STABLE? I've been trying it and it has worked for 24+ hours without problems (albeit very low NFS traffic) as long as I don't use racoon... 
Thanks, Adi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 17: 1:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from h-209-91-79-2.gen.cadvision.com (h24-68-202-204.cg.shawcable.net [24.68.202.204]) by hub.freebsd.org (Postfix) with ESMTP id 0227237B401 for ; Tue, 20 Feb 2001 17:01:09 -0800 (PST) (envelope-from gtf@cirp.org) Received: from cirp.org (localhost [127.0.0.1]) by h-209-91-79-2.gen.cadvision.com (8.9.3/8.9.3) with ESMTP id SAA38561 for ; Tue, 20 Feb 2001 18:01:01 -0700 (MST) (envelope-from gtf@cirp.org) Message-Id: <200102210101.SAA38561@h-209-91-79-2.gen.cadvision.com> Date: Tue, 20 Feb 2001 18:01:00 -0700 (MST) 
From: "Geoffrey T. Falk"
Subject: IPv6 risk with ssh?
To: security@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From time to time I've noticed sshd on "tcp46" listening right now on one of my servers (4.1.1-RELEASE). I don't see it always.

    # netstat -an
    [...]
    tcp4       0      0  *.22                   *.*                    LISTEN
    tcp46      0      0  *.22                   *.*                    LISTEN

What is tcp46, a hybrid IP4/IP6 protocol? Should I be concerned? Nobody else has (legitimate) access to this box.

I'd prefer to disable/block all IPv6 for now if possible. How can I be assured that this is the case? I am currently running ipfw with a default deny rule.

I don't have a way to probe the box using IPv6 currently.

Thanks
Geoffrey

From owner-freebsd-security Tue Feb 20 17: 9:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sonar.noops.org (adsl-63-195-97-84.dsl.snfc21.pacbell.net [63.195.97.84]) by hub.freebsd.org (Postfix) with ESMTP id B964537B491 for ; Tue, 20 Feb 2001 17:09:28 -0800 (PST) (envelope-from tcannon@noops.org)
Received: from localhost (tcannon@localhost) by sonar.noops.org (8.9.3/8.9.3) with ESMTP id RAA08268; Tue, 20 Feb 2001 17:09:43 -0800 (PST) (envelope-from tcannon@noops.org)
X-Authentication-Warning: sonar.noops.org: tcannon owned process doing -bs
Date: Tue, 20 Feb 2001 17:09:43 -0800 (PST)
From: Thomas Cannon To: "Geoffrey T. Falk" Cc: security@FreeBSD.ORG Subject: Re: IPv6 risk with ssh? In-Reply-To: <200102210101.SAA38561@h-209-91-79-2.gen.cadvision.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I'd prefer to disable/block all IPv6 for now if possible. How can > I be assured that this is the case? I am currently running ipfw with > a default deny rule. As I don't use ipv6 for anything, I like to take it out of my kernel, and have been doing that by removing the "option INET6" from my kernel config, and removing the ipv6-specific devices, too. Seems to work, but again, may not be the best possible way of doing it. Cheers, Thomas Richard Feynman was a hacker; read any of his books. -Bruce Schneier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 17:39:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168]) by hub.freebsd.org (Postfix) with SMTP id 43D8637B401 for ; Tue, 20 Feb 2001 17:39:32 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 7754 invoked by alias); 21 Feb 2001 01:37:55 -0000 Received: from unknown (HELO sirmoobert) (137.99.158.30) by d156h168.resnet.uconn.edu with SMTP; 21 Feb 2001 01:37:55 -0000 Message-ID: <000d01c09ba7$50558700$1e9e6389@137.99.156.23> 
From: "Peter C. Lai" To: "Thomas Cannon" , "Geoffrey T. Falk" Cc: References: Subject: Re: IPv6 risk with ssh? Date: Tue, 20 Feb 2001 20:40:47 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org you can also disable ipv6 by specifying in /etc/rc.conf ipv6_enable="NO" iirc ssh's ipv46 is ipv6 translation to ipv4 via the faith device. can someone comment on this? (i could be wrong). aren't we supposed to start switching to IPV6 anyway? personally, I would like to do all my freebsd-to-freebsd ssh'ing via ipv6, but i haven't had time to fool around with registering ipv6 addresses with DNS servers yet (and typing in/memorizing ipv4 IPs is a lot easier than ipv6 IPs :). furthermore, i don't know of any attacks that have used ipv6 protocols since not every router supports it yet. In this case, security through obscurity is ok maybe? ----- Original Message ----- 
From: "Thomas Cannon" To: "Geoffrey T. Falk" Cc: Sent: Tuesday, February 20, 2001 8:09 PM Subject: Re: IPv6 risk with ssh? > > I'd prefer to disable/block all IPv6 for now if possible. How can > > I be assured that this is the case? I am currently running ipfw with > > a default deny rule. > > As I don't use ipv6 for anything, I like to take it out of my kernel, and > have been doing that by removing the "option INET6" from my kernel config, > and removing the ipv6-specific devices, too. Seems to work, but again, may > not be the best possible way of doing it. > > Cheers, > > Thomas > > Richard Feynman was a hacker; read any of his books. > -Bruce Schneier > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 17:45:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 6D5CD37B491 for ; Tue, 20 Feb 2001 17:45:12 -0800 (PST) (envelope-from itojun@itojun.org) Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id KAA28395; Wed, 21 Feb 2001 10:44:33 +0900 (JST) To: "Peter C. Lai" Cc: "Thomas Cannon" , "Geoffrey T. Falk" , security@FreeBSD.ORG In-reply-to: sirmoo's message of Tue, 20 Feb 2001 20:40:47 EST. <000d01c09ba7$50558700$1e9e6389@137.99.156.23> X-Template-Reply-To: itojun@itojun.org X-Template-Return-Receipt-To: itojun@itojun.org X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2 Subject: Re: IPv6 risk with ssh? 
From: itojun@iijlab.net
Date: Wed, 21 Feb 2001 10:44:33 +0900
Message-ID: <28392.982719873@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>iirc ssh's ipv46 is ipv6 translation to ipv4 via the faith device. can
>someone comment on this? (i could be wrong).

no. the "tcp46" line is for sshd listening to AF_INET6 wildcard socket, which may grab both IPv4/v6 traffic (if you run fstat, you will see it more clearly).

if you would like to disable the AF_INET6 listening socket by sshd, have the following line in /etc/sshd_config:

    ListenAddress 0.0.0.0

or "sshd -4" should do it.

itojun

From owner-freebsd-security Tue Feb 20 17:55:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from assaris.sics.se (h122n4fls32o892.telia.com [213.64.47.122]) by hub.freebsd.org (Postfix) with ESMTP id AA7B037B4EC; Tue, 20 Feb 2001 17:55:35 -0800 (PST) (envelope-from assar@assaris.sics.se)
Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id CAA35589; Wed, 21 Feb 2001 02:55:50 +0100 (CET) (envelope-from assar)
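An added example for the tcp46 thread above (Geoffrey's netstat output and itojun's answer); it is not code from either message. It parses "netstat -an" output and reports every listening socket on an AF_INET6 protocol (tcp6 or tcp46), so the check Geoffrey wanted can be scripted, and it emits the sshd_config line itojun gives. The SAMPLE text is constructed to resemble Geoffrey's netstat output; on a live box pipe the real thing in.

```shell
#!/bin/sh
# Added example, not from the thread.  Flags AF_INET6 listening sockets in
# "netstat -an" output and prints itojun's sshd_config fix.  SAMPLE is a
# constructed stand-in for real netstat output; live use is
#     netstat -an | v6_listeners
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.22          198.51.100.7.40123     ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp46      0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.25                   *.*                    LISTEN
udp4       0      0  *.514                  *.*'

# Print "proto local-address" for each listening socket on an AF_INET6
# protocol.  tcp46 is an AF_INET6 wildcard socket that can also accept IPv4
# connections (itojun's point); tcp6 is IPv6 only.  tcp4 lines are skipped.
v6_listeners() {
    awk '$1 ~ /^tcp(6|46)$/ && $NF == "LISTEN" { print $1, $4 }'
}

# Exit 0 when nothing on stdin listens over IPv6, 1 otherwise, so the check
# can gate a post-install script.
no_v6_listeners() {
    [ -z "$(v6_listeners)" ]
}

# itojun's fix: bind the IPv4 wildcard only.  Starting sshd with "-4" has
# the same effect.  Add this line to the sshd_config file on the box.
sshd_v4_only() {
    echo "ListenAddress 0.0.0.0"
}

main() {
    echo "IPv6 listeners in sample:"
    printf '%s\n' "$SAMPLE" | v6_listeners
    if printf '%s\n' "$SAMPLE" | no_v6_listeners; then
        echo "no AF_INET6 listening sockets"
    else
        echo "sshd_config line to add:"
        sshd_v4_only
    fi
}

main
```

Re-run the check after restarting sshd: a tcp46 line that disappears confirms the wildcard socket was sshd's, and any tcp6 line that remains belongs to some other daemon.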
From: assar@FreeBSD.org To: Robert Watson Cc: "Brian F. Feldman" , security@FreeBSD.org Subject: Re: PAM/SSH and KerberosIV? References: Date: 21 Feb 2001 02:55:49 +0100 In-Reply-To: Robert Watson's message of "Fri, 2 Feb 2001 21:14:38 -0500 (EST)" Message-ID: <5l8zn0ajfe.fsf@assaris.sics.se> Lines: 14 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Robert Watson writes: > However, this seems to have broken using unique kerberos ticket filenames > for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather > than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the > first logout hoses the tickets for the second session. This didn't happen > previously, and is probably an issue with pam_kerberosIV.so that I didn't > run into previously since I always logged in via SSH. It's probably not a > security hole as presumably KTH does the right thing with regards to > O_EXCL and so on, but it's not ideal. That's what src/lib/libpam/modules/pam_kerberosIV/klogin.c does, and yes, it should be perfectly safe. 
/assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 18: 2:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by hub.freebsd.org (Postfix) with ESMTP id 2EC6037B4EC for ; Tue, 20 Feb 2001 18:02:15 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from xor.obsecurity.org ([63.207.60.67]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8I00F0RBQ6O4@mta6.snfc21.pbi.net> for security@FreeBSD.ORG; Fri, 9 Feb 2001 12:32:31 -0800 (PST) Received: by xor.obsecurity.org (Postfix, from userid 1000) id 504D76739C; Fri, 09 Feb 2001 12:35:16 -0800 (PST) Date: Fri, 09 Feb 2001 12:35:16 -0800 
From: Kris Kennaway Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE In-reply-to: <20010209195847.F27987@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Fri, Feb 09, 2001 at 07:58:47PM +0100 To: Szilveszter Adam Cc: security@FreeBSD.ORG Message-id: <20010209123516.B64466@mollari.cthul.hu> MIME-version: 1.0 Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="mojUlQ0s9EVzWg2t" Content-disposition: inline User-Agent: Mutt/1.2.5i References: <200102082014.PAA29877@vws3.interlog.com> <2488141552.981740685@[192.168.1.2]> <20010209195847.F27987@petra.hos.u-szeged.hu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --mojUlQ0s9EVzWg2t Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Feb 09, 2001 at 07:58:47PM +0100, Szilveszter Adam wrote: > On Fri, Feb 09, 2001 at 05:44:45PM +0100, Eric Cholet wrote: > > I received the following, what worries me is that the PGP signature > > verified, and it's not April 1st. WTF ?? >=20 > AFAIK it was not at all signed... unlike previous attempts by the same > "funny" person. But what got me worried (and what nobody apparently > understood from my post from yesterday) that this time the prankster > managed to post on both freebsd-announce and freebsd-security-announce, > which are supposed to be closed and moderated lists. >=20 > So does this effectively mean, that just by forging a 
From: header, I can > already post whatever I want on -announce? (An allegedly trusted resource) > If so, we (freebsd.org) have a security problem. (Hence the post on > -security, since we do not have any *public* mailing list for discussing > security matters wrt freebsd.org itself, before anyone asks again.) >=20 > If my allegation is not true, then what happened?=20 That was the case, but it's been fixed. Kris --mojUlQ0s9EVzWg2t Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6hFSDWry0BWjoQKURAsIYAKDZiqAUQ/USvUzgcmzYb3dBsw4amQCg8Kfd JPLmFtJlfqAW7sjvf+dBRnA= =a8AH -----END PGP SIGNATURE----- --mojUlQ0s9EVzWg2t-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 18: 2:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by hub.freebsd.org (Postfix) with ESMTP id D609937B65D; Tue, 20 Feb 2001 18:02:24 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from xor.obsecurity.org ([64.165.226.103]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8G00180G36PA@mta6.snfc21.pbi.net>; Thu, 8 Feb 2001 12:11:31 -0800 (PST) Received: by xor.obsecurity.org (Postfix, from userid 1000) id 3EDC966CBE; Thu, 08 Feb 2001 12:14:12 -0800 (PST) Date: Thu, 08 Feb 2001 12:14:12 -0800 
From: Kris Kennaway Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:10.bind [REVISED] In-reply-to: <200102081752.MAA50931@giganda.komkon.org>; from str@giganda.komkon.org on Thu, Feb 08, 2001 at 12:52:19PM -0500 To: Igor Roshchin Cc: security-officer@freebsd.org, security@freebsd.org Message-id: <20010208121412.A46381@mollari.cthul.hu> MIME-version: 1.0 Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="IS0zKkzwUGydFO0o" Content-disposition: inline User-Agent: Mutt/1.2.5i References: <200102081752.MAA50931@giganda.komkon.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --IS0zKkzwUGydFO0o Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 08, 2001 at 12:52:19PM -0500, Igor Roshchin wrote: >=20 > I already made this comment when the earlier advisory > on bind was issued: > Reference to 4.x is not completely correct (or at least, > confusing) , since 4.0-RELEASE had > earlier, vulnerable version of bind. >=20 > Kris, you probably forgot about your intention to correct that part > of the advisory. Yeah, I did forget, but I don't think it's really important since SA-01:18 affects 4.0 and is far more serious. I don't want people saying "oh, we run 4.0, so we don't have bind problems" - as noted in this rerelease there's a big discrepancy between downloads of 01:10 and 01:18 for some reason. 
Kris --IS0zKkzwUGydFO0o Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6gv4TWry0BWjoQKURArd6AKCuUN4AZiprn6VtDzZA33SdwknuvwCgiHFC xf1s5waugrDypJaLvAFmMKU= =epGP -----END PGP SIGNATURE----- --IS0zKkzwUGydFO0o-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 18:27:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-53.dsl.lsan03.pacbell.net [64.165.226.53]) by hub.freebsd.org (Postfix) with ESMTP id 87E5237B4EC; Tue, 20 Feb 2001 18:27:23 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 6F20966F2E; Tue, 20 Feb 2001 18:27:22 -0800 (PST) Date: Tue, 20 Feb 2001 18:27:22 -0800 
From: Kris Kennaway
To: lists
Cc: Kris Kennaway , freebsd-security@freebsd.org
Subject: Re: Encrypted networked filesystem needed
Message-ID: <20010220182722.F41601@mollari.cthul.hu>
References: <00aa01c07cbd$71209dc0$0c00a8c0@ipform.ru> <20010112174616.D23818@citusc.usc.edu> <20010220161423.A34880@mighty.grot.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="CXFpZVxO6m2Ol4tQ"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010220161423.A34880@mighty.grot.org>; from lists@lists.grot.org on Tue, Feb 20, 2001 at 04:14:23PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--CXFpZVxO6m2Ol4tQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Feb 20, 2001 at 04:14:23PM -0800, lists wrote:
> On Fri, Jan 12, 2001 at 05:46:16PM -0800, Kris Kennaway wrote:
> > On Fri, Jan 12, 2001 at 08:22:58PM +0200, Roman Shterenzon wrote:
> >
> > > If IPSec is supported on both sides, it is the best available solution.
> > > You'll get a completely transparent encryption and a powerful NFSv3
> > > server/client. Did I mention that FreeBSD rocks?
> > > This way all network services will be secured and since the most of IPSec
> > > (AH/ESP) is done in the kernel mode, it'll be quite fast even on
> > > moderate hardware.
> >
> > Unfortunately I think there are some layering bugs with NFS + IPSEC on
> > FreeBSD - I have had lots of NFS filesystem wedges when testing this.
>
> Is there an open pr on this or has it been fixed/addressed in 4.2-STABLE?
>
> I've been trying it and it has worked for 24+ hours without problems (albeit
> very low NFS traffic) as long as I don't use racoon...

If it works for you, great! :) It may indeed have been fixed, there have been a number of bug fixes in -stable since the last time I tried it.
Kris --CXFpZVxO6m2Ol4tQ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6kyeKWry0BWjoQKURAq6wAJwIKy6rsYSLDODcC4QE3vPQ++TyLACfUMGi NqlShSZ21sBmjIS+Gr9ULk4= =A+mI -----END PGP SIGNATURE----- --CXFpZVxO6m2Ol4tQ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 19:25: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtppop3pub.verizon.net (smtppop3pub.gte.net [206.46.170.22]) by hub.freebsd.org (Postfix) with ESMTP id 199B037B401 for ; Tue, 20 Feb 2001 19:25:02 -0800 (PST) (envelope-from res03db2@gte.net) Received: from gte.net (evrtwa1-ar4-4-34-145-186.dsl.gtei.net [4.34.145.186]) by smtppop3pub.verizon.net with ESMTP ; id VAA121598195 Tue, 20 Feb 2001 21:20:14 -0600 (CST) Received: (from res03db2@localhost) by gte.net (8.9.3/8.9.3) id TAA19217; Tue, 20 Feb 2001 19:24:16 -0800 (PST) (envelope-from res03db2@gte.net) Date: Tue, 20 Feb 2001 19:24:16 -0800 
From: Robert Clark To: Tony Landells Cc: Nick Sayer , freebsd-security@FreeBSD.ORG Subject: Re: /etc/rc.firewall fixes Message-ID: <20010220192416.A19188@darkstar.gte.net> References: <200102202205.JAA04080@tungsten.austclear.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: <200102202205.JAA04080@tungsten.austclear.com.au>; from ahl@austclear.com.au on Wed, Feb 21, 2001 at 09:05:02AM +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm interested. [RC] On Wed, Feb 21, 2001 at 09:05:02AM +1100, Tony Landells wrote: > I'm in the process of hacking on my rc.firewall because I'm building > new firewalls, so I'm interested in any ideas people have. > > The stuff that I put in yesterday was to auto-generate my anti-spoofing > rules (which is a huge saving when you have seven Ethernet interfaces!), > and organise my rule numbering. > > I also have stuff so that you basically only have to map the logical > interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.) > and it sets the other variables for you (oip, omask, iip, imask, etc.). > Note that I don't bother with onet, inet, etc. because you can get the > same result by using, for example, ${oip}:${omask}. > > As a result of these bits of hackery, my rc.firewall looks something like: > > > > > rule... > > rule... > > rule... > > rule... > > > rule... > > If anyone wants to see it and has a fairly strong stomach ;-) let me > know. If there are a few people interested, I'll post to the group. 
> > Cheers, > Tony > -- > Tony Landells > Senior Network Engineer Ph: +61 3 9677 9319 > Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355 > Level 4, Rialto North Tower > 525 Collins Street > Melbourne VIC 3000 > Australia > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 19:37:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id EE9C537B4EC for ; Tue, 20 Feb 2001 19:37:16 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id UAA24134; Tue, 20 Feb 2001 20:36:55 -0700 (MST) Message-Id: <4.3.2.7.2.20010220203519.045e7b90@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 20 Feb 2001 20:36:52 -0700 To: Tony Landells , Nick Sayer 
From: Brett Glass
Subject: Re: /etc/rc.firewall fixes
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200102202205.JAA04080@tungsten.austclear.com.au>
References: <200102202005.f1KK5kv83619@medusa.kfu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:05 PM 2/20/2001, Tony Landells wrote:
>I'm in the process of hacking on my rc.firewall because I'm building
>new firewalls, so I'm interested in any ideas people have.
>
>The stuff that I put in yesterday was to auto-generate my anti-spoofing
>rules (which is a huge saving when you have seven Ethernet interfaces!),
>and organise my rule numbering.
>
>I also have stuff so that you basically only have to map the logical
>interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.)
>and it sets the other variables for you (oip, omask, iip, imask, etc.).

There's a rule generation script on the IPFilter site (I believe it's called "mkfilter") that does some of this already, though it makes the mistake of using IP addresses instead of interface names. (When your address is assigned via DHCP, as many are, you want to use interface names so that the rules are independent of your current IP.)

--Brett

From owner-freebsd-security Tue Feb 20 19:38: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id BD60C37B401; Tue, 20 Feb 2001 19:38:03 -0800 (PST) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f1L3c2h21555; Tue, 20 Feb 2001 22:38:03 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Tue, 20 Feb 2001 22:38:02 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: assar@FreeBSD.org
Cc: "Brian F. Feldman" , security@FreeBSD.org
Subject: Re: PAM/SSH and KerberosIV?
In-Reply-To: <5l8zn0ajfe.fsf@assaris.sics.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 21 Feb 2001 assar@FreeBSD.org wrote:
> Robert Watson writes:
> > However, this seems to have broken using unique kerberos ticket filenames
> > for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather
> > than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the
> > first logout hoses the tickets for the second session. This didn't happen
> > previously, and is probably an issue with pam_kerberosIV.so that I didn't
> > run into previously since I always logged in via SSH. It's probably not a
> > security hole as presumably KTH does the right thing with regards to
> > O_EXCL and so on, but it's not ideal.
>
> That's what src/lib/libpam/modules/pam_kerberosIV/klogin.c does, and
> yes, it should be perfectly safe.

Ok, so I was right in surmising it's not a security hole. Any hope of moving to a model with ticket filenames created using mkstemp? Right now multiple SSH sessions use the same ticket file, so when any of them logs out, all sessions lose their ticket. This is a substantial down-turn compared to before pam_kerberosIV in SSH.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 20: 1:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-53.dsl.lsan03.pacbell.net [64.165.226.53]) by hub.freebsd.org (Postfix) with ESMTP id DB5D837B4EC for ; Tue, 20 Feb 2001 20:01:40 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 9355666F2E; Tue, 20 Feb 2001 20:01:40 -0800 (PST) Date: Tue, 20 Feb 2001 20:01:40 -0800 
From: Kris Kennaway
To: "Geoffrey T. Falk"
Cc: security@freebsd.org
Subject: Re: IPv6 risk with ssh?
Message-ID: <20010220200140.B43056@mollari.cthul.hu>
References: <200102210101.SAA38561@h-209-91-79-2.gen.cadvision.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="CdrF4e02JqNVZeln"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102210101.SAA38561@h-209-91-79-2.gen.cadvision.com>; from gtf@cirp.org on Tue, Feb 20, 2001 at 06:01:00PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--CdrF4e02JqNVZeln
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Feb 20, 2001 at 06:01:00PM -0700, Geoffrey T. Falk wrote:
> What is tcp46, a hybrid IP4/IP6 protocol? Should I be concerned? Nobody
> else has (legitimate) access to this box.

Itojun has already explained the first question. As for the second, the only risk is one of access to connect to the SSH port if both of the following are true:

a) You are connected to an untrusted IPv6 network (e.g. the IPv6 internet)

b) You want to have restrictions on who may connect to your SSH daemon (e.g. using hosts.allow(5), or ipfw(8)), but have neglected to add the corresponding restrictions for IPv6 source hosts.

There is no intrinsic risk associated with IPv6 transport of packets - after all, it's just another network protocol.

> I'd prefer to disable/block all IPv6 for now if possible. How can
> I be assured that this is the case? I am currently running ipfw with
> a default deny rule.

Remove the relevant options from your kernel config and rebuild.
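To act on Kris's point (b), an administrator first needs to know which listeners are reachable over IPv6 at all. The following is an added shell example, not from Kris's message and not a FreeBSD tool: it parses a constructed sample of netstat -an output in the FreeBSD layout (the tcp46 protocol tag Geoffrey asked about marks a socket bound to both families), reports every tcp6/tcp46/udp6/udp46 listener, and lists those for which no IPv6 restriction has been written yet. The function names and the sample lines are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread, not a FreeBSD tool): audit which
# listening sockets are reachable over IPv6, so each can be checked against
# IPv4-only restrictions in hosts.allow(5) or ipfw(8).
# The netstat text below is a constructed sample in "netstat -an" layout.

sample_netstat='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.22          198.51.100.7.40123     ESTABLISHED
tcp46      0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp6       0      0  *.80                   *.*                    LISTEN
udp46      0      0  *.53                   *.*
udp4       0      0  *.514                  *.*'

# ipv6_listeners <netstat-text>: print "proto port" for every listening
# socket whose address family includes IPv6 (tcp6, tcp46, udp6, udp46).
# TCP listeners carry LISTEN in the state column; UDP sockets have no
# state, so any udp6/udp46 line with a wildcard foreign address counts.
ipv6_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)(6|46)$/ {
            n = split($4, a, ".")          # port is the last dotted component
            port = a[n]
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            if ($1 ~ /^udp/ && $5 != "*.*") next
            print $1, port
        }'
}

# check_v6_coverage <netstat-text> <covered-ports>: given the ports for
# which an IPv6 restriction already exists (space separated), print the
# IPv6-reachable listeners that are still uncovered, as "proto port".
check_v6_coverage() {
    ipv6_listeners "$1" | while read -r proto port; do
        covered=0
        for p in $2; do
            if [ "$p" = "$port" ]; then covered=1; fi
        done
        if [ "$covered" -eq 0 ]; then
            printf '%s %s\n' "$proto" "$port"
        fi
    done
}

# Example run: sshd (22) and named (53) already have IPv6 rules, httpd has not.
echo "IPv6-reachable listeners:"
ipv6_listeners "$sample_netstat"
echo "Still lacking an IPv6 restriction:"
check_v6_coverage "$sample_netstat" "22 53"
```

On a real host replace the sample with `netstat -an` output and the covered-port list with whatever hosts.allow or ipfw rules already mention IPv6 sources; every line the second function prints is a service that an IPv4-only allow list does not protect.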
Kris --CdrF4e02JqNVZeln Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6kz2jWry0BWjoQKURAlIlAJ0QReuKBqScMjon0bg+4ZpwriFapACg2uPO QYH3nxFVeOszm4ZztWhVFxg= =l9Br -----END PGP SIGNATURE----- --CdrF4e02JqNVZeln-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 20 23:42:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id B0F6D37B491 for ; Tue, 20 Feb 2001 23:42:41 -0800 (PST) (envelope-from trevor@jpj.net) Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.1/8.11.1) with ESMTP id f1L7gaR00677; Wed, 21 Feb 2001 02:42:36 -0500 (EST) Date: Wed, 21 Feb 2001 02:42:36 -0500 (EST) 
From: Trevor Johnson
To: Holger Lamm ,
Subject: [CryptNET Advisory] pgp4pine-1.75-6 - expired public keys (fwd)
Message-ID: <20010221024157.V23533-200000@blues.jpj.net>
MIME-Version: 1.0
Content-Type: MULTIPART/Mixed; BOUNDARY="168453135-1374787445-982703757=:21584"
Content-ID: <20010221024201.L23533@blues.jpj.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--168453135-1374787445-982703757=:21584
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <20010221024201.N23533@blues.jpj.net>

The FreeBSD port of pgp4pine is maintained by Holger Lamm, the author of the program itself.
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

---------- Forwarded message ----------
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.7]) by blues.jpj.net (8.11.1/8.11.1) with ESMTP id f1L0gfi19584; Tue, 20 Feb 2001 19:42:41 -0500 (EST)
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.7]) by lists.securityfocus.com (Postfix) with ESMTP id 4DE3824CF00; Tue, 20 Feb 2001 17:36:03 -0700 (MST)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM (LISTSERV-TCP/IP release 1.8d) with spool id 26491137 for BUGTRAQ@LISTS.SECURITYFOCUS.COM; Tue, 20 Feb 2001 17:35:09 -0700
Approved-By: beng@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [66.38.151.9]) by lists.securityfocus.com (Postfix) with SMTP id 414BA24D0E9 for ; Tue, 20 Feb 2001 14:06:03 -0700 (MST)
Received: (qmail 28537 invoked by alias); 20 Feb 2001 21:06:17 -0000
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Received: (qmail 28527 invoked from network); 20 Feb 2001 21:06:16 -0000
Received: from firewall.cog.ufl.edu (HELO cog.ufl.edu) (128.227.187.3) by
mail.securityfocus.com with SMTP; 20 Feb 2001 21:06:16 -0000 Received: from igor.intranet (IDENT:vab@igor.intranet [10.10.15.100]) by cog.ufl.edu (8.9.3/8.9.3) with ESMTP id QAA11932 for ; Tue, 20 Feb 2001 16:05:32 -0500 X-Sender: vab@igor.intranet MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="168453135-1374787445-982703757=:21584" Message-ID: Date: Tue, 20 Feb 2001 16:15:57 -0500 Reply-To: "V. Alex Brennen" Sender: Bugtraq List 
From: "V. Alex Brennen"
Subject: [CryptNET Advisory] pgp4pine-1.75-6 - expired public keys
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------------
CryptNET Security Advisory
http://www.cryptnet.net/

Advisory Type: Privacy - Programmatic Error
Synopsis: pgp4pine may fail to identify expired public keys
Issue Date: 2001.02.20
Program: pgp4pine-1.75-6 - http://pgp4pine.flatline.de/
Related Programs: Gnu Privacy Guard (GnuPG) Version 1.0.4
                  Pine Version 4.2.1
Maintainer Response: Attempts to contact the maintainer of the pgp4pine package were unsuccessful.
- ------------------------------------------------------------------------------

1. Executive Summary

pgp4pine is a program which is used to interface various PGP implementations with the popular Pine mail reading package. Version 1.75-6 of pgp4pine fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the transmission of sensitive information in clear text across the network.

2. Problem Description

Version 1.75-6 of pgp4pine does not include code to check if public keys are expired when loading keys from the GnuPG openPGP implementation. If a user has an expired public key in their keyring and attempts to encrypt a message to a recipient with that expired public key, pgp4pine will fail to recognize that the key is expired. pgp4pine will then issue a command to GnuPG to encrypt the email message with the expired key. The encryption will not be successful; GnuPG will return an error message due to the invalid key. pgp4pine will not detect the error which occurred when encrypting the text and will return program flow control to Pine. Pine will then transmit the message in the clear. No notice that an error occurred will be provided to the user by pgp4pine.
To duplicate the error on the command line:

bash$ pgp4pine -e -i /tmp/in.tmp -o /tmp/out.tmp -r (*R)

* Where R is a recipient with an expired public key in your keyring.

3. Solution

A patch, written by V. Alex Brennen, has been provided with this advisory. The patch consists of code modifications which allow pgp4pine to recognize and ignore expired keys when working with GnuPG.

4. About This Advisory

This advisory was produced as part of the CryptNET Free Cryptography Auditing Project. CryptNET is a group working on the development of Free Software cryptographic solutions. As part of its mission, CryptNET has undertaken The Free Cryptography Auditing Project. The project is an effort to audit some of the more popular free software cryptographic programs licensed under the GNU General Public License. If you would like to become involved in this project, please see the CryptNET web site.

John Sheehy, an IBM certified specialist with e-techservices.com (http://www.e-techservices.com/), assisted with the discovery and identification of this bug.

- ------------------------------------------------------------------------------
[ENC: Patch]
- ------------------------------------------------------------------------------

diff -urN pgp4pine-1.75/pgp4pine/keyrings.c vab.pgp4pine-1.75/pgp4pine/keyrings.c
- --- pgp4pine-1.75/pgp4pine/keyrings.c Fri Aug 18 09:24:45 2000
+++ vab.pgp4pine-1.75/pgp4pine/keyrings.c Mon Feb 12 21:03:09 2001
@@ -449,22 +449,36 @@ if (strchr(buf,':') != NULL) { strncpy(keyType,getItem(buf,':',1),3); lineType = 0; - - if (strcmp(keyType,"sec") == 0) lineType = 1; /* secret line... */ - - if (strcmp(keyType,"pub") == 0) lineType = 2; /* public key */ - - if (strcmp(keyType,"uid") == 0) lineType = 4; /* user id */ - - + /* + The letter e in the second field of the colon delimited GnuPG + output denotes that gpg asserts that the trust on this item + has expired (perhaps as the result of an expired openPGP type + 0x13 or 0x18 signature packet). If this line denotes a public + key, GnuPG will not function with this key. So, we should + return with out adding it to the list. We shouldn't check + expiration ourselves because GnuPG is the final authority. + - V. Alex Brennen, CryptNET FCAP [http://www.cryptnet.net/] + 2001.02.13.01.13.47 + */ + strncpy(tmpString,getItem(buf,':',2),1); + if (strcmp(tmpString,"e") == 0) lineType = -1; /* Line w/ expired trust */ + else if (strcmp(keyType,"sec") == 0) lineType = 1; /* secret line... */ + else if (strcmp(keyType,"pub") == 0) lineType = 2; /* public key */ + else if (strcmp(keyType,"uid") == 0) lineType = 4; /* user id */ + if (lineType == 1) inSec = 1; - - if (lineType == 2) inSec = 0; + else if (lineType == 2) inSec = 0; switch (lineType) { case 1: case 2: if (lineType == 2 && getSecretOnly) break; + myNewKey = (struct pkiKey *) myMalloc(sizeof(pkiKeyStruct)); if (firstKey == NULL) firstKey = myNewKey; if (oldKey != NULL) oldKey->nextKey = myNewKey; oldKey = myNewKey; - - + /* next, key size... */ strncpy(tmpString,getItem(buf,':',3),KEY_SIZE_LENGTH); strncpy(myNewKey->keySize,tmpString,KEY_SIZE_LENGTH); 
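Review bot: the expiry test in this hunk is unreliable as written. `strncpy(tmpString,getItem(buf,':',2),1);` copies a single byte and does not NUL-terminate, and the same `tmpString` is reused a few lines later for the key size (`strncpy(tmpString,getItem(buf,':',3),KEY_SIZE_LENGTH);`), so from the second record onward `tmpString[1]` holds a stale character and `strcmp(tmpString,"e") == 0` is false even when the field really is `e`; the expired key is then added after all, which is the failure the advisory describes. Compare the character directly, e.g. `if (getItem(buf,':',2)[0] == 'e') lineType = -1;`, or add `tmpString[1] = '\0';` right after the copy. Note also that this test runs before the `sec`/`pub`/`uid` comparison, so a `uid` record flagged `e` is dropped too; the comment only talks about public keys, so say so there if that is intended.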
@@ -523,6 +537,8 @@ strncpy(myNewKey->emailAddress,extractEmailAddress(tmpString),EMAIL_ADDRESS_MAX_LENGTH); } break; + default: + break; } } }

- ------------------------------------------------------------------------------
End CryptNET Advisory
- ------------------------------------------------------------------------------

- ---
V. Alex Brennen [vab@cryptnet.net]
F A R B E Y O N D D R I V E N ! [ http://www.cryptnet.net/ ]
0EC8 B0E3 052D FC4C 208F 76EB FA92 0973 992A 4B3F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Made with pgp4pine 1.75-6

iD8DBQE6kt6h+pIJc5kqSz8RAnKgAJ0T9mpnZgSM3Fh3EszThayvags90ACfQs9G
hgWgYK1IrWbrkFdBYYgpQfg=
=wCgO
-----END PGP SIGNATURE-----

--168453135-1374787445-982703757=:21584
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="vab.pgp4pine.patch"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description: pgp4pine patch as attachment
Content-Disposition: ATTACHMENT; FILENAME="vab.pgp4pine.patch"
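Review bot: `default: break;` makes the `lineType == -1` case explicit, but the two hunks leave the list state untouched for a skipped record: `oldKey` still points at the previous key and `inSec` keeps its previous value, so the `uid` records that follow a skipped `pub` or `sec` line (unless they are themselves flagged `e` in field 2) appear to fall into the branch shown at `@@ -523`, which fills `myNewKey->emailAddress`, and so are attached to the previous, non-expired key. Consider a flag set where `lineType = -1` is assigned and cleared on the next `pub`/`sec` record, with `uid` records ignored while it is set. The base64 attachment is the same diff as the inline copy, so there is nothing further to review there.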
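The two checks the advisory describes as missing, recognising an expired key in GnuPG's colon-delimited listing and noticing that GnuPG failed before handing control back to the mailer, as an added shell example; it is not pgp4pine's code and not the patch above. The listing is a constructed sample in the colon format, with the user ID on the pub record as pgp4pine 1.75 reads it, and fake_gpg stands in for the real gpg binary so the script runs offline; usable_keys, encrypt_or_fail and fake_gpg are names chosen here.

```sh
#!/bin/sh
# Added example, not pgp4pine's code and not the advisory's patch. It shows
# in shell the two checks the advisory says pgp4pine 1.75-6 lacked:
#   1. when picking keys from "gpg --with-colons" output, skip any pub
#      record whose second (validity) field is "e", the test the patch adds;
#   2. after running the encryptor, treat a non-zero exit status or an
#      empty output file as failure and never let the plaintext go out.
# Constructed sample of "gpg --with-colons --list-keys" output: field 1 is
# the record type, field 2 the validity ("e" = expired, "f"/"u" = valid),
# field 5 the key ID and field 10 the user ID.
sample_listing='pub:f:1024:17:0123456789ABCDEF:2000-01-01:::-:Alice Example <alice@example.org>::scESC:
sub:f:1024:16:FEDCBA9876543210:2000-01-01::::::e:
pub:e:1024:17:1111222233334444:1999-01-01:2000-12-31::-:Bob Expired <bob@example.org>::scESC:
sub:e:1024:16:4444333322221111:1999-01-01:2000-12-31:::::e:
pub:u:1024:17:AAAABBBBCCCCDDDD:2000-06-01:::u:Carol Other <carol@example.org>::scESC:'

# usable_keys <listing-text> <address>: print the key IDs of non-expired
# public keys whose user ID contains the address. Expired keys are dropped
# and reported on stderr; GnuPG, not this script, decides what "expired" is.
usable_keys() {
    printf '%s\n' "$1" | awk -F: -v who="$2" '
        $1 == "pub" && index($10, who) > 0 {
            if ($2 == "e") {            # validity field says the key expired
                print "skipping expired key " $5 " for " who > "/dev/stderr"
                next
            }
            print $5
        }'
}

# fake_gpg <keyid> <outfile> <infile>: stand-in for "gpg -e -r KEYID -o OUT IN"
# so the example runs offline. It fails the way gpg does for an unusable key
# (nothing written, non-zero exit); Carol's key fails for an unrelated reason
# to show that the wrapper checks the exit status, not just the listing.
fake_gpg() {
    keyid="$1"; out="$2"; in="$3"
    case "$keyid" in
        1111222233334444) echo "gpg: key $keyid: expired" >&2; return 2 ;;
        AAAABBBBCCCCDDDD) echo "gpg: encryption failed" >&2; return 2 ;;
    esac
    printf '%s\n' '-----BEGIN PGP MESSAGE-----' \
        "(ciphertext of $in for $keyid)" '-----END PGP MESSAGE-----' > "$out"
}

# encrypt_or_fail <address> <infile> <outfile>: the fail-closed wrapper.
# Returns 0 only if a usable key was found, the encryptor exited 0 and the
# output file is non-empty. On any failure the output file is removed so a
# caller cannot pick up an empty or stale file and send it in place of
# ciphertext, which is the pgp4pine behaviour the advisory describes.
encrypt_or_fail() {
    who="$1"; in="$2"; out="$3"
    keyid=$(usable_keys "$sample_listing" "$who" | head -n 1)
    if [ -z "$keyid" ]; then
        echo "no usable (non-expired) key for $who; refusing to send" >&2
        rm -f "$out"; return 1
    fi
    if ! fake_gpg "$keyid" "$out" "$in" || [ ! -s "$out" ]; then
        echo "encryption to $keyid failed; refusing to send" >&2
        rm -f "$out"; return 1
    fi
    return 0
}
```

Run with a scratch input file and three addresses: alice@example.org succeeds, bob@example.org is refused because the only key is expired, and carol@example.org is refused because the encryptor itself failed; in both failure cases no output file is left behind for the mailer to send.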
--168453135-1374787445-982703757=:21584--

From owner-freebsd-security Wed Feb 21 1:41:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id 3D06937B503; Wed, 21 Feb 2001 01:41:25 -0800 (PST) (envelope-from assar@assaris.sics.se)
Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id KAA37455; Wed, 21 Feb 2001 10:41:39 +0100 (CET) (envelope-from assar)
From: assar@FreeBSD.org
To: Robert Watson
Cc: "Brian F. Feldman" , security@FreeBSD.org
Subject: Re: PAM/SSH and KerberosIV?
References:
Date: 21 Feb 2001 10:41:39 +0100
In-Reply-To: Robert Watson's message of "Tue, 20 Feb 2001 22:38:02 -0500 (EST)"
Message-ID: <5lhf1ov0do.fsf@assaris.sics.se>
Lines: 30
User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson writes:
> Any hope of moving to a model with ticket filenames created using
> mkstemp?

That could be done. The simple patch is, however, to do what ssh was doing by itself, which would be like the following:

/assar

Index: klogin.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_kerberosIV/klogin.c,v
retrieving revision 1.11
diff -u -w -u -w -r1.11 klogin.c
--- klogin.c 2000/02/24 22:24:37 1.11
+++ klogin.c 2001/02/21 09:39:29
@@ -104,9 +104,11 @@ */ if (strcmp(instance, "root") != 0) - (void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid); + (void)sprintf(tkt_location, "%s%d_%u", TKT_ROOT, pw->pw_uid, + getpid()); else { - (void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT, pw->pw_uid); + (void)sprintf(tkt_location, "%s_root_%d_%u", TKT_ROOT, + pw->pw_uid, getpid()); krbtkfile_env = tkt_location; } (void)krb_set_tkt_string(tkt_location); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 21 3:43:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 1DCD737B503 for ; Wed, 21 Feb 2001 03:43:29 -0800 (PST) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id LAA17919; Wed, 21 Feb 2001 11:43:09 GMT Message-ID: <3A93A9CC.BC1D39FB@algroup.co.uk> Date: Wed, 21 Feb 2001 11:43:08 +0000 
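Review bot: `%u` does not match `getpid()`, which returns `pid_t` (a signed `int` on FreeBSD); use `%d`, or cast the value to `unsigned`. Two further points on the same lines: the unbounded `sprintf` calls now write up to eleven more characters (`_` plus a pid of up to ten digits) into `tkt_location`, so the buffer's size should be checked against the longest `TKT_ROOT` + uid + `_` + pid combination, or the calls changed to `snprintf`; and a uid+pid name is unique per login but entirely predictable, which is what Robert's `mkstemp` suggestion would avoid, so this stays safe only for as long as the ticket file is created with `O_EXCL`, as assar confirmed earlier in the thread.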
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.76 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Nick Sayer
Cc: freebsd-security@freebsd.org
Subject: Re: /etc/rc.firewall fixes
References: <200102202005.f1KK5kv83619@medusa.kfu.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nick Sayer wrote:
>
> I would like to suggest a new "simple" firewall configuration.
>
> I recently put a security fix in the prototype /etc/rc.firewall
> stuff to close up a rather glaring security hole.
>
> The old stuff did
>
> pass udp from any 53 to ${oip}
>
> which allows someone to communicate, for instance, with port 2049 so
> long as they bind their end to 53. The state keeping stuff is the
> correct solution.
>
> My proposed "simple" firewall config goes something like this:
>
> check-state
> pass udp from ${mynet} to any keep-state
> pass all from ${mynet} to any
> pass tcp from any to any established
> pass icmp from any to any
>
> This simple set of rules represents a simple one-way set up. UDP is
> allowed to go out, and matching replies are allowed to come back in.
> TCP sessions are allowed to go out only.
>
> By itself it is not a complete ruleset, but I think it is a better one
> than any of the examples we presently have. I haven't committed this
> because I wanted to start some discussion first and commit the resulting
> consensus.

while you're at it, all the variable definitions need to be moved out of rc.firewall itself and into rc.conf. i would also like to see a "mobile" section for ppp/dialup and will contribute mine if required... good luck with getting a commit! :)

cheers,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
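The ideas exchanged in this thread, as one added example that is not the FreeBSD rc.firewall and not the script of anyone posting here: Tony's logical-to-physical interface mapping with the networks derived as ${oip}:${omask} and anti-spoofing rules generated rather than typed, Brett's point that rules should key on interface names so a DHCP renumbering does not invalidate them, and Nick's stateful "simple" ruleset beside the old port-53 rule it replaces. It is a POSIX sh generator; all interface names and addresses are constructed sample values, the function names (add_rule, section, antispoof, old_dns_rule, simple_ruleset, generate_rules) are this example's own, and fwcmd defaults to echo so the rules are printed rather than loaded.

```sh
#!/bin/sh
# Added example, not the FreeBSD rc.firewall and not Tony's or Nick's script.
# fwcmd defaults to "echo" so the script prints rules instead of loading
# them; on a real box it would be "ipfw -q". Addresses are constructed.
fwcmd="${fwcmd:-echo}"

# Logical -> physical mapping plus the network each interface attaches to.
# Tony's trick: no separate onet/inet variables; ${oip}:${omask} is the net.
oif="fxp0";   oip="192.0.2.10";   omask="255.255.255.0"
iif="fxp1";   iip="10.0.0.1";     imask="255.255.255.0"
dmzif="fxp2"; dmzip="172.16.0.1"; dmzmask="255.255.255.0"
all_ifs="$oif $iif $dmzif"

# Rule numbering: section sets the base, every add_rule takes the next
# number, so sections stay in a predictable order and are easy to flush.
section() { rule_no="$1"; }
add_rule() {
    rule_no=$((rule_no + 10))
    $fwcmd add "$rule_no" "$@"
}

# Anti-spoofing: a packet whose source address belongs to one of our
# attached networks may only enter via that network's own interface.
# One rule per (network, foreign interface) pair, generated, not hand-typed.
# Matching on "via <interface>" rather than on the box's own address is
# Brett's point: the rule survives a DHCP change of that address.
antispoof() {
    # $1 = interface the network is attached to, $2 = network as ip:mask
    for other in $all_ifs; do
        if [ "$other" != "$1" ]; then
            add_rule deny log ip from "$2" to any in via "$other"
        fi
    done
}

# The rule Nick removed, kept only for comparison and never loaded here: it
# admits any UDP datagram with source port 53 to any port on this host, so
# a far end bound to port 53 reaches e.g. 2049/udp.
old_dns_rule() { printf 'pass udp from any 53 to %s\n' "$oip"; }

# Nick's proposed stateful replacement for the "simple" configuration.
simple_ruleset() {
    mynet="${iip}:${imask}"
    add_rule check-state
    add_rule pass udp from "$mynet" to any keep-state
    add_rule pass all from "$mynet" to any
    add_rule pass tcp from any to any established
    add_rule pass icmp from any to any
}

# Emit the whole ruleset; numbering restarts from the same bases each call.
generate_rules() {
    section 1000
    antispoof "$oif"   "${oip}:${omask}"
    antispoof "$iif"   "${iip}:${imask}"
    antispoof "$dmzif" "${dmzip}:${dmzmask}"
    section 2000
    simple_ruleset
}

generate_rules
```

Run it as-is to see the numbered rules, or with fwcmd='ipfw -q' to load them. One caveat a practitioner would check before relying on Nick's set: the `established` rule matches on TCP flags alone (any segment with ACK or RST set), so it admits inbound segments that belong to no session the firewall has seen; `keep-state` on the outbound TCP rule, paired with the `check-state` already present, expresses the same intent more strictly.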
Fax: +44 (20) 8742 5995 Voysey House http://www.thebunker.net Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 21 5:30:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from ra.upan.org (ra.upan.org [204.107.76.19]) by hub.freebsd.org (Postfix) with ESMTP id DFD2B37B491 for ; Wed, 21 Feb 2001 05:30:38 -0800 (PST) (envelope-from mikel@ocsinternet.com) Received: from ocsinternet.com (localhost.upan.org [127.0.0.1]) by ra.upan.org (8.11.1/8.11.1) with ESMTP id f1LDUaT25513; Wed, 21 Feb 2001 08:30:36 -0500 (EST) (envelope-from mikel@ocsinternet.com) Message-ID: <3A93C2FB.3E160997@ocsinternet.com> Date: Wed, 21 Feb 2001 08:30:35 -0500 
From: Mikel King
Organization: OCS Internet
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Adam Laurie
Cc: Nick Sayer , freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes I would tend to agree that it would be rather handy to have the config outside of the rc.firewall, and rc.conf is a likely candidate. Presently I do this manually because I have several scripts that use these common vars like 'oif' and for maintenance purposes it's easier to have a central point for their assignment.

cheers,
mikel

Adam Laurie wrote:
> Nick Sayer wrote:
> >
> > I would like to suggest a new "simple" firewall configuration.
> >
> > I recently put a security fix in the prototype /etc/rc.firewall
> > stuff to close up a rather glaring security hole.
> >
> > The old stuff did
> >
> > pass udp from any 53 to ${oip}
> >
> > which allows someone to communicate, for instance, with port 2049 so
> > long as they bind their end to 53. The state keeping stuff is the
> > correct solution.
> >
> > My proposed "simple" firewall config goes something like this:
> >
> > check-state
> > pass udp from ${mynet} to any keep-state
> > pass all from ${mynet} to any
> > pass tcp from any to any established
> > pass icmp from any to any
> >
> > This simple set of rules represents a simple one-way set up. UDP is
> > allowed to go out, and matching replies are allowed to come back in.
> > TCP sessions are allowed to go out only.
> >
> > By itself it is not a complete ruleset, but I think it is a better one
> > than any of the examples we presently have. I haven't committed this
> > because I wanted to start some discussion first and commit the resulting
> > consensus.
> > while you're at it, all the variable definitions need to be moved out of > rc.firewall itself and into rc.conf. i would also like to see a "mobile" > section for ppp/dialup and will contribute mine if required... good luck > with getting a commit! :) > > cheers, > Adam > -- > Adam Laurie Tel: +44 (20) 8742 0755 > A.L. Digital Ltd. Fax: +44 (20) 8742 5995 > Voysey House http://www.thebunker.net > Barley Mow Passage http://www.aldigital.co.uk > London W4 4GB mailto:adam@algroup.co.uk > UNITED KINGDOM PGP key on keyservers > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 21 14:34: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id F14E637B401 for ; Wed, 21 Feb 2001 14:33:56 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id TAA80210; Wed, 21 Feb 2001 19:36:12 -0300 (ART) 
From: Fernando Schapachnik
Message-Id: <200102212236.TAA80210@ns1.via-net-works.net.ar>
Subject: Re: Inconsistent behavior on openssh
In-Reply-To: <20010220112654.A35156@mollari.cthul.hu> "from Kris Kennaway at Feb 20, 2001 11:26:55 am"
To: Kris Kennaway
Date: Wed, 21 Feb 2001 19:36:12 -0300 (ART)
Cc: Fernando Schapachnik , security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Kris Kennaway wrote:
-- Start of PGP signed section.
> On Tue, Feb 20, 2001 at 09:15:59AM -0300, Fernando Schapachnik wrote:
> > In an earlier message, Kris Kennaway wrote:
> > > > Simply install your ~/.ssh/identity.pub in your remote account's
> > > > ~/.ssh/authorized_keys file. That's what I use. I've never in my
> > > > life used .rhosts or .shosts with ssh.
> > >
> > > Or if you really want to use RhostsRSAAuthentication, rebuild sshd
> > > with ENABLE_SUID_SSH=true in /etc/make.conf
> >
> > I don't think it will suffice:
> >
> > ssh.c:
> > /* Disable rhosts authentication if not running as root. */
> > if (original_effective_uid != 0 || !options.use_privileged_port) {
> >     options.rhosts_authentication = 0;
> >     options.rhosts_rsa_authentication = 0;
> >
> >
> > It's not #ifdef'd.
>
> Erm - if it's setuid root (controlled by the makefile when it's
> installed), the original_effective_uid == 0.

Then you were right. Should have looked better :).

Thanks!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Wed Feb 21 18:19:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 1A89A37B401 for ; Wed, 21 Feb 2001 18:19:12 -0800 (PST) (envelope-from michael@fastmail.ca)
Received: by mail.interchange.ca (Fastmailer, from userid 555) id 9CCAF216C; Wed, 21 Feb 2001 21:18:56 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3A947710.000009.60978@frodo.searchcanada.ca>
Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_KRZ40DJXFQQMYJ0CCJD0"
To: freebsd-security@freebsd.org
Subject: Bind problems
From: "Michael Richards"
X-Fastmail-IP: 24.156.176.65
Date: Wed, 21 Feb 2001 21:18:56 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Since the big BIND vulnerability, I checked all my versions of BIND to make sure they weren't the 8.2.2 variety. None were.

Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
Which is not supposed to be vulnerable.

Not too long after the exploit became publicly widespread, I noticed that my bind was randomly crashing. This machine had run for months without any sort of bind problem. I should have kept the core files but I did notice that they segfaulted at location 0x41414141.

This looked a little suspicious to me so I immediately cvsuped. The new version is: named 8.2.3-REL Sun Feb 18 11:47:44 EST 2001 and has not crashed since the 18th when I compiled it. Before it was crashing daily.

Any ideas if named 8.2.3-T6B in 4.2-RELEASE has problems?

-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Wed Feb 21 18:21:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id E781837B491 for ; Wed, 21 Feb 2001 18:21:48 -0800 (PST) (envelope-from silby@silby.com)
Received: (qmail 289 invoked by uid 1000); 22 Feb 2001 02:21:47 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Feb 2001 02:21:47 -0000
Date: Wed, 21 Feb 2001 20:21:47 -0600 (CST)
From: Mike Silbersack
To: Michael Richards
Cc:
Subject: Re: Bind problems
In-Reply-To: <3A947710.000009.60978@frodo.searchcanada.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 21 Feb 2001, Michael Richards wrote:

> Since the big BIND vulnerability, I checked all my versions of BIND
> to make sure they weren't the 8.2.2 variety. None were.
>
> Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
> Which is not supposed to be vulnerable.

Yes, it is totally and completely vulnerable. The advisory could not have been more clear.

Mike "Silby" Silbersack

From owner-freebsd-security Wed Feb 21 18:32: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 2EC9137B401 for ; Wed, 21 Feb 2001 18:31:56 -0800 (PST) (envelope-from michael@fastmail.ca)
Received: by mail.interchange.ca (Fastmailer, from userid 555) id F2B10211A; Wed, 21 Feb 2001 21:31:39 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3A947A0B.000099.29931@frodo.searchcanada.ca>
Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_RC050TY66ERNTT4D7TH0"
To: freebsd-security@freebsd.org
Subject: Odd firewall messages
From: "Michael Richards"
X-Fastmail-IP: 24.156.176.65
Date: Wed, 21 Feb 2001 21:31:39 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Aside from my bind problems, I finally got a firewall up and running for our servers. The ipfilter rules catching the odd packets are:

# Nasty Packets:
# Block any packets which are too short to be real.
block in log quick all with short
# Block any packets with source routing set
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# block any traffic claiming to be from an RFC reserved IP space
block in log quick on xl1 from 192.168.0.0/16 to any
block in log quick on xl1 from 172.16.0.0/12 to any
block in log quick on xl1 from 10.0.0.0/8 to any
# block localhost type IPs
block in log quick on xl1 from 127.0.0.0/8 to any
# block anything claiming to be a '0.x.x.x'
block in log quick on xl1 from 0.0.0.0/8 to any
# block IANA IPs reserved for use in auto-configuration
block in log quick on xl1 from 169.254.0.0/16 to any
# block IPs reserved for documentation authors
block in log quick on xl1 from 192.0.2.0/24 to any
# reserved SUN IPs for private cluster interlocks
block in log quick on xl1 from 204.152.64.0/23 to any
# multicast traffic
block in log quick on xl1 from 224.0.0.0/3 to any

Now I seem to be getting a number of weird packets presumably probing my machine for various open ports:

21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 -> x.x.x.x,25 PR tcp len 20 7168 - IN
21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25 PR tcp len 20 10240 -A IN

I haven't figured out what the last 2 log entries are or do, only because I haven't read into the docs far enough yet.

The thing I find curious is the first set of packets. These are coming from RFC reserved IP addresses. Why on earth would I probe you using a return address of 10.0.0.1, because I probably won't ever get a response. Before the firewall was plugged in (it had a bypass during setup and testing) I presume that the responses for these packets were just fired back and filtered out somewhere. Since rule #2 and #3 do not seem to be firing I assume they are not source routed so as to have the return source pass through the attacking machine.

Anyone have any wisdom when it comes to decoding what I'm seeing here?

thanks
-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Wed Feb 21 18:34:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-53.dsl.lsan03.pacbell.net [64.165.226.53]) by hub.freebsd.org (Postfix) with ESMTP id 7014937B491 for ; Wed, 21 Feb 2001 18:34:47 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 21AFF66F2E; Wed, 21 Feb 2001 18:34:47 -0800 (PST)
Date: Wed, 21 Feb 2001 18:34:47 -0800
From: Kris Kennaway
To: Michael Richards
Cc: freebsd-security@freebsd.org
Subject: Re: Bind problems
Message-ID: <20010221183446.A64655@mollari.cthul.hu>
References: <3A947710.000009.60978@frodo.searchcanada.ca>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ikeVEW9yuYc//A+q"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A947710.000009.60978@frodo.searchcanada.ca>; from michael@fastmail.ca on Wed, Feb 21, 2001 at 09:18:56PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Feb 21, 2001 at 09:18:56PM -0500, Michael Richards wrote:
> Since the big BIND vulnerability, I checked all my versions of BIND
> to make sure they weren't the 8.2.2 variety. None were.
>
> Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
> Which is not supposed to be vulnerable.

Only in bizarro-world.
Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6lHrGWry0BWjoQKURAmhyAKCxf5kb5GYUwAmLm0tTUbJpXkOv8gCfSSVW
1nncD4DjyKkqBb99BD7Kwvw=
=MWkA
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 21 18:38:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 507C737B503 for ; Wed, 21 Feb 2001 18:38:47 -0800 (PST) (envelope-from michael@fastmail.ca)
Received: by mail.interchange.ca (Fastmailer, from userid 555) id B97A521F0; Wed, 21 Feb 2001 21:38:31 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3A947BA7.000017.60978@frodo.searchcanada.ca>
Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_7O052I4YA1UMYJ0CCJD0"
To: silby@silby.com
Subject: Re: Bind problems
Cc: freebsd-security@freebsd.org
From: "Michael Richards"
X-Fastmail-IP: 24.156.176.65
Date: Wed, 21 Feb 2001 21:38:31 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hrm. I looked at bugtraq id 2302 for this info. It says:

vulnerable
ISC BIND 8.2.2 p7
ISC BIND 8.2.2 p6
ISC BIND 8.2.2 p5
ISC BIND 8.2.2 p4
ISC BIND 8.2.2 p3
ISC BIND 8.2.2 p2
ISC BIND 8.2.2 p1
ISC BIND 8.2.2
ISC BIND 8.2.1
ISC BIND 8.2
4.2.4

not vulnerable
ISC BIND 9.1
ISC BIND 9.0
ISC BIND 8.2.3

Since my version was: 8.2.3-T6B isn't that the variety that's not vulnerable?

-Michael

>> Since the big BIND vulnerability, I checked all my versions of
>> BIND to make sure they weren't the 8.2.2 variety. None were.
>>
>> Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
>> Which is not supposed to be vulnerable.
>
> Yes, it is totally and completely vulnerable. The advisory could
> not have been more clear.
>
> Mike "Silby" Silbersack
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Wed Feb 21 18:42: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id EBF9737B401 for ; Wed, 21 Feb 2001 18:42:04 -0800 (PST) (envelope-from michael@fastmail.ca)
Received: by mail.interchange.ca (Fastmailer, from userid 555) id 438A720EF; Wed, 21 Feb 2001 21:41:49 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3A947C6D.0000AF.29946@frodo.searchcanada.ca>
Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_PT05YAG8WZZNTT4D7TH0"
To: silby@silby.com
Subject: Re: Bind problems
Cc: freebsd-security@freebsd.org
From: "Michael Richards"
X-Fastmail-IP: 24.156.176.65
Date: Wed, 21 Feb 2001 21:41:49 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sigh. Seems that I should have been reading the FreeBSD advisory rather than the bugtraq report. Now that I've been pointed in the right direction I see that it was indeed very clearly reported.

thanks
-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Wed Feb 21 21:11:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shady.org (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id 8A64137B4EC for ; Wed, 21 Feb 2001 21:11:45 -0800 (PST) (envelope-from marcr@shady.org)
Received: (qmail 46864 invoked by uid 1000); 22 Feb 2001 01:13:55 -0000
Date: Thu, 22 Feb 2001 01:13:55 +0000
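The slip in the BIND thread above is a version-ordering mistake: "8.2.3-T6B" was read as "8.2.3", but the -T tag marks a test build that comes before the 8.2.3 release, which is why Mike Silbersack and Kris Kennaway say it is covered by the advisory. The Python below is an added example, not code from this thread or from ISC. It parses the banner that named prints and orders BIND 8 versions so that test builds sort below -REL and patch levels above it, then applies the rule the thread states (anything in the 8.2 series before 8.2.3-REL is vulnerable). The stage ordering T < REL < P is an assumption drawn from the version strings visible in the thread, and the check is deliberately limited to BIND 8; it says nothing about BIND 4 or 9.

```python
"""Order BIND 8 version strings so that a pre-release such as 8.2.3-T6B is
recognised as older than 8.2.3-REL.

Added example for this thread, not code from the thread or from ISC.
Assumptions: tags take the forms seen in the thread (-T6B test build, -REL
release, -P7 or "p7" patch level); a bare x.y.z is the release.  Only BIND 8
is covered.
"""
import re
from typing import Tuple

# Version followed by an optional stage tag.  The tag is anchored with \b so
# that the build date in a banner ("8.2.3 Thu Nov 23 ...") is not read as a
# stage "T".
VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:[-\s]?(?P<stage>REL|T|P|t|p)(?P<num>\d+)?(?P<sub>[A-Z]*)\b)?"
)

# Assumed ordering of stages within one x.y.z: test builds precede the
# release, patch levels follow it.
STAGE_RANK = {"T": 0, "REL": 1, "P": 2}

Version = Tuple[int, int, int, int, int, str]


def parse_bind_version(banner: str) -> Version:
    """Extract a comparable tuple from a 'named' banner or a bare version."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no version number in {banner!r}")
    stage = (m["stage"] or "REL").upper()
    return (
        int(m["major"]),
        int(m["minor"]),
        int(m["patch"] or 0),
        STAGE_RANK[stage],
        int(m["num"] or 0),
        m["sub"] or "",
    )


# First release the thread names as fixed in the 8.2 series.
FIRST_FIXED_BIND8 = parse_bind_version("8.2.3-REL")


def bind8_vulnerable(banner: str) -> bool:
    """True when the banner is a BIND 8 build older than 8.2.3-REL, the rule
    stated in the thread.  Other major versions are outside this example."""
    v = parse_bind_version(banner)
    if v[0] != 8:
        raise ValueError("only BIND 8 version strings are handled here")
    return v < FIRST_FIXED_BIND8


def audit(banners):
    """Map each banner to (parsed version, vulnerable?) for a quick report."""
    return {b: (parse_bind_version(b), bind8_vulnerable(b)) for b in banners}


if __name__ == "__main__":
    # The two banners Michael quotes, plus a bugtraq-style patch level.
    for banner, (ver, vuln) in audit([
        "named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000",
        "named 8.2.3-REL Sun Feb 18 11:47:44 EST 2001",
        "ISC BIND 8.2.2 p7",
    ]).items():
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver}  {banner}")
```

The point of the tuple is the fourth element: a bare string comparison or a float-style "8.2.3 >= 8.2.3" check would have passed 8.2.3-T6B, exactly the reading that went wrong in the thread.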
From: Marc Rogers
To: freebsd-security@freebsd.org
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010222011355.D341@shady.org>
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <3A93A9CC.BC1D39FB@algroup.co.uk>; from adam@algroup.co.uk on Wed, Feb 21, 2001 at 11:43:08AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I concur, but then I already do that. Still, it would be nice if it was done officially, because then I wouldn't have to try to remember to patch my conf files after every install.

Marc Rogers
Head of Network Operations & Security
EDC Group

From owner-freebsd-security Wed Feb 21 22:13:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dt051n37.san.rr.com (dt051n37.san.rr.com [204.210.32.55]) by hub.freebsd.org (Postfix) with ESMTP id 06A2F37B491 for ; Wed, 21 Feb 2001 22:13:45 -0800 (PST) (envelope-from DougB@gorean.org)
Received: from gorean.org (Studded@master [10.0.0.2]) by dt051n37.san.rr.com (8.9.3/8.9.3) with ESMTP id WAA06127; Wed, 21 Feb 2001 22:13:26 -0800 (PST) (envelope-from DougB@gorean.org)
Message-ID: <3A94AE05.965BC5E4@gorean.org>
Date: Wed, 21 Feb 2001 22:13:25 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mikel King
Cc: Adam Laurie , Nick Sayer , freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk> <3A93C2FB.3E160997@ocsinternet.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mikel King wrote:
>
> Yes I would tend to agree that it would be rather handy to have the config
> outside of the rc.firewall, and rc.conf is a likely candidate. Presently I do
> this manually because I have several scripts that use these common vars
> like 'oif' and for maintenance purposes it's easier to have a central point
> for their assignment.

What's wrong with /etc/rc.conf.local ?

Doug

From owner-freebsd-security Wed Feb 21 22:53:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 9CA0B37B491 for ; Wed, 21 Feb 2001 22:53:26 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 21 Feb 2001 22:51:27 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1M6rIW89799; Wed, 21 Feb 2001 22:53:18 -0800 (PST) (envelope-from cjc)
Date: Wed, 21 Feb 2001 22:53:17 -0800
From: "Crist J. Clark"
To: Michael Richards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Odd firewall messages
Message-ID: <20010221225317.A89396@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A947A0B.000099.29931@frodo.searchcanada.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A947A0B.000099.29931@frodo.searchcanada.ca>; from michael@fastmail.ca on Wed, Feb 21, 2001 at 09:31:39PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Feb 21, 2001 at 09:31:39PM -0500, Michael Richards wrote:
[snip]
> Now I seem to be getting a number of weird packets presumably probing
> my machine for various open ports:
>
> 21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 ->
> x.x.x.x,25 PR tcp len 20 7168 - IN
> 21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25
> PR tcp len 20 10240 -A IN
>
> I haven't figured out what the last 2 log entries are or do only
> because I haven't read into the docs far enough yet.
>
> The thing I find curious is the first set of packets. These are
> coming from RFC reserved IP addresses. Why on earth would I probe you
> using a return address of 10.0.0.1 because I probably won't ever get
> a response. Before the firewall was plugged in (it had a bypass
> during setup and testing) I presume that the response for these
> packets were just fired back and filtered out somewhere. Since rule
> #2 and #3 do not seem to be firing I assume they are not source
> routed so as to have the return source pass through the attacking
> machine.
>
> Anyone have any wisdom when it comes to decoding what I'm seeing here?

That is the NetBIOS garbage that WinXX machines chatter with. You redacted the destination IPs, were they broadcast addresses? Those are NetBIOS name resolution packets. They could be hostile, but by far the most probable scenario is someone with a misconfigured network is leaking them. You would not happen to be living off of a public broadcast domain?

-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Wed Feb 21 23:10:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zmamail03.zma.compaq.com (mailout.zma.compaq.com [161.114.64.103]) by hub.freebsd.org (Postfix) with ESMTP id 7571037B401 for ; Wed, 21 Feb 2001 23:10:21 -0800 (PST) (envelope-from daniel.bornaz@compaq.com)
Received: by zmamail03.zma.compaq.com (Postfix, from userid 12345) id BD0C5B686; Thu, 22 Feb 2001 02:10:20 -0500 (EST)
Received: from excreo-gh02.reo.cpqcorp.net (excreo-gh02.reo.cpqcorp.net [16.37.150.254]) by zmamail03.zma.compaq.com (Postfix) with ESMTP id 6F0BDBF51 for ; Thu, 22 Feb 2001 02:10:20 -0500 (EST)
Received: by excreo-gh02.reo.cpqcorp.net with Internet Mail Service (5.5.2650.21) id <1495JVFN>; Thu, 22 Feb 2001 07:10:19 -0000
Message-ID: <418D0FAA7B4CD21183610000F87ADF4A754E09@xrbexc1.xrb.dec.com>
From: "Bornaz, Daniel"
To: "'freebsd-security@freebsd.org'"
Subject: help
Date: Thu, 22 Feb 2001 07:09:58 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

help

From owner-freebsd-security Wed Feb 21 23:27:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id DE0AA37B4EC for ; Wed, 21 Feb 2001 23:27:37 -0800 (PST) (envelope-from michael@fastmail.ca)
Received: by mail.interchange.ca (Fastmailer, from userid 555) id 5FE4721C8; Thu, 22 Feb 2001 02:27:20 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3A94BF58.000023.66147@frodo.searchcanada.ca>
Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_K1E5E1IZ5BZNTT4D7TH0"
To: cjclark@reflexnet.net
Subject: Re: Odd firewall messages
Cc: freebsd-security@FreeBSD.ORG
From: "Michael Richards"
X-Fastmail-IP: 24.156.176.65
Date: Thu, 22 Feb 2001 02:27:20 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> Anyone have any wisdom when it comes to decoding what I'm seeing
>> here?
>
> That is the NetBIOS garbage that WinXX machines chatter with. You
> redacted the destination IPs, were they broadcast addresses? Those
> are NetBIOS name resolution packets. They could be hostile, but by
> far the most probable scenario is someone with a misconfigured
> network is leaking them. You would not happen to be living off of
> a public broadcast domain?

These were not broadcast addresses. In fact, some of the IPs were not even used. I assumed it was some sort of scanning but was not able to figure out how they were getting answers. It seems odd that providers would not filter outgoing packets if they are coming from IPs that don't belong to the ISP.

We are hooked up directly to the core router at our service provider. No public or broadcast happening with us.

The 137 seems to point to NetBIOS but there are others such as:

21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80 PR tcp len 20 11264 -S IN

That are hitting the webserver of our busiest server. I guess it's probably nothing to worry about.
-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Feb 22 1:55:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from internet.hilbrink.nl (ns.hilbrink.nl [212.136.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 415D037B491 for ; Thu, 22 Feb 2001 01:55:36 -0800 (PST) (envelope-from cor@internet.hilbrink.nl)
Received: (from cor@localhost) by internet.hilbrink.nl (8.8.8/8.8.8) id LAA28855; Thu, 22 Feb 2001 11:03:01 +0100 (CET) (envelope-from cor)
Date: Thu, 22 Feb 2001 11:03:01 +0100 (CET)
From: User Cor
Message-Id: <200102221003.LAA28855@internet.hilbrink.nl>
To: Daniel.Bornaz@compaq.com, freebsd-security@FreeBSD.ORG
Subject: Re: help
In-Reply-To: <418D0FAA7B4CD21183610000F87ADF4A754E09@xrbexc1.xrb.dec.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Do you need a rope??

regards.

From owner-freebsd-security Thu Feb 22 5:58:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 353B337B67D for ; Thu, 22 Feb 2001 05:58:10 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f1MDuFM92669; Thu, 22 Feb 2001 07:56:15 -0600 (CST) (envelope-from chris@jeah.net)
Date: Thu, 22 Feb 2001 07:56:14 -0600 (CST)
From: Chris Byrnes
To: Michael Richards
Cc:
Subject: Re: Bind problems
In-Reply-To: <3A947710.000009.60978@frodo.searchcanada.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Anything before -REL is susceptible to the vulns. I was running 8.2.3-T6B as well, and assumed because the 8.2.3 was there that I was fine. Then I did some further reading and found out "oops".

-cb

On Wed, 21 Feb 2001, Michael Richards wrote:

> Since the big BIND vulnerability, I checked all my versions of BIND
> to make sure they weren't the 8.2.2 variety. None were.
>
> Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
> Which is not supposed to be vulnerable.
>
> Not too long after the exploit became publicly widespread, I
> noticed that my bind was randomly crashing. This machine had run for
> months without any sort of bind problem. I should have kept the core files
> but I did notice that they segfaulted at location 0x41414141.
>
> This looked a little suspicious to me so I immediately cvsuped. The
> new version is: named 8.2.3-REL Sun Feb 18 11:47:44 EST 2001 and has
> not crashed since the 18th when I compiled it. Before it was crashing
> daily.
>
> Any ideas if named 8.2.3-T6B in 4.2-RELEASE has problems?
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Feb 22 6:29:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from wasp.eng.ufl.edu (wasp.eng.ufl.edu [128.227.116.1]) by hub.freebsd.org (Postfix) with ESMTP id E1D0437B401 for ; Thu, 22 Feb 2001 06:29:08 -0800 (PST) (envelope-from bob@eng.ufl.edu)
Received: from eng.ufl.edu (scanner.engnet.ufl.edu [128.227.152.221]) by wasp.eng.ufl.edu (8.9.3/8.9.3) with ESMTP id JAA06805; Thu, 22 Feb 2001 09:28:55 -0500 (EST)
Message-ID: <3A952227.57E6D4D4@eng.ufl.edu>
Date: Thu, 22 Feb 2001 09:28:55 -0500
From: Bob Johnson
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en, eo
MIME-Version: 1.0
To: michael@fastmail.ca
Cc: security@freebsd.org
Subject: Re: Odd firewall messages
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
>
> Date: Wed, 21 Feb 2001 21:31:39 -0500 (EST)
> From: "Michael Richards"
> Subject: Odd firewall messages
>
> Aside from my bind problems, I finally got a firewall up and running
> for our servers. The ipfilter rules catching the odd packets are:
> # Nasty Packets:
> # Block any packets which are too short to be real.
> block in log quick all with short
> # Block any packets with source routing set
> block in log quick all with opt lsrr
> block in log quick all with opt ssrr
> # block any traffic claiming to be from an RFC reserved IP space
> block in log quick on xl1 from 192.168.0.0/16 to any
> block in log quick on xl1 from 172.16.0.0/12 to any
> block in log quick on xl1 from 10.0.0.0/8 to any
> # block localhost type IPs
> block in log quick on xl1 from 127.0.0.0/8 to any
> # block anything claiming to be a '0.x.x.x'
> block in log quick on xl1 from 0.0.0.0/8 to any
> # block IANA IPs reserved for use in auto-configuration
> block in log quick on xl1 from 169.254.0.0/16 to any
> # block IPs reserved for documentation authors
> block in log quick on xl1 from 192.0.2.0/24 to any
> # reserved SUN IPs for private cluster interlocks
> block in log quick on xl1 from 204.152.64.0/23 to any
> # multicast traffic
> block in log quick on xl1 from 224.0.0.0/3 to any
>

You might want to block incoming packets that claim to be from your network if you don't already do so. It is a courtesy to others to also block outgoing packets that do not claim to be from your network. That helps suppress some forms of DoS attacks that might be relayed through you.
> Now I seem to be getting a number of weird packets presumably probing
> my machine for various open ports:
>
> 21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137
> PR udp len 20 19968 IN
> 21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 ->
> x.x.x.x,25 PR tcp len 20 7168 - IN
> 21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25
> PR tcp len 20 10240 -A IN
>
> I haven't figured out what the last 2 log entries are or do only
> because I haven't read into the docs far enough yet.

The hard part about dealing with port 137 probes is that many Windows systems generate them as part of their normal operation, so you often have to see a definite scanning pattern to be sure they are not legitimate. There are a few trojan horse programs out there that systematically search for writable network shares on Windows systems: they start with systematic probes for port 137. Of course, seeing them come from a private IP number makes them interesting...

Port 25 is incoming mail. Depending on your configuration, either someone is legitimately trying to deliver mail to you, or they are probing for mail servers to exploit.

Port 80 (which by the miracle of modern technology I know you are going to mention in a later message) is HTTP, i.e. the default web server port.

>
> The thing I find curious is the first set of packets. These are
> coming from RFC reserved IP addresses. Why on earth would I probe you
> using a return address of 10.0.0.1 because I probably won't ever get
> a response. Before the firewall was plugged in (it had a bypass
> during setup and testing) I presume that the response for these
> packets were just fired back and filtered out somewhere. Since rule
> #2 and #3 do not seem to be firing I assume they are not source
> routed so as to have the return source pass through the attacking
> machine.

Without a clear idea of how you get to the Internet this is only a guess, but some of the larger ISPs use private IP numbers for their internal routers, nameservers, security scanners, etc. This could be a legitimate security scan from your provider. You might try turning off the firewall briefly and doing traceroute 10.0.0.1 to see if you can actually reach a real system with that address. Or you might ask your ISP.

>
> Anyone have any wisdom when it comes to decoding what I'm seeing here?
>
> thanks
> -Michael

Only guesses.

- Bob

From owner-freebsd-security Thu Feb 22 6:50: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ra.upan.org (ra.upan.org [204.107.76.19]) by hub.freebsd.org (Postfix) with ESMTP id 2E28937B491 for ; Thu, 22 Feb 2001 06:50:04 -0800 (PST) (envelope-from mikel@ocsinternet.com)
Received: from ocsinternet.com (localhost.upan.org [127.0.0.1]) by ra.upan.org (8.11.1/8.11.1) with ESMTP id f1MEmAk00420; Thu, 22 Feb 2001 09:48:11 -0500 (EST) (envelope-from mikel@ocsinternet.com)
Message-ID: <3A9526AA.19D00D47@ocsinternet.com>
Date: Thu, 22 Feb 2001 09:48:10 -0500
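Between Michael's log lines and Bob's port-by-port reading, the thread above describes a triage a practitioner would rather automate than eyeball. The Python below is an added example for this thread, not code from the posts or from ipfilter. It parses lines in the ipmon(8) layout visible in Michael's post (including the "2x" repeat marker on the first line), classifies each source against the reserved ranges the posted ruleset blocks and against a local prefix (Bob's "claims to be from your network" check; LOCAL_NET is an assumed, hypothetical value), counts blocked packets per source and destination port with Bob's service names, and decodes the TCP flag field Michael asked about ("-", "-A", "-S"). The sample lines are the ones quoted in the thread, with the destination still redacted as x.x.x.x, which the parser tolerates.

```python
"""Triage the ipmon(8) log lines posted in this thread.

Added example for this thread, not code from the posts or from ipfilter.
It assumes the line layout visible in Michael's post; LOCAL_NET is a
hypothetical local prefix standing in for the redacted x.x.x.x network.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Reserved source ranges, copied from the posted ruleset.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
    "224.0.0.0/3")]
# Hypothetical local prefix: an inbound packet on the outside interface
# claiming to come from here is spoofed (Bob's first suggestion above).
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")
SERVICE_NAMES = {137: "netbios-ns", 25: "smtp", 80: "http"}

# 21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) (?:(?P<repeat>\d+)x )?"
    r"(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]*))? (?P<direction>IN|OUT)$")


@dataclass(frozen=True)
class LogEntry:
    rule: str        # "group:rule" as logged
    blocked: bool
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flag field as logged ("-S", "-A", "-"); "" for UDP
    repeat: int      # identical packets ipmon collapsed into this line ("2x")


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None when the line is not in the expected layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(
        rule=f"{m['group']}:{m['rule']}", blocked=m["action"] == "b",
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], flags=m["flags"] or "", repeat=int(m["repeat"] or 1))


def classify_source(addr: str) -> str:
    """'reserved' (ruleset range), 'spoofed-local', 'public', or 'unparsed'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. the redacted x.x.x.x
        return "unparsed"
    if any(ip in net for net in RESERVED_NETS):
        return "reserved"
    if ip in LOCAL_NET:
        return "spoofed-local"
    return "public"


def describe_tcp_flags(flags: str) -> str:
    """What the logged TCP flag field says about the packet."""
    if "S" in flags and "A" not in flags:
        return "SYN: new connection attempt"
    if "A" in flags and "S" not in flags:
        return "ACK without SYN: not a connection open (stale session, ACK scan, or reply to a spoofed packet)"
    if flags == "-":
        return "no flags set: null segment, not what a normal TCP stack sends"
    return f"flags {flags}"


def summarize(lines):
    """Blocked packets per (src, dport, service), weighted by the repeat
    count, plus the source class of each such flow."""
    counts, classes = Counter(), {}
    for line in lines:
        e = parse_line(line)
        if e is None or not e.blocked:
            continue
        key = (e.src, e.dport, SERVICE_NAMES.get(e.dport, str(e.dport)))
        counts[key] += e.repeat
        classes[key] = classify_source(e.src)
    return counts, classes


# Log lines copied from the posts above (destination redacted in the post).
SAMPLE_LINES = [
    "21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 -> x.x.x.x,25 PR tcp len 20 7168 - IN",
    "21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25 PR tcp len 20 10240 -A IN",
    "21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80 PR tcp len 20 11264 -S IN",
]
```

Calling summarize(SAMPLE_LINES) and printing counts.most_common() gives the per-source picture Bob is reasoning about: three netbios-ns packets from 192.168.1.20, two from 10.0.0.1, and one smtp packet each from a public and a reserved source. summarize() skips lines that fail to parse; in a real deployment count those separately, since a change in the log layout is itself worth noticing. The flag decoder is what answers "what the last 2 log entries are": a bare "-" to port 25 is a null segment, and "-A" is an ACK with no SYN, neither of which is how a mail client opens a connection.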
From: Mikel King
Organization: OCS Internet
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Doug Barton
Cc: Adam Laurie , Nick Sayer , freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk> <3A93C2FB.3E160997@ocsinternet.com> <3A94AE05.965BC5E4@gorean.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

rc.conf.local and rc.local were deprecated around the release of 4.x. Of course you can still use them if you really want... but I think rc.conf is a better choice since it's already skagged into rc.firewall and it keeps everything centralized.

Cheers,
Mikel

Doug Barton wrote:
> Mikel King wrote:
> >
> > Yes I would tend to agree that it would be rather handy to have the config
> > outside of the rc.firewall, and rc.conf is a likely candidate. Presently I do
> > this manually because I have several scripts that use these common vars
> > like 'oif' and for maintenance purposes it's easier to have a central point
> > for their assignment.
>
> What's wrong with /etc/rc.conf.local ?
>
> Doug

From owner-freebsd-security Thu Feb 22 7: 2: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from masshosting.com (MassHosting.com [166.90.189.34]) by hub.freebsd.org (Postfix) with ESMTP id 143C237B401 for ; Thu, 22 Feb 2001 07:02:04 -0800 (PST) (envelope-from fa-q@innu.org)
Received: from innu.org (www2.masshosting.com [63.211.166.26]) by masshosting.com (8.9.3/8.9.3) with ESMTP id LAA31116 for ; Thu, 22 Feb 2001 11:02:42 -0500
Message-ID: <3A952CD7.31948295@innu.org>
Date: Thu, 22 Feb 2001 10:14:31 -0500
From: Sean Trifero
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-stealth i686)
X-Accept-Language: en
MIME-Version: 1.0
To: "freebsd-security@FreeBSD.ORG"
Subject: unsubscribe
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7: 4:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from masshosting.com (MassHosting.com [166.90.189.34]) by hub.freebsd.org (Postfix) with ESMTP id 4F75637B401 for ; Thu, 22 Feb 2001 07:04:09 -0800 (PST) (envelope-from strifero@mad.scientist.com)
Received: from mad.scientist.com (www2.masshosting.com [63.211.166.26]) by masshosting.com (8.9.3/8.9.3) with ESMTP id LAA31146; Thu, 22 Feb 2001 11:04:46 -0500
Message-ID: <3A952D53.87F78EE4@mad.scientist.com>
Date: Thu, 22 Feb 2001 10:16:35 -0500
From: Sean Trifero
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-stealth i686)
X-Accept-Language: en
MIME-Version: 1.0
To: "INCIDENTS@securityfocus.com" , "freebsd-security@FreeBSD.ORG"
Subject: unsubscribe
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7: 5: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from masshosting.com (MassHosting.com [166.90.189.34]) by hub.freebsd.org (Postfix) with ESMTP id 923C937B401 for ; Thu, 22 Feb 2001 07:04:58 -0800 (PST) (envelope-from strifero@mad.scientist.com)
Received: from mad.scientist.com (www2.masshosting.com [63.211.166.26]) by masshosting.com (8.9.3/8.9.3) with ESMTP id LAA31167 for ; Thu, 22 Feb 2001 11:05:37 -0500
Message-ID: <3A952D86.550CC422@mad.scientist.com>
Date: Thu, 22 Feb 2001 10:17:26 -0500
From: Sean Trifero
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-stealth i686)
X-Accept-Language: en
MIME-Version: 1.0
To: "freebsd-security@FreeBSD.ORG"
Subject: (no subject)
References: <3A952CD7.31948295@innu.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe freebsd-security

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7: 9: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 57AA237B65D for ; Thu, 22 Feb 2001 07:08:47 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA28508; Thu, 22 Feb 2001 07:08:34 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda28506; Thu Feb 22 07:08:25 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f1MF8Ks24780; Thu, 22 Feb 2001 07:08:20 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdP24778; Thu Feb 22 07:07:44 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f1MF7iX45138; Thu, 22 Feb 2001 07:07:44 -0800 (PST)
Message-Id: <200102221507.f1MF7iX45138@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdK45091; Thu Feb 22 07:07:24 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: "Michael Richards"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
In-reply-to: Your message of "Wed, 21 Feb 2001 21:18:56 EST." <3A947710.000009.60978@frodo.searchcanada.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 22 Feb 2001 07:07:24 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3A947710.000009.60978@frodo.searchcanada.ca>, "Michael Richards" writes:
> Since the big BIND vulnerability, I checked all my versions of BIND
> to make sure they weren't the 8.2.2 variety. None were.
>
> Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
> Which is not supposed to be vulnerable.

I wouldn't be surprised if your system has already been hacked. 8.2.3-REL has fixed all known (to ISC) security holes. All previous versions of BIND are vulnerable. If I (taking my manager's hat off and putting my security officer's hat on) were you I'd do the prudent thing, which is to verify the system was not already hacked or otherwise consider the system suspect until I can prove it otherwise.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7:11: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id 27F1537B4EC for ; Thu, 22 Feb 2001 07:11:05 -0800 (PST) (envelope-from mit@mitayai.net)
Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.2/8.11.2) with ESMTP id f1MFAxA54386; Thu, 22 Feb 2001 10:10:59 -0500 (EST) (envelope-from mit@mitayai.net)
From: "Will Mitayai Keeso Rowe"
To: "Sean Trifero" ,
Subject: RE: (no subject)
Date: Thu, 22 Feb 2001 10:09:06 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <3A952D86.550CC422@mad.scientist.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

read the text at the bottom for unsubscribe instructions.

:-----Original Message-----
:From: owner-freebsd-security@FreeBSD.ORG
:[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Sean Trifero
:Sent: February 22, 2001 10:17 AM
:To: freebsd-security@FreeBSD.ORG
:Subject: (no subject)
:
:
:unsubscribe freebsd-security
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7:15:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from yang.earlham.edu (yang.earlham.edu [159.28.1.1]) by hub.freebsd.org (Postfix) with ESMTP id 4B23437B491 for ; Thu, 22 Feb 2001 07:15:35 -0800 (PST) (envelope-from marouni@earlham.edu)
Received: from earlham.edu (IDENT:odysseus@odysseus.earlham.edu [159.28.1.207]) by yang.earlham.edu (8.9.3/8.9.3) with ESMTP id KAA00640; Thu, 22 Feb 2001 10:21:19 -0500
Message-ID: <3A952C27.6A513CE@earlham.edu>
Date: Thu, 22 Feb 2001 10:11:35 -0500
From: Nick Marouf
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-6.1.1smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Sean Trifero
Cc: "INCIDENTS@securityfocus.com" , "freebsd-security@FreeBSD.ORG"
Subject: Re: unsubscribe
References: <3A952D53.87F78EE4@mad.scientist.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hey, you are sending this to the list.. send it to majordomo@freebsd.org

Nick

Sean Trifero wrote:
> unsubscribe
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7:21:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from MCSMTP.MC.VANDERBILT.EDU (mcsmtp.mc.Vanderbilt.Edu [160.129.93.202]) by hub.freebsd.org (Postfix) with ESMTP id 61C5537B4EC for ; Thu, 22 Feb 2001 07:21:48 -0800 (PST) (envelope-from George.Giles@mcmail.vanderbilt.edu)
Subject: Bind vulnerability
To: freebsd-security@freebsd.org
X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000
Message-ID:
From: George.Giles@mcmail.vanderbilt.edu
Date: Thu, 22 Feb 2001 09:22:03 -0600
X-MIMETrack: Serialize by Router on MCSMTP/VUMC/Vanderbilt(Release 5.0.3 |March 21, 2000) at 02/22/2001 09:14:23 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The bind vulnerability has been fixed in 4.2-current ?

TIA,
George

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7:27:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 7522637B401 for ; Thu, 22 Feb 2001 07:27:16 -0800 (PST) (envelope-from roam@orbitel.bg)
Received: (qmail 6107 invoked by uid 1000); 22 Feb 2001 15:25:09 -0000
Date: Thu, 22 Feb 2001 17:25:09 +0200
From: Peter Pentchev
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Bind vulnerability
Message-ID: <20010222172509.E440@ringworld.oblivion.bg>
Mail-Followup-To: George.Giles@mcmail.vanderbilt.edu, freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Thu, Feb 22, 2001 at 09:22:03AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 22, 2001 at 09:22:03AM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> The bind vulnerability has been fixed in 4.2-current ?

There is no such thing as 4.2-current. The BIND vulnerability has been fixed in 4.2-STABLE, yes.

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been paradoxical.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7:30: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id D6BC837B503 for ; Thu, 22 Feb 2001 07:30:00 -0800 (PST) (envelope-from cdf.lists@fxp.org)
Received: by peitho.fxp.org (Postfix, from userid 1501) id 80C9B1360C; Thu, 22 Feb 2001 10:29:59 -0500 (EST)
Date: Thu, 22 Feb 2001 10:29:59 -0500
From: Chris Faulhaber
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Bind vulnerability
Message-ID: <20010222102959.A11558@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber , George.Giles@mcmail.vanderbilt.edu, freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="45Z9DzgjV8m4Oswq"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Thu, Feb 22, 2001 at 09:22:03AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 22, 2001 at 09:22:03AM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> The bind vulnerability has been fixed in 4.2-current ?
>

a) 4.2-current does not exist
b) the vulnerability has been fixed, see the advisory released a few weeks ago for more details:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7:43:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168]) by hub.freebsd.org (Postfix) with SMTP id 49DC837B4EC for ; Thu, 22 Feb 2001 07:43:15 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 13389 invoked by alias); 22 Feb 2001 15:41:52 -0000
Received: from unknown (HELO sirmoobert) (137.99.158.30) by d156h168.resnet.uconn.edu with SMTP; 22 Feb 2001 15:41:52 -0000
Message-ID: <005901c09ce6$4a895820$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: , "Michael Richards"
Cc:
References: <3A94BF58.000023.66147@frodo.searchcanada.ca>
Subject: Re: Odd firewall messages
Date: Thu, 22 Feb 2001 10:44:07 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

NetBIOS "scanning" is done many times by machines infected with the "Bymer" virus. Check your machines. "Bymer" looks for open (writable) NetBIOS shares to a root C:\ or a writable c:\windows (which is a stupid thing to do, but people sometimes forget to password or disable "full access") and that is its route of propagation. On our network here we look for a machine doing massive amounts of netbios udp sends, and suspect Bymer.

----- Original Message -----
From: "Michael Richards"
To:
Cc:
Sent: Thursday, February 22, 2001 2:27 AM
Subject: Re: Odd firewall messages

>
> >> Anyone have any wisdom when it comes to decoding what I'm seeing
> >> here?
> >
> > That is the NetBIOS garbage that WinXX machines chatter with. You
> > redacted the destination IPs, were they broadcast addresses? Those
> > are NetBIOS name resolution packets. They could be hostile, but by
> > far the most probable scenario is someone with a misconfigured
> > network is leaking them. You would not happen to be living off of
> > a public broadcast domain?
>
> These were not broadcast addresses. In fact, some of the IPs were not
> even used. I assumed it was some sort of scanning but was not able to
> figure out how they were getting answers. It seems odd that providers
> would not filter outgoing packets if they are coming from IPs that
> don't belong to the ISP. We are hooked up directly to the core router
> at our service provider. No public or broadcast happening with us.
>
> The 137 seems to point to NetBIOS but there are others such as:
> 21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80
> PR tcp len 20 11264 -S IN
> That are hitting the webserver of our busiest server.
>
> I guess it's probably nothing to worry about.
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 7:45:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id EFD5C37B699 for ; Thu, 22 Feb 2001 07:45:37 -0800 (PST) (envelope-from roam@orbitel.bg)
Received: (qmail 6265 invoked by uid 1000); 22 Feb 2001 15:43:39 -0000
Date: Thu, 22 Feb 2001 17:43:39 +0200
From: Peter Pentchev
To: security@FreeBSD.org
Subject: [OT] ssh.com SSH 2.0.13 - OpenSSH interoperability problem
Message-ID: <20010222174339.F440@ringworld.oblivion.bg>
Mail-Followup-To: security@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OK, so I'll admit that I might not have been RTFM'ing enough, but..

Are OpenSSH and ssh.com's SSH DSA public keys compatible? I have a public key, generated by OpenSSH's ssh-keygen -d, and it works fine when connecting to an OpenSSH server. However, with an ssh.com's SSH server, I have the following in my ~/.ssh2/authorization file:

Key /home/roam/.ssh/authorized_keys2

..and /home/roam/.ssh/authorized_keys2 is the public portion of the key (one line, starting with ssh-dss, ending with roam@ringworld.oblivion.bg)

And yet..

debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: try pubkey: /usr/home/roam/.ssh/id_dsa
debug: read DSA private key done
debug: sig size 20 20
debug: datafellows
debug: we sent a publickey packet, wait for reply
debug: authentications that can continue: publickey,password

..and it asks me for a password. Is there something more I need to do?

G'luck,
Peter

--
This would easier understand fewer had omitted.
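The DSA key itself is not the problem; what ssh.com's server expects in the file named by the `Key` line in ~/.ssh2/authorization is the SSH2 public-key file format, which is what the `ssh-keygen -x` option mentioned in the replies writes out. Added example, not code from the thread, OpenSSH or ssh.com: it converts an OpenSSH `ssh-dss` key line into that format and back on a constructed toy-sized key (the Comment header and 70-column wrapping follow the SSH2/RFC 4716 layout; real DSA keys use a 1024-bit p).

```python
import base64
import struct
import textwrap


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (two's complement,
    so a leading 0x00 byte is added when the top bit would otherwise be set)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def make_dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    """Build the wire blob behind the base64 of an 'ssh-dss' key line:
    string "ssh-dss", then mpint p, q, g, y. The numbers passed in below are
    constructed toy values; real DSA keys use a 1024-bit p and a 160-bit q."""
    return _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))


def parse_openssh_pubkey(line: str) -> tuple[str, bytes, str]:
    """Split an OpenSSH one-line public key into (keytype, blob, comment) and
    check that the key type embedded in the blob matches the text field."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError(f"key type mismatch: {keytype!r} vs blob {embedded!r}")
    return keytype, blob, comment


def to_ssh2_pubkey(line: str) -> str:
    """Render the key in the SSH2 public-key file format (later RFC 4716):
    BEGIN/END markers, a quoted Comment header, base64 wrapped at 70 columns."""
    _, blob, comment = parse_openssh_pubkey(line)
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(textwrap.wrap(base64.b64encode(blob).decode("ascii"), 70))
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"


def from_ssh2_pubkey(text: str) -> str:
    """Inverse direction, so a round trip can be checked: SSH2 file -> OpenSSH line.
    Header lines are 'Tag: value'; base64 never contains ':' so that test is safe.
    (Backslash-continued header lines are not handled here.)"""
    lines = text.splitlines()
    if not lines or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("missing SSH2 BEGIN marker")
    comment, b64 = "", []
    for entry in lines[1:]:
        if entry == "---- END SSH2 PUBLIC KEY ----":
            break
        if ":" in entry:
            tag, _, value = entry.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue  # other headers (Subject, x-*) carry no key material
        b64.append(entry.strip())
    blob = base64.b64decode("".join(b64), validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + type_len].decode("ascii")
    line = f"{keytype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


# Constructed sample: toy-sized DSA parameters (not a usable key) with a
# comment in the style of the one in the question.
SAMPLE_BLOB = make_dss_blob(p=0xFFFFFFFB, q=0x7FFFFFFF, g=2, y=0x12345678)
SAMPLE_OPENSSH_LINE = ("ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
                       + " roam@example.invalid")

if __name__ == "__main__":
    print(to_ssh2_pubkey(SAMPLE_OPENSSH_LINE), end="")
```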
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 8:28:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 78B1B37B491 for ; Thu, 22 Feb 2001 08:28:07 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA29185 for ; Thu, 22 Feb 2001 08:28:03 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda29183; Thu Feb 22 08:28:00 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f1MGRtw25390 for ; Thu, 22 Feb 2001 08:27:55 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdb25388; Thu Feb 22 08:27:47 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f1MGRk149151 for ; Thu, 22 Feb 2001 08:27:46 -0800 (PST)
Message-Id: <200102221627.f1MGRk149151@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdG48726; Thu Feb 22 08:27:23 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: freebsd-security@freebsd.org
Subject: Sudo version 1.6.3p6 now available (fwd)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 22 Feb 2001 08:27:23 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As I don't have time to submit a PR for the sudo port this morning, I'm sending this to -security.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message

[headers removed]
Message-Id: <200102221552.f1MFqvE25180@xerxes.courtesan.com>
To: sudo-announce@courtesan.com
Subject: Sudo version 1.6.3p6 now available
Date: Thu, 22 Feb 2001 08:52:56 -0700
From: "Todd C. Miller"
Sender: sudo-announce-admin@courtesan.com
Errors-To: sudo-announce-admin@courtesan.com
X-BeenThere: sudo-announce@courtesan.com
X-Mailman-Version: 2.0.1
Precedence: bulk
List-Help:
List-Post:
List-Subscribe: ,
List-Id: Moderated list for general sudo announcementss
List-Unsubscribe: ,

Sudo version 1.6.3p6 is now available (ftp sites listed at the end).

This fixes a *buffer overflow* in sudo which is a potential security problem. I don't know of any exploits that currently exist but I suggest that you upgrade none the less. Sudo has a good track record wrt secure coding, but this one slipped by me.

- todd

Sudo web site:
    http://www.courtesan.com/sudo/

Master FTP sites:
    ftp.courtesan.com:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/

FTP Mirrors:
    ftp.uu.net:/pub/security/sudo/ (Falls Church, Virginia, USA)
    ftp.tux.org:/pub/security/sudo/ (Beltsville, Maryland, USA)
    coast.cs.purdue.edu:/pub/tools/unix/sudo/ (West Lafayette, Indiana, USA)
    ftp.uwsg.indiana.edu:/pub/sudo/ (Bloomington, Indiana, USA)
    ftp.tamu.edu:/pub/mirrors/ftp.courtesan.com/ (College Station, Texas, USA)
    ftp.rge.com:/pub/admin/sudo/ (Rochester, New York, USA)
    ftp.srv.ualberta.ca:/pub/Mirror/sudo/ (Canada)
    ftp.umds.ac.uk:/pub/sudo/ (Great Britain)
    ftp.iphil.net:/pub/sudo/ (Makati City, Philippines)
    ftp.csc.cuhk.edu.hk:/pub/packages/unix-tools/sudo/ (Hong Kong)
    ftp.icm.edu.pl:/vol/wojsyl5/sudo/ (Poland)
    ftp.tuwien.ac.at:/utils/admin-tools/sudo/ (Austria)
    ftp.eunet.cz:/pub/security/sudo/ (Czechoslovakia)
    ftp.tvi.tut.fi:/pub/security/unix/sudo/ (Finland)
    ftp.lps.ens.fr:/pub/software/sudo/ (France)
    ftp.crihan.fr:/pub/security/sudo/ (France)
    ftp.sai.msu.su:/pub/unix/security/ (Russia)
    ftp.mc.hik.se:/pub/unix/security/sudo/ (Sweden)
    ftp.rz.uni-osnabrueck.de/pub/unix/security/sudo/ (Germany)
    ftp.edu.tw:/UNIX/sudo/ (Taiwan)
    ftp.win.ne.jp:/pub/misc/sudo/ (Japan)
    ftp.st.ryukoku.ac.jp:/pub/security/tool/sudo/ (Japan)
    ftp.eos.hokudai.ac.jp:/pub/misc/sudo/ (Japan)
    ftp.tokyonet.ad.jp:/pub/security/sudo/ (Japan)
    ftp.kobe-u.ac.jp:/pub/util/security/tool/sudo/ (Japan)
    ftp.cin.nihon-u.ac.jp:/pub/util/sudo/ (Japan)
    ftp.fujitsu.co.jp:/pub/misc/sudo/ (Japan)
    core.ring.gr.jp:/pub/misc/sudo/ (Japan)
    ftp.ring.gr.jp:/pub/misc/sudo/ (Japan)

Master WWW site:
    http://www.courtesan.com/sudo/dist/

WWW Mirrors:
    http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    http://gd.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)

RPMs:
    ftp://ftp.rpmfind.net/linux/falsehope/pub/sudo
    ftp://ftp.tux.org/pub/sites/ftp.falsehope.com/sudo
    ftp://ftp.freshmeat.net/pub/rpms/sudo

Note that mirror sites may take a while to update.

- ---
Todd C. Miller
Sysadmin/Consultant
Todd.Miller@courtesan.com

____________________________________________________________
sudo-announce mailing list
For list information, options, or to unsubscribe, visit:
http://www.courtesan.com/mailman/listinfo/sudo-announce

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 8:45:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dt051n37.san.rr.com (dt051n37.san.rr.com [204.210.32.55]) by hub.freebsd.org (Postfix) with ESMTP id 9507037B491 for ; Thu, 22 Feb 2001 08:45:23 -0800 (PST) (envelope-from DougB@gor.com)
Received: from gor.com (Studded@master [10.0.0.2]) by dt051n37.san.rr.com (8.9.3/8.9.3) with ESMTP id IAA12430; Thu, 22 Feb 2001 08:41:55 -0800 (PST) (envelope-from DougB@gor.com)
Message-ID: <3A954152.C7887C3@gor.com>
Date: Thu, 22 Feb 2001 08:41:54 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mikel King
Cc: Doug Barton , Adam Laurie , Nick Sayer , freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk> <3A93C2FB.3E160997@ocsinternet.com> <3A94AE05.965BC5E4@gorean.org> <3A9526AA.19D00D47@ocsinternet.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mikel King wrote:
>
> rc.conf.local and rc.local were deprecated around the release of 4.x.

Don't be silly. Both are fully supported, and there is no plan to remove support at any time in the future (and I will vigorously oppose any plan to do so). The only thing that has actually changed is that the system no longer ships with an rc.local file installed.

Doug
--
"Pain heals. Chicks dig scars. Glory . . . lasts forever."
-- Keanu Reeves as Shane Falco in "The Replacements"

Do YOU Yahoo!?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 10: 4:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id ED07137B491 for ; Thu, 22 Feb 2001 10:04:14 -0800 (PST) (envelope-from dima@unixfreak.org)
Received: from hornet.unixfreak.org (hornet [63.198.170.140]) by bazooka.unixfreak.org (Postfix) with ESMTP id 48FF63E09; Thu, 22 Feb 2001 10:04:12 -0800 (PST)
To: Peter Pentchev
Cc: security@FreeBSD.org
Subject: Re: [OT] ssh.com SSH 2.0.13 - OpenSSH interoperability problem
In-Reply-To: Message from Peter Pentchev of "Thu, 22 Feb 2001 17:43:39 +0200." <20010222174339.F440@ringworld.oblivion.bg>
Date: Thu, 22 Feb 2001 10:04:12 -0800
From: Dima Dorfman
Message-Id: <20010222180412.48FF63E09@bazooka.unixfreak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> OK, so I'll admit that I might not have been RTFM'ing enough, but..
> Are OpenSSH and ssh.com's SSH DSA public keys compatible? I have

OpenSSH has an option to export DSA public keys in a format ssh2 would understand. From ssh-keygen(1):

     -x      This option will read a private OpenSSH DSA format file and
             print a SSH2-compatible public key to stdout.

Hope this helps

Dima Dorfman
dima@unixfreak.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 10:32:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ashburn.skiltech.com (ashburn.skiltech.com [216.235.79.239]) by hub.freebsd.org (Postfix) with ESMTP id D1AD837B4EC for ; Thu, 22 Feb 2001 10:32:33 -0800 (PST) (envelope-from minter@ashburn.skiltech.com)
Received: (from minter@localhost) by ashburn.skiltech.com (8.11.1/8.11.1) id f1MIWWX68164; Thu, 22 Feb 2001 13:32:32 -0500 (EST) (envelope-from minter)
Date: Thu, 22 Feb 2001 13:32:32 -0500 (EST)
From: "H. Wade Minter"
X-X-Sender:
To:
Subject: Best way for one-way DNS traffic
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My gateway box is running a name server for my home network. Internal clients point to the gateway box for DNS service, and the gateway goes out and resolves DNS queries.

I've also got an ipfw firewall on the gateway. What I'd like to do is make it so internal DNS works like it should, but nobody on the outside should be able to connect to port 53.sadm@unired.net.pe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 10:37:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.ruhr.de (in-ruhr4.ruhr.de [212.23.134.2]) by hub.freebsd.org (Postfix) with SMTP id 2787937B401 for ; Thu, 22 Feb 2001 10:37:11 -0800 (PST) (envelope-from ue@nathan.ruhr.de)
Received: (qmail 24482 invoked by uid 10); 22 Feb 2001 18:37:10 -0000
Received: (from ue@localhost) by nathan.ruhr.de (8.11.2/8.11.2) id f1MIbPF78409 for freebsd-security@FreeBSD.org; Thu, 22 Feb 2001 19:37:25 +0100 (CET) (envelope-from ue)
Date: Thu, 22 Feb 2001 19:37:25 +0100
From: Udo Erdelhoff
To: freebsd-security@FreeBSD.org
Subject: Re: [OT] ssh.com SSH 2.0.13 - OpenSSH interoperability problem
Message-ID: <20010222193725.J71432@nathan.ruhr.de>
Mail-Followup-To: freebsd-security@FreeBSD.org
References: <20010222180412.48FF63E09@bazooka.unixfreak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010222180412.48FF63E09@bazooka.unixfreak.org>; from dima@unixfreak.org on Thu, Feb 22, 2001 at 10:04:12AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 22, 2001 at 10:04:12AM -0800, Dima Dorfman wrote:
> -x      This option will read a private OpenSSH DSA format file and
                                  ^^^^^^^
>         print a SSH2-compatible public key to stdout.
                                  ^^^^^^

Duh? Shouldn't that be "reads a public OpenSSH" and "public key"?

/s/Udo
--
The first rule of system administration: Always put your best foot forward; straight into the groin of anyone who stands in your way

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 10:37:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.ruhr.de (in-ruhr4.ruhr.de [212.23.134.2]) by hub.freebsd.org (Postfix) with SMTP id 2B29837B491 for ; Thu, 22 Feb 2001 10:37:12 -0800 (PST) (envelope-from ue@nathan.ruhr.de)
Received: (qmail 24476 invoked by uid 10); 22 Feb 2001 18:37:09 -0000
Received: (from ue@localhost) by nathan.ruhr.de (8.11.2/8.11.2) id f1MIZ7Z78395 for freebsd-security@FreeBSD.org; Thu, 22 Feb 2001 19:35:07 +0100 (CET) (envelope-from ue)
Date: Thu, 22 Feb 2001 19:35:07 +0100
From: Udo Erdelhoff
Cc: freebsd-security@FreeBSD.org
Subject: Re: [OT] ssh.com SSH 2.0.13 - OpenSSH interoperability problem
Message-ID: <20010222193506.I71432@nathan.ruhr.de>
References: <20010222174339.F440@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010222174339.F440@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Feb 22, 2001 at 05:43:39PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 22, 2001 at 05:43:39PM +0200, Peter Pentchev wrote:
> OK, so I'll admit that I might not have been RTFM'ing enough, but..
> Are OpenSSH and ssh.com's SSH DSA public keys compatible?

The keys are compatible, the storage format is different. You'll have to convert it with ssh-keygen. -x should do the trick.

/s/Udo
--
"God gave them the ability to reproduce...
...Science gave us the hope they won't." -KBK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 10:57:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 3A67337B4EC for ; Thu, 22 Feb 2001 10:57:19 -0800 (PST) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f1MIvG088922; Thu, 22 Feb 2001 13:57:20 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Thu, 22 Feb 2001 13:57:16 -0500 (EST)
From: Rob Simmons
To: "H. Wade Minter"
Cc:
Subject: Re: Best way for one-way DNS traffic
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

man 5 named.conf

look in the options section.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 22 Feb 2001, H. Wade Minter wrote:

> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.sadm@unired.net.pe
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 22 11: 1:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 87CA937B4EC for ; Thu, 22 Feb 2001 11:01:06 -0800 (PST) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f1MJ1Jj89181; Thu, 22 Feb 2001 14:01:19 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Thu, 22 Feb 2001 14:01:19 -0500 (EST)
From: Rob Simmons
To: "H. Wade Minter"
Subject: Re: Best way for one-way DNS traffic

The "cricket book" on DNS and Bind by Albitz & Liu is another good place to
look for information on running bind.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 22 Feb 2001, H. Wade Minter wrote:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.sadm@unired.net.pe

From owner-freebsd-security Thu Feb 22 11:06:20 2001
Date: Thu, 22 Feb 2001 14:06:16 -0500 (EST)
From: "H. Wade Minter"
Subject: [OOPS] Re: Best way for one-way DNS traffic

I had postponed this message in pine, but got a case of happy fingers and
accidentally sent it. Feel free to disregard.

--Wade

On Thu, 22 Feb 2001, H. Wade Minter wrote:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.sadm@unired.net.pe

From owner-freebsd-security Thu Feb 22 11:07:16 2001
Message-Id: <200102221907.MAA57960@h-209-91-79-2.gen.cadvision.com>
Date: Thu, 22 Feb 2001 12:07:01 -0700 (MST)
From: "Geoffrey T. Falk"
Subject: Re: Best way for one-way DNS traffic
To: "H. Wade Minter"
Cc: freebsd-security@FreeBSD.ORG

On 22 Feb, H. Wade Minter wrote:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.sadm@unired.net.pe

Set up your DNS as a forwarder to your upstream provider's nameserver.
Block all inbound traffic on UDP port 53, except from your ISP's
nameserver. Set up your local zone files also.

This still leaves you open to DoS from someone forging your upstream
provider's IP address. But by blocking source routed packets you can
ensure that nobody else can query your nameserver.

g.
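Added example (not from the thread, not Geoffrey's or anyone else's code): a small sh script that writes out the forward-only named.conf fragment and the ipfw rules described in the reply above, plus a check that the kernel is not honouring source-routed packets. The addresses, interface name and sample sysctl output are constructed placeholders; the sysctl names and ipfw keywords are FreeBSD's.

```shell
#!/bin/sh
# Added example: helpers for the "forward-only resolver on the gateway" setup.
# All addresses, the interface name and the sysctl sample are constructed.

# Print a BIND 8 named.conf options block: forward every query to the
# upstream nameserver and answer only the gateway itself and the LAN.
#   $1 = upstream (ISP) nameserver, $2 = internal network in CIDR form
named_forward_options() {
    cat <<EOF
options {
        directory "/etc/namedb";
        forward only;
        forwarders { $1; };
        // second line of defence behind the ipfw rules
        allow-query { 127.0.0.1; $2; };
};
EOF
}

# Print ipfw rules (one per line, suitable for "ipfw /path/to/rulefile"):
# drop source-routed packets, accept port-53 traffic on the outside
# interface only from the upstream server, and log and drop every other
# attempt to reach port 53 from outside. A packet forged with the upstream
# server's address still passes rule 1010; that is the residual risk the
# reply above points out.
#   $1 = upstream nameserver, $2 = external interface, $3 = gateway's own address
ipfw_dns_rules() {
    printf '%s\n' \
        "add 1000 deny log ip from any to any ipoptions ssrr,lsrr" \
        "add 1010 allow udp from $1 53 to $3 in via $2" \
        "add 1011 allow tcp from $1 53 to $3 established in via $2" \
        "add 1020 deny log udp from any to any 53 in via $2" \
        "add 1021 deny log tcp from any to any 53 in via $2"
}

# Audit helper: given the text that "sysctl net.inet.ip" prints, succeed only
# when both source-routing sysctls are present and set to 0.
#   $1 = sysctl output, one "name: value" pair per line
check_sourceroute() {
    printf '%s\n' "$1" | awk -F'[: ]+' '
        $1 == "net.inet.ip.sourceroute" || $1 == "net.inet.ip.accept_sourceroute" {
            seen++
            if ($2 != 0) bad++
        }
        END { exit !(seen == 2 && bad == 0) }'
}

# Demo with constructed values; on the gateway itself, feed the real
# "sysctl net.inet.ip" output to check_sourceroute instead.
named_forward_options 192.0.2.53 192.168.1.0/24
ipfw_dns_rules 192.0.2.53 ed0 198.51.100.7
if check_sourceroute "net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0"; then
    echo "source routing is disabled in the kernel"
else
    echo "WARNING: set net.inet.ip.sourceroute=0 and net.inet.ip.accept_sourceroute=0"
fi
```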
From owner-freebsd-security Thu Feb 22 11:08:27 2001
Message-Id: <200102221908.f1MJ8NY42653@bmah-freebsd-0.cisco.com>
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sudo version 1.6.3p6 now available (fwd)
In-Reply-To: <200102221627.f1MGRk149151@cwsys.cwsent.com>
References: <200102221627.f1MGRk149151@cwsys.cwsent.com>
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.ORG
Date: Thu, 22 Feb 2001 11:08:23 -0800

If memory serves me right, Cy Schubert - ITSD Open Systems Group wrote:
> As I don't have time to submit a PR for the sudo port morning, I'm
> sending this to -security.

[snip]

> Sudo version 1.6.3p6 is now available (ftp sites listed at the end).
> This fixes a *buffer overflow* in sudo which is a potential security
> problem. I don't know of any exploits that currently exist but I
> suggest that you upgrade none the less.

Someone already updated the version in the ports tree:

bmah-freebsd-0:bmah% pkg_version -v | grep sudo
sudo-1.6.3.6                        =   up-to-date with port

Cheers,

Bruce.
From owner-freebsd-security Thu Feb 22 11:14:19 2001
Date: Thu, 22 Feb 2001 11:14:16 -0800 (PST)
From: John F Cuzzola
To: freebsd-security@FreeBSD.ORG
Subject: Source routing

Quick question. I have a FreeBSD NAT firewall and I want to make sure that
source routed packets are not honored. Do these sysctl settings do the
trick?

net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0

or should I block them specifically with an ipfw + options rule? I want the
FreeBSD firewall not to accept source route packets either coming in or
going out.

Thanks in advance :)

From owner-freebsd-security Thu Feb 22 11:15:06 2001
Date: Thu, 22 Feb 2001 14:14:59 -0500
From: Chris Faulhaber
To: "Bruce A. Mah"
Cc: Cy Schubert - ITSD Open Systems Group, freebsd-security@FreeBSD.ORG
Subject: Re: Sudo version 1.6.3p6 now available (fwd)
Message-ID: <20010222141459.A70502@peitho.fxp.org>
References: <200102221627.f1MGRk149151@cwsys.cwsent.com> <200102221908.f1MJ8NY42653@bmah-freebsd-0.cisco.com>
In-Reply-To: <200102221908.f1MJ8NY42653@bmah-freebsd-0.cisco.com>; from bmah@FreeBSD.ORG on Thu, Feb 22, 2001 at 11:08:23AM -0800

On Thu, Feb 22, 2001 at 11:08:23AM -0800, Bruce A. Mah wrote:
> If memory serves me right, Cy Schubert - ITSD Open Systems Group wrote:
> > As I don't have time to submit a PR for the sudo port morning, I'm
> > sending this to -security.
>
> [snip]
>
> > Sudo version 1.6.3p6 is now available (ftp sites listed at the end).
> > This fixes a *buffer overflow* in sudo which is a potential security
> > problem. I don't know of any exploits that currently exist but I
> > suggest that you upgrade none the less.
>
> Someone already updated the version in the ports tree:
>
> bmah-freebsd-0:bmah% pkg_version -v | grep sudo
> sudo-1.6.3.6                        =   up-to-date with port
>

Though the commit message is confusing:

    Update to 1.6.3p5

-- 
Chris D.
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Feb 22 11:22:53 2001
Message-Id: <4.3.2.7.2.20010222211944.00b41350@nol.co.za>
Date: Thu, 22 Feb 2001 21:23:26 +0200
To: "Geoffrey T. Falk"
From: "Timothy S. Bowers"
Subject: Re: Best way for one-way DNS traffic
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200102221907.MAA57960@h-209-91-79-2.gen.cadvision.com>

>"Set up your DNS as a forwarder to your upstream provider's nameserver."

Let's say 196.25.1.1 was your upstream provider; would you configure it
like this:

forwarders { 196.25.1.1; };

..and I guess if you are hosting reverse IP lookup entries and other domain
names you can't do this, can you?

At 12:07 PM 2/22/01 -0700, Geoffrey T. Falk wrote:
>On 22 Feb, H. Wade Minter wrote:
> > My gateway box is running a name server for my home network. Internal
> > clients point to the gateway box for DNS service, and the gateway goes out
> > and resolves DNS queries.
> >
> > I've also got an ipfw firewall on the gateway. What I'd like to do is
> > make it so internal DNS works like it should, but nobody on the outside
> > should be able to connect to port 53.sadm@unired.net.pe
>
>Set up your DNS as a forwarder to your upstream provider's nameserver.
>Block all inbound traffic on UDP port 53, except from your ISP's
>nameserver. Set up your local zone files also.
>
>This still leaves you open to DoS from someone forging your upstream
>provider's IP address. But by blocking source routed packets you can
>ensure that nobody else can query your nameserver.
>
>g.
From owner-freebsd-security Thu Feb 22 11:46:43 2001
Message-Id: <200102221946.f1MJkb643414@bmah-freebsd-0.cisco.com>
To: Chris Faulhaber
Cc: "Bruce A. Mah", Cy Schubert - ITSD Open Systems Group, freebsd-security@FreeBSD.ORG
Subject: Re: Sudo version 1.6.3p6 now available (fwd)
In-Reply-To: <20010222141459.A70502@peitho.fxp.org>
References: <200102221627.f1MGRk149151@cwsys.cwsent.com> <200102221908.f1MJ8NY42653@bmah-freebsd-0.cisco.com> <20010222141459.A70502@peitho.fxp.org>
From: bmah@FreeBSD.ORG (Bruce A. Mah)
Reply-To: bmah@FreeBSD.ORG
Date: Thu, 22 Feb 2001 11:46:37 -0800

If memory serves me right, Chris Faulhaber wrote:
> Though the commit message is confusing:
>
>     Update to 1.6.3p5

Yeah, there was a follow-up message to cvs-all after this happened. It
confused me too.

Bruce.

From owner-freebsd-security Thu Feb 22 12:38:24 2001
Message-Id: <3A9578A6.000055.93744@frodo.searchcanada.ca>
To: Cy.Schubert@uumail.gov.bc.ca
Subject: Re: Bind problems
Cc: freebsd-security@FreeBSD.ORG
From: "Michael Richards"
Date: Thu, 22 Feb 2001 15:37:58 -0500 (EST)

Hi.

Within minutes of discovering that the version of bind was compromised, it
was shut down and an onsite person booted the system from a disk and ran
tripwire. Nothing odd. I've been monitoring via the firewall and paying
close attention to that machine and there is nothing out of the ordinary
going on with it. I have a feeling that people were trying a linux specific
exploit and that was merely causing bind to crash.

-Michael

> I wouldn't be surprised if your system has already been hacked.
> 8.2.3-REL has fixed all known (to ISC) security holes. All
> previous versions of BIND are vulnerable. If I (taking my
> manager's hat off and putting my security officer's hat on) were
> you I'd do the prudent thing, which is to verify the system was
> not already hacked or otherwise consider the system suspect until
> I can prove it otherwise.

_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Feb 22 13:22:00 2001
Date: Thu, 22 Feb 2001 15:22:55 -0600 (CST)
From: Marc Rassbach
To: Michael Richards
Cc: Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
In-Reply-To: <3A9578A6.000055.93744@frodo.searchcanada.ca>

Or, you may have been running -u bind -g bind and that works to keep the
lid on things. (Unless the security team knows that -u -g on bind 8
doesn't help.)

On Thu, 22 Feb 2001, Michael Richards wrote:
> Hi.
>
> Within minutes of discovering that the version of bind was
> compromised, it was shut down and an onsite person booted the system
> from a disk and ran tripwire. Nothing odd. I've been monitoring via
> the firewall and paying close attention to that machine and there is
> nothing out of the ordinary going on with it. I have a feeling that
> people were trying a linux specific exploit and that was merely
> causing bind to crash.
>
> -Michael
>
> > I wouldn't be surprised if your system has already been hacked.
> > 8.2.3-REL has fixed all known (to ISC) security holes. All
> > previous versions of BIND are vulnerable. If I (taking my
> > manager's hat off and putting my security officer's hat on) were
> > you I'd do the prudent thing, which is to verify the system was
> > not already hacked or otherwise consider the system suspect until
> > I can prove it otherwise.
>
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Feb 22 13:38:15 2001
Date: Thu, 22 Feb 2001 13:38:08 -0800
From: "Crist J. Clark"
To: Udo Erdelhoff
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [OT] ssh.com SSH 2.0.13 - OpenSSH interoperability problem
Message-ID: <20010222133808.J89396@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <20010222180412.48FF63E09@bazooka.unixfreak.org> <20010222193725.J71432@nathan.ruhr.de>
In-Reply-To: <20010222193725.J71432@nathan.ruhr.de>; from ue@nathan.ruhr.de on Thu, Feb 22, 2001 at 07:37:25PM +0100

On Thu, Feb 22, 2001 at 07:37:25PM +0100, Udo Erdelhoff wrote:
> On Thu, Feb 22, 2001 at 10:04:12AM -0800, Dima Dorfman wrote:
> > -x    This option will read a private OpenSSH DSA format file and
>                               ^^^^^^^
> >       print a SSH2-compatible public key to stdout.
>                       ^^^^^^
>
> Duh? Shouldn't that be "reads a public OpenSSH" and "public key"?

No.
-- 
Crist J.
Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Thu Feb 22 13:39:37 2001
Message-ID: <14997.34720.863814.315334@C126508-B.rchdsn1.tx.home.com>
In-Reply-To: <20010222174339.F440@ringworld.oblivion.bg>
References: <20010222174339.F440@ringworld.oblivion.bg>
Reply-To: Jonathan Dunfee
From: "Jonathan D. Dunfee"
To: Peter Pentchev
Cc: jdunfee@acm.org
Subject: [OT] ssh.com SSH 2.0.13 - OpenSSH interoperability problem
Date: Thu, 22 Feb 2001 15:41:52 -0600 (CST)

I forgot to CC the security list with this reply to Peter Pentchev's
question.... I believe CC'ing is correct for responses to this list?

Jon

=====

Peter,

I'm not sure trying to "share" config files between OpenSSH and SSH is a
good thing. I think it will only lead to heartache. I keep the two
separate. Here's what I do to go from an OpenSSH box to an SSH server
(>2.2.0):

On OpenSSH side: (we'll call this machine openssh_host.home.net; we'll call
the commercial machine commssh.work.net)

1) Generate an OpenSSH pub/private key with ssh-keygen:

   example$ ssh-keygen -d -f commssh_host

   This will create a private key called commssh_host and a public key
   called commssh_host.pub. I like to have my keys called by hostname to
   help keep them straight.

2) Create an SSH compatible key:

   example$ ssh-keygen -f commssh_host -x > commssh_host_SSH.pub

   The file commssh_host_SSH.pub contains the key for SSH.

3) In your ${HOME}/.ssh dir create a file called config with a
   specification to use this key pair for the remote host. Here is an
   example from my home FreeBSD box:

   example$ cat config
   Host *
       ForwardAgent no
       ForwardX11 yes
       FallBackToRsh no
       Protocol 2
       Cipher blowfish
       UsePrivilegedPort no
       Port 22

   # use special key for this site
   # i always use IP's but hostnames are fine too.
   Host 33.33.33.33
       IdentityFile2 commssh_host

   example$ ls -l config
   -rw-r--r--  1 jdunfee  jdunfee  214 Feb 22 14:54 config

4) Somehow move the commssh_host_SSH.pub to the remote host running
   commercial SSH (commssh.work.net).

On commercial SSH side: (all the following assume "UserConfigDirectory" is
${HOME}/.ssh2)

1) Move remote_host_SSH.pub to ${HOME}/.ssh2. I move the file from
   commssh_host_SSH.pub to the name of the machine I'll be coming from.
   I realize this means two file names for the same file on different
   machines, but I like to keep things in perspective of the machine I'm
   currently on. So, I do:

   example$ mv commssh_host_SSH.pub openssh_host.home.net.pub

2) Now add a line to ${HOME}/.ssh2/authorization so the key is recognized:

   example$ echo "Key openssh_host.home.net.pub" >> authorization

3) That's it (I think). You're now ready to go. (assuming everything else
   is okay with the SSH server).

Note that if you're trying to run both on the same machine, SSH uses
/etc/ssh2 and ${HOME}/.ssh2 by default and OpenSSH uses /etc/ssh and
${HOME}/.ssh by default. Even on machines where I have both installed, I
keep these separate entities. There are enough subtle and not so subtle
differences between the two that trying to share files (even soft links)
can make life confusing.

You might want to check out http://www.openssh.com/faq.html. There are
some items listed here you'll want to be aware of.

Hope this helps,

Jon

Peter Pentchev writes:
> OK, so I'll admit that I might not have been RTFM'ing enough, but..
> Are OpenSSH and ssh.com's SSH DSA public keys compatible? I have
> a public key, generated by OpenSSH's ssh-keygen -d, and it works fine
> when connecting to an OpenSSH server. However, with an ssh.com's SSH
> server, I have the following in my ~/.ssh2/authorization file:
> Key /home/roam/.ssh/authorized_keys2
>
> ..and /home/roam/.ssh/authorized_keys2 is the public portion of the key
> (one line, starting with ssh-dss, ending with roam@ringworld.oblivion.bg)
>
> And yet..
>
> debug: authentications that can continue: publickey,password
> debug: next auth method to try is publickey
> debug: try pubkey: /usr/home/roam/.ssh/id_dsa
> debug: read DSA private key done
> debug: sig size 20 20
> debug: datafellows
> debug: we sent a publickey packet, wait for reply
> debug: authentications that can continue: publickey,password
>
> ..and it asks me for a password.
> Is there something more I need to do?
>
> G'luck,
> Peter
>
> --
> This would easier understand fewer had omitted.

-- 
Jonathan D. Dunfee
jdunfee@acm.org

From owner-freebsd-security Thu Feb 22 13:44:12 2001
Date: Thu, 22 Feb 2001 13:43:55 -0800
From: "Crist J. Clark"
To: Cy Schubert - ITSD Open Systems Group
Cc: Michael Richards, freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
Message-ID: <20010222134355.K89396@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A947710.000009.60978@frodo.searchcanada.ca> <200102221507.f1MF7iX45138@cwsys.cwsent.com>
In-Reply-To: <200102221507.f1MF7iX45138@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Feb 22, 2001 at 07:07:24AM -0800

On Thu, Feb 22, 2001 at 07:07:24AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> In message <3A947710.000009.60978@frodo.searchcanada.ca>, "Michael Richards" writes:
> > Since the big BIND vulnerability, I checked all my versions of BIND
> > to make sure they weren't the 8.2.2 variety. None were.
> >
> > Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
> > Which is not supposed to be vulnerable.
>
> I wouldn't be surprised if your system has already been hacked.
> 8.2.3-REL has fixed all known (to ISC) security holes. All previous
> versions of BIND are vulnerable.

Not precisely true. See everyone's favorite ISC page for the details,

  http://www.isc.org/products/BIND/bind-security.html

-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Thu Feb 22 13:44:22 2001
Date: Thu, 22 Feb 2001 02:32:33 -0600
From: Christopher Farley
To: freebsd-security@freebsd.org
Subject: Bind TSIG exploit
Message-ID: <20010222023233.A629@northernbrewer.com>
Organization: Northern Brewer, St. Paul, MN

This is what I get for not subscribing to freebsd-security (until now):

On Feb 7, named dumped core (running bind 8.2.3 beta). I didn't catch it
until recently. While searching the archives, I came across information on
the well-known bind vulnerabilities. My non-technical armchair analysis of
the core dump indicates the TSIG exploit (based on the presence of ';; TSIG
invalid (%s)' at the top of the core file -- how's that for non-technical?).

Is there any way to analyze the core dump to find out what 'arbitrary code'
may have been executed? I've taken the usual steps to detect a root
compromise, but found nothing obvious. I've upgraded named to 8.2.3-REL,
but I'm guessing I should decommission and rebuild the server as a
precaution... unless I can be convinced this is not necessary.

There have been a couple of messages in recent days on -questions about
named dumping core, so I suspect this vulnerability is being widely
exploited at present. Congratulations if you patched the hole two or three
weeks ago, you escaped...
-----------------

I don't know if this is interesting or not:

# strings - named.core | head -45
FreeBSD
FreeBSD
833333
FreeBSD
named
named
/home
/home
/var/mail
/dev
/var/spool
/usr/tmp
/tmp
/var/log/lastlog
/var/log/wtmp
/var/log/messages
/dev/random
mtime->tv_usec >= 0 && mtime->tv_usec < 1000000
/usr/src/lib/libbind/../../contrib/bind/lib/dst/prandom.c
/proc/
$Id: res_update.c,v 1.24 1999/10/15 19:49:12 vixie Exp $
res_findzonecut failed (%d)
malloc failed
res_mkupdrec failed
res_mkupdate -> %d
res_nsend: send error, n=%d (%s)
;; res_nupdate:
HMAC-MD5.SIG-ALG.REG.INT
;; TSIG invalid (%s)
;; TSIG ok
;; res_query(%s, %d, %d)
;; res_query: mkquery failed
;; res_query: send error
;; rcode = %d, ancount=%d
;; res_nquerydomain(%s, %s, %d, %d)
%s.%s
HOSTALIASES
/etc/networks
/etc/hosts
getservent
getservbyname
%s %s
getservbyport
%d %s
setservent
setservent failed: %s

-- 
Christopher Farley
www.northernbrewer.com

From owner-freebsd-security Thu Feb 22 13:47:07 2001
Date: Thu, 22 Feb 2001 13:47:03 -0800
From: Kris Kennaway
To: Marc Rassbach
Cc: Michael Richards, Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
Message-ID: <20010222134703.A7745@mollari.cthul.hu>
References: <3A9578A6.000055.93744@frodo.searchcanada.ca>
In-Reply-To: from marc@milestonerdl.com on Thu, Feb 22, 2001 at 03:22:55PM -0600

On Thu, Feb 22, 2001 at 03:22:55PM -0600, Marc Rassbach wrote:
> Or, you may have been running -u bind -g bind and that works to keep the
> lid on things. (Unless the security team knows that -u -g on bind 8
> doesn't help.)

Well, it doesn't really help, because it still gives the attacker an
account on your system, which they can use to bootstrap to root if you
have an unpatched local root hole.

Even running in a chroot or jail only goes so far, because they can
still run arbitrary code on the system as that user and use it to e.g.
launch DDoS attacks, run an rc5des client, you name it :)

Kris

Date: Thu, 22 Feb 2001 13:50:04 -0800
From: Kris Kennaway
To: Christopher Farley
Cc: freebsd-security@freebsd.org
Subject: Re: Bind TSIG exploit
Message-ID: <20010222135004.A7884@mollari.cthul.hu>
In-Reply-To: <20010222023233.A629@northernbrewer.com>

On Thu, Feb 22, 2001 at 02:32:33AM -0600, Christopher Farley wrote:
> On Feb 7, named dumped core (running bind 8.2.3 beta). I didn't catch it
> until recently. While searching the archives, I came across information
> on the well-known bind vulnerabilities.

Subscribe to one of the mailing lists where FreeBSD security advisories
get distributed, and you would have found this out weeks ago and saved
yourself a possible root compromise.

> My non-technical armchair analysis of the core dump indicates the
> TSIG exploit (based on the presence of ';; TSIG invalid (%s)' at the
> top of the core file -- how's that for non-technical?).

Well, that's probably just an error string from the binary, not an
indication of state.

> Is there any way to analyze the core dump to find out what 'arbitrary
> code' may have been executed? I've taken the usual steps to detect

You'd need to use the usual debugging gdb magic. It's certainly possible
but beyond the scope of this message :-)

> a root compromise, but found nothing obvious. I've upgraded named
> to 8.2.3-REL, but I'm guessing I should decommission and rebuild
> the server as a precaution... unless I can be convinced this is not
> necessary.
Safest to treat it as compromised and do a full rebuild, then take the
lesson and subscribe to security-notifications and be more reactive in
future :-)

Kris

Message-Id: <200102222330.f1MNU7e64567@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Kris Kennaway
Cc: Marc Rassbach, Michael Richards, Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
In-reply-to: Your message of "Thu, 22 Feb 2001 13:47:03 PST." <20010222134703.A7745@mollari.cthul.hu>
Date: Thu, 22 Feb 2001 15:29:48 -0800

In message <20010222134703.A7745@mollari.cthul.hu>, Kris Kennaway writes:
> On Thu, Feb 22, 2001 at 03:22:55PM -0600, Marc Rassbach wrote:
> > Or, you may have been running -u bind -g bind and that works to keep the
> > lid on things. (Unless the security team knows that -u -g on bind 8
> > doesn't help.)
>
> Well, it doesn't really help, because it still gives the attacker an
> account on your system, which they can use to bootstrap to root if you
> have an unpatched local root hole.
>
> Even running in a chroot or jail only goes so far, because they can
> still run arbitrary code on the system as that user and use it to
> e.g. launch DDoS attacks, run an rc5des client, you name it :)

I think you can mitigate or even eliminate that possibility. First,
make all files and directories in the chrooted environment writable by
root only, except for named's log directory and the directory it places
its named.pid file in. Next, union or nullfs mount with the noexec option
the directories where all of the named logs and pid file are written.

The worst that could happen is that the intruder could fill your disk.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

Message-Id: <200102230059.f1N0xIp65074@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: "H. Wade Minter"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best way for one-way DNS traffic
In-reply-to: Your message of "Thu, 22 Feb 2001 13:32:32 EST."
Date: Thu, 22 Feb 2001 16:58:17 -0800

In message , "H. Wade Minter" writes:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.

Stateful firewall and forwarding options in named (forwarding to limit
your exposure to a few hosts, your ISP's name servers, on the Internet).
Run named as a non-privileged user (-u -g), chroot (-t). Make sure that
the named user cannot write to any file or directory in the chroot
environment except for /var/run and /var/log. Mount noexec /var/log
using nullfs or unionfs with -r option to restrict execution of binaries
in your chroot environment.

Other things you should do are install tripwire and monitor your logs
religiously.
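An audit for the write-permission rule in the two messages above, added here as an example (it is neither Cy Schubert's code nor anything shipped with FreeBSD): a POSIX shell function that lists every path inside a named chroot that the named uid or gid could write to, skipping the directories that are meant to be writable. The chroot root, the user and group (names or numeric ids), and the list of allowed directories are assumed arguments; the noexec mounts mentioned above are not checked by it.

```sh
#!/bin/sh
# Added example (not from the thread): audit a named chroot for paths the
# named user could write to.  The rule being checked is that nothing inside
# the chroot should be writable by the named uid/gid except the log and pid
# directories (e.g. var/log and var/run, relative to the chroot root).
#
# Usage: audit_named_chroot ROOT USER GROUP [ALLOWED_DIR ...]
#   ROOT         chroot directory (e.g. /var/named) - assumed
#   USER/GROUP   user and group named runs as (names or numeric ids)
#   ALLOWED_DIR  directories, relative to ROOT, that may be writable
# Prints one ROOT-relative path per line for every writable path that is
# not under an allowed directory; prints nothing when the chroot is clean.

audit_named_chroot() {
    root=$1 user=$2 group=$3
    shift 3
    allowed=$*
    # A path is writable by the named user when it is owned by that user
    # with the owner-write bit set, owned by its group with the group-write
    # bit set, or world-writable.  With no explicit action, find applies
    # -print to the whole expression.
    find "$root" \( -user "$user" -perm -0200 \) -o \
                 \( -group "$group" -perm -0020 \) -o \
                 -perm -0002 |
    while IFS= read -r p; do
        rel=${p#"$root"}
        rel=${rel#/}
        [ -n "$rel" ] || rel=.
        skip=0
        for d in $allowed; do
            case "$rel" in
                "$d" | "$d"/*) skip=1 ;;
            esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Returns 0 when the chroot is clean, 1 when at least one stray writable
# path was found (handy for a cron job or a post-install check).
named_chroot_is_clean() {
    [ -z "$(audit_named_chroot "$@")" ]
}

if [ "$#" -ge 3 ]; then
    audit_named_chroot "$@"
fi
```

Run it as root so that find can descend into every directory of the chroot; a non-empty listing names the paths whose ownership or mode needs fixing.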
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

Message-Id: <4.2.2.20010222202121.03d64948@marble.sentex.net>
Date: Thu, 22 Feb 2001 20:24:18 -0500
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
Cc: gshapiro@freebsd.org

Is this a LINUX specific thing, or Sendmail in general ??

>Date: Thu, 22 Feb 2001 14:09:35 -0800
>Reply-To: security@TURBOLINUX.COM
>From: security@TURBOLINUX.COM
>Subject: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>___________________________________________________________________________
>
>                    TurboLinux Security Announcement
>
>        Vulnerable Packages: All versions previous to 8.11.2-5
>        Date: 02/21/2001 5:00 PDT
>
>        Affected TurboLinux versions: TL 6.1 WorkStation,
>                                      All TurboLinux versions 6.0.5 and earlier
>
>        TurboLinux Advisory ID#:  TLSA2001003-1
>
>        Credits: Vulnerability discovered by Michal Zalewski
>                 of the Internet for Schools project (IdS).
>___________________________________________________________________________
>
>A security hole was discovered in the package mentioned above.
>Please update the package in your installation as soon as possible.
>___________________________________________________________________________
>
>1. Problem Summary
>
>   Sendmail, launched with the -bt command-line switch, enters its special
>   "address test" mode. Under these conditions, it is vulnerable to a
>   segmentation fault which can occur when trying to set a class in
>   address test mode due to a negative array index.
>
>2. Impact
>
>   A user can gain root privileges.
>
>3. Solution
>
>   Update the package from our ftp server by running the following command:
>
>   rpm -Uvh ftp_path_to_filename
>
>   Where ftp_path_to_filename is the following:
>
>   ftp://ftp.turbolinux.com/pub/updates/6.0/security/sendmail-8.11.2-5.i386.rpm
>
>   The source RPM can be downloaded here:
>
>   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/sendmail-8.11.2-5.src.rpm
>
>   **Note: You must rebuild and install the RPM if you choose to download
>   and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
>   THE SECURITY HOLE.
>
>   Please verify the MD5 checksums of the updates before you install:
>
>   MD5 sum                           Package Name
>---------------------------------------------------------------------------
>38eee0653839595aedad386cc8d2346f  sendmail-8.11.2-5.i386.rpm
>cfe857414b7e3cdbf658a898bd592b71  sendmail-8.11.2-5.src.rpm
>___________________________________________________________________________
>
>These packages are GPG signed by TurboLinux for security. Our key
>is available here:
>
>   http://www.turbolinux.com/security/tlgpgkey.asc
>
>To verify a package, use the following command:
>
>   rpm --checksig name_of_rpm
>
>To examine only the md5sum, use the following command:
>
>   rpm --checksig --nogpg name_of_rpm
>
>**Note: Checking GPG keys requires RPM 3.0 or higher.
>
>___________________________________________________________________________
>You can find more updates on our ftp server:
>
>   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation
>   and Server security updates
>   ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation
>   and Server security updates
>
>Our webpage for security announcements:
>
>   http://www.turbolinux.com/security
>
>If you want to report vulnerabilities, please contact:
>
>   security@turbolinux.com
>___________________________________________________________________________
>
>Subscribe to the TurboLinux Security Mailing lists:
>
>   TL-security - A moderated list for discussing security issues in
>   TurboLinux products.
>   Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
>
>   TL-security-announce - An announce-only mailing list for security updates
>   and alerts.
>   Subscribe at:
>
>   http://www.turbolinux.com/mailman/listinfo/tl-security-announce

--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Network Administration,                       mike@sentex.net
Sentex Communications                         www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike

Date: Thu, 22 Feb 2001 17:36:32 -0800 (PST)
From: Doug Barton
To: Cy Schubert - ITSD Open Systems Group
Cc: Michael Richards
Subject: Re: Bind problems
In-Reply-To: <200102221507.f1MF7iX45138@cwsys.cwsent.com>

On Thu, 22 Feb 2001, Cy Schubert - ITSD Open Systems Group wrote:

> In message <3A947710.000009.60978@frodo.searchcanada.ca>, "Michael
> Richards" writes:
> > Since the big BIND vulnerability, I checked all my versions of BIND
> > to make sure they weren't the 8.2.2 variety. None were.
> >
> > Most returned: named 8.2.3-T6B Thu Nov 23 19:00:06 EST 2000
> > Which is not supposed to be vulnerable.

Any BIND 8 other than 8.2.3-REL *IS* vulnerable. No one (ISC, FreeBSD,
etc.) has ever said any different.

> If I (taking my manager's hat off and
> putting my security officer's hat on) were you I'd do the prudent
> thing, which is to verify the system was not already hacked or
> otherwise consider the system suspect until I can prove it otherwise.

It's impossible to prove that a system connected to a network has not
been hacked. If you have even a reasonable suspicion that a machine is
compromised you should assume it is and proceed accordingly.

Doug
--
"Pain heals. Chicks dig scars. Glory . . . lasts forever."
        -- Keanu Reeves as Shane Falco in "The Replacements"

Do YOU Yahoo!?
Message-ID: <14997.48988.504211.466384@horsey.gshapiro.net>
Date: Thu, 22 Feb 2001 17:39:40 -0800
From: Gregory Neil Shapiro
To: Mike Tancsa
Cc: security@freebsd.org
Subject: Re: Fwd: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
In-Reply-To: <4.2.2.20010222202121.03d64948@marble.sentex.net>

>>>>> "mike" == Mike Tancsa writes:

mike> Is this a LINUX specific thing, or Sendmail in general ??

>> TurboLinux Advisory ID#:  TLSA2001003-1

>> 1. Problem Summary
>>
>> Sendmail, launched with the -bt command-line switch, enters its special
>> "address test" mode. Under these conditions, it is vulnerable to a
>> segmentation fault which can occur when trying to set a class in
>> address test mode due to a negative array index.

First, that was *fixed* in 8.11.2, not vulnerable in 8.11.2:

8.11.2/8.11.2   2000/12/29
        Prevent a segmentation fault when trying to set a class in address
        test mode due to a negative array index.  Audit other array
        indexing.  This bug is not believed to be exploitable.  Noted by
        Michal Zalewski of the "Internet for Schools" project (IdS).

>> 2. Impact
>>
>> A user can gain root privileges.

Second, it does not give you any privileges at all, even in the version
that has the bug.  The original reporter, Michal Zalewski, even
acknowledges this fact.  I wonder where TurboLinux gets their information.
Message-Id: <4.2.2.20010222204523.03d6ef90@marble.sentex.net>
Date: Thu, 22 Feb 2001 20:48:58 -0500
To: Gregory Neil Shapiro
From: Mike Tancsa
Subject: Re: Fwd: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
Cc: security@FreeBSD.ORG
In-Reply-To: <14997.48988.504211.466384@horsey.gshapiro.net>

At 05:39 PM 2/22/2001 -0800, Gregory Neil Shapiro wrote:
> >>>>> "mike" == Mike Tancsa writes:
>
>mike> Is this a LINUX specific thing, or Sendmail in general ??
>
> >> TurboLinux Advisory ID#:  TLSA2001003-1
>
> >> 1. Problem Summary
> >>
> >> Sendmail, launched with the -bt command-line switch, enters its special
> >> "address test" mode. Under these conditions, it is vulnerable to a
> >> segmentation fault which can occur when trying to set a class in
> >> address test mode due to a negative array index.
>
>First, that was *fixed* in 8.11.2, not vulnerable in 8.11.2:

Thanks for the quick response!  The way it was worded, it claimed all
versions of sendmail were vulnerable :-(

> >> 2. Impact
> >>
> >> A user can gain root privileges.
>
>Second, it does not give you any privileges at all, even in the version
>that has the bug.  The original reporter, Michal Zalewski, even
>acknowledges this fact.  I wonder where TurboLinux gets their information.

I thought this looked familiar from a while back.  Thanks again for
quickly settling the issue!
---Mike
--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Network Administration,                       mike@sentex.net
Sentex Communications                         www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike

Date: Thu, 22 Feb 2001 19:28:05 -0800
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
Message-ID: <20010222192805.A12575@mollari.cthul.hu>
References: <20010222134703.A7745@mollari.cthul.hu> <200102222330.f1MNU7e64567@cwsys.cwsent.com>
In-Reply-To: <200102222330.f1MNU7e64567@cwsys.cwsent.com>

On Thu, Feb 22, 2001 at 03:29:48PM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> > Even running in a chroot or jail only goes so far, because they can
> > still run arbitrary code on the system as that user and use it to
> > e.g. launch DDoS attacks, run an rc5des client, you name it :)
>
> I think you can mitigate or even eliminate that possibility. First,
> make all files and directories in the chrooted environment writable by
> root only, except for named's log directory and the directory it places
> its named.pid file in. Next, union or nullfs mount with the noexec option
> the directories where all of the named logs and pid file are written.
>
> The worst that could happen is that the intruder could fill your disk.

No, they still get the ability to run arbitrary code because they
compromise a running process and take over its execution context. The
attacker just needs to upload the code into the process's memory space,
instead of loading it from disk.
Kris

Message-Id: <4.2.2.20010222223209.03bb2600@marble.sentex.net>
Date: Thu, 22 Feb 2001 22:33:09 -0500
To: Kris Kennaway
From: Mike Tancsa
Subject: Re: Bind problems
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20010222192805.A12575@mollari.cthul.hu>

At 07:28 PM 2/22/2001 -0800, Kris Kennaway wrote:
> >
> > The worst that could happen is that the intruder could fill your disk.
>
>No, they still get the ability to run arbitrary code because they
>compromise a running process and take over its execution context. The

But only as the non root UID though right ?

---Mike
--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Network Administration,                       mike@sentex.net
Sentex Communications                         www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike

Date: Thu, 22 Feb 2001 19:36:25 -0800
From: Kris Kennaway
To: Mike Tancsa
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
Message-ID: <20010222193625.A12797@mollari.cthul.hu>
In-Reply-To: <4.2.2.20010222223209.03bb2600@marble.sentex.net>

On Thu, Feb 22, 2001 at 10:33:09PM -0500, Mike Tancsa wrote:
> At 07:28 PM 2/22/2001 -0800, Kris Kennaway wrote:
> > >
> > > The worst that could happen is that the intruder could fill your disk.
> >
> >No, they still get the ability to run arbitrary code because they
> >compromise a running process and take over its execution context. The
>
> But only as the non root UID though right ?

In the absence of an accessible userland or kernel root hole, yes. E.g.
if you had old versions of procfs (i.e. prior to the advisory from a few
months ago) available to the environment of the bind process they could
get kernel privileges and completely take over the machine, sans any
restrictions.
Kris

Date: Thu, 22 Feb 2001 23:27:49 -0500 (EST)
From: Rob Simmons
Subject: RIPEMD-160

I am interested in changing the libcrypt links to point to RIPEMD-160
libs. I looked in the source, and I noticed that there are a set of MD
based algorithm libs in src/lib/libmd. Is there a way to get these to
work when libcrypt is linked to them? I tried just linking to the three
files like you would to the DES or MD5 libs, but it failed.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

Date: Thu, 22 Feb 2001 20:35:26 -0800
From: Kris Kennaway
To: Rob Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: RIPEMD-160
Message-ID: <20010222203526.A13606@mollari.cthul.hu>

On Thu, Feb 22, 2001 at 11:27:49PM -0500, Rob Simmons wrote:
> I am interested in changing the libcrypt links to point to RIPEMD-160
> libs. I looked in the source, and I noticed that there are a set of MD
> based algorithm libs in src/lib/libmd. Is there a way to get these to
> work when libcrypt is linked to them? I tried just linking to the three
> files like you would to the DES or MD5 libs, but it failed.

Well, it's of course not this simple - you would have to modify the
libcrypt code. But IMO there's no justification for doing this - MD5
passwords aren't known to be insecure in any way.
Kris --opJtzjQTFsWo+cga Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6leiOWry0BWjoQKURAuBFAKC0332sslUaa2N3zqYLZHiv86XyuACg+CPO GC0C4vBKJdlGretcvRIjdLU= =0TX7 -----END PGP SIGNATURE----- --opJtzjQTFsWo+cga-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 22 23:13:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 4EEAB37B491 for ; Thu, 22 Feb 2001 23:13:18 -0800 (PST) (envelope-from wes@softweyr.com) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14WCa0-0000fP-00; Fri, 23 Feb 2001 00:23:52 -0700 Message-ID: <3A961008.5EF9D154@softweyr.com> Date: Fri, 23 Feb 2001 00:23:52 -0700 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Peter Pentchev Cc: George.Giles@mcmail.vanderbilt.edu, freebsd-security@freebsd.org Subject: Re: Bind vulnerability References: <20010222172509.E440@ringworld.oblivion.bg> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Pentchev wrote: > > On Thu, Feb 22, 2001 at 09:22:03AM -0600, George.Giles@mcmail.vanderbilt.edu wrote: > > The bind vulnerability has been fixed in 4.2-current ? > > There is no such thing as 4.2-current. 4.2 is a place, -CURRENT is a direction. The latest (several) bind vulnerability(s) existed in 4.2, but have been fixed in -CURRENT (only for system developers, quite scary and unstable) and -STABLE (useful for real work). > The BIND vulnerability has been fixed in 4.2-STABLE, yes. Technically, -STABLE is a direction also. But the bind vulnerability(s) are fixed in -STABLE. Read the handbook about using cvsup. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 3:38:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.neophile.net (neophile.net [195.224.237.7]) by hub.freebsd.org (Postfix) with ESMTP id 0C24637B401 for ; Fri, 23 Feb 2001 03:38:36 -0800 (PST) (envelope-from slamdunk@neophile.net) Received: from host213-123-155-233.btopenworld.com ([213.123.155.233] helo=celly.neophile.net) by mail.neophile.net with esmtp (Exim 3.15 #1) id 14WGRG-000DS6-00 for freebsd-security@freebsd.org; Fri, 23 Feb 2001 11:31:07 +0000 Message-Id: <4.3.2.7.2.20010223113706.00cedb10@pop3.neophile.net> X-Sender: slamdunk@pop3.neophile.net X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 23 Feb 2001 11:38:26 +0000 To: freebsd-security@freebsd.org 
From: slamdunk
Subject: weird login attempt
In-Reply-To: <20010201014819.H675@riget.scene.pl>
References: <200101312123.f0VLNL134920@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can anyone identify what this might be?

Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[

Jerry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 23 3:45: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 5A16E37B6D3 for ; Fri, 23 Feb 2001 03:44:57 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id IAA94132; Fri, 23 Feb 2001 08:46:59 -0300 (ART)
From: Fernando Schapachnik
Message-Id: <200102231146.IAA94132@ns1.via-net-works.net.ar>
Subject: Re: weird login attempt
In-Reply-To: <4.3.2.7.2.20010223113706.00cedb10@pop3.neophile.net> "from slamdunk at Feb 23, 2001 11:38:26 am"
To: slamdunk
Date: Fri, 23 Feb 2001 08:46:59 -0300 (ART)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, slamdunk wrote:
> Can anyone identify what this might be?

Somebody laying their hand over the keyboard :)

>
> Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 23 3:50:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id D4D4D37B4EC for ; Fri, 23 Feb 2001 03:50:39 -0800 (PST) (envelope-from roam@orbitel.bg)
Received: (qmail 8831 invoked by uid 1000); 23 Feb 2001 11:48:43 -0000
Date: Fri, 23 Feb 2001 13:48:43 +0200
From: Peter Pentchev
To: Fernando Schapachnik
Cc: slamdunk , freebsd-security@FreeBSD.ORG
Subject: Re: weird login attempt
Message-ID: <20010223134843.H1899@ringworld.oblivion.bg>
Mail-Followup-To: Fernando Schapachnik , slamdunk , freebsd-security@FreeBSD.ORG
References: <4.3.2.7.2.20010223113706.00cedb10@pop3.neophile.net> <200102231146.IAA94132@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102231146.IAA94132@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Fri, Feb 23, 2001 at 08:46:59AM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> In an earlier message, slamdunk wrote:
> > Can anyone identify what this might be?
>
> Somebody laying their hand over the keyboard :)
>
> >
> > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[

Those are probably F-keys or similar. ^[[S is F7, ^[[J is probably something
around the numeric keypad.

G'luck,
Peter

--
If you think this sentence is confusing, then change one pig.
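An added example, not code from any poster in this thread: it parses login(1) failure records of the shape quoted above, treats the third syslog field as the reporting host (here www), decodes the trailing user field from syslogd's caret notation and splits it into CSI escape sequences, and classifies the tty name, so a responder can tell keystrokes at the syscons console (ttyv0) from a network login on a pseudo-tty. The record layout, the caret-notation convention and the FreeBSD tty naming are assumptions stated in the comments.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the four syslog lines quoted in the thread.
SAMPLE_LOG = """\
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
"""

# Assumed record layout: "Mon DD HH:MM:SS host login: N LOGIN FAILURE[S] ON tty[, user]".
# The third syslog field is the host that reported the event, not a user name.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) login: "
    r"(?P<count>\d+) LOGIN FAILURES? ON (?P<tty>[^,\s]+)(?:, (?P<user>.*))?$"
)


def parse_login_failure(line: str) -> Optional[Dict]:
    """Fields of one login(1) failure record, or None for any other syslog line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def decode_carets(text: str) -> bytes:
    """Undo syslogd's caret notation: '^[' is ESC (0x1b), '^?' is DEL, '^X' is X xor 0x40."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text) and "?" <= text[i + 1] <= "_":
            out.append(0x7F if text[i + 1] == "?" else ord(text[i + 1]) ^ 0x40)
            i += 2
        else:
            out.extend(text[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def split_escape_sequences(data: bytes) -> List[str]:
    """Name each escape: 'CSI <params><final>' for ESC [ ... sequences, 'ESC' for a bare one."""
    seqs: List[str] = []
    i = 0
    while i < len(data):
        if data[i] != 0x1B:
            i += 1
            continue
        if i + 1 < len(data) and data[i + 1] == 0x5B:  # ESC [ opens a CSI sequence
            j = i + 2
            while j < len(data) and 0x20 <= data[j] <= 0x3F:  # parameter bytes
                j += 1
            if j < len(data) and 0x40 <= data[j] <= 0x7E:  # final byte
                seqs.append("CSI " + data[i + 2 : j + 1].decode("ascii"))
                i = j + 1
                continue
        seqs.append("ESC")  # lone or truncated escape, like the trailing ^[ in the sample
        i += 1
    return seqs


def tty_class(tty: str) -> str:
    """ttyv* is a syscons virtual console; tty[p-sP-S]* (later pts/*) is a pseudo-tty."""
    if tty.startswith("ttyv"):
        return "console"
    if tty.startswith(tuple("tty" + c for c in "pqrsPQRS") + ("pts/",)):
        return "pseudo-tty"
    return "other"


def analyse(log_text: str) -> List[Dict]:
    """Group failures per (host, tty) and judge whether they look like console keystrokes."""
    groups: Dict[tuple, Dict] = {}
    for line in log_text.splitlines():
        ev = parse_login_failure(line)
        if ev is None:
            continue
        g = groups.setdefault((ev["host"], ev["tty"]), {
            "host": ev["host"], "tty": ev["tty"], "class": tty_class(ev["tty"]),
            "failures": 0, "seconds": set(), "sequences": [], "control_chars": False})
        g["failures"] += 1
        g["seconds"].add(ev["ts"])
        if ev["user"] is not None:
            raw = decode_carets(ev["user"])
            g["sequences"].extend(split_escape_sequences(raw))
            g["control_chars"] |= any(b < 0x20 or b == 0x7F for b in raw)
    for g in groups.values():
        g["seconds"] = sorted(g["seconds"])
        g["burst"] = g["failures"] >= 3 and len(g["seconds"]) == 1  # several in one second
        if g["class"] == "console" and g["control_chars"]:
            g["verdict"] = "function/cursor keys typed at the console login prompt"
        elif g["class"] == "pseudo-tty":
            g["verdict"] = "network login failure; correlate with the remote address"
        else:
            g["verdict"] = "login failure; no keystroke evidence in the record"
    return list(groups.values())
```

Run over the sample, the single group is the console ttyv0 on host www with four failures in one second and twelve decoded escape sequences, which is the evidence for the physical-keyboard explanation rather than a network login.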
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 5:43:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 1190737B4EC for ; Fri, 23 Feb 2001 05:43:29 -0800 (PST) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f1NDhhx15072; Fri, 23 Feb 2001 08:43:43 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Fri, 23 Feb 2001 08:43:43 -0500 (EST) 
From: Rob Simmons
To: Kris Kennaway
Cc:
Subject: Re: RIPEMD-160
In-Reply-To: <20010222203526.A13606@mollari.cthul.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I figured, after looking at it, that it would require some changes to the
code. The reason I want to do this is for the multi-user boxes that I
have. I would like to use a 160-bit algorithm that is not known to be
insecure. Another reason is that most of the common password cracking
programs support MD5, DES, etc. Confusing script kiddies is always fun.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 22 Feb 2001, Kris Kennaway wrote:

> Well, it's of course not this simple - you would have to modify the
> libcrypt code. But IMO there's no justification for doing this - MD5
> passwords aren't known to be insecure in any way.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 23 9:13:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (Postfix) with ESMTP id D44F237B491; Fri, 23 Feb 2001 09:13:15 -0800 (PST) (envelope-from kuku@gilberto.physik.rwth-aachen.de)
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.9.3/8.9.3) id SAA45796; Fri, 23 Feb 2001 18:13:13 +0100 (CET) (envelope-from kuku)
Date: Fri, 23 Feb 2001 18:13:13 +0100 (CET)
From: Christoph Kukulies
Message-Id: <200102231713.SAA45796@gilberto.physik.rwth-aachen.de>
To: torstenb@freebsd.org
Subject: ssh 1.2.31 - patch
Cc: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thorsten,

have you heard of the sshd security hole recently?
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D161448%26start%3D2001-02%2520-04%26list%3D1%26fromthread%3D0%26threads%3D0%26end%3D2001-02-10%26

It would be nice to have the patch in ports and packages pre-applied.

Thanks.

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 23 9:19:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id E5A4C37B491 for ; Fri, 23 Feb 2001 09:19:30 -0800 (PST) (envelope-from roam@orbitel.bg)
Received: (qmail 22090 invoked by uid 1000); 23 Feb 2001 17:17:34 -0000
Date: Fri, 23 Feb 2001 19:17:34 +0200
From: Peter Pentchev
To: Christoph Kukulies
Cc: torstenb@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ssh 1.2.31 - patch
Message-ID: <20010223191734.F827@ringworld.oblivion.bg>
Mail-Followup-To: Christoph Kukulies , torstenb@freebsd.org, freebsd-security@freebsd.org
References: <200102231713.SAA45796@gilberto.physik.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102231713.SAA45796@gilberto.physik.rwth-aachen.de>; from kuku@gilberto.physik.rwth-aachen.de on Fri, Feb 23, 2001 at 06:13:13PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 23, 2001 at 06:13:13PM +0100, Christoph Kukulies wrote:
>
> Thorsten,
>
> have you heard of the sshd security hole recently?
> http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D161448%26start%3D2001-02%2520-04%26list%3D1%26fromthread%3D0%26threads%3D0%26end%3D2001-02-10%26
>
> It would be nice to have the patch in ports and packages pre-applied.

I think those were already fixed on Feb 09 by Kris Kennaway, in
files/patch-ay and files/patch-az for the security/ssh port.

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 23 10:29:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 43FC837B401 for ; Fri, 23 Feb 2001 10:29:33 -0800 (PST) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f1NITqx29043 for ; Fri, 23 Feb 2001 13:29:54 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Fri, 23 Feb 2001 13:29:52 -0500 (EST)
From: Rob Simmons To: Subject: openssh 2.5.1 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What are the plans for updating openssh in the core OS to version 2.5.1? Robert Simmons Systems Administrator http://www.wlcg.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 10:55:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.neophile.net (neophile.net [195.224.237.7]) by hub.freebsd.org (Postfix) with ESMTP id 8418B37B69D for ; Fri, 23 Feb 2001 10:55:18 -0800 (PST) (envelope-from slamdunk@neophile.net) Received: from host213-123-155-233.btopenworld.com ([213.123.155.233] helo=celly.neophile.net) by mail.neophile.net with esmtp (Exim 3.15 #1) id 14WNFs-000E3E-00 for freebsd-security@FreeBSD.ORG; Fri, 23 Feb 2001 18:47:48 +0000 Message-Id: <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net> X-Sender: slamdunk@pop3.neophile.net X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 23 Feb 2001 18:55:13 +0000 To: freebsd-security@FreeBSD.ORG 
From: slamdunk
Subject: Re: weird login attempt
In-Reply-To: <20010223134843.H1899@ringworld.oblivion.bg>
References: <200102231146.IAA94132@ns1.via-net-works.net.ar> <4.3.2.7.2.20010223113706.00cedb10@pop3.neophile.net> <200102231146.IAA94132@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nope, it won't be either of these - the box is in a locked cabinet in our
datacenter.

Ah well, seems this will remain a mystery

Jerry

At 13:48 23/02/2001 +0200, you wrote:
>On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > In an earlier message, slamdunk wrote:
> > > Can anyone identify what this might be?
> >
> > Somebody laying their hand over the keyboard :)
> >
> > >
> > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
>
>Those are probably F-keys or similar. ^[[S is F7, ^[[J is probably something
>around the numeric keypad.
>
>G'luck,
>Peter
>
>--
>If you think this sentence is confusing, then change one pig.
> >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 11: 2:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.lta.lviv.ua (fire.lta.link.lviv.ua [194.44.202.145]) by hub.freebsd.org (Postfix) with SMTP id CF77A37B401 for ; Fri, 23 Feb 2001 11:02:23 -0800 (PST) (envelope-from pwr@postoffice.lta.lviv.ua) Received: (qmail 67031 invoked from network); 23 Feb 2001 19:02:19 -0000 Received: from postoffice.lta.link.lviv.ua (HELO postoffice.lta.lviv.ua) (194.44.202.145) by mail.lta.link.lviv.ua with SMTP; 23 Feb 2001 19:02:19 -0000 Received: (qmail 75935 invoked by uid 204); 23 Feb 2001 19:02:18 -0000 Received: from pwr@postoffice.lta.lviv.ua by fs with qmail-scanner-0.93 (. Clean. Processed in 1.065421 secs); 23/02/2001 21:02:17 Date: 23 Feb 2001 21:02:17 +0200 Date: Fri, 23 Feb 2001 21:02:17 +0200 (EET) 
From: Wolodymyr Protsaylo X-Sender: pwr@fs.academy.lviv.ua Cc: freebsd-security@FreeBSD.ORG Subject: Re: weird login attempt In-Reply-To: <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org unsubscribe freebsd-security _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ Wolodymyr Protsaylo email: UNIX System Administrator phone/fax: +380 (322) 769545 Lviv Theological Academy _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 11: 9: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168]) by hub.freebsd.org (Postfix) with SMTP id 89F1E37B4EC for ; Fri, 23 Feb 2001 11:08:59 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 18789 invoked by alias); 23 Feb 2001 19:07:51 -0000 Received: from unknown (HELO sirmoobert) (137.99.158.30) by d156h168.resnet.uconn.edu with SMTP; 23 Feb 2001 19:07:51 -0000 Message-ID: <000d01c09dcc$4504b700$1e9e6389@137.99.156.23> 
From: "Peter C. Lai"
To: , "slamdunk"
References: <200102231146.IAA94132@ns1.via-net-works.net.ar> <4.3.2.7.2.20010223113706.00cedb10@pop3.neophile.net> <200102231146.IAA94132@ns1.via-net-works.net.ar> <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net>
Subject: Re: weird login attempt
Date: Fri, 23 Feb 2001 14:10:22 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If someone tried to telnet in, and at the password prompt they just pressed
some keys (and of course in telnet, before the session termcap is
established, all "funky" keys such as the arrows and the function keys will
return escape sequences), and then if they used ^] (or the escape sequence)
and then quit, you'd get that. I can replicate that easily. Since almost all
my logins are via ssh, sshd will report this, but if it happens to be a
telnet session, login will report this.

----- Original Message -----
From: "slamdunk"
To:
Sent: Friday, February 23, 2001 1:55 PM
Subject: Re: weird login attempt

> Nope, it won't be either of these - the box is in a locked cabinet in our
> datacenter.
>
> Ah well, seems this will remain a mystery
>
> Jerry
>
> At 13:48 23/02/2001 +0200, you wrote:
> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > In an earlier message, slamdunk wrote:
> > > > Can anyone identify what this might be?
> > >
> > > Somebody laying their hand over the keyboard :)
> > >
> > > >
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> >
> >Those are probably F-keys or similar. ^[[S is F7, ^[[J is probably something
> >around the numeric keypad.
> >
> >G'luck,
> >Peter
> >
> >--
> >If you think this sentence is confusing, then change one pig.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 23 11:17:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-57.dsl.lsan03.pacbell.net [63.207.60.57]) by hub.freebsd.org (Postfix) with ESMTP id 58F5537B503; Fri, 23 Feb 2001 11:17:48 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0A4AF66F83; Fri, 23 Feb 2001 11:17:47 -0800 (PST)
Date: Fri, 23 Feb 2001 11:17:47 -0800
From: Kris Kennaway
To: Christoph Kukulies
Cc: torstenb@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ssh 1.2.31 - patch
Message-ID: <20010223111747.A72526@mollari.cthul.hu>
References: <200102231713.SAA45796@gilberto.physik.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="17pEHd4RhPHOinZp"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102231713.SAA45796@gilberto.physik.rwth-aachen.de>; from kuku@gilberto.physik.rwth-aachen.de on Fri, Feb 23, 2001 at 06:13:13PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--17pEHd4RhPHOinZp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Feb 23, 2001 at 06:13:13PM +0100, Christoph Kukulies wrote:
>
> Thorsten,
>
> have you heard of the sshd security hole recently?
> http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D161448%26start%3D2001-02%2520-04%26list%3D1%26fromthread%3D0%26threads%3D0%26end%3D2001-02-10%26
>
> It would be nice to have the patch in ports and packages pre-applied.

See the freebsd security advisory of a few weeks ago - the port has
already been fixed.
Kris --17pEHd4RhPHOinZp Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6lrdbWry0BWjoQKURAlSYAKCKgTwUfDvj59D4vmpG/4pDGikAGACgtrAE TpHY4z89B8fs7D/qRaER2AQ= =4xD9 -----END PGP SIGNATURE----- --17pEHd4RhPHOinZp-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 11:19:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-57.dsl.lsan03.pacbell.net [63.207.60.57]) by hub.freebsd.org (Postfix) with ESMTP id 06AE437B491 for ; Fri, 23 Feb 2001 11:19:27 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id CE4B866F92; Fri, 23 Feb 2001 11:19:26 -0800 (PST) Date: Fri, 23 Feb 2001 11:19:26 -0800 
From: Kris Kennaway To: "Peter C. Lai" Cc: freebsd-security@FreeBSD.ORG, slamdunk Subject: Re: weird login attempt Message-ID: <20010223111926.B72526@mollari.cthul.hu> References: <200102231146.IAA94132@ns1.via-net-works.net.ar> <4.3.2.7.2.20010223113706.00cedb10@pop3.neophile.net> <200102231146.IAA94132@ns1.via-net-works.net.ar> <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net> <000d01c09dcc$4504b700$1e9e6389@137.99.156.23> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="K8nIJk4ghYZn606h" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000d01c09dcc$4504b700$1e9e6389@137.99.156.23>; from sirmoo@cowbert.2y.net on Fri, Feb 23, 2001 at 02:10:22PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --K8nIJk4ghYZn606h Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Feb 23, 2001 at 02:10:22PM -0500, Peter C. Lai wrote: > if someone tried to telnet in, and at the password prompt, they just pressed > some keys and of course in telnet, before the session termcap is Except that the login was on the system console. Someone pressed some arrow/function keys on the system keyboard and pressed enter. 
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, > > > ^[[S^[[J^[[J^[[J^[[~^[ > > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, > > > ^[[S^[[J^[[J^[[J^[[~^[ Kris --K8nIJk4ghYZn606h Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6lre+Wry0BWjoQKURAlAtAKDUNOIum+hMxNobbY5Tdf2WU+CqQgCgiy2e H/1DH22eG0J8geYKK7m73+c= =n+Hp -----END PGP SIGNATURE----- --K8nIJk4ghYZn606h-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 11:43:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtppop2pub.verizon.net (smtppop2pub.gte.net [206.46.170.21]) by hub.freebsd.org (Postfix) with ESMTP id 3B07D37B491 for ; Fri, 23 Feb 2001 11:43:24 -0800 (PST) (envelope-from res03db2@gte.net) Received: from gte.net (evrtwa1-ar4-4-34-145-186.dsl.gtei.net [4.34.145.186]) by smtppop2pub.verizon.net with ESMTP ; id NAA92574558 Fri, 23 Feb 2001 13:43:23 -0600 (CST) Received: (from res03db2@localhost) by gte.net (8.9.3/8.9.3) id LAA24335; Fri, 23 Feb 2001 11:42:45 -0800 (PST) (envelope-from res03db2@gte.net) Date: Fri, 23 Feb 2001 11:42:45 -0800 
From: Robert Clark
To: slamdunk
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: weird login attempt
Message-ID: <20010223114245.A24302@darkstar.gte.net>
References: <200102231146.IAA94132@ns1.via-net-works.net.ar> <4.3.2.7.2.20010223113706.00cedb10@pop3.neophile.net> <200102231146.IAA94132@ns1.via-net-works.net.ar> <20010223134843.H1899@ringworld.oblivion.bg> <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net>; from slamdunk@neophile.net on Fri, Feb 23, 2001 at 06:55:13PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Failing keyboard controller? Flaky keyboard?

Condensation? A mouse loose in the cabinet?

[RC]

On Fri, Feb 23, 2001 at 06:55:13PM +0000, slamdunk wrote:
> Nope, it won't be either of these - the box is in a locked cabinet in our
> datacenter.
>
> Ah well, seems this will remain a mystery
>
> Jerry
>
> At 13:48 23/02/2001 +0200, you wrote:
> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > In an earlier message, slamdunk wrote:
> > > > Can anyone identify what this might be?
> > >
> > > Somebody laying their hand over the keyboard :)
> > >
> > > >
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> >
> >Those are probably F-keys or similar. ^[[S is F7, ^[[J is probably something
> >around the numeric keypad.
> >
> >G'luck,
> >Peter
> >
> >--
> >If you think this sentence is confusing, then change one pig.
> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 11:45:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from cartman.cisp.cc (mail.cisp.cc [63.174.69.7]) by hub.freebsd.org (Postfix) with ESMTP id 567BB37B4EC for ; Fri, 23 Feb 2001 11:44:57 -0800 (PST) (envelope-from aaron@cisp.cc) Received: by cartman.cisp.cc with Internet Mail Service (5.5.2650.21) id ; Fri, 23 Feb 2001 14:40:41 -0500 Message-ID: 
From: Aaron Weiker
To: freebsd-security@FreeBSD.ORG
Subject: RE: weird login attempt
Date: Fri, 23 Feb 2001 14:40:41 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C09DD0.810D3A20"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Poltergeist

--------------------------------------------
Failing keyboard controller? Flaky keyboard?

Condensation? A mouse loose in the cabinet?

[RC]

On Fri, Feb 23, 2001 at 06:55:13PM +0000, slamdunk wrote:
> Nope, it won't be either of these - the box is in a locked cabinet in our
> datacenter.
>
> Ah well, seems this will remain a mystery
>
> Jerry
>
> At 13:48 23/02/2001 +0200, you wrote:
> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > In an earlier message, slamdunk wrote:
> > > > Can anyone identify what this might be?
> > >
> > > Somebody laying their hand over the keyboard :)
> > >
> > > >
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> >
> >Those are probably F-keys or similar. ^[[S is F7, ^[[J is probably something
> >around the numeric keypad.
> >
> >G'luck,
> >Peter
> >
> >--
> >If you think this sentence is confusing, then change one pig.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 23 11:48:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from uno.tksoft.com (dsl-hki1-94.dial.inet.fi [213.28.168.94]) by hub.freebsd.org (Postfix) with ESMTP id 42FB337B503 for ; Fri, 23 Feb 2001 11:48:03 -0800 (PST) (envelope-from tjk@tksoft.com)
Received: (from tjk@tksoft.com) by uno.tksoft.com (8.8.8/8.8.8) id KAA17044 for freebsd-security@FreeBSD.ORG; Fri, 23 Feb 2001 10:51:38 -0800
Received: (from tjk@tksoft.com) by uno.tksoft.com (8.8.8/8.8.8) id KAA16516; Fri, 23 Feb 2001 10:33:04 -0800
From: "tjk@tksoft.com"
Message-Id: <200102231833.KAA16516@uno.tksoft.com>
Subject: Re: weird login attempt
To: slamdunk@neophile.net (slamdunk)
Date: Fri, 23 Feb 2001 10:33:04 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net> from "slamdunk" at Feb 23, 2001 06:55:13 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jerry,

Since the user is www, is it possible that the login was attempted
through the web server? I.e. do you have your web server running under
the username www?

One theoretical possibility would be that someone was able to execute a
cgi which tried to login to the system. The ttyv0 indicates a local
login, not a networked (pseudo tty) login. If the cgi exec'ed code which
attached to ttyv0, then this would seem consistent.

Might be a good idea to see your web access logs for that particular
moment in time and see if some cgi was called just then.

Troy

>
> Nope, it won't be either of these - the box is in a locked cabinet in our
> datacenter.
> > Ah well, seems this will remain a mystery > > Jerry > > At 13:48 23/02/2001 +0200, you wrote: > >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote: > > > En un mensaje anterior, slamdunk escribio: > > > > Can anyone identify what this might be? > > > > > > Somebody laying its hand over the keyboard :) > > > > > > > > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0 > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0 > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, > > ^[[S^[[J^[[J^[[J^[[~^[ > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, > > ^[[S^[[J^[[J^[[J^[[~^[ > > > >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something > >around the numeric keypad. > > > >G'luck, > >Peter > > > >-- > >If you think this sentence is confusing, then change one pig. > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 12: 7:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp11.singnet.com.sg (smtp11.singnet.com.sg [165.21.6.31]) by hub.freebsd.org (Postfix) with ESMTP id 4F09137B4EC; Fri, 23 Feb 2001 12:07:48 -0800 (PST) (envelope-from spades@galaxynet.org) Received: from bryan (ad202.166.107.215.magix.com.sg [202.166.107.215]) by smtp11.singnet.com.sg (8.11.2/8.11.2) with SMTP id f1NK7e701634; Sat, 24 Feb 2001 04:07:40 +0800 (SGT) Message-Id: <3.0.32.20010224041623.01593650@smtp.magix.com.sg> X-Sender: spades@smtp.magix.com.sg X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 24 Feb 2001 04:16:23 +0800 To: freebsd-security@freebsd.org From: Spades Subject: Re: passwd problem Cc: questions@freebsd.org Mime-Version: 1.0 
Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org # passwd Warning: configuration file missing; please run 'tconf' Unable to update EPS password. Password changed. How do i reinstall passwd or fix this? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 23 12:16:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from boyle.physics.purdue.edu (boyle.physics.purdue.edu [128.210.146.197]) by hub.freebsd.org (Postfix) with ESMTP id 7475D37B491 for ; Fri, 23 Feb 2001 12:16:38 -0800 (PST) (envelope-from will@physics.purdue.edu) Received: (from will@localhost) by boyle.physics.purdue.edu (8.11.2/8.11.1) id f1NK9KK08079; Fri, 23 Feb 2001 15:09:20 -0500 (EST) (envelope-from will@physics.purdue.edu) X-Authentication-Warning: boyle.physics.purdue.edu: will set sender to will@physics.purdue.edu using -f Date: Fri, 23 Feb 2001 15:09:20 -0500 From: Will Andrews To: Rob Simmons Cc: freebsd-security@FreeBSD.ORG Subject: Re: openssh 2.5.1 Message-ID: <20010223150920.C7948@boyle.physics.purdue.edu> Reply-To: Will Andrews References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from rsimmons@wlcg.com on Fri, Feb 23, 2001 at 01:29:52PM -0500 X-Operating-System: FreeBSD 5.0-CURRENT i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 23, 2001 at 01:29:52PM -0500, Rob Simmons wrote: > What are the plans for updating openssh in the core OS to version 2.5.1? As near as I can tell, 2.5.1 breaks certain things, like TIS auth. It will probably be some time before current gets 2.5.x. 
-- 
wca

From owner-freebsd-security Fri Feb 23 12:36:49 2001
From: "James"
To: freebsd-security@FreeBSD.ORG
Date: Fri, 23 Feb 2001 20:36:33 GMT
Subject: Re: weird login attempt
Message-ID: <20010223203633.14006.qmail@mail.oregonfast.net>
In-Reply-To: <200102231833.KAA16516@uno.tksoft.com>

www is the short hostname of the box that the logs came from.

tjk@tksoft.com writes:
> Jerry,
>
> Since the user is www, is it possible that the login
> was attempted through the web server? I.e. do you have
> your web server running under the username www?
>
> One theoretical possibility would be that someone
> was able to execute a cgi which tried to login
> to the system.
>
> The ttyv0 indicates a local login, not a networked
> (pseudo tty) login. If the cgi exec'ed code which
> attached to ttyv0, then this would seem consistent.
>
> Might be a good idea to see your web access logs for
> that particular moment in time and see if some cgi
> was called just then.
>
> Troy

From owner-freebsd-security Fri Feb 23 16:26: 0 2001
From: Dima Ruban
To: "tjk@tksoft.com"
Cc: slamdunk , freebsd-security@FreeBSD.ORG
Date: Fri, 23 Feb 2001 12:05:45 -0800
Subject: Re: weird login attempt
Message-ID: <20010223120545.A7058@sivka.rdy.com>
In-Reply-To: <200102231833.KAA16516@uno.tksoft.com>; from tjk@tksoft.com on Fri, Feb 23, 2001 at 10:33:04AM -0800

Look at the logs. www is the name of the machine, not the user name.

On Fri, Feb 23, 2001 at 10:33:04AM -0800, tjk@tksoft.com wrote:
> Jerry,
>
> Since the user is www, is it possible that the login
> was attempted through the web server? I.e. do you have
> your web server running under the username www?
>
> One theoretical possibility would be that someone
> was able to execute a cgi which tried to login
> to the system.
>
> The ttyv0 indicates a local login, not a networked
> (pseudo tty) login. If the cgi exec'ed code which
> attached to ttyv0, then this would seem consistent.
>
> Might be a good idea to see your web access logs for
> that particular moment in time and see if some cgi
> was called just then.
>
> Troy

-- 
dima

From owner-freebsd-security Fri Feb 23 22: 9:54 2001
From: Robert Watson
To: Christopher Farley
Cc: freebsd-security@freebsd.org
Date: Sat, 24 Feb 2001 01:09:42 -0500 (EST)
Subject: Re: Bind TSIG exploit
In-Reply-To: <20010222023233.A629@northernbrewer.com>

On Thu, 22 Feb 2001, Christopher Farley wrote:

> My non-technical armchair analysis of the core dump indicates the TSIG
> exploit (based on the presence of ';; TSIG invalid (%s)' at the top of
> the core file -- how's that for non-technical?).

A coredump generally corresponds with a failed attempt to exploit a bug
present -- a successful exploit will not result in the process being killed
and dumped, instead it generally results in a /bin/sh with I/O bound to the
socket. However, that doesn't mean that you weren't compromised: the
unsuccessful compromise could be a result of using an exploit targeted at
another operating system and/or hardware platform (probably Linux or
Solaris, as those are popular targets), or it could be the result of an
incorrect offset being used when overflowing the buffer, in which case they
might have the right exploit for your machine, they just need to work
through the offset space to find the right one for your machine.

As Kris recommended, you probably want to reinstall the machine from
scratch, and subscribe to the FreeBSD security-notifications mailing list
if you haven't already. Extracting the exploit is probably not a useful
exercise as (unless it exploits a new/different bug), an exploit has already
been posted and is widely circulated, so chances are it is the same one.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sat Feb 24 4:13:51 2001
From: Adam Laurie
To: Doug Barton
Cc: Mikel King , Doug Barton , Nick Sayer , freebsd-security@FreeBSD.ORG
Date: Sat, 24 Feb 2001 12:11:18 +0000
Subject: Re: /etc/rc.firewall fixes
Message-ID: <3A97A4E6.C53ECF27@algroup.co.uk>
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk> <3A93C2FB.3E160997@ocsinternet.com> <3A94AE05.965BC5E4@gorean.org> <3A9526AA.19D00D47@ocsinternet.com> <3A954152.C7887C3@gor.com>

Doug Barton wrote:
>
> Mikel King wrote:
> >
> > rc.conf.local and rc.local were deprecated around the release of 4.x.
>
> Don't be silly. Both are fully supported, and there is no plan to remove
> support at any time in the future (and I will vigorously oppose any plan to
> do so). The only thing that has actually changed is that the system no
> longer ships with an rc.local file installed.

So what's the point in putting it in there instead of rc.conf then? Since
the interfaces that will be referred to, and other firewall parameters, are
set in /etc/rc.conf, and rc.conf is explicitly read by /etc/rc.firewall,
this would seem the logical choice (and yes, I'm aware that rc.conf.local
will also get read, but it just seems a needless obfuscation, particularly
since it is not even there by default).

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Sat Feb 24 7:49:36 2001
From: Garrett Wollman
To: Adam Laurie
Cc: Doug Barton , Mikel King , Doug Barton , Nick Sayer , freebsd-security@FreeBSD.org
Date: Sat, 24 Feb 2001 10:49:25 -0500 (EST)
Subject: Re: /etc/rc.firewall fixes
Message-Id: <200102241549.KAA46261@khavrinen.lcs.mit.edu>
In-Reply-To: <3A97A4E6.C53ECF27@algroup.co.uk>

< said:

> that rc.conf.local will also get read, but it just seems a needless
> obfuscation, particularly since it is not even there by default).

wollman@mintaka(1)$ ls -li /etc/rc.conf*
493 -r--r--r--  1 root  wheel   783 Nov 27 15:37 /etc/rc.conf
378 -r--r--r--  1 root  wheel  1062 Feb 11 13:19 /etc/rc.conf.lampang
235 -r--r--r--  2 root  wheel   464 Nov  2 14:00 /etc/rc.conf.local
235 -r--r--r--  2 root  wheel   464 Nov  2 14:00 /etc/rc.conf.mintaka
368 -r--r--r--  1 root  wheel   969 Nov 25 18:24 /etc/rc.conf.ossipee

That's why.

-GAWollman

From owner-freebsd-security Sat Feb 24 13: 6:24 2001
From: Doug Barton
To: Adam Laurie
Cc: Mikel King , Nick Sayer , freebsd-security@FreeBSD.ORG
Date: Sat, 24 Feb 2001 13:05:40 -0800
Subject: Re: /etc/rc.firewall fixes
Message-ID: <3A982224.893F76AF@gorean.org>
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk> <3A93C2FB.3E160997@ocsinternet.com> <3A94AE05.965BC5E4@gorean.org> <3A9526AA.19D00D47@ocsinternet.com> <3A954152.C7887C3@gor.com> <3A97A4E6.C53ECF27@algroup.co.uk>

Adam Laurie wrote:
>
> Doug Barton wrote:
> >
> > Mikel King wrote:
> > >
> > > rc.conf.local and rc.local were deprecated around the release of 4.x.
> >
> > Don't be silly. Both are fully supported, and there is no plan to remove
> > support at any time in the future (and I will vigorously oppose any plan to
> > do so). The only thing that has actually changed is that the system no
> > longer ships with an rc.local file installed.
>
> So what's the point in putting it in there instead of rc.conf then?

The original question I responded to suggested putting the settings for
rc.firewall into a whole new conf file. My point was that there were already
several locations that would be more appropriate.

Doug
-- 
"Pain heals. Chicks dig scars. Glory . . . lasts forever."
    -- Keanu Reeves as Shane Falco in "The Replacements"

Do YOU Yahoo!?
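Garrett's listing in the rc.firewall thread shows why rc.conf.local earns its place: rc.conf.local and rc.conf.mintaka share inode 235 with a link count of 2, so the shared rc.conf carries site-wide settings and each host reads its own rc.conf.<hostname> through the hard link. The script below is an added example, not code from the thread or from FreeBSD; it rebuilds that layout in a scratch directory and reads the files in the order I assume the rc scripts use (rc.conf first, then rc.conf.local, as in the 4.x rc_conf_files default), so a firewall_type set per host overrides the site default. Directory, host name and variable values are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): rebuild the layout seen in Garrett's
# listing, where rc.conf.local is a hard link to a per-host rc.conf.<host>,
# and read the files in the assumed rc order: rc.conf, then rc.conf.local.

# make_rc_layout DIR HOST: write a shared rc.conf plus a per-host override
# file in DIR and hard-link it to rc.conf.local. All values are constructed.
make_rc_layout() {
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/rc.conf" <<'EOF'
# site-wide defaults, identical on every host
firewall_enable="YES"
firewall_type="closed"
sshd_enable="YES"
EOF
    cat > "$dir/rc.conf.$host" <<'EOF'
# this host only: relax the firewall to the "client" ruleset
firewall_type="client"
EOF
    rm -f "$dir/rc.conf.local"
    # a hard link, so ls -li shows one inode with a link count of 2
    ln "$dir/rc.conf.$host" "$dir/rc.conf.local"
}

# effective_firewall_type DIR: source rc.conf then rc.conf.local (if present)
# inside a subshell, so the caller's environment is untouched, and print the
# firewall_type that rc.firewall would end up seeing.
effective_firewall_type() (
    dir=$1
    for f in "$dir/rc.conf" "$dir/rc.conf.local"; do
        if [ -r "$f" ]; then
            . "$f"
        fi
    done
    printf '%s\n' "$firewall_type"
)

# same_inode A B: succeed when A and B are the same file (hard-link check).
same_inode() {
    a=$(ls -i "$1" | awk '{print $1}')
    b=$(ls -i "$2" | awk '{print $1}')
    [ "$a" = "$b" ]
}

# link_count FILE: print the hard-link count column from ls -l.
link_count() {
    ls -l "$1" | awk '{print $2}'
}
```

Removing rc.conf.local (or pointing the link at a different rc.conf.<host>) changes only the per-host overrides; the site-wide file is never edited, which is the point of Garrett's arrangement.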
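Looking back at the "weird login attempt" thread earlier on this page, the replies settle two things: "www" is the syslog host field (the machine that wrote the line, not a user), and the junk after "ttyv0," is raw keyboard input at a local console that login(1) logged in place of a user name. The parser below is an added example, not code from the thread; it reads syslog lines like the ones quoted (plus two constructed lines for contrast), classifies the tty by where the session came from, decodes syslog's caret notation and names the escape sequences. The function-key table is the syscons default as I recall it and is an assumption; the thread itself only states that ^[[S is F7.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread; the
# last two lines are invented for contrast (a pseudo-tty failure with a
# user name, and a non-login event that must be ignored).
SAMPLE_LOG = """\
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 10:42:01 www login: 1 LOGIN FAILURE ON ttyp2, alice
Feb 23 10:42:05 www sshd[123]: Accepted publickey for bob from 10.0.0.5 port 4000
"""

# "Mon DD HH:MM:SS host prog[pid]: message"; the host field names the
# machine that produced the line, never a user.
SYSLOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)
# login(1)'s message: "N LOGIN FAILURE(S) ON tty[, username]"
FAILURE_RE = re.compile(
    r"^(?P<count>\d+) LOGIN FAILURES? ON (?P<tty>[^,\s]+)(?:, (?P<user>.*))?$"
)
# syslog prints control characters in caret notation: ^[ is ESC (0x1b).
CARET_RE = re.compile(r"\^([@-_?])")
# ANSI control-sequence introducer: ESC [ parameters final-byte
CSI_RE = re.compile(r"\x1b\[[0-9;?]*[@-~]")

# Assumed syscons default function-key sequences (F1..F12 = ESC[M..ESC[X);
# the thread only confirms that ESC[S is F7.
FKEYS = {"\x1b[%s" % chr(ord("M") + i): "F%d" % (i + 1) for i in range(12)}


def tty_kind(tty):
    """Classify a FreeBSD tty name by where the session physically came from."""
    if tty.startswith("ttyv"):
        return "console"        # syscons virtual terminal: a keyboard on the box
    if tty.startswith(("ttyp", "ttyq", "ttyr", "ttys")):
        return "pseudo-tty"     # network session (telnet, ssh, rlogin ...)
    if tty.startswith(("ttyd", "cuaa")):
        return "serial"
    return "unknown"


def decode_caret(text):
    """Turn caret notation back into the control bytes the terminal sent."""
    return CARET_RE.sub(lambda m: chr(ord(m.group(1)) ^ 0x40), text)


def name_escapes(raw):
    """Name each CSI sequence in raw text: F-key if known, else 'CSI <tail>'."""
    return [FKEYS.get(seq, "CSI " + seq[2:]) for seq in CSI_RE.findall(raw)]


def classify_user_field(user):
    """Return (kind, detail) for whatever login(1) logged as the user name."""
    if user is None:
        return ("empty", "")
    names = name_escapes(decode_caret(user))
    if names:
        # Escape sequences mean raw key presses arrived at the login prompt,
        # not a typed user name: someone (or something) was at that terminal.
        return ("terminal-escapes", ", ".join(names))
    return ("name", user)


def parse_login_failures(log_text):
    """Parse syslog text and return one record per LOGIN FAILURE line."""
    records = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "login":
            continue
        f = FAILURE_RE.match(m.group("msg"))
        if not f:
            continue
        kind, detail = classify_user_field(f.group("user"))
        records.append({
            "host": m.group("host"),   # "www" in the thread: the machine name
            "tty": f.group("tty"),
            "source": tty_kind(f.group("tty")),
            "count": int(f.group("count")),
            "user_kind": kind,
            "user_detail": detail,
        })
    return records


def summarize(records):
    """Count failures per (host, source, user_kind) as a quick triage view."""
    return Counter((r["host"], r["source"], r["user_kind"]) for r in records)


if __name__ == "__main__":
    recs = parse_login_failures(SAMPLE_LOG)
    for r in recs:
        print(r)
    for key, n in sorted(summarize(recs).items()):
        print(key, n)
```

On the quoted lines this yields two console failures with an empty user field and two with "F7, CSI J, CSI J, CSI J, CSI ~", all from host www; the triage counter separates those local-console events from the pseudo-tty failure, which is the split that matters when deciding whether a physical keyboard or a network session produced them.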