From owner-freebsd-security Sun Apr 22 05:16:12 2001
From: Igor Podlesny
Date: Sun, 22 Apr 2001 20:18:48 +0700
Organization: Morning Network
To: Bert Kellerman
Cc: freebsd-security@freebsd.org
Subject: Re[2]: ipfw problem
Message-ID: <2410845404.20010422201848@morning.ru>
In-Reply-To: <3AE2C731.13715531@charter.net>
References: <68144568768.20010422130414@morning.ru> <3AE2C731.13715531@charter.net>

BK> I don't see a problem with the current implementation of not having
BK> ranges.

So do I (almost). The only thing I almost (again this word) prefer is flexibility -- if things could be made more flexible, they certainly should be. It is a basis of all computer programming (variables, indirect de-referencing, and so on).

BK> Most routed firewall configurations are built on top of a
BK> subnetted hierarchy,

Aha... but there is the point-to-point 'beast', which does not have to follow this at all -- 10.0.0.1:192.168.255.1 is a quite legal pair... (just an example, without any connection to the use of a 10.1-192.168.255.1 range :)

BK> with each subnet having a different security
BK> policy. I think if you are trying to enforce different security policies
BK> for certain *ranges* of a subnet, then you should rethink your strategy
BK> and consider subnetting. In a solid network security architecture, the
BK> physical and layer3 topology should be consistent with your ip filtering
BK> design. Even if what I stated above is *not* true :) , then just learn
BK> to use the net/mask connotation...it's standard.

Thank you, but it seems you got me absolutely wrong; I'd recommend you read my previous answer in the thread again :) I do use net/m.a.s.k or net/mask and am quite familiar with that system. (The common sense of my reply was that implementing ip1-ip2 checking isn't too hard and wouldn't make the firewall code too slow.)

P.S. The reality is such that one aim may be reached via different ways -- the world is built so. So it is rather logical to have different ways of expressing ideas (coding also ;). And that is what UNIX stands on. %)

BK> Regards,
BK> Bert

BK> Igor Podlesny wrote:
>>
>> PP> On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> >> Hi Peter,
>> >>
>> >> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
>> >> ranges?? If the author is listening...)
>> >>
>> >> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>> >> in the script. No such luck.
>>
>> PP> Hmm I didn't quite parse that - are you saying that ${ip} really isn't defined
>> PP> until later? If so, has that solved your problem?
>>
>> PP> And about the ranges - ipfw(8) is only a controlling interface to the kernel
>> PP> ipfw routines.
>> sure
>>
>> PP> It would be *much* harder for the kernel to compare every
>> PP> packet's address against a range than it is to compare it against a netmask -
>> PP> the latter only involves a bitwise AND operator.
>>
>> I rather don't agree with that statement, but consider, we should
>> decide what *MUCH* is in any case :)
>>
>> And pay your attention, plz -- it does check port ranges absolutely
>> easily.. I don't see any big difference between ports and IP-addresses.
>> They both are represented as usual (not too big) numbers at last.
>>
>> PP> I wonder if ranges would
>> PP> be so hard to implement though; the fact is, they are not implemented at
>> PP> the moment, this would take some work, and actually, I'm not aware of any
>> PP> other firewalling system that implements ranges. I would be VERY much out
>> PP> of my bailiwick here, though, because I've not dealt with that many other
>> PP> firewalling systems, but still, I think ranges are somewhat unusual in
>> PP> firewall rules :)
>>
>> PP> G'luck,
>> PP> Peter
>>
>> --
>> Igor mailto:poige@morning.ru

-- 
Igor mailto:poige@morning.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
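The cost argument in the thread above, as an added example in Python that is neither ipfw code nor from any poster: match_mask is the net/mask test Peter describes (one AND, one compare), match_range is the ip1-ip2 test Igor proposes (two compares, the same check ipfw already does for port ranges), and range_to_cidrs shows what Bert's "consider subnetting" answer costs for a range that is not mask-aligned. All function names are my own.

```python
"""Address matching as debated in the ipfw thread (added example, not ipfw code).

- match_mask     : the net/mask test, (addr & mask) == (net & mask)
- match_range    : the first-last test, two integer comparisons
- range_to_cidrs : the list of net/mask blocks needed to express a range,
                   i.e. what "use subnetting instead" costs in rule count
"""
import ipaddress
from typing import List


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to its 32-bit value."""
    return int(ipaddress.IPv4Address(addr))


def match_mask(addr: str, net: str, mask: str) -> bool:
    """True if addr falls inside net/mask: one bitwise AND and one compare."""
    m = _to_int(mask)
    return (_to_int(addr) & m) == (_to_int(net) & m)


def match_range(addr: str, first: str, last: str) -> bool:
    """True if first <= addr <= last, comparing the 32-bit values directly."""
    return _to_int(first) <= _to_int(addr) <= _to_int(last)


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Smallest list of net/mask blocks covering first..last inclusive.

    Greedy: at each step take the largest power-of-two block that is aligned
    at the current start address and does not run past the end of the range.
    """
    lo, hi = _to_int(first), _to_int(last)
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        prefix = 32 - (size.bit_length() - 1)   # block of 2**k hosts is a /(32-k)
        blocks.append(str(ipaddress.IPv4Network((lo, prefix))))
        lo += size
    return blocks


def match_cidrs(addr: str, cidrs: List[str]) -> bool:
    """Walk a list of net/mask rules the way a firewall would, first hit wins."""
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr)
        if match_mask(addr, str(net.network_address), str(net.netmask)):
            return True
    return False


if __name__ == "__main__":
    rules = range_to_cidrs("10.1.1.5", "10.1.1.20")
    print("10.1.1.5-10.1.1.20 as net/mask rules:", rules)
    # Igor's point-to-point pair is a legal range too; count the rules it needs
    print("10.0.0.1-192.168.255.1 needs",
          len(range_to_cidrs("10.0.0.1", "192.168.255.1")), "net/mask rules")
```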

From owner-freebsd-security Sun Apr 22 10:33:01 2001
From: Dag-Erling Smorgrav
Date: 22 Apr 2001 19:32:59 +0200
To: Pär Thoren
Cc: Joseph Gleason, freebsd-security@FreeBSD.ORG
Subject: Re: static arp values

Pär Thoren writes:
> But I can still sniff the connection between the machine with the static
> arp value and the router. That is what I find strange.

How do you expect a static ARP entry will prevent sniffing?
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Apr 22 10:36:25 2001
From: Dag-Erling Smorgrav
Date: 22 Apr 2001 19:36:21 +0200
To: Pär Thoren
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rpc.statd attack

Pär Thoren writes:
> Ok when I get portscanned...but these guys try to exploit my ass.

Why is rpc.statd running? If you really need it (for NFS on your LAN,
I presume), why isn't portmap or rpcbind firewalled off so only local
hosts can access it?
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Apr 22 10:45:34 2001
From: Valentin Nechayev
Date: Sun, 22 Apr 2001 20:21:44 +0300
To: Rasputin
Cc: freebsd-security@freebsd.org
Subject: Re: Security Announcements & Incremental Patches
Message-ID: <20010422202144.A313@iv.nn.kiev.ua>
Reply-To: netch@segfault.kiev.ua
In-Reply-To: <20010412105356.A88231@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Thu, Apr 12, 2001 at 10:53:56AM +0100

Thu, Apr 12, 2001 at 10:53:56, rara.rasputin (Rasputin) wrote about "Re: Security Announcements & Incremental Patches":

> > Agreed. It might be worthwhile to point out that Linux is gaining
> > market share by leaps and bounds while FreeBSD's user base remains
> > relatively stagnant for *exactly* this reason.
>
> Why? Because RedHat only provide updates as individual RPMS, so updating
> a system from one version to another was always a complete nightmare?
> (Exhibit A being shipping the new version of RPM as an RPM.
> In the new package format.)
> A central source tree for kernel and userland is BSD's crowning glory, IMO.
> But that's not to say that patches aren't an option.

FreeBSD is at one pole, RedHat at another, but both have the same sickness: lack of an internal ABI compatibility culture. This sickness requires violent synchronization of all compiled system code via `make world' in FreeBSD (and not only world! any third-party application which uses KVM - e.g. ucd-snmp - should be recompiled with a KVM change), and quite often a strange upgrade order topology in RedHat or any other Linux-based system, with almost guaranteed incorrect work when the upgrade is not completed (e.g. after installworld but before reboot). No commercial operating system can allow permanent ABI changes of its interfaces without correct support of the old ones: the vendor of such a system shall be bankrupt rather soon, even in case it provides sources, even in the `open source' case. (RedHat is not a commercial system, is it?)

However, the RedHat variant with individual RPMs is much more convenient for admins who cannot upgrade the total system to the last -STABLE and on the other side have no C code compiling skills; /me personally knows a few real examples of admins who had to use RedHat/KSI/BlackCat due to such FreeBSD requirements. (It's not me; at my job we have a large team of FreeBSD apologists;-) but only for PC and only for the free systems world.)

It is quite simple for any qualified FreeBSD admin, including the FreeBSD FTP site team, to make patched binaries for all supported releases for any security advisory and put them up for free download for such admins who have bad compiling skills; but it is not provided now, and anyone should recompile the whole world or learn the compilation underwater stones (why `make depend' is required, what `make obj' does,...) and apply the patch with hand tremor and after `100 grams of good whisky to be brave', instead of a simple `rpm -U'.

> IMO, all contact I've had with the FreeBSD team has been motivated out of
> a genuine need to create a good product. Saying they do this to
> 'increase market share' does them a disservice.
> Their motivation to me has always seemed to be to make an OS
> that sucks less than any other, whether or not that's commercially attractive.

If the OS sucks less, it shall be commercially attractive. If it is not commercially attractive, it sucks in something. This `something' can be lack of $$, as compared with Microsoft, or lack of an efficient unbuggy pthreads implementation, as compared with AIX or HP-UX, but it exists.

Really, the solution to use violent synchronization based on compile-time dependencies was made a long time ago and is supported by FreeBSD developers, and my letter is ugly flamebait against it. Please move the thread to the correct list in case you reply.

/netch

From owner-freebsd-security Sun Apr 22 10:50:26 2001
From: "Karsten W. Rohrbach"
Date: Sun, 22 Apr 2001 19:50:23 +0200
To: Cy Schubert - ITSD Open Systems Group
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: Tripwire or the like for FreeBSD ?
Message-ID: <20010422195023.A924@mail.webmonster.de>
In-Reply-To: <200104202010.f3KKAQL13623@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Fri, Apr 20, 2001 at 01:10:08PM -0700
Mail-Followup-To: "Karsten W.
Rohrbach", Cy Schubert - ITSD Open Systems Group, Ragnar Beer, freebsd-security@FreeBSD.ORG

I am using this simple script sitting in /opt/security/mtree/bin with data in /opt/security/mtree/data. It should be pretty self explanatory and I call it from /etc/weekly.local in check mode. Comments and suggestions welcome.

/k

Cy Schubert - ITSD Open Systems Group(Cy.Schubert@uumail.gov.bc.ca)@2001.04.20 13:10:08 +0000:
> In message , Ragnar Beer writes:
> > Has anybody looked at http://sourceforge.net/projects/tripwire/ ?
> > There's a GPL'd version (2.3.1-2) of Tripwire. I got the impression
> > that over mtree Tripwire has the advantage of a more finegrained
> > control.
>
> I'm currently whittling away on the upcoming Tripwire 2.3.1-2 port.
> The new port compiles and installs ok. The only thing left to complete
> is the creation of a default FreeBSD policy file, which in my
> estimation is about 20% complete.
>
> Regards,                        Phone: (250)387-8437
> Cy Schubert                       Fax: (250)387-5766
> Team Leader, Sun/Alpha Team  Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
> > Ragnar
> >
> > >Hopefully I am not being too dense, but what about the Tripwire-1.2 in the
> > >security ports?
> > >
> > >SM

-- 
> Life is a sexually transmitted disease.
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-------------------------------------]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

Content-Disposition: attachment; filename=mtreechk

#!/bin/sh
# mtree checker

# config
ME="mtreechk 0.1"
BASEDIR=/opt/security/mtree
BINDIR=${BASEDIR}/bin
DATADIR=${BASEDIR}/data
MASTER=${DATADIR}/master.mtree
EXCLUDE=${DATADIR}/exclude
SYSTEMROOT=/
CURDATE=`date +%Y%m%d%H%M%S`
CURFILE=${DATADIR}/current
MTREE=/usr/sbin/mtree
# keywords recorded per file; three digests so a collision in one is not enough
MTREEFLAGSWR="-cK uid,gid,mode,size,md5digest,sha1digest,ripemd160digest"
MTREEFLAGSRD=""
MTREEWR="${MTREE} -p ${SYSTEMROOT} -X ${EXCLUDE} ${MTREEFLAGSWR}"
MTREERD="${MTREE} -p ${SYSTEMROOT} -X ${EXCLUDE} ${MTREEFLAGSRD}"
RM="/bin/rm -f"
NICE="/usr/bin/nice -10"

# write mtree data to repo: a new timestamped spec, and remember it as current
write() {
    local DATAFILE NEWDATE
    DATAFILE="${MASTER}-${CURDATE}"
    echo "${ME}: ${MTREEWR}"
    echo "${ME}: write run starts @ ${CURDATE}"
    ${NICE} ${MTREEWR} > ${DATAFILE}
    echo -n ${CURDATE} > ${CURFILE}
    NEWDATE=`date +%Y%m%d%H%M%S`
    echo "${ME}: write run ends @ ${NEWDATE}"
    return
}

# check the live fs against repo: the current spec, or the file given as $1
check() {
    local CURRENT DATAFILE ERR NEWDATE
    if [ -z "${1}" ]
    then
        CURRENT=`cat ${CURFILE}`
        DATAFILE="${MASTER}-${CURRENT}"
    else
        DATAFILE=${1}
    fi
    echo "${ME}: ${MTREERD}"
    echo "${ME}: check run starts @ ${CURDATE}"
    ${NICE} ${MTREERD} < ${DATAFILE}
    ERR=${?}
    NEWDATE=`date +%Y%m%d%H%M%S`
    echo "${ME}: check run ends @ ${NEWDATE}"
    if [ ${ERR} = 0 ]
    then
        echo "${ME}: no diffs"
    else
        echo "${ME}: found differences, please check"
    fi
    return
}

# kill the repo
clobber() {
    echo "${ME}: resetting repository"
    ${RM} ${MASTER}-* ${CURFILE}
}

# blurb
usage() {
    echo "${ME} - wrapper for automated file integrity checks"
    echo "syntax: ${0} command [parameter]"
    echo "commands: "
    echo "  write        write out mtree for ${SYSTEMROOT}"
    echo "  check        check latest integrity information on ${SYSTEMROOT}"
    echo "  check FILE   check integrity information contained in FILE"
    echo "  clobber      reset (KILL) the checksum repository"
    echo "submit your comments and patches: karsten@rohrbach.de"
    exit 1
}

CMD=${1}
case ${CMD} in
    write)   write ;;
    check)   check "${2}" ;;   # optional FILE is passed through to check()
    clobber) clobber ;;
    *)       usage ;;
esac

From owner-freebsd-security Sun Apr 22 11:03:12 2001
From: Pär Thoren
Date: Sun, 22 Apr 2001 20:03:44 +0200 (MEST)
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: static arp values

An attacker can ARP-poison my ARP cache with false information about what MAC address the gateway has.
The attacker tells the ARP cache that the gateway IP has the MAC address of his NIC, then routes my traffic to the "real" gateway without my knowledge. He can then monitor my traffic. A static value for the MAC address of the gateway could prevent this. This is, again, on a switched ethernet LAN.

/Pär

On 22 Apr 2001, Dag-Erling Smorgrav wrote:
> Pär Thoren writes:
> > But I can still sniff the connection between the machine with the static
> > arp value and the router. That is what I find strange.
>
> How do you expect a static ARP entry will prevent sniffing?
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Apr 22 11:05:07 2001
From: Pär Thoren
Date: Sun, 22 Apr 2001 20:05:40 +0200 (MEST)
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: rpc.statd attack

Yes.. I've added ipfw rules now. But the question was if rpc.statd logged the IP of the attacker. I use ipfw to log it now.

On 22 Apr 2001, Dag-Erling Smorgrav wrote:
> Pär Thoren writes:
> > Ok when I get portscanned...but these guys try to exploit my ass.
>
> Why is rpc.statd running? If you really need it (for NFS on your LAN,
> I presume), why isn't portmap or rpcbind firewalled off so only local
> hosts can access it?
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Apr 22 14:51:02 2001
From: "Valentin Yeliseev"
Date: Mon, 23 Apr 2001 00:49:01 +0300
Subject: Is it ftp bug???
Message-ID: <00da01c0cb76$0b1a3420$0201a8c0@soft.lv>

Hello, all

I just tested the patched ftpd (SA:33) and found a strange problem:

action:

system@daemon 0:44 /users/release/ftp> ftp -a daemon
Connected to daemon.
220 daemon.care.lv FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /*/../*/../*/../*/../*/../*/../*/../*/../*/../*/

top output:

last pid: 21458;  load averages:  0.69,  0.24,  0.26    up 2+13:23:36  00:51:47
21 processes:  2 running, 19 sleeping
CPU states: 24.5% user,  0.0% nice, 75.5% system,  0.0% interrupt,  0.0% idle
Mem: 107M Active, 3596K Inact, 20M Wired, 29M Buf, 56M Free
Swap: 450M Total, 3404K Used, 447M Free

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
21457 system    61   0   104M   104M RUN      1:07 97.82% 95.85% ftp
  753 mysql      2   0 11040K   952K poll     0:03  0.00%  0.00% mysqld
 7353 root       2   0  2116K   488K select   0:02  0.00%  0.00% sshd
21424 system    28   0  1864K  1040K RUN      0:01  0.00%  0.00% top

From owner-freebsd-security Sun Apr 22 18:08:59 2001
From: "Timothy S. Bowers"
Date: Mon, 23 Apr 2001 03:11:33 +0200
Subject: upgrades
Message-ID: <5.0.2.1.2.20010423031011.01c68c60@nol.co.za>

Hi,

What does this mean ?

Apr 23 01:04:59 stasis sshd[1979]: no modules loaded for `sshd' service
Apr 23 01:04:59 stasis sshd[1979]: fatal: PAM session setup failed[6]: Permission denied

From owner-freebsd-security Sun Apr 22 18:10:55 2001
From: Mikhail Kruk
Date: Sun, 22 Apr 2001 21:10:35 -0400 (EDT)
To: "Timothy S. Bowers"
Subject: Re: upgrades
In-Reply-To: <5.0.2.1.2.20010423031011.01c68c60@nol.co.za>

read /usr/src/UPDATING

20010112:
        Important new FreeBSD-version stuff: PAM support has been worked
        in, partially from the "Unix" OpenSSH version. This requires
        adding the following in pam.conf:

        sshd    auth    sufficient      pam_skey.so
        sshd    auth    required        pam_unix.so     try_first_pass
        sshd    session required        pam_permit.so

> Hi,
>
> What does this mean ?
>
> Apr 23 01:04:59 stasis sshd[1979]: no modules loaded for `sshd' service
> Apr 23 01:04:59 stasis sshd[1979]: fatal: PAM session setup failed[6]: Permission denied

From owner-freebsd-security Sun Apr 22 18:11:46 2001
From: Chris Johnson
Date: Sun, 22 Apr 2001 21:11:42 -0400
To: "Timothy S. Bowers"
Cc: freebsd-security@freebsd.org
Subject: Re: upgrades
Message-ID: <20010422211142.A11536@palomine.net>
In-Reply-To: <5.0.2.1.2.20010423031011.01c68c60@nol.co.za>; from tim@nol.co.za on Mon, Apr 23, 2001 at 03:11:33AM +0200

On Mon, Apr 23, 2001 at 03:11:33AM +0200, Timothy S. Bowers wrote:
> What does this mean ?
>
> Apr 23 01:04:59 stasis sshd[1979]: no modules loaded for `sshd' service
> Apr 23 01:04:59 stasis sshd[1979]: fatal: PAM session setup failed[6]: Permission denied

I believe it means that you didn't run mergemaster (and thus install an updated pam.conf) after you installed world.

Chris

From owner-freebsd-security Sun Apr 22 18:12:27 2001
From: Chris Faulhaber
Date: Sun, 22 Apr 2001 21:12:16 -0400
To: "Timothy S. Bowers"
Cc: freebsd-security@freebsd.org
Subject: Re: upgrades
Message-ID: <20010422211216.A21091@peitho.fxp.org>
In-Reply-To: <5.0.2.1.2.20010423031011.01c68c60@nol.co.za>; from tim@nol.co.za on Mon, Apr 23, 2001 at 03:11:33AM +0200

On Mon, Apr 23, 2001 at 03:11:33AM +0200, Timothy S. Bowers wrote:
> Hi,
>
> What does this mean ?
>=20 > Apr 23 01:04:59 stasis sshd[1979]: no modules loaded for `sshd' service > Apr 23 01:04:59 stasis sshd[1979]: fatal: PAM session setup failed[6]: Pe= rmission denied >=20 It means that 1) you aren't using mergemaster 2) you haven't read /usr/src/UPDATING (20010112 entry) --=20 Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --9jxsPFA5p3P2qPhR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: FreeBSD: The Power To Serve iEYEARECAAYFAjrjgXAACgkQObaG4P6BelCSwACfTRt9ymPyBMX05ZP4Zy4pYego +AIAoJEYDAKE/aNmGGgB92p4ihL3mBKR =MqeZ -----END PGP SIGNATURE----- --9jxsPFA5p3P2qPhR-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 22 18:17:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 51DAE37B423 for ; Sun, 22 Apr 2001 18:17:36 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3N1G5M35200; Sun, 22 Apr 2001 21:16:06 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Sun, 22 Apr 2001 21:16:01 -0400 (EDT) From: Rob Simmons To: "Timothy S. Bowers" Cc: Subject: Re: upgrades In-Reply-To: <5.0.2.1.2.20010423031011.01c68c60@nol.co.za> Message-ID: <20010422211024.H35128-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Look in /usr/src/UPDATING. 
There are a couple of lines that need to be added to /etc/pam.conf so that
sshd can use pam:

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 23 Apr 2001, Timothy S. Bowers wrote:
> Hi,
>
> What does this mean ?
>
> Apr 23 01:04:59 stasis sshd[1979]: no modules loaded for `sshd' service
> Apr 23 01:04:59 stasis sshd[1979]: fatal: PAM session setup failed[6]: Permission denied

From owner-freebsd-security Sun Apr 22 18:18:38 2001
Date: Mon, 23 Apr 2001 11:18:24 +1000
From: Tim Kent
To: freebsd-security@freebsd.org
Subject: Connection attempts
Message-ID: <20010423111824.A11827@gumbynet.org>

Hey all,

Over the last few days I have noticed many people trying to connect to
port 111 (portmapper). I don't run portmapper but I have log in vain
enabled. Are these people going crazy with rpcinfo or what?
I have attached the related output from dmesg but have changed my IP:

[dmesg output omitted]

From owner-freebsd-security Sun Apr 22 18:42:02 2001
Date: Sun, 22 Apr 2001 21:41:15 -0400
From: "Michael Scheidell"
Subject: Re: Connection attempts
Message-ID: <003a01c0cb96$8d660420$0503a8c0@fdma.com>
References: <20010423111824.A11827@gumbynet.org>
Organization: Florida Datamation, Inc.
all those darn linux 6.2 system. They should be replaced with rocks.

----- Original Message -----
From: "Tim Kent"
Newsgroups: local.freebsd.security
Sent: Sunday, April 22, 2001 9:18 PM
Subject: Connection attempts

> Hey all,
>
> Over the last few days I have noticed many people trying to connect to port 111 (portmapper).
> I don't run portmapper but I have log in vain enabled. Are these people going crazy with rpcinfo or what?
>
> I have attached the related output from dmesg but have changed my IP:

You can look up the 'attackers' to see if they have attacked others at:
http://www.mynetwatchman.com/mynetwatchman/SearchOpenIncidents.asp
you can DL a copy of the freebsd / ipfw also.

> Connection attempt to TCP phoenix:111 from 213.236.151.240:4912

had attacked at least 7 other computers since the 13th.

> Connection attempt to TCP phoenix:111 from 203.250.123.237:3278

One other on the 20th.

> Connection attempt to TCP phoenix:111 from 203.197.150.162:63525
> Connection attempt to TCP phoenix:111 from 203.197.150.162:63525
> Connection attempt to TCP phoenix:111 from 203.197.150.162:64156

persistent bugger, eh? no others listed (if you ran the mnwclient, then
mynetwatchman would have larted the isp for you)

> Connection attempt to TCP phoenix:111 from 24.182.49.154:4078

@home cable user, attacked someone on the 18th and @home sent email on
the 19th.

> Connection attempt to TCP phoenix:111 from 210.207.57.166:4719

bora.net: lots of attacks must be infected

> Connection attempt to TCP phoenix:111 from 208.53.106.140:3845

look up any others. you would be amazed how far and wide these hack
attacks range. 80% of them are compromised linux systems (that went
unreported... hint... hint) and are now hacking into other systems.

From owner-freebsd-security Sun Apr 22 19:33:38 2001
Date: Sun, 22 Apr 2001 19:33:35 -0700
From: Kris Kennaway
To: Tim Kent
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts
Message-ID: <20010422193335.B23245@xor.obsecurity.org>
In-Reply-To: <20010423111824.A11827@gumbynet.org>

On Mon, Apr 23, 2001 at 11:18:24AM +1000, Tim Kent wrote:
> Over the last few days I have noticed many people trying to connect
> to port 111 (portmapper). I don't run portmapper but I have log in
> vain enabled. Are these people going crazy with rpcinfo or what?

Script kiddies..just ignore it and get used to it.
Kris

From owner-freebsd-security Sun Apr 22 19:43:33 2001
Date: Sun, 22 Apr 2001 19:43:29 -0700
From: Kris Kennaway
To: netch@segfault.kiev.ua
Cc: Rasputin, freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches
Message-ID: <20010422194329.A23392@xor.obsecurity.org>
In-Reply-To: <20010422202144.A313@iv.nn.kiev.ua>

On Sun, Apr 22, 2001 at 08:21:44PM +0300, Valentin Nechayev wrote:
> It is quite simple for any qualified FreeBSD admin, including FreeBSD
> FTP site team, to make patched binaries for all supported releases for
> any security advisory and put them for free download for such admins who
> has bad compiling skills; but it is not provided now, and anyone should

No, it's not simple. You have to make sure you include all dependencies
of the change, everything the change depends on (e.g. libraries with
changes that are required by the updated utility), and you have to test
it in a variety of environments to make sure it works as expected. It's
relatively simple to make a package from random pieces, it's quite
difficult to test it and make sure that it works.

More to the point, it takes additional time, which is always the most
scarce resource in volunteer projects. Are you willing to help test
binary security packages by reinstalling your system to a clean
installation of 4.3-RELEASE, then applying and testing the package?

Having said this, the RELENG_4_3 release branch is a step towards
allowing us to do this (since it's a known, constant base which is
expected to have few changes and therefore easy to manage dependencies);
there's the possibility of generating binary packages for users of
-RELEASE versions of FreeBSD starting with 4.3 only.

Kris

From owner-freebsd-security Sun Apr 22 20:17:28 2001
Date: Mon, 23 Apr 2001 11:16:32 +0800
From: Victor Sudakov
To: freebsd-security@freebsd.org
Subject: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010423111632.B17342@sibptus.tomsk.ru>
Organization: AO "Svyaztransneft", SibPTUS

Colleagues:

I do not quite understand the impact of the globbing vulnerability.

As far as I understand, it can be exploited only after a user has
logged in, so ftpd is already chrooted and running with the uid of
the user at the moment. What serious trouble can an attacker
cause under these conditions?

Thank you for any input.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/

From owner-freebsd-security Sun Apr 22 21:24:50 2001
Date: Sun, 22 Apr 2001 23:25:00 -0500 (CDT)
From: datazone@airmail.net
To: "Michael Scheidell"
Cc: freebsd-security@freebsd.org
Subject: Re: Connection attempts

> all those darn linux 6.2 system. They should be replaced with rocks.

I did not know that there was a "linux 6.2"

From owner-freebsd-security Sun Apr 22 21:31:26 2001
Date: Mon, 23 Apr 2001 00:35:41 -0400
From: Alan Clegg
To: datazone@airmail.net
Cc: freebsd-chat@freebsd.org
Subject: Re: Connection attempts
Message-ID: <20010423003541.B78446@diskfarm.firehouse.net>

Unless the network is lying to me again, datazone@airmail.net said:
> > all those darn linux 6.2 system. They should be replaced with rocks.
>
> I did not know that there was a "linux 6.2"

Didn't you hear? Linux == RedHat

AlanC
--
perl -le '$_="6110>374086;2064208213:90<307;55";tr[0->][ LEOR\!AUBGNSTY];print'
echo "6110>374086;2064208213:90<307;55" | tr '0->' ' LEOR\!AUBGNSTY'
alan@clegg.com

From owner-freebsd-security Sun Apr 22 21:40:39 2001
Date: Mon, 23 Apr 2001 00:28:36 -0400
From: Andrew Barros
To: Victor Sudakov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010423002836.C24869@tjhsst.edu>
In-Reply-To: <20010423111632.B17342@sibptus.tomsk.ru>

The problem lies in that when you tell ftpd to get * it has to make a list
of all those files, now for a really complex pattern like

*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/..

ftpd will take a long time to build the list. That's the globbing
vulnerability.
-ajb

On Mon, Apr 23, 2001 at 11:16:32AM +0800, Victor Sudakov wrote:
->Colleagues:
->
->I do not quite understand the impact of the globbing vulnerability.
->
->As far as I understand, it can be exploited only after a user has
->logged in, so ftpd is already chrooted and running with the uid of
->the user at the moment. What serious trouble can an attacker
->cause under these conditions?
->
->Thank you for any input.
---end quoted text---

--
Andrew Barros
PGP Key Fingerprint:
D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Sun Apr 22 23:50:41 2001
Date: Mon, 23 Apr 2001 01:52:36 -0500
From: "SparkLIST.com"
To: freebsd-security@freebsd.org
Subject: Re: your unsubscribe request

As you requested, you have been unsubscribed from 'fwd-newswire'.

---
From: "Grigory T. Kisilev"
To: fwd-newswire-request
Date: Mon, 23 Apr 2001 09:50:05 +0300

# Mail sent to leave-fwd-newswire-2059532e was converted to these commands:

unsubscribe fwd-newswire freebsd-security@freebsd.org
confirm
end

From owner-freebsd-security Mon Apr 23 02:02:30 2001
Date: Mon, 23 Apr 2001 12:39:34 +0800
From: Victor Sudakov
To: Andrew Barros
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010423123934.A19055@sibptus.tomsk.ru>
In-Reply-To: <20010423002836.C24869@tjhsst.edu>
Organization: AO "Svyaztransneft", SibPTUS

On Mon, Apr 23, 2001 at 12:28:36AM -0400, Andrew Barros wrote:
> The problem lies in that when you tell ftpd to get * it has to make a list
> of all those files, now for a really complex pattern like
> */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/..
>
> ftpd will take a long time to build the list. That's the
> globbing vulnerability.

FreeBSD-SA-01:33 thinks otherwise:

III.
Impact

Remote users may be able to execute arbitrary code on the FTP server as
the user running ftpd, usually root.
===

What you described is a DoS attack maybe, but I was speaking of the
vulnerability.

>
> -ajb
> On Mon, Apr 23, 2001 at 11:16:32AM +0800, Victor Sudakov wrote:
> ->Colleagues:
> ->
> ->I do not quite understand the impact of the globbing vulnerability.
> ->
> ->As far as I understand, it can be exploited only after a user has
> ->logged in, so ftpd is already chrooted and running with the uid of
> ->the user at the moment. What serious trouble can an attacker
> ->cause under these conditions?
> ->
> ->Thank you for any input.
> ---end quoted text---
>
> --
> Andrew Barros
> PGP Key Fingerprint:
> D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/

From owner-freebsd-security Mon Apr 23 03:16:51 2001
Date: 23 Apr 2001 12:16:44 +0200
From: Dag-Erling Smorgrav
To: Victor Sudakov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Q: Impact of globbing vulnerability in ftpd
In-Reply-To: <20010423111632.B17342@sibptus.tomsk.ru>
X-URL: http://www.ofug.org/~des/

Victor Sudakov writes:
> I do not quite understand the impact of the globbing vulnerability.

There was an exploitable buffer overflow in the globbing code.

> As far as I understand, it can be exploited only after a user has
> logged in, so ftpd is already chrooted

Not necessarily.

> and running with the uid of
> the user at the moment. What serious trouble can an attacker
> cause under these conditions?

Run arbitrary code on the target machine, which may perform operations
(such as creating new directories to store warez) which the FTP server
normally doesn't allow the user to perform, or even exploit a local
root compromise.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Apr 23 04:12:51 2001
Date: Mon, 23 Apr 2001 19:07:37 +0800
From: Victor Sudakov
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010423190737.A25969@sibptus.tomsk.ru>
Organization: AO "Svyaztransneft", SibPTUS

On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > I do not quite understand the impact of the globbing vulnerability.
>
> There was an exploitable buffer overflow in the globbing code.
>
> > As far as I understand, it can be exploited only after a user has
> > logged in, so ftpd is already chrooted
>
> Not necessarily.

Anonymous account is always chrooted. I think you have to play with the
source to disable this.

> > and running with the uid of
> > the user at the moment. What serious trouble can an attacker
> > cause under these conditions?
>
> Run arbitrary code on the target machine, which may perform operations
> (such as creating new directories to store warez) which the FTP server
> normally doesn't allow the user to perform,

How is this possible if ftpd drops root privileges after successful login?

> or even exploit a local
> root compromise.

So, if the users already have shell accounts, this security hole does not
matter for me, does it?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/

From owner-freebsd-security Mon Apr 23 05:29:55 2001
Date: Mon, 23 Apr 2001 08:29:46 -0400 (EDT)
From: Michael S Scheidell
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts
Message-Id: <200104231229.f3NCTk939079@caerulus.cerintha.com>
In-Reply-To: <20010422193335.B23245@xor.obsecurity.org>
Reply-To: scheidell@fdma.com

In local.freebsd.security, you wrote:
>
> > Script kiddies..just ignore it and get used to it.

I don't suggest ignoring the 'kiddies' that walk down the street trying
to see if my windows are open either. 80% of these systems have been
compromised, and the owner doesn't even know it. Wouldn't you like to
take these systems off the net? You want one of them to run against your
system (if you miss a security bulletin?) It's easy enough to log and
alert the isp.
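Added example for this thread (not code from any poster): a Python script that parses the kernel's log_in_vain lines of the form Tim quoted, groups them by source address and flags the sources that retried or touched several ports, which is the evidence one would attach when alerting an ISP. The sample lines are constructed with RFC 5737 documentation addresses, and the thresholds in flag_sources are assumptions.

```python
"""Summarise FreeBSD log_in_vain kernel messages by source address.

Added example for this thread, not code from any poster. With
net.inet.tcp.log_in_vain / net.inet.udp.log_in_vain enabled, the kernel
logs one line per connection attempt to a port with no listener, e.g.

    Connection attempt to TCP phoenix:111 from 192.0.2.10:4912

Grouping those lines by source shows whether one host is probing
repeatedly (worth an abuse report to its ISP) or the noise is one-off.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Matches the kernel's log_in_vain message; search() rather than match()
# so that syslog-prefixed lines from /var/log/messages parse as well as
# the bare dmesg form.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<host>\S+):(?P<dport>\d+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*$"
)

# Constructed sample input using RFC 5737 documentation addresses; these
# are not the addresses from the original post.
SAMPLE_LOG = """\
Connection attempt to TCP phoenix:111 from 192.0.2.10:4912
Connection attempt to TCP phoenix:111 from 198.51.100.7:3278
Connection attempt to TCP phoenix:111 from 192.0.2.10:4946
Connection attempt to TCP phoenix:21 from 203.0.113.44:3110
Connection attempt to TCP phoenix:111 from 203.0.113.44:3845
Connection attempt to UDP phoenix:111 from 203.0.113.44:3901
Connection attempt to TCP phoenix:1080 from 192.0.2.10:47996
Apr 23 01:04:59 phoenix /kernel: Connection attempt to TCP phoenix:111 from 198.51.100.7:3300
sshd[1979]: fatal: PAM session setup failed[6]: Permission denied
"""


@dataclass(frozen=True)
class Attempt:
    proto: str
    host: str
    dport: int
    src: str
    sport: int


@dataclass
class SourceStats:
    attempts: int = 0
    ports: set = field(default_factory=set)  # distinct (proto, dport) pairs


def parse_line(line):
    """Return an Attempt for a log_in_vain line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Attempt(m["proto"], m["host"], int(m["dport"]),
                   m["src"], int(m["sport"]))


def summarize(lines):
    """Per-source statistics and a per-(proto, port) attempt histogram."""
    by_src = defaultdict(SourceStats)
    by_port = Counter()
    for line in lines:
        a = parse_line(line)
        if a is None:
            continue  # unrelated kernel or daemon output
        by_src[a.src].attempts += 1
        by_src[a.src].ports.add((a.proto, a.dport))
        by_port[(a.proto, a.dport)] += 1
    return dict(by_src), by_port


def flag_sources(by_src, min_attempts=3, min_ports=2):
    """Sources that retried or touched several ports: candidates to report.

    The thresholds are assumptions for this example, not from the thread.
    """
    return sorted(src for src, s in by_src.items()
                  if s.attempts >= min_attempts or len(s.ports) >= min_ports)


def report(lines):
    """Plain-text summary suitable for pasting into an abuse report."""
    by_src, by_port = summarize(lines)
    out = ["attempts by destination port:"]
    for (proto, dport), n in sorted(by_port.items(), key=lambda kv: -kv[1]):
        out.append(f"  {proto}/{dport}: {n}")
    out.append("sources to follow up:")
    for src in flag_sources(by_src):
        s = by_src[src]
        ports = ", ".join(f"{p}/{d}" for p, d in sorted(s.ports))
        out.append(f"  {src}: {s.attempts} attempts to {ports}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```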
From owner-freebsd-security Mon Apr 23 7:16:42 2001
From: "SparkLIST.com"
Reply-To: "SparkLIST.com"
To: freebsd-security@freebsd.org
Subject: Re: your unsubscribe request
Date: Mon, 23 Apr 2001 09:18:36 -0500

As you requested, you have been unsubscribed from 'fwd-newswire'.

---
Date: Mon, 23 Apr 2001 09:12:06 -0500
To: fwd-newswire-request
From: admin
Subject:

# Mail sent to leave-fwd-newswire-2059532e was converted to these commands:

unsubscribe fwd-newswire freebsd-security@freebsd.org
confirm
end

# This is the text of the message that triggered the action:
Date: Mon, 23 Apr 2001 09:12:06 -0500
To: leave-fwd-newswire-2059532E@nova.sparklist.com
From: admin
Subject:

From owner-freebsd-security Mon Apr 23 7:21:51 2001
Date: Mon, 23 Apr 2001 10:22:11 -0400 (EDT)
From: Robert Watson
To: Victor Sudakov
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
In-Reply-To: <20010423111632.B17342@sibptus.tomsk.ru>

On Mon, 23 Apr 2001, Victor Sudakov wrote:

> As far as I understand, it can be exploited only after a user has logged
> in, so ftpd is already chrooted and running with the uid of the user at
> the moment. What serious trouble can an attacker cause under these
> conditions?

It is true that the globbing vulnerability cannot be exploited until a
login has occurred, as prior to authentication, there are no opportunities
to present the FTP server with an expression that is expanded using glob().
However, logging in as an anonymous user, where enabled, is sufficient to
allow the vulnerability to be exploited.
This problem is compounded because the FTP server only runs with an
effective UID of the user, as it needs to rebind new privileged ports in
active mode. All vulnerabilities in the FTP daemon are very serious because
of this behavior; I've been considering the idea of a flag to ftpd to force
the use of passive mode by all clients (violation of spec, and nasty to
many clients and firewalls, no doubt), which would allow the server to run
with less privilege.

Even if the attacker only exploits the rights of the effective
(authenticated) user, it may be possible to break out of the chroot() if
there are processes outside of the chroot() running as the same user. For
example, if ftpd switches to the "nobody" uid for anonymous users, and
there is a web server running as "nobody" which executes CGI (thus giving
up the P_SUGID bit); in such a scenario, the user can not only influence
(see, signal, ...) processes not chroot()'d, but also attach to them using
debugging services.

Note: chroot() is *not* a comprehensive security feature, it is a file
system namespace feature. Improper use of chroot(), such as overloading use
of the uid by executing code with the same uid without identical chroot()
limitations, will result in possible undesirable effects.

So the short of it is: this is a serious vulnerability that should be
addressed by anyone running the FTP daemon, especially those with anonymous
FTP enabled. Because the vulnerability is in glob, there are actually a
variety of other software authors who may need to evaluate the safety of
their code.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Mon Apr 23 7:54:30 2001
Date: 23 Apr 2001 16:54:22 +0200
From: Dag-Erling Smorgrav
To: Victor Sudakov
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru>
In-Reply-To: <20010423190737.A25969@sibptus.tomsk.ru>

Victor Sudakov writes:
> On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > > As far as I understand, it can be exploited only after a user has
> > > logged in, so ftpd is already chrooted
> > Not necessarily.
> Anonymous account is always chrooted. I think you have to play
> with the source to disable this.

The logged-in user is not necessarily anonymous.
> > Run arbitrary code on the target machine, which may perform operations
> > (such as creating new directories to store warez) which the FTP server
> > normally doesn't allow the user to perform,
> How is this possible if ftpd drops root privileges after
> successful login?

I didn't claim the code would run as root. It would run as the logged-in
user, or user "ftp" in case of an anonymous login.

> So, if the users already have shell accounts, this security hole
> does not matter for me, does it?

Probably not. Depends on your anonftp setup.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Apr 23 8:29:48 2001
Date: Mon, 23 Apr 2001 15:28:24 +0000 (GMT)
From: Jim Durham
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts
In-Reply-To: <200104231229.f3NCTk939079@caerulus.cerintha.com>

On Mon, 23 Apr 2001, Michael S Scheidell wrote:

> In local.freebsd.security, you wrote:
> >
> > Script kiddies..just ignore it and get used to it.
>
> I don't suggest ignoring the 'kiddies' that walk down the street trying to
> see if my windows are open either.
>
> 80% of these systems have been compromised, and the owner doesn't even
> know it.
>
> Wouldn't you like to take these systems off the net?
> You want one of them to run against your system (if you miss a security
> bulletin?)
>
> It's easy enough to log and alert the isp.
>

I don't know what you folks' experience has been, but I've had almost no
luck with alerting ISPs to these problems. A lot of this stuff comes from
Korea and Czechoslovakia and I get no responses from the ISPs.

-Jim Durham

From owner-freebsd-security Mon Apr 23 9:02:00 2001
Date: Mon, 23 Apr 2001 12:01:53 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104231601.f3NG1rt45478@caerulus.cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts
References: <200104231229.f3NCTk939079@caerulus.cerintha.com>
Reply-To: scheidell@fdma.com

In local.freebsd.security, you wrote:
> I don't know what you folks' experience has been, but I've had
> almost no luck with alerting ISPs to these problems. A lot of
> this stuff comes from Korea and Czechoslovakia and I get no
> responses from the ISPs.

I use mynetwatchman. It's kinda like spamcop for hackers. Depending on the
port number and/or number of different people he gets attacked from, he
will alert the isp on 'first contact' (port 111, 515, some of the windows
trojan ports, like subseven or netbus). He has contacts in korea; I don't
have to track them down and lart the isp.
I can go to the web site and see the status of 'alerts' and escalated
attacks in the last 24 hrs. I can punch in a suspect ip address and see if
it was just me or others that got attacked.

There are replies back from many isp's and 'victims' that let us know that
'thank you for reporting that', our client system was hacked into and he
didn't even know it was being used to attack others.

What you are doing (at least a little) is removing compromised systems by
alerting the owners. These compromised systems are used to further attack
and hack (see news stories on the escalation between us and chinese hackers
on the security lists).

So, if there is a 2% response back, with no effort on my part but to
install the ipfw perl scripts, at least that's 2%.

From owner-freebsd-security Mon Apr 23 9:56:16 2001
Message-ID: <3AE45EAC.18A180EE@globalstar.com>
Date: Mon, 23 Apr 2001 09:56:12 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Dag-Erling Smorgrav
Cc: Victor Sudakov, freebsd-security@FreeBSD.ORG
Subject: Re: Q: Impact of globbing vulnerability in ftpd
References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru>

Dag-Erling Smorgrav wrote:
>
> Victor Sudakov writes:
> >
> > On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > > > As far as I understand, it can be exploited only after a user has
> > > > logged in, so ftpd is already chrooted
> > > Not necessarily.
> > Anonymous account is always chrooted. I think you have to play
> > with the source to disable this.
>
> The logged-in user is not necessarily anonymous.
>
> > > Run arbitrary code on the target machine, which may perform operations
> > > (such as creating new directories to store warez) which the FTP server
> > > normally doesn't allow the user to perform,
> > How is this possible if ftpd drops root privileges after
> > successful login?
>
> I didn't claim the code would run as root. It would run as the
> logged-in user, or user "ftp" in case of an anonymous login.

The FTP daemon does _NOT_ drop privileges. It changes effective user ID
only. (Do a 'ps -axo pid,command,user,ruser | grep ftpd' on a running
daemon.)

> > So, if the users already have shell accounts, this security hole
> > does not matter for me, does it?
>
> Probably not. Depends on your anonftp setup.

Privilege escalation is possible whenever an FTP daemon can be fed
arbitrary code to execute.

--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader of
this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby notified
that any review, dissemination, distribution or copying of this
communication is strictly prohibited.
If you have received this e-mail in error, please contact
postmaster@globalstar.com

From owner-freebsd-security Mon Apr 23 10:33:09 2001
From: "A. Rakukin"
To: security@freebsd.org
Subject: ssh X11 forwarding
Reply-To: "A. Rakukin"
Date: Mon, 23 Apr 2001 21:33:04 +0400

Hi,

I have a problem with X11 forwarding. It does not work if I login from the
machine with

>uname -imprsv
SunOS 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-2
>ssh -V
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f

to the server with

>uname -mrs
FreeBSD 4.2-RELEASE i386
>ssh -V
SSH Version OpenSSH_2.2.0, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
>grep X /etc/ssh/sshd_config
X11Forwarding yes
X11DisplayOffset 50

Logins from to the server via loopback do forward X connections.

A.
From owner-freebsd-security Mon Apr 23 14:10:39 2001
Date: Mon, 23 Apr 2001 14:10:33 -0700
From: Kris Kennaway
To: scheidell@fdma.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts
Message-ID: <20010423141033.C6800@xor.obsecurity.org>
References: <20010423111824.A11827@gumbynet.org> <20010422193335.B23245@xor.obsecurity.org> <200104231229.f3NCTk939079@caerulus.cerintha.com>
In-Reply-To: <200104231229.f3NCTk939079@caerulus.cerintha.com>

On Mon, Apr 23, 2001 at 08:29:46AM -0400, Michael S Scheidell wrote:
> In local.freebsd.security, you wrote:
> >
> > Script kiddies..just ignore it and get used to it.
>
> I don't suggest ignoring the 'kiddies' that walk down the street trying to
> see if my windows are open either.
>
> 80% of these systems have been compromised, and the owner doesn't even
> know it.
>
> Wouldn't you like to take these systems off the net?
> You want one of them to run against your system (if you miss a security
> bulletin?)
>
> It's easy enough to log and alert the isp.

Fine, feel free to :-)

Kris

From owner-freebsd-security Mon Apr 23 14:13:42 2001
Date: Mon, 23 Apr 2001 17:13:39 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104232113.f3NLDdL54572@caerulus.cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts
In-Reply-To: <20010423141033.C6800@xor.obsecurity.org>
References: <20010423111824.A11827@gumbynet.org> <20010422193335.B23245@xor.obsecurity.org> <200104231229.f3NCTk939079@caerulus.cerintha.com> <20010423141033.C6800@xor.obsecurity.org>
Reply-To: scheidell@fdma.com

In local.freebsd.security, you wrote:
>
> Fine, feel free to :-)
>
> Kris

Everyone needs a hobby. I just have a perl script that looks at ipfw logs,
uploads certain hits to mynetwatchman and he larts the isp. What could be
easier?
From owner-freebsd-security Mon Apr 23 14:30:21 2001
Date: Mon, 23 Apr 2001 23:30:03 +0200 (EET)
From: Domas Mituzas
Subject: Re: Connection attempts (& active ids)
In-Reply-To: <200104232113.f3NLDdL54572@caerulus.cerintha.com>
Message-ID: <20010423231908.N574-100000@axis.tdd.lt>

> I just have a perl script that looks at ipfw logs, uploads certain hits to
> mynetwatchman and he larts the isp.
>

It is really easy to spoof the connection source IP for your IPFW logs. Are
you sure you wish to alert the ISP?

Several days ago I gave a lesson to guys running portsentry and similar
stuff with active blocking enabled. They did not believe they had any
security breach, but after their own systems blocked all TLD servers, they
removed portsentry immediately. It would be really annoying for various
ISPs to get fake reports (they are already flooded with fake spam reports,
when spammers use fake domains for their From:). Therefore, any automatic
action on so-called intrusions can cause a lot worse impact than just
ignoring them.

Try to use the least privilege principle, but do not trust the logs of your
IDS, which can be spoofed for fun and/or profit. You can trust more such a
type of defence as tcp wrappers, which are invoked only when the system
verifies the tcp connection and gives control to userland.
But still, it's more important to do secure system design (use chroot,
jails, unprivileged accounts etc.) than to trust the AI of your security
software.

One of the best practices is to build honeypots - early warning systems
with great publicity and observed security. And software with changed
banners into older ones :)

Know your enemy, but be silent.

Cheers,
Domas

From owner-freebsd-security Mon Apr 23 15:00:22 2001
Message-ID: <3AE4A5F2.E52825EE@globalstar.com>
Date: Mon, 23 Apr 2001 15:00:18 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Domas Mituzas
Cc: scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts (& active ids)
References: <20010423231908.N574-100000@axis.tdd.lt>

Domas Mituzas wrote:

[snip]

> One of best practices is to build honeypots - early warning systems with
> great publicity and observed security. And software, with changed banners
> into older ones :)

Most of what you said made sense up until this point. You are not saying it
is a "best practice" for everyone concerned with security to build
honeypots? Unless you are actively doing security research (i.e.
your job description goes beyond just protecting computer and information
assets, or you are doing it on your own time), building and deploying
honeypots is a very questionable use of resources.

You are most likely going to be capturing script kiddie tools you could
just go download off of any of a dozen h4x0r sitez. Building a secure
honeypot is harder than building a secure "legit" machine, and we all make
mistakes. That can actually reduce your security as a whole by introducing
compromised machines (and if you are building entire secure extranets just
to house honeypots, that's a lot of resources being spent). Honeypots are
also a potential legal liability.

If you want "great publicity" to justify yourself to management, a simple
NIDS will give you just as much ammunition as a honeypot (would management
even understand the distinction?). And don't pretend that the kiddies or
crackers will just stop poking around your network once they find your
honeypot. We all see the scans walk methodically across our nets. We all
know most of them come from machines already compromised. Honeypots just
focus _more_ kiddie and cracker attention on you rather than distract them
from your real assets.

Honeypots do have a place for those doing security research. For someone
working to protect a corporate, academic, or government network, energy is
better spent on other things... unless your network is already 100% secure
(heh-heh).

--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
From owner-freebsd-security Mon Apr 23 15:05:53 2001
Date: Mon, 23 Apr 2001 18:05:47 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104232205.f3NM5l256247@caerulus.cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts (& active ids)
In-Reply-To: <20010423231908.N574-100000@axis.tdd.lt>
References: <200104232113.f3NLDdL54572@caerulus.cerintha.com> <20010423231908.N574-100000@axis.tdd.lt>
Reply-To: scheidell@fdma.com

In local.freebsd.security, you wrote:
>
> it is really easy to spoof connection source IP for your IPFW logs.
> are you sure you wish to alert the ISP?

Yes.

>
> Several days ago I gave a lesson to guys, running portsentry and similar
> stuff with active blocking enabled. They did not believe they had any
> security breach, but after their own systems blocked all TLD servers, they
> removed portsentry immediately. It would be really annoying for various

Yes, you can use 'things' (like stick) and nmap to spoof ip addresses, but
then you won't gather any information. The things we are seeing, 4/5, 10,
20 per day, are linux 'worms' (mostly compromised redhat... aren't you glad
you chose freebsd?). These compromised systems are NOT spoofing (they are
compromised, and are gathering more 'children').
If they spoof tcpip connections, they cannot send in their exploit code,
can't find out if there are open or closed ports, cannot propagate, so: in
these cases, yes.

To double check, since this is a central collection of intrusions, logs of
other systems, mostly dsl and home cable modem users, are compared for
consistency. Guess what: ip address w.x.y.z appears on several different
logs, a quick look at w.x.y.z shows redhat 6.2 running with open ports
21,53,98,111 and 515. Was it an ip spoof? Hardly. isp contacted, logs sent,
client thanks us that we alerted him, as he had no clue.

> One of best practices is to build honeypots - early warning systems with
> great publicity and observed security. And software, with changed banners
> into older ones :)

These aren't honeypots, but with several (70+ active agents) recording the
same port scans from the same ip addresses, either:

A) someone is spoofing (not decoy, just spoofing) certain ip addresses who
just happen to have lion or adore root kit installed on them, or
B) they are spoofing just for fun, scanning multiple a blocks ranging from
24.0.0.0/8 @home cable modems to 63.0.0.0 dsl lines to 216, 207, etc.

So, in these cases, what is more likely?
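The cross-sensor consistency check Michael describes (a source is only worth reporting once several independent agents have logged it, since any single ipfw Deny line can be forged), as an added example that is not part of the thread and not mynetwatchman's code: it parses FreeBSD 4.x-style ipfw log lines; the sensor names, addresses and log text are all constructed.

```python
import re
from collections import defaultdict

# Shape of a FreeBSD 4.x ipfw log line as syslog writes it, e.g.
# "Apr 23 08:29:46 fw /kernel: ipfw: 300 Deny TCP 198.51.100.7:2213 192.0.2.10:111 in via fxp0".
# "sensor" is the logging host's name; ports are absent for ICMP lines.
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: three sensors' security logs concatenated. Addresses
# come from the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_LOGS = """\
Apr 23 08:29:46 sensorA /kernel: ipfw: 300 Deny TCP 198.51.100.7:2213 192.0.2.10:111 in via fxp0
Apr 23 08:29:47 sensorA /kernel: ipfw: 300 Deny TCP 198.51.100.7:2214 192.0.2.10:515 in via fxp0
Apr 23 08:31:02 sensorB /kernel: ipfw: 300 Deny TCP 198.51.100.7:1031 192.0.2.77:111 in via xl0
Apr 23 08:33:19 sensorC /kernel: ipfw: 300 Deny TCP 198.51.100.7:1044 192.0.2.200:515 in via ed0
Apr 23 08:40:00 sensorA /kernel: ipfw: 300 Deny TCP 203.0.113.9:4000 192.0.2.10:111 in via fxp0
Apr 23 09:01:12 sensorB /kernel: ipfw: 300 Deny UDP 203.0.113.9:53 192.0.2.77:53 in via xl0
Apr 23 09:05:00 sensorA /kernel: ipfw: 300 Deny TCP 203.0.113.44:6000 192.0.2.10:22 in via fxp0
Apr 23 09:06:00 sensorA /kernel: ipfw: 200 Accept TCP 192.0.2.5:1234 192.0.2.10:22 in via fxp0
Apr 23 09:07:00 sensorA su: BAD SU joe to root on /dev/ttyp0
"""


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line, or None for non-ipfw lines."""
    m = IPFW_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def correlate(log_text):
    """Group inbound Deny hits by source address across all sensors."""
    per_src = defaultdict(lambda: {"sensors": set(), "dports": set(), "hits": 0})
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        # Only unsolicited inbound packets count as attempts; accepted
        # traffic and outbound denies say nothing about a remote host.
        if rec is None or rec["action"] != "Deny" or rec["dir"] != "in":
            continue
        entry = per_src[rec["src"]]
        entry["sensors"].add(rec["sensor"])
        if rec["dport"] is not None:
            entry["dports"].add(rec["dport"])
        entry["hits"] += 1
    return per_src


def reportable_sources(log_text, min_sensors=2):
    """Sources seen by at least min_sensors distinct sensors.

    One sensor's Deny line proves only that a packet carrying that source
    address arrived, which anyone can forge. The same source hitting several
    unrelated sensors is the consistency check applied before a report goes
    out; a lone-sensor hit is left out, however noisy it was.
    """
    report = {}
    for src, entry in correlate(log_text).items():
        if len(entry["sensors"]) >= min_sensors:
            report[src] = {
                "sensors": sorted(entry["sensors"]),
                "dports": sorted(entry["dports"]),
                "hits": entry["hits"],
            }
    return report


if __name__ == "__main__":
    for src, info in sorted(reportable_sources(SAMPLE_LOGS).items()):
        print(f"{src}: seen by {len(info['sensors'])} sensors {info['sensors']}, "
              f"ports {info['dports']}, {info['hits']} hits")
```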
From owner-freebsd-security Mon Apr 23 15:11:55 2001
Message-ID: <002c01c0cc42$65b4cef0$0503a8c0@fdma.com>
From: "Michael Scheidell"
References: <20010423231908.N574-100000@axis.tdd.lt>
Subject: Re: Connection attempts (& active ids)
Date: Mon, 23 Apr 2001 18:11:40 -0400
Organization: Florida Datamation, Inc.

FYI, it is this activity, documented on several security lists, that we
are seeing. It is compromised systems we see trying to find 'children'. I
would like to inform the owners of these systems that their computers have
been hacked into and let them take note (sure beats the daily posts 'I
found this in my logs, was I hacked?'). I would rather be proactive than
reactive.

Now, since I can't wave a magic wand and do an rm -rf / & on every
linux/redhat 6.2 system out there, the best I can do is to keep them from
spreading germs.

---- from recent mcafee email:

4. Virus News

Linux/Adore Worm
RISK ASSESSMENT: LOW

Discovered on 4/5/01, the Linux/Adore package, containing "Elf" binary
files as well as script files, targets to scan the internet to look for
vulnerable Linux systems to exploit.
(Bind, rpc.statd, wu-ftp, lpd) When an exploitable system has been found,
it replaces the process file called "ps". The original file gets moved to
the /usr/bin/adore directory, while the other files from the Linux/Adore
package are put into /usr/lib/lib. If successful, the worm tries to send an
e-mail to 4 e-mail addresses. The e-mail contains system info from the
vulnerable systems.

Learn more at http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99064

From owner-freebsd-security Mon Apr 23 18:50:32 2001
From: Dragos Ruiu
Organization: kyx.net
To: "Crist Clark", Domas Mituzas
Subject: Re: Connection attempts (& active ids)
Date: Mon, 23 Apr 2001 18:39:25 -0700
Cc: scheidell@fdma.com, freebsd-security@FreeBSD.ORG
References: <20010423231908.N574-100000@axis.tdd.lt> <3AE4A5F2.E52825EE@globalstar.com>
In-Reply-To: <3AE4A5F2.E52825EE@globalstar.com>
Message-Id: <01042318494515.00270@smp.kyx.net>

I have to say that I disagree with most of the arguments espoused below.

A carefully controlled and monitored auxiliary system is not only a good
defensive measure, but unlikely an actual security risk unless you make it
ridiculously easy to break into. Thankfully, most script kiddy intruders
seem to be lazy and go for the honeypots and the path of least resistance
most often....
But it's probably better to have the honeypot mirror your normal configs to get the most value out of it and to make it less obviously different from your production system. I would even go as far in differing as to say that I expect honeypot systems to become a standard practice, not just a "best" practice. I'm not quite convinced about the "canned" honeypots though.... Like that movie said, "Every Jedi must build their own..." :-)

If nothing else, a honeypot makes a great use for a hot standby spare...

cheers,
--dr

On Mon, 23 Apr 2001, Crist Clark wrote:
> Domas Mituzas wrote:
>
> [snip]
>
> > One of best practices is to build honeypots - early warning systems with
> > great publicity and observed security. And software, with changed banners
> > into older ones :)
>
> Most of what you said made sense up until this point. You are not saying it
> is a "best practice" for everyone concerned with security to build honeypots?
> Unless you are actively doing security research (i.e. your job description
> goes beyond just protecting computer and information assets, or you are doing
> it on your own time), building and deploying honeypots is a very questionable
> use of resources.
>
> You are most likely going to be capturing script kiddie tools you could
> just go download off of any of a dozen h4x0r sitez. Building a secure
> honeypot is harder than building a secure "legit" machine, and we all
> make mistakes. That can actually reduce your security as a whole by
> introducing compromised machines (and if you are building entire secure
> extranets just to house honeypots, that's a lot of resources being
> spent). Honeypots are also a potential legal liability.
>
> If you want "great publicity" to justify yourself to management, a simple
> NIDS will give you just as much ammunition as a honeypot (would management
> even understand the distinction?). And don't pretend that the kiddies or
> crackers will just stop poking around your network once they find your
> honeypot.
> We all see the scans walk methodically across our nets. We all
> know most of them come from machines already compromised. Honeypots just
> focus _more_ kiddie and cracker attention on you rather than distract
> them from your real assets.
>
> Honeypots do have a place for those doing security research. For someone
> working to protect a corporate, academic, or government network, energy
> is better spent on other things... unless your network is already 100%
> secure (heh-heh).
> --
> Crist J. Clark                       Network Security Engineer
> crist.clark@globalstar.com           Globalstar, L.P.
> (408) 933-4387                       FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Dragos Ruiu dursec.com ltd.
/ kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

From owner-freebsd-security Mon Apr 23 18:57:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sibptus.tomsk.ru (sibptus.tomsk.ru [213.59.238.16]) by hub.freebsd.org (Postfix) with ESMTP id 06B8F37B43C for ; Mon, 23 Apr 2001 18:57:27 -0700 (PDT) (envelope-from sudakov@sibptus.tomsk.ru)
Received: (from sudakov@localhost) by sibptus.tomsk.ru (8.9.3/8.9.3) id JAA40687; Tue, 24 Apr 2001 09:57:00 +0800 (KRAST) (envelope-from sudakov)
Date: Tue, 24 Apr 2001 09:57:00 +0800
From: Victor Sudakov
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010424095700.A40591@sibptus.tomsk.ru>
References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from des@ofug.org on Mon, Apr 23, 2001 at 04:54:22PM +0200
Organization: AO "Svyaztransneft", SibPTUS
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Apr 23, 2001 at 04:54:22PM +0200, Dag-Erling Smorgrav wrote:
> > > > As far as I understand, it can be exploited only after a user has
> > > > logged in, so ftpd is already chrooted
> > > Not necessarily.
> > Anonymous account is always chrooted. I think you have to play
> > with the source to disable this.
>
> The logged-in user is not necessarily anonymous.

In my installations, a user is always chrooted, unless he/she has a shell account anyway.
>
> > > Run arbitrary code on the target machine, which may perform operations
> > > (such as creating new directories to store warez) which the FTP server
> > > normally doesn't allow the user to perform,
> > How is this possible if ftpd drops root privileges after
> > successful login?
>
> I didn't claim the code would run as root. It would run as the
> logged-in user, or user "ftp" in case of an anonymous login.

The security advisory claims that. So I became interested.

>
> > So, if the users already have shell accounts, this security hole
> > does not matter for me, does it?
>
> Probably not. Depends on your anonftp setup.

Anonftp is always chrooted :)

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/

From owner-freebsd-security Mon Apr 23 19: 2:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sibptus.tomsk.ru (sibptus.tomsk.ru [213.59.238.16]) by hub.freebsd.org (Postfix) with ESMTP id 1E0ED37B423 for ; Mon, 23 Apr 2001 19:02:28 -0700 (PDT) (envelope-from sudakov@sibptus.tomsk.ru)
Received: (from sudakov@localhost) by sibptus.tomsk.ru (8.9.3/8.9.3) id KAA40783; Tue, 24 Apr 2001 10:00:45 +0800 (KRAST) (envelope-from sudakov)
Date: Tue, 24 Apr 2001 10:00:44 +0800
From: Victor Sudakov
To: Crist Clark
Cc: Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010424100044.B40591@sibptus.tomsk.ru>
References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru> <3AE45EAC.18A180EE@globalstar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <3AE45EAC.18A180EE@globalstar.com>; from crist.clark@globalstar.com on Mon, Apr 23, 2001 at 09:56:12AM -0700
Organization: AO "Svyaztransneft", SibPTUS
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Apr 23, 2001 at 09:56:12AM -0700, Crist Clark wrote:
> Dag-Erling Smorgrav wrote:
> >
> > Victor Sudakov writes:
> > > On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > > > > As far as I understand, it can be exploited only after a user has
> > > > > logged in, so ftpd is already chrooted
> > > > Not necessarily.
> > > Anonymous account is always chrooted. I think you have to play
> > > with the source to disable this.
> >
> > The logged-in user is not necessarily anonymous.
> >
> > > > Run arbitrary code on the target machine, which may perform operations
> > > > (such as creating new directories to store warez) which the FTP server
> > > > normally doesn't allow the user to perform,
> > > How is this possible if ftpd drops root privileges after
> > > successful login?
> >
> > I didn't claim the code would run as root. It would run as the
> > logged-in user, or user "ftp" in case of an anonymous login.
>
> The FTP daemon does _NOT_ drop privileges. It changes effective user
> ID only. (Do a 'ps -axo pid,command,user,ruser | grep ftpd' on a running
> daemon.)

I see.

>
> > > So, if the users already have shell accounts, this security hole
> > > does not matter for me, does it?
> >
> > Probably not. Depends on your anonftp setup.
>
> Privilege escalation is possible whenever an FTP daemon can be fed
> arbitrary code to execute.

Do you know of any exploits that can run arbitrary code via ftpd not with the euid of the user (possibly anonymous), but with root privileges?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/

From owner-freebsd-security Mon Apr 23 20:17: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7FED637B424; Mon, 23 Apr 2001 20:17:03 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Received: (from jedgar@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3O3H3H42265; Mon, 23 Apr 2001 20:17:03 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 23 Apr 2001 20:17:03 -0700 (PDT)
Message-Id: <200104240317.f3O3H3H42265@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:34                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          hylafax contains local compromise

Category:       ports
Module:         hylafax
Announced:      2001-04-23
Credits:        Marcin Dawcewicz
Affects:        Ports collection prior to the correction date.
Corrected:      2001-04-17
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

HylaFAX is a facsimile system for UNIX systems.

II.  Problem Description

The hylafax port, versions prior to hylafax-4.1.b2_2, contains a format string bug in the hfaxd program. A local user may execute the hfaxd program with command-line arguments containing format string characters, potentially gaining root privileges on the local system.
The hylafax port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 5000 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. The ports collection that shipped with FreeBSD 4.3 is not vulnerable since this problem was corrected prior to the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Local users may gain root privileges on the local system.

If you have not chosen to install the hylafax port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the hylafax port/package if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the hylafax port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/comms/hylafax-4.1.b2_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/comms/hylafax-4.1.b2_2.tgz

NOTE: it may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the hylafax port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBOuTqs1UuHi5z0oilAQEWwgQAlhOuE800ddI0J9hiGsQKli2LJyQ18ObQ
w0/rdjahJDkOLrx5IGlFe9M1IzjbeXauYT6TUnaOxfwMo58bUy1T7QZ9ROUYzE39
DzrN1JmjcTshG3HdgsdVfSwjQirYpN6uvRVWQx6ncMpuN5bSw3RZ3ci4WH/LsKty
tZ9P/gD6bAs=
=EFP3
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 23 20:20:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8FDC437B43F; Mon, 23 Apr 2001 20:20:32 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Received: (from jedgar@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3O3KWB42492; Mon, 23 Apr 2001 20:20:32 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 23 Apr 2001 20:20:32 -0700 (PDT)
Message-Id: <200104240320.f3O3KWB42492@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:35.licq
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:35                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          licq contains multiple remote vulnerabilities

Category:       ports
Module:         licq
Announced:      2001-04-23
Credits:        Stan Bubrouski
Affects:        Ports collection prior to the correction date.
Corrected:      2001-03-13
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

licq is an ICQ client.

II.  Problem Description

The licq port, versions prior to 1.0.3, contains a vulnerability in URL parsing. URLs received by the licq program are passed to the web browser using the system() function. Since licq performs no sanity checking, a remote attacker may be able to pipe commands contained in the URL causing the client to execute arbitrary commands.

Additionally, the licq program also contains a buffer overflow in the logging functions allowing a remote attacker to cause licq to crash and potentially execute arbitrary code on the local machine as the user running licq.

The licq port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 5000 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. The ports collection that shipped with FreeBSD 4.3 is not vulnerable since this problem was corrected prior to the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote attackers may be able to crash licq or execute arbitrary commands on the local machine as the user running the licq program.

If you have not chosen to install the licq port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the licq port/package if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the licq port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/licq-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/licq-1.0.3.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the licq port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.

The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBOuTqtFUuHi5z0oilAQGRMAQAkun9z8bA3ZGNHt0MjYrFdjFCg8EWZ4H6
3e7pQxTXJktJkI6NgNVqycjezo4PMrTI5BOm8wMjnCpElI0sapZdf5mso65iJd8D
WOrQYGsPA4//1tjv7P/VAtc61k53kr0HzwvZbczwbhiQqkEKFxxN4kyRuF4f9eQ1
dFkYSVA+kVg=
=J8Cm
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 23 20:22:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 0DEB537B63A; Mon, 23 Apr 2001 20:22:44 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Received: (from jedgar@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3O3MiO42701; Mon, 23 Apr 2001 20:22:44 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 23 Apr 2001 20:22:44 -0700 (PDT)
Message-Id: <200104240322.f3O3MiO42701@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:36.samba
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:36                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          samba ports contain locally exploitable /tmp races

Category:       ports
Module:         samba
Announced:      2001-04-23
Credits:        Marcus Meissner
Affects:        Ports collection prior to the correction date.
Corrected:      2001-04-18
Vendor status:  Updated version released
FreeBSD only:   No

I.   Background

Samba is an implementation of the Server Message Block (SMB) protocol.

II.  Problem Description

The samba ports, versions prior to samba-2.0.8 and samba-devel-2.2.0, contain /tmp races that may allow local users to cause arbitrary files and devices to be overwritten. Due to easily predictable printer queue cache file names, local users may create symbolic links to any file or device causing it to be corrupted when a remote user accesses a printer. In addition, the file will be left with world-writable permission allowing any user to enter their own data.

The samba ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 5000 third-party applications in a ready-to-install format.
The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. The ports collection that shipped with FreeBSD 4.3 is not vulnerable since this problem was corrected prior to the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users may cause arbitrary files or devices to be corrupted and gain increased privileges on the local system.

If you have not chosen to install the samba ports/packages, then your system is not vulnerable to this problem. Samba servers that do not have any printers configured are not vulnerable.

IV.  Workaround

Deinstall the samba port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the samba port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/samba-2.0.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/samba-2.0.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/samba-devel-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/samba-devel-2.2.0.tgz

NOTE: it may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the samba port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBOuTqtVUuHi5z0oilAQEaFAQAlriJxzRK8s/UnIJliIIGqZgdp+bTiKfs
XV66+DD0+RZtWcsjPx5imCCfsWJgdurq9JpM6iWYJCir34wargJygpZRWSU/Pnov
yKw2IrNbOVkp4ASRbXCqLm+Z6WZKXhbJN+f/8N+ts2XVk+QJrZWzCRqa1ynyx1I1
MpvXhM9lTvk=
=qspP
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 23 20:26:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 35D9337B43E; Mon, 23 Apr 2001 20:25:34 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Received: (from jedgar@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3O3PYd43039; Mon, 23 Apr 2001 20:25:34 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 23 Apr 2001 20:25:34 -0700 (PDT)
Message-Id: <200104240325.f3O3PYd43039@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:37.slrn
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:37                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          slrn contains remotely-exploitable buffer overflow

Category:       ports
Module:         slrn
Announced:      2001-04-23
Credits:        Bill Nottingham
Affects:        Ports collection prior to the correction date.
Corrected:      2001-04-04
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

slrn is a slang-based NNTP news reader.

II.  Problem Description

The slrn port, versions prior to slrn-0.9.7.0, contains a buffer overflow in the wrapping/unwrapping functions of message header parsing. If a sufficiently long header is parsed, a buffer may overflow allowing the execution of arbitrary code contained in a message header as the user running the slrn program.

The slrn port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 5000 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. The ports collection that shipped with FreeBSD 4.3 is not vulnerable since this problem was corrected prior to the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Arbitrary code may be executed on the local machine as the user running the slrn program.

If you have not chosen to install the slrn port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the slrn port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the slrn port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/news/slrn-0.9.7.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/news/slrn-0.9.7.0.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the slrn port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.

The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBOuTqtVUuHi5z0oilAQHqsAP+PEzZ8FPPCrKKKDGP7gACN77r5dbbE9LF
MYSVGp2Z2+vwSysJG2BOtyNrrKlUhaKTLAoWZF+7ytV9ujli+bI06R2iYoe5SqMM
a7K1N1XKNvXdvq1nYjDuawIzJzl9b2B8XavPFEtwkkxDVAtq2ODKTabAtllrNnfV
hD4HsUzFMRI=
=al4w
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 23 20:26:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2E93237B617; Mon, 23 Apr 2001 20:25:42 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Received: (from jedgar@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3O3PgQ43078; Mon, 23 Apr 2001 20:25:42 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 23 Apr 2001 20:25:42 -0700 (PDT)
Message-Id: <200104240325.f3O3PgQ43078@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:38.sudo
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:38                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          sudo contains local buffer overflow

Category:       ports
Module:         sudo
Announced:      2001-04-23
Credits:        Chris Wilson
Affects:        Ports collection prior to the correction date.
Corrected:      2001-03-07
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

sudo is a program that allows a sysadmin to give limited root privileges to users and logs root activity.

II.  Problem Description

The sudo port, versions prior to sudo-1.6.3.7, contains a local command-line buffer overflow allowing a local user to potentially gain increased privileges on the local system.

The sudo port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 5000 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. The ports collection that shipped with FreeBSD 4.3 is not vulnerable since this problem was corrected prior to the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Local users may potentially gain increased privileges on the local system.

If you have not chosen to install the sudo port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the sudo port/package if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the sudo port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.3.7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.3.7.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the sudo port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.

The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBOuTqtlUuHi5z0oilAQGsKQP9HXFq79DNvBXkV+03EadLPoJV1gwzG2lp
KCJeMOhMc2pKgPcGIxMQ9bmLC7gI+xkr2XrjEpsUnYHCoBS2F7Jd9gKQZNLvGqVy
r2hCiTKcg1rObIYML4cghlo12Ppe7saxXszBmNa4VnHZwC4ksuREvZWJc+jKJ5oz
zybz712C8iQ=
=CQtP
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 23 20:57:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from covert.iadfw.net (covert.black-ring.iadfw.net [209.196.123.142]) by hub.freebsd.org (Postfix) with SMTP id 09C2F37B42C for ; Mon, 23 Apr 2001 20:57:19 -0700 (PDT) (envelope-from datazone@airmail.net)
Received: from scab.caprolite.org from [207.136.36.203] by covert.iadfw.net (/\##/\ Smail3.1.30.16 #30.49) with smtp for freebsd-security@freebsd.org sender: id ; Mon, 23 Apr 2001 22:57:34 -0500 (CDT)
Message-Id:
Date: Mon, 23 Apr 2001 22:57:35 -0500 (CDT)
To: "Michael Scheidell"
Cc: freebsd-security@freebsd.org
From: datazone@airmail.net
Subject: Re: Connection attempts (& active ids)
X-Mailer: Gmail 0.7.0pre5 (http://gmail.linuxpower.org)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Now, since I can't wave a magic wand and do an rm -rf / & on every
> linux/redhat 6.2 system out there, best I can do is to keep them from
> spreading germs.

pretty big words, security is a way of life. an idiot admin using freebsd is just as bad as an idiot admin using windows, or any other OS.

From owner-freebsd-security Tue Apr 24 6: 8:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tempest.waterspout.com (cc444939-a.lwrnc1.in.home.com [24.178.180.124]) by hub.freebsd.org (Postfix) with ESMTP id C3A0E37B423 for ; Tue, 24 Apr 2001 06:08:16 -0700 (PDT) (envelope-from ajk@iu.edu)
Received: from localhost (ajk@localhost) by tempest.waterspout.com (8.11.1/8.11.1) with ESMTP id f3OD8Lr75676; Tue, 24 Apr 2001 08:08:21 -0500 (EST) (envelope-from ajk@iu.edu)
Date: Tue, 24 Apr 2001 08:07:01 -0500 (EST)
From: "Andrew J. Korty"
X-X-Sender:
To:
Cc: ,
Subject: [PATCH] syslogd hangs
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Several months ago someone on -security was complaining about syslogd hanging when logging from remote hosts. I've since been affected by the problem myself and looked into it closely. It appears syslogd is suffering from a problem with the way the resolver handles interrupted kevent() calls. This problem was fixed back when the resolver used poll(), but the fix was not retained when refactoring with kqueue()/kevent(). I've submitted a bug report and patch, bin/26665. Please take a look. Thanks!

--
Andrew J. Korty, Principal Security Engineer, GCIA
Office of the Vice President for Information Technology
Indiana University

From owner-freebsd-security Tue Apr 24 7:43: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from c0mailgw06.prontomail.com (mailgw.prontomail.com [216.163.180.10]) by hub.freebsd.org (Postfix) with ESMTP id 634EC37B422 for ; Tue, 24 Apr 2001 07:42:56 -0700 (PDT) (envelope-from djstrobelite@starband.net)
Received: by c0mailgw06.prontomail.com (NPlex 5.1.050) id 3AE3B68A000307E7 for freebsd-security@FreeBSD.ORG; Tue, 24 Apr 2001 07:41:20 -0700
Received: from 148.75.148.202 by SmtpServer for ; Tue, 24 Apr 2001 14:41:17 +0000
Message-ID: <3AE590D4.66E038DA@starband.net>
Date: Tue, 24 Apr 2001 08:42:41 -0600
From: Jumpin Joe
Reply-To: djs@uscreativetypes.com
X-Mailer: Mozilla 4.75 (Macintosh; U; PPC)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: other services vulnerable to globbing exploit?
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit

Greetings:

I have followed with interest the recent exchanges about the ftpd globbing vulnerability. Below is a line from the logs of a certain site I host. The output looks very similar to the output I've seen shared here about how the vulnerability is exploited. Could this be an (attempt) to exploit the same vulnerability through httpd? And as always, can this even be considered an attack? My apache and bind are up to date and requests like this come through at a variable rate, have not crashed the service, but do seem to be increasing load and eating up bandwidth.

Thanks in advance for your consideration.

Joe

-------------------------------- log output --------------------------------------------------

216.72.28.15 - - [24/Apr/2001:08:22:34 -0600] "GET /cgi-bin/somecompany/some_script.pl/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/' /'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/some.gif' HTTP/1.0" 200 20165 "http://www.somecompany.com/cgi-bin/omecompany/some_script.pl/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/ '/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/ '/'/'/'/'/'/'/'/'/another.gif'" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

From owner-freebsd-security Tue Apr 24 9:57:38 2001
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id D89AC37B422 for ; Tue, 24 Apr 2001 09:57:35 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GCB33E00.72P; Tue, 24 Apr 2001 09:57:14 -0700
Message-ID: <3AE5B07D.9EFE500B@globalstar.com>
Date: Tue, 24 Apr 2001 09:57:33 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Victor Sudakov
Cc: Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG
Subject: Re: Q: Impact of globbing vulnerability in ftpd
References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru> <3AE45EAC.18A180EE@globalstar.com> <20010424100044.B40591@sibptus.tomsk.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Victor Sudakov wrote:

[snip]

> > Privilege escalation is possible whenever an FTP daemon can be fed
> > arbitrary code to execute.
>
> Do you know of any exploits that can run arbitrary code via ftpd
> not with the euid of the user (possibly anonymous), but with root privileges?

Here's one from Bugtraq. It claims to run under FreeBSD 4.x (not .3) and OpenBSD 2.8. It does not include code to break from a chroot, so it does not work for that case. However, nothing is stopping you from adding code to break out of the chroot once you have setuid back to root. I have not tested it. No guarantee it works. Have fun.

http://www.securityfocus.com/archive/1/176905

--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Tue Apr 24 10: 8:35 2001
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 5340437B423 for ; Tue, 24 Apr 2001 10:08:31 -0700 (PDT) (envelope-from karsten@rohrbach.de)
Received: (qmail 8639 invoked by uid 1000); 24 Apr 2001 17:08:51 -0000
Date: Tue, 24 Apr 2001 19:08:51 +0200
From: "Karsten W. Rohrbach"
To: Kris Kennaway
Cc: netch@segfault.kiev.ua, Rasputin , freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements & Incremental Patches
Message-ID: <20010424190851.K1191@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach" , Kris Kennaway , netch@segfault.kiev.ua, Rasputin , freebsd-security@FreeBSD.ORG
References: <20010412105356.A88231@dogma.freebsd-uk.eu.org> <20010422202144.A313@iv.nn.kiev.ua> <20010422194329.A23392@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010422194329.A23392@xor.obsecurity.org>; from kris@obsecurity.org on Sun, Apr 22, 2001 at 07:43:29PM -0700
X-Arbitrary-Number-Of-The-Day: 42

Kris Kennaway(kris@obsecurity.org)@2001.04.22 19:43:29 +0000:
> On Sun, Apr 22, 2001 at 08:21:44PM +0300, Valentin Nechayev wrote:
>
> > It is quite simple for any qualified FreeBSD admin, including FreeBSD
> > FTP site team, to make patched binaries for all supported releases for
> > any security advisory and put them for free download for such admins who
> > have bad compiling skills; but it is not provided now, and anyone should
>
> No, it's not simple. You have to make sure you include all
> dependencies of the change, everything the change depends on
> (e.g. libraries with changes that are required by the updated
> utility), and you have to test it in a variety of environments to make
> sure it works as expected. It's relatively simple to make a package
> from random pieces, it's quite difficult to test it and make sure that
> it works.

that said, it sounds more reasonable than the approach of some "vendors", "fixing" software and releasing it mostly untested. mostly the software gets pushed into the field without extensive testing and the user feedback may be taken as a basis for debugging the newly introduced "features" ;-)

> More to the point, it takes additional time, which is always the most
> scarce resource in volunteer projects. Are you willing to help test
> binary security packages by reinstalling your system to a clean
> installation of 4.3-RELEASE, then applying and testing the package?

the problem with testing security relevant fixes is that you have to conduct the test in a production environment. a clean room test setup will lead to nothing better than you could achieve by simply reading the code of the fixes... the problem is to recruit as many experienced admins who are really into server operations and know a lot about the bsd intrinsics and who are willing to test the fixes on their machines in the field. on the other hand, those machines you want to test the patches on have to be out-of-the-box installations with not many customizations. i do not think that there are a lot of those boxes available since nearly every bigger organization creates their inhouse releases and/or customizes the base system by removing whole subsystems (like sendmail etc.) and running something different. so a lot of my freebsd installations go a "nonstandard" way in terms of system configuration, so binary fixes probably will not be 100% reliable to apply.

> Having said this, the RELENG_4_3 release branch is a step towards
> allowing us to do this (since it's a known, constant base which is
> expected to have few changes and therefore easy to manage
> dependencies); there's the possibility of generating binary packages
> for users of -RELEASE versions of FreeBSD starting with 4.3 only.

definitely.

> Kris

cheers,
/k

--
> yes, i'm writing all lowercase. that's a fact.
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-------------------------------------]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Tue Apr 24 11:49:42 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id D2DE137B422 for ; Tue, 24 Apr 2001 11:49:38 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 7FA2866DF6; Tue, 24 Apr 2001 11:49:38 -0700 (PDT)
Date: Tue, 24 Apr 2001 11:49:38 -0700
From: Kris Kennaway
To: djs@uscreativetypes.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: other services vulnerable to globbing exploit?
Message-ID: <20010424114938.E89156@xor.obsecurity.org>
References: <3AE590D4.66E038DA@starband.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jKBxcB1XkHIR0Eqt"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AE590D4.66E038DA@starband.net>; from djstrobelite@starband.net on Tue, Apr 24, 2001 at 08:42:41AM -0600

On Tue, Apr 24, 2001 at 08:42:41AM -0600, Jumpin Joe wrote:
> Greetings:
>
> I have followed with interest the recent exchanges about the ftpd
> globbing vulnerability. Below is a line from the logs of a certain site
> I host. The output looks very similar to the output I've seen shared
> here about how the vulnerability is exploited. Could this be an
> (attempt) to exploit the same vulnerability through httpd? And as
> always, can this even be considered an attack? My apache and bind are
> up to date and requests like this come through at a variable rate, have
> not crashed the service, but do seem to be increasing load and eating up
> bandwidth. Thanks in advance for your consideration.

This doesn't look like a globbing attempt, but other services certainly could be vulnerable to the buffer overflow, since glob() is in libc (this was noted in the advisory, I believe). Recompile libc and any statically-linked servers, etc.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE65crBWry0BWjoQKURAt1UAJ9ylrLqEFOY+q948MCL0r64cdZRaACfVXYp
4jW4a5IFtC+ESuatLLLu4pw=
=ft5R
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 24 11:50:24 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id A803837B424 for ; Tue, 24 Apr 2001 11:50:22 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3FFBC66DF6; Tue, 24 Apr 2001 11:50:22 -0700 (PDT)
Date: Tue, 24 Apr 2001 11:50:22 -0700
From: Kris Kennaway
To: Victor Sudakov
Cc: Crist Clark , Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010424115022.F89156@xor.obsecurity.org>
References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru> <3AE45EAC.18A180EE@globalstar.com> <20010424100044.B40591@sibptus.tomsk.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="HCdXmnRlPgeNBad2"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010424100044.B40591@sibptus.tomsk.ru>; from sudakov@sibptus.tomsk.ru on Tue, Apr 24, 2001 at 10:00:44AM +0800

On Tue, Apr 24, 2001 at 10:00:44AM +0800, Victor Sudakov wrote:
> Do you know of any exploits that can run arbitrary code via ftpd
> not with the euid of the user (possibly anonymous), but with root privileges?

I'm sure they exist.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE65crtWry0BWjoQKURAgMZAJ0Q10DKku4ASszj+lAIAhBhJzwyUQCfRz/k
EmLi9WYi6NCOvB+QfjaJaPM=
=aAen
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 24 17:18:17 2001
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 37CF137B424 for ; Tue, 24 Apr 2001 17:18:13 -0700 (PDT) (envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust68.tnt1.clarksburg.wv.da.uu.net [63.21.114.68]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id RAA25390; Tue, 24 Apr 2001 17:17:52 -0700 (PDT)
Message-ID: <3AE61853.F8DEF42D@colltech.com>
Date: Tue, 24 Apr 2001 20:20:35 -0400
From: Daniel Hagan
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Dragos Ruiu
Cc: Crist Clark , Domas Mituzas , scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts (& active ids)
References: <20010423231908.N574-100000@axis.tdd.lt> <3AE4A5F2.E52825EE@globalstar.com> <01042318494515.00270@smp.kyx.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dragos Ruiu wrote:
> But it's probably better to have the honeypot
> mirror your normal configs to get the most value out of it and to
> make it less obviously different from your production system.

If a system mirrors your production configuration, it's no longer a honeypot. Honeypots must be easier to compromise than the production systems or they can no longer fulfill their purpose (enticement of attackers to a known location, so to speak, facilitating detection and/or monitoring).

> I would even go as far in differing as to say that I expect honeypot
> systems to become a standard practice not just a "best" practice.

Even after the legal issues surrounding honeypot use are more thoroughly explored, I wouldn't expect to see non-research organizations deploying them in any great numbers. It really depends on what your goals are. If you want to entice an attacker into a situation where he can be monitored and his tools captured, honeypots are a good idea. If you're charged with protecting certain information or service assets from compromise, honeypots are not very effective. A well designed network with NIDS will give you higher quality and larger quantities of intelligence regarding activity on your network than a honeypot will.

> If nothing else, a honeypot makes a great use for a hot standby
> spare...

I'll assume that you're kidding here. You wouldn't really treat a system *designed* to be compromised as a fail over resource if your primary assets became unavailable, would you?

Daniel

- --
Consultant, Collective Technologies http://www.collectivetech.com/
Use PGP for confidential e-mail. http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1
3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBOuYYFsKlLCvSLxWxEQIcHwCfVSghC4XxUFWxU+693GmsvqJQFP0Anjn+
BysQFm1MTr38cDNs4Ok/Mi70
=RPWn
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 24 22:25:37 2001
Received: from yellow.jscc.ru (yellow.jscc.ru [194.85.104.95]) by hub.freebsd.org (Postfix) with ESMTP id F2C3637B423; Tue, 24 Apr 2001 22:25:31 -0700 (PDT) (envelope-from avz@elserv.msk.su)
Received: from elserv.msk.su (dialadm-236.jscc.ru [195.208.40.236]) by yellow.jscc.ru (8.9.3/8.9.3/JSCC) with ESMTP id JAA87260; Wed, 25 Apr 2001 09:25:21 +0400 (MSD)
Message-ID: <3AE65FBE.83F10409@elserv.msk.su>
Date: Wed, 25 Apr 2001 09:25:19 +0400
From: Andrey Zakharchenko
Organization: Interdepartmental Supercomputer Center
X-Mailer: Mozilla 4.61 [en] (OS/2; I)
X-Accept-Language: ru,en
MIME-Version: 1.0
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: imap-uw
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit

Hi!

Are the 'shell door' and 'mailbox lock' vulnerabilities closed in the recent versions of imap-uw? UW claims so, but the FreeBSD ports system seems not to agree.
--
Andrey Zakharchenko

From owner-freebsd-security Wed Apr 25 3:27:32 2001
Received: from mail1.svr.pol.co.uk (mail1.svr.pol.co.uk [195.92.193.18]) by hub.freebsd.org (Postfix) with ESMTP id 97B8637B423 for ; Wed, 25 Apr 2001 03:27:28 -0700 (PDT) (envelope-from lee@kechara.net)
Received: from [195.92.198.123] (helo=mail17.svr.pol.co.uk) by mail1.svr.pol.co.uk with esmtp (Exim 3.13 #0) id 14sMW1-0005Hv-00 for freebsd-security@freebsd.org; Wed, 25 Apr 2001 11:27:21 +0100
Received: from modem-68.ainur.dialup.pol.co.uk ([62.136.100.68] helo=itchy.kechara.org) by mail17.svr.pol.co.uk with esmtp (Exim 3.13 #0) id 14sMW6-0007BF-00 for freebsd-security@freebsd.org; Wed, 25 Apr 2001 11:27:26 +0100
Received: from itchy (bart.kechara.org [192.168.1.2]) by itchy.kechara.org (8.8.8/8.8.8) with SMTP id NAA29875; Thu, 22 Jun 2000 13:18:09 +0100
Date: Sat, 21 Apr 2001 10:23:18 +0100
From: Lee Smallbone
X-Mailer: The Bat! (v1.18 Christmas Edition) S/N 3FDB2AD8
Reply-To: Lee Smallbone
Organization: Kechara Internet
X-Priority: 3 (Normal)
Message-ID: <7432.010421@kechara.net>
To: Jim Durham
Cc: freebsd-security@freebsd.org
Subject: Re[2]: Connection attempts
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello Jim,

Monday, 23 April 2001, you wrote:

JD> On Mon, 23 Apr 2001, Michael S Scheidell wrote:
>> In local.freebsd.security, you wrote:
>> >
>> > Script kiddies..just ignore it and get used to it.
>>
>> I don't suggest ignoring the 'kiddies' that walk down the street trying to
>> see if my windows are open either.
>>
>> 80% of these systems have been compromised, and the owner doesn't even
>> know it.
>>
>> Wouldn't you like to take these systems off the net?
>> You want one of them to run against your system (if you miss a security
>> bulletin?)
>>
>> It's easy enough to log and alert the ISP.
>>
JD> I don't know what you folks' experience has been, but I've had
JD> almost no luck with alerting ISPs to these problems. A lot of
JD> this stuff comes from Korea and Czechoslovakia and I get no
JD> responses from the ISPs.

You should see my intrusion database... 93% from Korea, Taiwan and the likes. The rest from interesting places such as Hungary. There is never any response from ISPs. Solution a) grin and bear it (is that really a solution though?). Solution b) actively firewall connections from these places (blanket bans are never a great idea though.) Solution c) anyone?

This could make for an interesting debate.

Best regards,
Lee Smallbone
lee@kechara.net

From owner-freebsd-security Wed Apr 25 5: 0:41 2001
Received: from totem.fix.no (totem.fix.no [213.142.66.130]) by hub.freebsd.org (Postfix) with ESMTP id 1E89E37B422; Wed, 25 Apr 2001 05:00:35 -0700 (PDT) (envelope-from anders@totem.fix.no)
Received: by totem.fix.no (Postfix, from userid 1000) id 4358B3CC8; Wed, 25 Apr 2001 14:00:34 +0200 (CEST)
Date: Wed, 25 Apr 2001 14:00:34 +0200
From: Anders Nordby
To: Andrey Zakharchenko
Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: Re: imap-uw
Message-ID: <20010425140034.A3661@totem.fix.no>
References: <3AE65FBE.83F10409@elserv.msk.su>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AE65FBE.83F10409@elserv.msk.su>; from avz@elserv.msk.su on Wed, Apr 25, 2001 at 09:25:19AM +0400
X-Operating-System: FreeBSD 4.1.1-STABLE
X-PGP-Key: http://anders.fix.no/pgp/
X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956

Hi,

On Wed, Apr 25, 2001 at 09:25:19AM +0400, Andrey Zakharchenko wrote:
> Are the 'shell door' and 'mailbox lock' vulnerabilities closed in the
> recent versions of imap-uw? UW claims so, but the FreeBSD ports system seems
> not to agree.

Yes they are. Though, I feel that there should be a warning there because of this particular package's habit of being vulnerable every now and then. I'll change the message next time I update the port.

Cheers,

--
Anders.

From owner-freebsd-security Wed Apr 25 5:30:34 2001
Received: from caerulus.cerintha.com (caerulus.cerintha.com [207.18.92.26]) by hub.freebsd.org (Postfix) with ESMTP id C8D5937B422 for ; Wed, 25 Apr 2001 05:30:29 -0700 (PDT) (envelope-from scheidell@Cerintha.com)
Received: (from scheidell@localhost) by caerulus.cerintha.com (8.11.3/8.11.3) id f3PC4cw22343; Wed, 25 Apr 2001 08:04:38 -0400 (EDT)
Date: Wed, 25 Apr 2001 08:04:38 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104251204.f3PC4cw22343@caerulus.cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Re[2]: Connection attempts
In-Reply-To: <7432.010421@kechara.net>
References: <7432.010421@kechara.net>
Reply-To: scheidell@fdma.com

>
> You should see my intrusion database... 93% from Korea, Taiwan and
> the likes. The rest from interesting places such as Hungary. There
> is never any response from ISPs. Solution a) grin and bear it (is
> that really a solution though?). Solution b) actively firewall
> connections from these places (blanket bans are never a great idea
> though.)

mynetwatchman has contacts in Korea.
There is a 'cert' web site there (I forget the link) but he has contacts at kornet and they host many of the schools (where the systems are mostly located).

>
> Solution c) anyone?

Firewall China at least. Kills spam and, if you use stealth mode, harasses spammers all in one step.

#china:
$fwcmd add deny ip from 61.128.0.0/16 to any in via $oif
$fwcmd add deny ip from 202.96.0.0/16 to any in via $oif
$fwcmd add deny ip from 202.107.0.0/16 to any in via $oif
$fwcmd add deny ip from 211.96.0.0/21 to any in via $oif
$fwcmd add deny ip from 211.88.0.0/21 to any in via $oif
$fwcmd add deny ip from 210.72.0.0/22 to any in via $oif
$fwcmd add deny ip from 159.226.0.0/16 to any in via $oif
# 61.128.0.0/18 is already inside the 61.128.0.0/16 rule above
$fwcmd add deny ip from 61.128.0.0/18 to any in via $oif
$fwcmd add deny ip from 202.64.0.0/18 to any in via $oif
$fwcmd add deny ip from 210.14.192.0/18 to any in via $oif
$fwcmd add deny ip from 203.93.0.0/16 to any in via $oif
# 166.111.0.0 has host bits set for a /15 mask (255.254.0.0); address AND mask is 166.110.0.0/15
$fwcmd add deny ip from 166.111.0.0/15 to any in via $oif
#HK:
# 203.168.128.0 - 203.168.159.255
# note: that range is exactly 203.168.128.0/19; a /17 also covers 203.168.160.0 - 203.168.255.255
$fwcmd add deny ip from 203.168.128.0/17 to any in via $oif

From owner-freebsd-security Wed Apr 25 5:53:41 2001
Received: from probity.mcc.ac.uk (probity.mcc.ac.uk [130.88.200.94]) by hub.freebsd.org (Postfix) with ESMTP id 55DAB37B422 for ; Wed, 25 Apr 2001 05:53:37 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by probity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14sOnO-0000yx-00 for security@freebsd.org; Wed, 25 Apr 2001 13:53:26 +0100
Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3PCquv00931 for security@freebsd.org; Wed, 25 Apr 2001 13:52:56 +0100 (BST) (envelope-from rasputin)
Date: Wed, 25 Apr 2001 13:52:56 +0100
From: Rasputin
To: security@freebsd.org
Subject: IPf fragment fix
Message-ID:
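Added by the editor as a worked check on the deny list posted above; it is an editor's example, not part of the message and not an ipfw feature. It normalizes each rule with the standard-library ipaddress module and reports two things a netmask-only filter like ipfw will silently accept: a rule that a wider rule already covers, and an address with host bits set beyond its mask (a netmask comparison tests address AND mask, so the rule matches something other than what was typed). It also converts the ip1-ip2 range in the HK comment into the exact CIDR blocks that range needs, which is how a range is expressed to a filter that only takes net/mask. POSTED_RULES is a constructed copy of the rules above; $fwcmd and $oif are kept as the same placeholders.

```python
import ipaddress

# Constructed copy of the deny list posted above, without the
# "$fwcmd add deny ip from ... to any in via $oif" boilerplate.
POSTED_RULES = [
    "61.128.0.0/16", "202.96.0.0/16", "202.107.0.0/16", "211.96.0.0/21",
    "211.88.0.0/21", "210.72.0.0/22", "159.226.0.0/16", "61.128.0.0/18",
    "202.64.0.0/18", "210.14.192.0/18", "203.93.0.0/16", "166.111.0.0/15",
    "203.168.128.0/17",
]


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering the inclusive range first..last."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return [str(n) for n in nets]


def cidr_covers_exactly(cidr, first, last):
    """True when cidr matches the inclusive range first..last and nothing else."""
    normalized = str(ipaddress.ip_network(cidr, strict=False))
    return range_to_cidrs(first, last) == [normalized]


def audit(cidrs):
    """Findings for a list of net/mask rules: host bits beyond the mask, and shadowed rules."""
    findings = []
    nets = []
    for c in cidrs:
        n = ipaddress.ip_network(c, strict=False)   # strict=False applies the mask instead of raising
        if str(n) != c:
            findings.append(f"{c}: host bits set beyond the mask; a netmask comparison actually tests {n}")
        nets.append(n)
    for a in nets:
        for b in nets:
            if a != b and a.subnet_of(b):
                findings.append(f"{a}: already covered by {b}")
    return findings


def ipfw_rules(cidrs, fwcmd="$fwcmd", oif="$oif"):
    """One deny rule per collapsed block, in the same shape as the posted script."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c, strict=False) for c in cidrs)
    return [f"{fwcmd} add deny ip from {n} to any in via {oif}" for n in nets]


def demo():
    """Audit the posted list and check the HK rule against the range in its comment."""
    hk_first, hk_last = "203.168.128.0", "203.168.159.255"
    report = audit(POSTED_RULES)
    if not cidr_covers_exactly("203.168.128.0/17", hk_first, hk_last):
        exact = ", ".join(range_to_cidrs(hk_first, hk_last))
        report.append(f"203.168.128.0/17: comment range {hk_first}-{hk_last} is exactly {exact}")
    return report


if __name__ == "__main__":
    for line in demo():
        print(line)
    print()
    for rule in ipfw_rules(POSTED_RULES):
        print(rule)
```

Running it on the posted list reports the redundant 61.128.0.0/18, the masked-off 166.111.0.0/15, and that the HK comment's range is a /19 rather than the /17 in the rule; the generated rule set collapses the thirteen entries to twelve. Arbitrary ranges such as 10.0.0.1-10.0.0.6 come out as several blocks, which is the cost of a netmask-only match.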
<20010425135255.A847@dogma.freebsd-uk.eu.org> Reply-To: Rasputin Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is the one that was patched in STABLE on the 7th of April, isn't it? http://www.deadly.org/article.php3?sid=20010419234351 So we got a fix 2 weeks before OpenBSD. That's pretty impressive. Just wanted to check before I start ribbing my mate who keeps gloating over the 'secure by default' mantra ;) -- You cannot propel yourself forward by patting yourself on the back. Rasputin :: Jack of All Trades - Master of Nuns :: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 25 6:39: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 752A937B424 for ; Wed, 25 Apr 2001 06:39:01 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA03724; Wed, 25 Apr 2001 06:38:44 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda03722; Wed Apr 25 06:38:37 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3PDcWY88431; Wed, 25 Apr 2001 06:38:32 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdy88429; Wed Apr 25 06:38:08 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3PDc8V44466; Wed, 25 Apr 2001 06:38:08 -0700 (PDT) Message-Id: <200104251338.f3PDc8V44466@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdc44461; Wed Apr 25 06:37:48 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert 
- ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Rasputin Cc: security@FreeBSD.ORG Subject: Re: IPf fragment fix In-reply-to: Your message of "Wed, 25 Apr 2001 13:52:56 BST." <20010425135255.A847@dogma.freebsd-uk.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 25 Apr 2001 06:37:48 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20010425135255.A847@dogma.freebsd-uk.eu.org>, Rasputin writes: > > This is the one that was patched in STABLE on the 7th of April, > isn't it? > > http://www.deadly.org/article.php3?sid=20010419234351 > > So we got a fix 2 weeks before OpenBSD. That's pretty impressive. > > Just wanted to check before I start ribbing my mate who > keeps gloating over the 'secure by default' mantra ;) Darren Reed, the author of IP Filter has FreeBSD commit privileges. He committed the patch to FreeBSD's IPF the same day he released the patch and a new IPF that include the patch + other fixes. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 25 7: 5:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 115AC37B422 for ; Wed, 25 Apr 2001 07:05:51 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from localhost ([127.0.0.1] helo=softweyr.com ident=2d30ffc1ee241b6ab4b50c9e48679bcd) by softweyr.com with esmtp (Exim 3.16 #1) id 14sPvF-00006D-00; Wed, 25 Apr 2001 08:05:37 -0600 Message-ID: <3AE6D9B1.18CC58C9@softweyr.com> Date: Wed, 25 Apr 2001 08:05:37 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Rasputin Cc: security@freebsd.org Subject: Re: IPf fragment fix References: <20010425135255.A847@dogma.freebsd-uk.eu.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Rasputin wrote: > > This is the one that was patched in STABLE on the 7th of April, > isn't it? > > http://www.deadly.org/article.php3?sid=20010419234351 > > So we got a fix 2 weeks before OpenBSD. That's pretty impressive. > > Just wanted to check before I start ribbing my mate who > keeps gloating over the 'secure by default' mantra ;) We just happened to upgrade to .17 at "the right time". Of course, we've had .17 running on OpenBSD 2.7 and 2.8 since the day .17 was released at work. ;^) -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters                                               Softweyr LLC
wes@softweyr.com                                   http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 14:59: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204]) by hub.freebsd.org (Postfix) with ESMTP id 012C737B423 for ; Wed, 25 Apr 2001 14:59:02 -0700 (PDT) (envelope-from mudman@R181204.resnet.ucsb.edu)
Received: from localhost (mudman@localhost) by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f3PM5A809607 for ; Wed, 25 Apr 2001 15:05:10 -0700 (PDT) (envelope-from mudman@R181204.resnet.ucsb.edu)
Date: Wed, 25 Apr 2001 15:05:10 -0700 (PDT)
From: mudman
To:
Subject: defaced websites and the like
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Every now and then you pick up a copy of the newspaper or you are on-line
reading CNN.com or something and you hear about these "hackers" who broke
into yada yada's website, or did this or that to NASA or the pentagon.

Usually the article follows up with something like how they posted
pornographic material or put some signature onto the site.

Of course, what they never tell you is what was actually wrong with the
systems that these things occurred to (obviously major news sources may
not be a good idea for getting your security information, hah!).

Are these kind of attacks on httpd itself (Apache or otherwise) or are
said "hackers" (heh heh) breaking in through other channels or services?

Maybe as a good follow up, would using one OS over another OS change
the risk assessment for this kind of thing?
(although I admit this last question would take into account a lot of
different variables)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 15: 8:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kottan-labs.bgsu.edu (kottan-labs.bgsu.edu [129.1.133.123]) by hub.freebsd.org (Postfix) with SMTP id 1D3CA37B422 for ; Wed, 25 Apr 2001 15:08:25 -0700 (PDT) (envelope-from memphis_ms@gmx.net)
Received: (qmail 26738 invoked from network); 25 Apr 2001 18:09:47 -0400
Received: from m133-122.bgsu.edu (HELO gmx.net) (129.1.133.122) by kottan-labs.bgsu.edu with RC4-MD5 encrypted SMTP; 25 Apr 2001 18:09:47 -0400
Message-ID: <3AE74BAB.7303BBE5@gmx.net>
Date: Wed, 25 Apr 2001 18:11:55 -0400
From: Raoul Schroeder
X-Mailer: Mozilla 4.74 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: mudman
Cc: freebsd-security@freebsd.org
Subject: Re: defaced websites and the like
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, in one of the last articles in the aforementioned cnn.com, they
actually do say that very often they use a Windows NT bug. And there have
been a couple of security fixes for IIS, I am sure it was (and is)
possible to hack IIS quite easily. The problem is that Windows NT users
are not as unixy as we are, and do not update and maintain their servers
as well as they should.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 15:13:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 22DE937B423 for ; Wed, 25 Apr 2001 15:13:06 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3PMDF834095; Wed, 25 Apr 2001 18:13:15 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Wed, 25 Apr 2001 18:13:11 -0400 (EDT)
From: Rob Simmons
To: mudman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: defaced websites and the like
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Most of the sites that are defaced are done so with the smallest of
effort. Usually sites are updated via ftp. Just sniff the ftp username and
password and you can violate to your heart's content.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 25 Apr 2001, mudman wrote:

>
> Every now and then you pick up a copy of the newspaper or you are on-line
> reading CNN.com or something and you hear about these "hackers" who broke
> into yada yada's website, or did this or that to NASA or the pentagon.
>
> Usually the article follows up with something like how they posted
> pornographic material or put some signature onto the site.
>
> Of course, what they never tell you is what was actually wrong with the
> systems that these things occurred to (obviously major news sources may
> not be a good idea for getting your security information, hah!).
>
> Are these kind of attacks on httpd itself (Apache or otherwise) or are
> said "hackers" (heh heh) breaking in through other channels or services?
>
> Maybe as a good follow up, would using one OS over another OS change
> the risk assessment for this kind of thing? (although I admit this last
> question would take into account a lot of different variables)
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE650v7v8Bofna59hYRAwg7AJ9hsPkJ++0jfB9lmveJSscLIMCq5QCgn2ft
TXS9ul+v5S4uPQ9VxeOL9Dc=
=doFC
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 15:17:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Thanatos.Shenton.Org (a3.ebbed1.client.atlantech.net [209.190.235.163]) by hub.freebsd.org (Postfix) with SMTP id 5CB6937B423 for ; Wed, 25 Apr 2001 15:17:52 -0700 (PDT) (envelope-from chris@Shenton.Org)
Received: (qmail 36855 invoked by uid 1000); 25 Apr 2001 22:17:51 -0000
To: mudman
Cc:
Subject: Re: defaced websites and the like
References:
From: Chris Shenton
Date: 25 Apr 2001 18:17:51 -0400
In-Reply-To: mudman's message of "Wed, 25 Apr 2001 15:05:10 -0700 (PDT)"
Message-ID: <87n194pqsw.fsf@thanatos.shenton.org>
Lines: 51
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

mudman writes:

> Are these kind of attacks on httpd itself (Apache or otherwise) or are
> said "hackers" (heh heh) breaking in through other channels or services?

Attacks can use many vectors including holes in a server itself, holes in
other services, holes in the OS, holes in the infrastructure (e.g. hacking
DNS then exploiting names which are "trusted"), or even "social
engineering" (call a sysadm up claiming to be a legit user who forgot his
password, etc).
When a hole is discovered -- whether it is in the OS, a major server like a
web server or a less common one like the recent NTP hole, or an
infrastructure service (like the recent BIND bug) -- the information
propagates quickly within the network community. Good guys try to protect
themselves, bad guys try and exploit the problems. Software exploit code
is released in amazingly short time so you have to fix any problems that
are found regardless of where it is. A good reason to practice "security
in depth", which I kinda associate with having no system trust any other
system/software any more than absolutely necessary in case it gets hacked.

> Maybe as a good follow up, would using one OS over another OS change
> the risk assessment for this kind of thing? (although I admit this last
> question would take into account a lot of different variables)

I prefer software I can look at and determine its config, so I prefer
things like UNIX-style config files and command-line tools. I find it
very hard to tell the state of my system on a grope-n-poke OS like
WinDoze. I also believe Open Source allows many people to look for holes
in the software where proprietary relies on the discredited idea of
security-through-obscurity. Also, commercial vendors have more pressure to
release more features than to fix bugs.

A major factor which I am sure others will suggest is to use what you know
best. I can secure a FreeBSD, Solaris, or Irix system pretty well. It
would take me longer to secure a Linux box cuz it's been a while, and I'd
be pathetic trying to secure a WinDoze box due to my unfamiliarity at it
(I don't know if it *is* possible to secure, and certainly don't know
how).

--Chris

Anti-Hacking premiums 25% higher for Win NT: An insurance policy against
hacker-inflicted damage costs 25 per cent more for companies using
Windows NT. This is because "there are so many security holes in
Microsoft products", John Wurzler, of Wurzler underwriting managers, told
us today.
-- http://www.theregister.co.uk/content/8/18324.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 15:26:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id D620437B424 for ; Wed, 25 Apr 2001 15:26:26 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GCDCZC00.EAM; Wed, 25 Apr 2001 15:26:00 -0700
Message-ID: <3AE74F0B.A9E714A2@globalstar.com>
Date: Wed, 25 Apr 2001 15:26:19 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: mudman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: defaced websites and the like
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

mudman wrote:
>
> Every now and then you pick up a copy of the newspaper or you are on-line
> reading CNN.com or something and you hear about these "hackers" who broke
> into yada yada's website, or did this or that to NASA or the pentagon.

[snip]

> Are these kind of attacks on httpd itself (Apache or otherwise) or are
> said "hackers" (heh heh) breaking in through other channels or services?

In the recent past (the last year or so), the vast majority of these
defacements have been done by exploiting vulnerabilities in M$ IIS
webservers. The next biggest cause is probably vulnerable CGI programs.
Some CGI issues are associated with specific CGI packages, either example
scripts left in the webroot, administrative scripts without proper
controls, or just plain bad CGI security in the codes.

Of course, some defacements have nothing to do with webserver holes.
For example, "hackers lo-ove noodles!" (For those who are not familiar
with the quote, the Ramen Worm that attacks other services on Red Hat
systems also defaced the default install webpages.)

> Maybe as a good follow up, would using one OS over another OS change
> the risk assessment for this kind of thing? (although I admit this last
> question would take into account a lot of different variables)

For OSes, the key is to harden the system as appropriate. No OS, no, not
even OpenBSD, can be done as a default install, have the web server turned
on, and placed on the net with no additional steps. As opposed to saying
"this OS is more secure than that one," most of the time, IMHO, the best
approach is to decide which OS you (or your staff, your contractor,
whatever) are most capable of hardening well and stick with it.

That said, avoid IIS, period. But it is an application issue, not OS. As
for CGI, that is pretty much a cross-platform problem.

--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.
If you have received this e-mail in error, please contact
postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 18: 2:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from firehouse.net (rdu26-60-051.nc.rr.com [66.26.60.51]) by hub.freebsd.org (Postfix) with SMTP id E79CD37B423 for ; Wed, 25 Apr 2001 18:02:19 -0700 (PDT) (envelope-from abc@firehouse.net)
Received: (qmail 48531 invoked by uid 1000); 26 Apr 2001 01:06:21 -0000
Date: Wed, 25 Apr 2001 21:06:21 -0400
From: Alan Clegg
To: mudman
Cc: freebsd-security@freebsd.org
Subject: Re: defaced websites and the like
Message-ID: <20010425210621.C43159@diskfarm.firehouse.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from mudman@R181204.resnet.ucsb.edu on Wed, Apr 25, 2001 at 03:05:10PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Unless the network is lying to me again, mudman said:

> Maybe as a good follow up, would using one OS over another OS change
> the risk assessment for this kind of thing? (although I admit this last
> question would take into account a lot of different variables)

I hate to toot my own horn, but... *TOOT*

Check out http://www.attrition.org/mirror/attrition/ for a relatively
comprehensive list of defacements, including breakdowns (and graphs) by
OS, web server type, etc... for example:

http://www.attrition.org/mirror/attrition/os.html#APRIL2001

While I'm not part of the attrition team, I do now host their defacement
mailing list. To be advised of defacements as they are "snapshotted",
send an e-mail to:

defaced-l-subscribe@mailinglists.org

Each announcement includes the type of system defaced (OS), web service
running (apache, IIS, etc etc), and the "group" that did the defacement.
There is also a link back to the attrition mirror so you can see what the
defaced page looked like even after the owner 'fixes' the problem.

AlanC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 19: 1: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from anchor-post-31.mail.demon.net (anchor-post-31.mail.demon.net [194.217.242.89]) by hub.freebsd.org (Postfix) with ESMTP id 761A537B424 for ; Wed, 25 Apr 2001 19:01:02 -0700 (PDT) (envelope-from goddard@acm.org)
Received: from shootthemlater.demon.co.uk ([194.222.93.84] helo=cerebus.parse.net) by anchor-post-31.mail.demon.net with esmtp (Exim 2.12 #1) id 14sb5Z-0009ap-0V; Thu, 26 Apr 2001 03:01:01 +0100
Received: from wbra0013.cognos.com ([10.0.0.3] helo=acm.org) by cerebus.parse.net with esmtp (Exim 3.16 #1) id 14sX1q-0000Mj-00; Wed, 25 Apr 2001 22:40:54 +0100
Message-ID: <3AE744B2.186E5793@acm.org>
Date: Wed, 25 Apr 2001 22:42:10 +0100
From: David Goddard
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Domas Mituzas
Cc: scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts (& active ids)
References: <20010423231908.N574-100000@axis.tdd.lt>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Domas Mituzas wrote:

[...]

> Several days ago I gave a lesson to guys, running portsentry and similar
> stuff with active blocking enabled. They did not believe they had any
> security breach, but after their own systems blocked all TLD servers, they
> removed portsentry immediately.

[...]

Now, this sounds like you are suggesting that portsentry is a Bad Thing,
Period. I'm not sure I agree here...
Root servers I hadn't considered (thanks!), but I run portsentry and it's
configured not to block any of the other machines essential to server
running (gateway, colo DNS, backup MX, my own IPs etc.) and I don't give a
toss if it blocks anything else temporarily (a luxury some might not have,
admittedly) - I can fix any obvious problems.

Simply by being sat there listening to port 111, portsentry blocks
several probably compromised systems a day from talking to my servers.
Why should I not use it as a part of my security strategy?

I'm not trying to be combative, but you seem to believe this sort of thing
is fit for nothing and if I'm wrong I'd like to know it now rather than
later...

Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 19:48:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id 0B5AD37B623 for ; Wed, 25 Apr 2001 19:48:23 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 8026 invoked by uid 1000); 26 Apr 2001 02:48:22 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Apr 2001 02:48:22 -0000
Date: Wed, 25 Apr 2001 21:48:21 -0500 (CDT)
From: Mike Silbersack
To: David Goddard
Cc: Domas Mituzas , ,
Subject: Re: Connection attempts (& active ids)
In-Reply-To: <3AE744B2.186E5793@acm.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 25 Apr 2001, David Goddard wrote:

> Simply by being sat there listening to port 111, portsentry blocks
> several probably compromised systems a day from talking to my servers.
> Why should I not use it as a part of my security strategy?

Soooooo... if you weren't running portsentry, wouldn't they be talking to
a closed port, and hence leave you alone as well?
Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 20: 3:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caerulus.cerintha.com (caerulus.cerintha.com [207.18.92.26]) by hub.freebsd.org (Postfix) with ESMTP id DB3B837B423 for ; Wed, 25 Apr 2001 20:03:12 -0700 (PDT) (envelope-from scheidell@Cerintha.com)
Received: (from scheidell@localhost) by caerulus.cerintha.com (8.11.3/8.11.3) id f3Q33CK49974; Wed, 25 Apr 2001 23:03:12 -0400 (EDT)
Message-Id: <200104260303.f3Q33CK49974@caerulus.cerintha.com>
Subject: Re: Connection attempts (& active ids)
In-Reply-To: "from Mike Silbersack at Apr 25, 2001 09:48:21 pm"
To: freebsd-security@freebsd.org
Date: Wed, 25 Apr 2001 23:03:11 -0400 (EDT)
From: Michael Scheidell
Reply-To: Michael Scheidell
X-Loop: scheidell@fdma.com
X-Mailer: ELM [version 2.4ME+ PL77 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> On Wed, 25 Apr 2001, David Goddard wrote:
>
> > Simply by being sat there listening to port 111, portsentry blocks
> > several probably compromised systems a day from talking to my servers.
> > Why should I not use it as a part of my security strategy?
>
> Soooooo... if you weren't running portsentry, wouldn't they be talking to
> a closed port, and hence leave you alone as well?

Sooooooo... if I lock all my doors and windows, and they don't get it, I
should be happy, right?

The problem is, if I don't keep an eye on what is going on, I don't know
they are trying.

If I don't know they are trying, they WILL get in.

read about the $50,000 hacker challenge? Guess what

With enough incentive, they will get in. locked doors and windows are not
enough anymore. We need alarms and armed guards.

I sure wish I could send a 240vt spike down the link on each and every
one.
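The point Michael Scheidell makes above is that a blocked or refused probe is only worth anything if someone actually looks at it, and later in this thread the raw material for doing so is mentioned in passing: Rasputin's log_in_vain kernel messages, the ipfw deny logs that Scheidell's own perl script feeds to mynetwatchman, and the inetd "refused connection from unknown" lines fukuda shinichi asks about. The script below is an added example for this archive, not code posted by anyone in the thread. It parses constructed syslog lines of all three kinds (the inetd lines copy the format quoted in the thread; the exact wording of the kernel "Connection attempt" and "ipfw: ... Deny" lines, the year 2001, the documentation-range addresses, the four-distinct-ports scan threshold and the ten-second correlation window are all this example's assumptions) and produces the kind of "summary every now and then" Scheidell describes: attempts per source and per port, sources that touched several distinct ports, and, for inetd lines that only say "unknown", the addressed events logged close enough in time to be the same peer.

```python
"""Summarise logged connection attempts so refused or dropped probes get
looked at instead of silently vanishing.  Added example for this thread,
not code posted by any of its participants."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log.  The four inetd lines copy the format quoted later
# in this thread; the kernel "Connection attempt" lines follow the message
# log_in_vain produces and the ipfw line follows ipfw's deny-log format
# (the exact wording of those two is this example's assumption).  Addresses
# are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 20 00:02:25 do0 inetd[81102]: refused connection from unknown, service ftpd (tcp)
Apr 20 00:02:27 do0 inetd[81103]: refused connection from unknown, service telnetd (tcp)
Apr 25 12:40:57 do0 inetd[1912]: refused connection from unknown, service ftpd (tcp)
Apr 25 12:41:02 do0 inetd[1913]: refused connection from unknown, service telnetd (tcp)
Apr 25 12:41:05 do0 /kernel: Connection attempt to TCP 192.0.2.10:111 from 198.51.100.7:2049 flags:0x02
Apr 25 12:41:05 do0 /kernel: Connection attempt to TCP 192.0.2.10:515 from 198.51.100.7:2050 flags:0x02
Apr 25 12:41:06 do0 /kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:2051 flags:0x02
Apr 25 12:41:06 do0 /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:2052 flags:0x02
Apr 25 12:41:06 do0 /kernel: Connection attempt to TCP 192.0.2.10:53 from 198.51.100.7:2053 flags:0x02
Apr 25 12:41:30 do0 /kernel: ipfw: 65000 Deny TCP 203.0.113.5:4321 192.0.2.10:111 in via fxp0
Apr 25 12:42:00 do0 /kernel: Connection attempt to TCP 192.0.2.10:80 from 203.0.113.5:4400 flags:0x02
"""

ASSUMED_YEAR = 2001          # syslog timestamps carry no year; assumed here
TS_FMT = "%b %d %H:%M:%S"

INETD_RE = re.compile(r"inetd\[\d+\]: refused connection from (\S+), service (\w+) \((\w+)\)")
VAIN_RE = re.compile(r"Connection attempt to (TCP|UDP) \S+:(\d+) from (\S+):\d+")
IPFW_RE = re.compile(r"ipfw: \d+ Deny (TCP|UDP) (\S+):\d+ \S+:(\d+) in via \S+")


@dataclass
class Event:
    when: datetime
    kind: str             # "inetd", "log_in_vain" or "ipfw"
    source: str           # peer address, or "unknown" when the line has none
    port: Optional[int]   # destination port; inetd names a service instead
    service: str          # service name (inetd) or protocol (kernel lines)


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event, or None if it is not one we track."""
    try:
        when = datetime.strptime(f"{ASSUMED_YEAR} {line[:15]}", f"%Y {TS_FMT}")
    except ValueError:
        return None
    if m := INETD_RE.search(line):
        return Event(when, "inetd", m.group(1), None, m.group(2))
    if m := VAIN_RE.search(line):
        return Event(when, "log_in_vain", m.group(3), int(m.group(2)), m.group(1))
    if m := IPFW_RE.search(line):
        return Event(when, "ipfw", m.group(2), int(m.group(3)), m.group(1))
    return None


def summarise(text: str, scan_ports: int = 4, window_s: int = 10) -> Dict[str, object]:
    """Aggregate a log: attempts per source, per port, sources touching at
    least scan_ports distinct ports, and likely addresses for inetd lines
    that only say "unknown", found by time proximity to addressed lines."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    addressed = [e for e in events if e.source != "unknown"]
    ports: Dict[str, set] = defaultdict(set)
    for e in addressed:
        if e.port is not None:
            ports[e.source].add(e.port)
    suspects: Dict[str, List[str]] = {}
    for e in events:
        if e.kind == "inetd" and e.source == "unknown":
            near = {a.source for a in addressed
                    if abs((a.when - e.when).total_seconds()) <= window_s}
            suspects[e.when.strftime(TS_FMT)] = sorted(near)
    return {
        "events": len(events),
        "by_source": Counter(e.source for e in addressed),
        "by_port": Counter(e.port for e in events if e.port is not None),
        "scanners": sorted(s for s, p in ports.items() if len(p) >= scan_ports),
        "unresolved_inetd": sum(1 for e in events if e.kind == "inetd" and e.source == "unknown"),
        "suspects": suspects,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real /var/log/messages the same way (read the file, pass its text to summarise); the correlation by time is a hint to follow up, not proof that the nearby address is the refused peer, which is why it is reported separately from the per-source counts.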
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 20:18:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 1B4D637B424 for ; Wed, 25 Apr 2001 20:18:53 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id XAA16168; Wed, 25 Apr 2001 23:18:47 -0400 (EDT) (envelope-from wollman)
Date: Wed, 25 Apr 2001 23:18:47 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104260318.XAA16168@khavrinen.lcs.mit.edu>
To: Michael Scheidell
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts (& active ids)
In-Reply-To: <200104260303.f3Q33CK49974@caerulus.cerintha.com>
References: <200104260303.f3Q33CK49974@caerulus.cerintha.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> If I don't know they are trying, they WILL get in.

If you don't make it worth their while, they will move on to a more
tempting target. There are enough unpatched DeadRat 7.0 machines in the
world to occupy their time for quite a while.

My network has a thousand machines on it, of which about ten are somewhat
under my personal control. I could spend all my time every day responding
to IDS alerts, port scans, address scans, and such like, or I could put
real effort into ensuring that the mission-critical systems I am
responsible for are managed properly and securely -- not to mention
educating the people who manage the others about doing the same. I don't
think I need to state which activity I find more useful.
-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 20:30:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caerulus.cerintha.com (caerulus.cerintha.com [207.18.92.26]) by hub.freebsd.org (Postfix) with ESMTP id 9B56D37B422 for ; Wed, 25 Apr 2001 20:30:14 -0700 (PDT) (envelope-from scheidell@Cerintha.com)
Received: (from scheidell@localhost) by caerulus.cerintha.com (8.11.3/8.11.3) id f3Q3UE950845; Wed, 25 Apr 2001 23:30:14 -0400 (EDT)
Date: Wed, 25 Apr 2001 23:30:14 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104260330.f3Q3UE950845@caerulus.cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts (& active ids)
In-Reply-To: <200104260318.XAA16168@khavrinen.lcs.mit.edu>
References: <200104260303.f3Q33CK49974@caerulus.cerintha.com> <200104260318.XAA16168@khavrinen.lcs.mit.edu>
Reply-To: scheidell@fdma.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In local.freebsd.security, you wrote:
>day responding to IDS alerts, port scans, address scans, and such
>like, or I could put real effort into ensuring that the

what if you could 'set and forget' have a perl script that uploads
IDENTIFIED attacks to a central location?

That central location would match up that attackers ip to others (like
about 100 active ones right now)

What if that central location could trigger an email with logs sent to
the isp or admin responsible for that ip address?

Hey, wouldn't YOU want to know if a system on YOUR network got rooted? I
suspect the first thing it would do was to scan its local class c.

What if you could just look at a summary, every now and then. See how you
were doing? Of course you wouldn't need to, but you could, either a
summary log file or the web page. See if these attacks are directed
against YOU only (only one reporting such ip address) or others?
What if it didn't cost anything?

Don't have portsentry logs parsed, but do have ipfw logs supported. (and
ipchains and iptables on 'deadhat') and cisco ios logs as well, perl
script, GPL license. Free. launch it with shell script in
/usr/local/etc/rc.d

Right now, mynetwatchman is getting about a 30% response rate from those
attacked. most tell him that their system was rootkitted (redhat 6.2
mostly) most thank him for letting them know, because now at least THAT
system isn't being used by God knows who, sitting ready for who knows
what.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 25 21:47:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from atom.alles.or.jp (atom.alles.or.jp [210.231.151.1]) by hub.freebsd.org (Postfix) with ESMTP id 6DEDC37B42C for ; Wed, 25 Apr 2001 21:47:20 -0700 (PDT) (envelope-from fukuda@alles.ad.jp)
Received: from fukuda.alles.ad.jp (tokyo-gw.alles.or.jp [210.231.143.251]) by atom.alles.or.jp (8.11.1/3.7W/allesnet) with SMTP id f3Q4lCE24753 for ; Thu, 26 Apr 2001 13:47:13 +0900 (JST)
Message-Id: <200104260447.AA00749@fukuda.alles.ad.jp>
From: fukuda shinichi
Date: Thu, 26 Apr 2001 13:47:14 +0900
To: freebsd-security@FreeBSD.ORG
Subject: =?ISO-2022-JP?B?c3RyYW5nZRskQiEhGyhCbG9n?=
MIME-Version: 1.0
X-Mailer: AL-Mail32 Version 1.11
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello.

I would be very glad if anyone could help me.

I found a weird strange log in /var/log/message like this ...
Apr 20 00:02:25 do0 inetd[81102]: refused connection from unknown, service ftpd (tcp)
Apr 20 00:02:27 do0 inetd[81103]: refused connection from unknown, service telnetd (tcp)
Apr 25 12:40:57 do0 inetd[1912]: refused connection from unknown, service ftpd (tcp)
Apr 25 12:41:02 do0 inetd[1913]: refused connection from unknown, service telnetd (tcp)

System use 4.1.1-R and 4.2-R.

How can I find out "unknown" ??

Thank you.

=================
shinichi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 26 2:56: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from probity.mcc.ac.uk (probity.mcc.ac.uk [130.88.200.94]) by hub.freebsd.org (Postfix) with ESMTP id 7327A37B422 for ; Thu, 26 Apr 2001 02:55:59 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by probity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14siVC-000Iuk-00 for security@freebsd.org; Thu, 26 Apr 2001 10:55:58 +0100
Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3Q9twf30937 for security@freebsd.org; Thu, 26 Apr 2001 10:55:58 +0100 (BST) (envelope-from rasputin)
Date: Thu, 26 Apr 2001 10:55:58 +0100
From: Rasputin
To: security@freebsd.org
Subject: Re: Connection attempts (& active ids)
Message-ID: <20010426105558.A30778@dogma.freebsd-uk.eu.org>
Reply-To: Rasputin
References: <200104260303.f3Q33CK49974@caerulus.cerintha.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200104260303.f3Q33CK49974@caerulus.cerintha.com>; from me2@privacy.net on Wed, Apr 25, 2001 at 11:03:11PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Michael Scheidell [010426 04:05]:
> > On Wed, 25 Apr 2001, David Goddard wrote:
> > > Simply by being sat there listening to port 111, portsentry blocks
> > > several probably compromised systems
a day from talking to my servers.
> > > Why should I not use it as a part of my security strategy?
> > Soooooo... if you weren't running portsentry, wouldn't they be talking to
> > a closed port, and hence leave you alone as well?
> Sooooooo... if I lock all my doors and windows, and they don't get it, I
> should be happy, right?

grep log_in_vain /etc/defaults/rc.conf >> /etc/rc.conf

You still get connection attempts flagged, but (as far as I know) from
the outside the connection appears to fail.

The same would go for most firewalls (certainly our 2 can be configured
to return a 'connection refused' and log the intrusion. IPF allows a 'log
body' option too, so if you have the disk you can inspect the actual
packets sent to you.)

--
"I've seen, I SAY, I've seen better heads on a mug of beer"
-- Senator Claghorn
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 26 3:30:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from infoviaplus.net.ar (adv18.infoviaplus.net.ar [200.9.212.60]) by hub.freebsd.org (Postfix) with ESMTP id B4FC737B618 for ; Thu, 26 Apr 2001 03:30:10 -0700 (PDT) (envelope-from izelaya@infovia.com.ar)
Received: from infovia.com.ar ([209.13.247.126]) by infoviaplus.net.ar (Tid InfoMail Exchanger v2.20) with SMTP id #988280864.058920001; Thu, 26 Apr 2001 07:27:44 -0300
Message-ID: <3AE7F976.D6F3CAC2@infovia.com.ar>
Date: Thu, 26 Apr 2001 07:33:26 -0300
From: ignacio
X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
MIME-Version: 1.0
To: "freebsd-security@FreeBSD.ORG"
Subject: User-Agent
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Infomail-Id: 988280864.170401AC1E039F.20864
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

When netscape connects to a http server,
it sends something like this:

  GET / HTTP/1.0
  Connection:
Keep-Alive
  User-Agent: Mozilla/4.73 [en] (X11; I; FreeBSD 4.3-RC i386)

And when you send a mail, in the headers you can see:

  X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.3-RC i386)

So, 2 questions:

1) How does netscape get info from the O.S. and version (uname perhaps?)
2) How can I hide that info.

I remember that wwwoffled has an option to hide the user agent, but I
want to know how to prevent netscape from getting it.

--
Saludos, Ignacio.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 26 3:42:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elisa.utopianet.net (elisa.utopianet.net [212.210.231.2]) by hub.freebsd.org (Postfix) with ESMTP id 6E90437B423 for ; Thu, 26 Apr 2001 03:42:37 -0700 (PDT) (envelope-from rlucia@iscanet.com)
Received: from merlino.iscanet.com (root@[217.59.173.229]) by elisa.utopianet.net (8.9.1a/8.9.1) with ESMTP id MAA13286 for ; Thu, 26 Apr 2001 12:42:18 +0200 (CEST)
Received: from [10.0.1.5] (adsl-156-135.38-151.net24.it [151.38.135.156]) (authenticated) by merlino.iscanet.com (8.11.2/8.11.2) with ESMTP id f3QAfTQ54528; Thu, 26 Apr 2001 12:41:29 +0200 (CEST) (envelope-from rlucia@iscanet.com)
Mime-Version: 1.0
X-Sender: rluciamac@imap.iscanet.com (Unverified)
Message-Id:
In-Reply-To: <3AE7F976.D6F3CAC2@infovia.com.ar>
References: <3AE7F976.D6F3CAC2@infovia.com.ar>
Date: Thu, 26 Apr 2001 12:41:03 +0200
To: ignacio ,
From: Rocco Lucia
Subject: Re: User-Agent
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 7:33 -0300 26-04-2001, ignacio wrote:
>When netscape connects to a http server,
>it's sends something like this:
>
>
>  GET / HTTP/1.0
>  Connection: Keep-Alive
>  User-Agent: Mozilla/4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
>
>And when you send a mail, in the headers you can see:
>
>  X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
>
>
>So, 2
questions:
>
>1) How netscape gets info from the O.S. and version (uname perhaps?)

it is hardwired at compile time

>2) How can I hide that info.

I don't really know, look into js properties maybe... or mess with the
binary? :)

Ciao,
Rocco

--
Rocco Lucia - rlucia@iscanet.com         Iscanet Internet Services
http://elisa.utopianet.net/~rlucia       System and Network Admin
C6E6 AC9A 1361 FB38 B47A 2792 9FC4 C52F 7A68 4468
Free unices for a free world. Support *BSD.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 26 4:19:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elisa.utopianet.net (elisa.utopianet.net [212.210.231.2]) by hub.freebsd.org (Postfix) with ESMTP id 3425337B423 for ; Thu, 26 Apr 2001 04:19:33 -0700 (PDT) (envelope-from rlucia@iscanet.com)
Received: from merlino.iscanet.com (root@[217.59.173.229]) by elisa.utopianet.net (8.9.1a/8.9.1) with ESMTP id NAA15066; Thu, 26 Apr 2001 13:19:13 +0200 (CEST)
Received: from [10.0.1.5] (adsl-156-135.38-151.net24.it [151.38.135.156]) (authenticated) by merlino.iscanet.com (8.11.2/8.11.2) with ESMTP id f3QBJnR54942; Thu, 26 Apr 2001 13:19:49 +0200 (CEST) (envelope-from rlucia@iscanet.com)
Mime-Version: 1.0
X-Sender: rluciamac@imap.iscanet.com (Unverified)
Message-Id:
In-Reply-To:
References: <3AE7F976.D6F3CAC2@infovia.com.ar>
Date: Thu, 26 Apr 2001 13:19:23 +0200
To: ignacio ,
From: Rocco Lucia
Subject: Re: User-Agent
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:41 +0200 26-04-2001, Rocco Lucia wrote:
>
>
>
>>So, 2 questions:
>>
>>1) How netscape gets info from the O.S. and version (uname perhaps?)
> >it is hardwired at compile time

oops, it is *partly* hardwired at compile time

--
Rocco Lucia - rlucia@iscanet.com
Iscanet Internet Services           http://elisa.utopianet.net/~rlucia
System and Network Admin
C6E6 AC9A 1361 FB38 B47A 2792 9FC4 C52F 7A68 4468
Free unices for a free world. Support *BSD.

From owner-freebsd-security Thu Apr 26 4:41:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 9730D37B422 for ; Thu, 26 Apr 2001 04:41:18 -0700 (PDT) (envelope-from cdf.lists@fxp.org)
Received: by peitho.fxp.org (Postfix, from userid 1501) id 116341360C; Thu, 26 Apr 2001 07:41:17 -0400 (EDT)
Date: Thu, 26 Apr 2001 07:41:17 -0400
From: Chris Faulhaber
To: Rocco Lucia
Cc: ignacio , freebsd-security@FreeBSD.ORG
Subject: Re: User-Agent
Message-ID: <20010426074117.A87916@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber , Rocco Lucia , ignacio , freebsd-security@FreeBSD.ORG
References: <3AE7F976.D6F3CAC2@infovia.com.ar>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="bg08WKrSYDhXBjb5"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rlucia@iscanet.com on Thu, Apr 26, 2001 at 12:41:03PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--bg08WKrSYDhXBjb5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Apr 26, 2001 at 12:41:03PM +0200, Rocco Lucia wrote:
> At 7:33 -0300 26-04-2001, ignacio wrote:
> >When netscape connects to a http server,
> >it sends something like this:
> >
> >
> > GET / HTTP/1.0
> > Connection: Keep-Alive
> > User-Agent: Mozilla/4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
> >
> >And when you send a mail, in the headers you can see:
> >
> > X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
> >
> >
> >So, 2 questions:
> >
> >1) How netscape gets info from the O.S. and version (uname perhaps?)
>
> it is hardwired at compile time
>

Nope.  If you use the Linux version of Netscape, you can change the
string to read what you want using sysctl values (sysctl -a | grep linux)
allowing you to use versions like:

  "Mozilla/4.76 [en] (X11; U; Linux 3.1.33.7 i386)"

or

  "Mozilla/4.76 [en] (X11; U; FreeBSD 6.3-STABLE i386)"

beware: other Linux programs (like vmware) depend on this version
information and may not run with odd values.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

--bg08WKrSYDhXBjb5
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjroCV0ACgkQObaG4P6BelCJpwCcC5z+AGy0OobmKfKExwE5EBdz
IQMAn2pw5bvamjbnkPPBbsUGcIZ/yra5
=Btrl
-----END PGP SIGNATURE-----

--bg08WKrSYDhXBjb5--

From owner-freebsd-security Thu Apr 26 5:22:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caerulus.cerintha.com (caerulus.cerintha.com [207.18.92.26]) by hub.freebsd.org (Postfix) with ESMTP id 45C0137B423 for ; Thu, 26 Apr 2001 05:22:39 -0700 (PDT) (envelope-from scheidell@Cerintha.com)
Received: (from scheidell@localhost) by caerulus.cerintha.com (8.11.3/8.11.3) id f3QCMZC66145; Thu, 26 Apr 2001 08:22:35 -0400 (EDT)
Date: Thu, 26 Apr 2001 08:22:35 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104261222.f3QCMZC66145@caerulus.cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: strange log
In-Reply-To: <200104260447.AA00749@fukuda.alles.ad.jp>
References: <200104260447.AA00749@fukuda.alles.ad.jp>
Reply-To: scheidell@fdma.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In local.freebsd.security, you wrote:
>Hello.
>
>I would be very glad if anyone could help me.
>I found a weird strange log in /var/log/message like this ...
>
> Apr 20 00:02:25 do0 inetd[81102]: refused connection from unknown, service
> ftpd (tcp)
>
>How can I find out "unknown" ??
>Thank you.
>
>

edit /etc/hosts.allow
make sure the default 'fall through' is something like this:

# The rest of the daemons are protected.
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h[%a]."

not just

ALL: ALL : deny

From owner-freebsd-security Thu Apr 26 6:51:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rafiu.psi-domain.co.uk (rafiu.psi-domain.co.uk [212.87.84.199]) by hub.freebsd.org (Postfix) with ESMTP id 4D38B37B423 for ; Thu, 26 Apr 2001 06:51:38 -0700 (PDT) (envelope-from heckfordj@psi-domain.co.uk)
Received: from smtp.psi-domain.co.uk (mail.trident-uk.co.uk [195.166.16.10]) by rafiu.psi-domain.co.uk (8.11.3/8.11.3) with SMTP id f3QDltX41101; Thu, 26 Apr 2001 14:47:55 +0100 (BST)
Date: Thu, 26 Apr 2001 15:49:56 +0100
From: Jamie Heckford
To: Chris Faulhaber
Cc: freebsd-security@freebsd.org
Subject: Re: User-Agent
Message-ID: <20010426154956.I37575@storm.psi-domain.co.uk>
Reply-To: heckfordj@psi-domain.co.uk
References: <3AE7F976.D6F3CAC2@infovia.com.ar> <20010426074117.A87916@peitho.fxp.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
In-Reply-To: <20010426074117.A87916@peitho.fxp.org>; from jedgar@fxp.org on Thu, Apr 26, 2001 at 12:41:17 +0100
X-Mailer: Balsa 1.1.1
Lines: 71
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hmm.

Attempting to modify these values return:

sysctl: oid 'kern.version' is read only

Any way of changing these then?

Jamie

On 2001.04.26 12:41 Chris Faulhaber wrote:
> On Thu, Apr 26, 2001 at 12:41:03PM +0200, Rocco Lucia wrote:
> > At 7:33 -0300 26-04-2001, ignacio wrote:
> > >When netscape connects to a http server,
> > >it sends something like this:
> > >
> > >
> > > GET / HTTP/1.0
> > > Connection: Keep-Alive
> > > User-Agent: Mozilla/4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
> > >
> > >And when you send a mail, in the headers you can see:
> > >
> > > X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
> > >
> > >
> > >So, 2 questions:
> > >
> > >1) How netscape gets info from the O.S. and version (uname perhaps?)
> >
> > it is hardwired at compile time
> >
>
> Nope.  If you use the Linux version of Netscape, you can change the
> string to read what you want using sysctl values (sysctl -a | grep linux)
> allowing you to use versions like:
>
>   "Mozilla/4.76 [en] (X11; U; Linux 3.1.33.7 i386)"
>
> or
>
>   "Mozilla/4.76 [en] (X11; U; FreeBSD 6.3-STABLE i386)"
>
> beware: other Linux programs (like vmware) depend on this version
> information and may not run with odd values.
>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org
>
--
Jamie Heckford
Network Operations Manager
Psi-Domain - Innovative Linux Solutions. Ask Us How.
FreeBSD - The power to serve

Join our mailing list and stay informed by emailing
majordomo@psi-domain.co.uk with the line: subscribe collective

=====================================
email: heckfordj@psi-domain.co.uk
web: http://www.psi-domain.co.uk/
tel: +44 (0)1737 789 246
fax: +44 (0)1737 789 245
mobile: +44 (0)7866 724 224
=====================================

From owner-freebsd-security Thu Apr 26 6:55:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 339EE37B423 for ; Thu, 26 Apr 2001 06:55:34 -0700 (PDT) (envelope-from jedgar@fxp.org)
Received: by peitho.fxp.org (Postfix, from userid 1000) id BB97313614; Thu, 26 Apr 2001 09:55:28 -0400 (EDT)
Date: Thu, 26 Apr 2001 09:55:28 -0400
From: Chris Faulhaber
To: Jamie Heckford
Cc: freebsd-security@freebsd.org
Subject: Re: User-Agent
Message-ID: <20010426095528.A58764@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber , Jamie Heckford , freebsd-security@freebsd.org
References: <3AE7F976.D6F3CAC2@infovia.com.ar> <20010426074117.A87916@peitho.fxp.org> <20010426154956.I37575@storm.psi-domain.co.uk>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="X1bOJ3K7DJ5YkBrT"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010426154956.I37575@storm.psi-domain.co.uk>; from heckfordj@psi-domain.co.uk on Thu, Apr 26, 2001 at 03:49:56PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Apr 26, 2001 at 03:49:56PM +0100, Jamie Heckford wrote:
> Hmm.
>
> Attempting to modify these values return:
>
> sysctl: oid 'kern.version' is read only
>
> Any way of changing these then?
>

kern.version, no.  compat.linux.osname and compat.linux.osrelease, yes.
As previously stated, this will only work for Linux netscape versions.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

--X1bOJ3K7DJ5YkBrT
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjroKNAACgkQObaG4P6BelCsiQCbBFPtuCvyVUSnB5g2bO6/Ejqj
TpcAn013RjAuJnl26GUM4fM/2HO95rHH
=7iWu
-----END PGP SIGNATURE-----

--X1bOJ3K7DJ5YkBrT--

From owner-freebsd-security Thu Apr 26 7:30:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kottan-labs.bgsu.edu (kottan-labs.bgsu.edu [129.1.133.123]) by hub.freebsd.org (Postfix) with ESMTP id 3DAD037B423 for ; Thu, 26 Apr 2001 07:30:52 -0700 (PDT) (envelope-from memphis_ms@gmx.net)
Received: (qmail 27801 invoked from network); 26 Apr 2001 10:32:14 -0400
Received: from m133-122.bgsu.edu (HELO gmx.net) (129.1.133.122) by kottan-labs.bgsu.edu with RC4-MD5 encrypted SMTP; 26 Apr 2001 10:32:14 -0400
Message-ID: <3AE831F5.9C65BDFB@gmx.net>
Date: Thu, 26 Apr 2001 10:34:29 -0400
From: Raoul Schroeder
X-Mailer: Mozilla 4.74 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Alan Clegg
Cc: mudman , freebsd-security@freebsd.org
Subject: Re: defaced websites and the like
References: <20010425210621.C43159@diskfarm.firehouse.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I hate to toot my own horn, but...
*TOOT*
>
> Check out http://www.attrition.org/mirror/attrition/ for a relatively
> comprehensive list of defacements, including breakdowns (and graphs)
> by OS, web server type, etc... for example:

Nice page.
It would be nice to have a comparison with how many systems are out there.
Clearly, there is more NT out there than RedHat, and more RedHat than FreeBSD
(I guess).
Also, there are great fluctuations per month, which makes comparison
difficult. I didn't check thoroughly - is there a yearly average somewhere?

From owner-freebsd-security Thu Apr 26 7:33:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caerulus.cerintha.com (caerulus.cerintha.com [207.18.92.26]) by hub.freebsd.org (Postfix) with ESMTP id 42BAD37B422 for ; Thu, 26 Apr 2001 07:33:37 -0700 (PDT) (envelope-from scheidell@Cerintha.com)
Received: (from scheidell@localhost) by caerulus.cerintha.com (8.11.3/8.11.3) id f3QEXaf70269; Thu, 26 Apr 2001 10:33:36 -0400 (EDT)
Message-Id: <200104261433.f3QEXaf70269@caerulus.cerintha.com>
Subject: Re: defaced websites and the like
In-Reply-To: <3AE831F5.9C65BDFB@gmx.net> "from Raoul Schroeder at Apr 26, 2001 10:34:29 am"
To: freebsd-security@freebsd.org
Date: Thu, 26 Apr 2001 10:33:36 -0400 (EDT)
From: Michael Scheidell
Reply-To: Michael Scheidell
X-Loop: scheidell@fdma.com
X-Mailer: ELM [version 2.4ME+ PL77 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I hate to toot my own horn, but...
> *TOOT*
> >
> > Check out http://www.attrition.org/mirror/attrition/ for a relatively
> > comprehensive list of defacements, including breakdowns (and graphs)
> > by OS, web server type, etc... for example:
>
> Nice page.
> It would be nice to have a comparison with how many systems are out there.
> Clearly, there is more NT out there than RedHat, and more RedHat than FreeBSD
> (I guess).
> Also, there are great fluctuations per month, which makes comparison
> difficult. I didn't check thoroughly - is there a yearly average somewhere?

http://www.theregister.co.uk/content/8/18515.html
----->
Records kept by security site Attrition.org indicate that an average of
55 per cent of Web site defacements so far this year are linked to
exploitation of Windows NT operating systems vulnerabilities. Linux is
the second most commonly hacked Web server and accounted for around 21
per cent of Web page defacement last month.

From owner-freebsd-security Thu Apr 26 7:54:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 3753637B423 for ; Thu, 26 Apr 2001 07:54:52 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA21751; Thu, 26 Apr 2001 10:54:35 -0400 (EDT) (envelope-from wollman)
Date: Thu, 26 Apr 2001 10:54:35 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104261454.KAA21751@khavrinen.lcs.mit.edu>
To: ignacio
Cc: "freebsd-security@FreeBSD.ORG"
Subject: User-Agent
In-Reply-To: <3AE7F976.D6F3CAC2@infovia.com.ar>
References: <3AE7F976.D6F3CAC2@infovia.com.ar>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> 2) How can I hide that info.

Use a proxy such as squid.  I run two proxies: one that completely
anonymizes the headers, and one that doesn't.  (The former is vastly
more popular.)  The anonymizing proxy is configured to supply:

	User-Agent: ANONYM/1.0 (ITS; KL-10)

(something of an in-joke).
It used to be configured not to supply any User-Agent header, but then
I ran into a broken Web site (I think IMDB) which absolutely insisted on
getting one, so I made something up for its benefit.

If you do this, you will run into many Web sites which (in violation of
standards) use the User-Agent header to determine which content to serve
to you -- or, as happens more often, which content to refuse to serve to
you.  For this reason, it's probably safest to pretend that you are
running IE5 on Win98.

What this has to do with security I have no idea, so please move
follow-ups to a more appropriate mailing-list.

-GAWollman

From owner-freebsd-security Thu Apr 26 9:46:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ebola.biohz.net (ebola.biohz.net [206.80.1.35]) by hub.freebsd.org (Postfix) with ESMTP id E389537B423 for ; Thu, 26 Apr 2001 09:46:17 -0700 (PDT) (envelope-from renaud@waldura.org)
Received: from renaud (localhost [127.0.0.1]) by ebola.biohz.net (Postfix) with SMTP id 5739E11527C; Thu, 26 Apr 2001 09:46:17 -0700 (PDT)
Message-ID: <006501c0ce70$6e383410$2301010a@zerog.int>
From: "Renaud Waldura"
To: "ignacio"
Cc:
References: <3AE7F976.D6F3CAC2@infovia.com.ar>
Subject: Re: User-Agent
Date: Thu, 26 Apr 2001 09:46:24 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> 2) How can I hide that info.

An easy way to do so would be by having your browser go through an
anonymizing proxy. Bonus: get one that strips off banner ads, controls
cookies, etc. E.g. the junkbuster (in ports).

Or you could patch the binary directly; M-x binary-overwrite-mode in Emacs.
The real question is "why do you want to do that?"

--Renaud

----- Original Message -----
From: "ignacio"
To:
Sent: Thursday, April 26, 2001 3:33 AM
Subject: User-Agent

>
> When netscape connects to a http server,
> it sends something like this:
>
>
> GET / HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
>
> And when you send a mail, in the headers you can see:
>
> X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.3-RC i386)
>
>
> So, 2 questions:
>
> 1) How netscape gets info from the O.S. and version (uname perhaps?)
> 2) How can I hide that info.
>
> I remember that wwwoffled has an option to hide the user agent, but
> I want to know how to prevent netscape to get it.

From owner-freebsd-security Thu Apr 26 10:59:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from firehouse.net (rdu26-60-051.nc.rr.com [66.26.60.51]) by hub.freebsd.org (Postfix) with SMTP id 5489737B422 for ; Thu, 26 Apr 2001 10:59:20 -0700 (PDT) (envelope-from abc@firehouse.net)
Received: (qmail 62234 invoked by uid 1000); 26 Apr 2001 18:03:58 -0000
Date: Thu, 26 Apr 2001 14:03:58 -0400
From: Alan Clegg
To: freebsd-security@freebsd.org
Subject: Re: defaced websites and the like
Message-ID: <20010426140358.A62175@diskfarm.firehouse.net>
References: <20010425210621.C43159@diskfarm.firehouse.net> <3AE831F5.9C65BDFB@gmx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <3AE831F5.9C65BDFB@gmx.net>; from memphis_ms@gmx.net on Thu, Apr 26, 2001 at 10:34:29AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Unless the network is lying to me again, Raoul Schroeder said:
> It would be nice to have a comparison with how many systems are out there.
I think if you go to:

The Netcraft Web Server Survey
http://www.netcraft.com/survey/

(see the bottom of the page:
http://www.attrition.org/mirror/attrition/stats.html )

You can get that information.

> Also, there are great fluctuations per month, which makes comparison
> difficult. I didn't check thoroughly - is there a yearly average somewhere?

Look at the links from the stat.html page above.

AlanC
--
Alan Clegg                         I do UNIX and Networks
alan@clegg.com                     I don't have any certification
                                   I have experience

From owner-freebsd-security Thu Apr 26 16:10:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 24FAC37B42C for ; Thu, 26 Apr 2001 16:10:27 -0700 (PDT) (envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust68.tnt1.clarksburg.wv.da.uu.net [63.21.114.68]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id QAA13559 for ; Thu, 26 Apr 2001 16:10:22 -0700 (PDT)
Message-ID: <3AE8ABBA.7E0B19C8@colltech.com>
Date: Thu, 26 Apr 2001 19:14:02 -0400
From: Daniel Hagan
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Security HOW-TO out of date...
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The FreeBSD Security How-to (http://people.freebsd.org/~jkb/howto.html)
linked off of freebsd.org/security/ is a bit out of date (it seems to
apply to 3.x systems).  Is anyone working on producing an updated
version?  If not, I may take on a project similar to the existing
HOW-TO.  I was thinking about producing documents on how to secure
-RELEASE systems on the -STABLE branch (starting w/ 4.3-RELEASE).
By dealing with the release systems, I could present specific steps and
procedures instead of having to offer blanket advice.  I'll probably
start some of the ground-level research for this when I get my 4.3 CDs
and then get back to you guys with a basic document for feedback later.

Anyone know of an on-going effort that I should join instead of starting
this on my own?

Thanks,

Daniel

--
Consultant, Collective Technologies   http://www.collectivetech.com/
Use PGP for confidential e-mail.      http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1  3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

From owner-freebsd-security Thu Apr 26 16:24: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 4DCA137B423 for ; Thu, 26 Apr 2001 16:24:04 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.11.2) id f3QNO3c61310; Thu, 26 Apr 2001 16:24:03 -0700 (PDT) (envelope-from dillon)
Date: Thu, 26 Apr 2001 16:24:03 -0700 (PDT)
From: Matt Dillon
Message-Id: <200104262324.f3QNO3c61310@earth.backplane.com>
To: Daniel Hagan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security HOW-TO out of date...
References: <3AE8ABBA.7E0B19C8@colltech.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:The FreeBSD Security How-to (http://people.freebsd.org/~jkb/howto.html)
:linked off of freebsd.org/security/ is a bit out of date (it seems to
:apply to 3.x systems).  Is anyone working on producing an updated
:version?  If not, I may take on a project similar to the existing
:HOW-TO.  I was thinking about producing documents on how to secure
:-RELEASE systems on the -STABLE branch (starting w/ 4.3-RELEASE).  By
:dealing with the release systems, I could present specific steps and
:procedures instead of having to offer blanket advice.  I'll probably
:start some of the ground-level research for this when I get my 4.3 CDs
:and then get back to you guys with a basic document for feedback later.
:Anyone know of an on-going effort that I should join instead of starting
:this on my own?
:
:Thanks,
:
:Daniel

    I'm working on a two-part DaemonNews series about security.  It could
    probably be adapted.  I recommend waiting until the series comes out
    (a month from now and a month after that) and then adapting as
    necessary.

						-Matt

From owner-freebsd-security Thu Apr 26 19:16:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0C9AE37B422 for ; Thu, 26 Apr 2001 19:16:02 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id TAA11453 for ; Thu, 26 Apr 2001 19:16:01 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11449; Thu Apr 26 19:15:49 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3R2Fhb03873 for ; Thu, 26 Apr 2001 19:15:43 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdwS3871; Thu Apr 26 19:15:16 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3R2FHP61668 for ; Thu, 26 Apr 2001 19:15:17 -0700 (PDT)
Message-Id: <200104270215.f3R2FHP61668@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdU61664; Thu Apr 26 19:15:02 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: freebsd-security@freebsd.org
Subject: Security advisory: krb5 ftpd buffer overflows (fwd)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 26 Apr 2001 19:15:02 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Looks like we need to patch our krb5 port.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message
[headers removed]
Message-ID:
Date: Wed, 25 Apr 2001 20:51:48 -0400
Reply-To: Tom Yu
Sender: Bugtraq List
From: Tom Yu
Subject: Security advisory: krb5 ftpd buffer overflows
X-To: kerberos@MIT.EDU
X-cc: krbdev@MIT.EDU
To: BUGTRAQ@SECURITYFOCUS.COM

- -----BEGIN PGP SIGNED MESSAGE-----

			KRB5 FTPD BUFFER OVERFLOWS
				2001-04-25

SUMMARY:

Buffer overflows exist in the FTP daemon included with MIT krb5.

IMPACT:

* If anonymous FTP is enabled, a remote user may gain unauthorized root
  access.

* A user with access to a local account may gain unauthorized root
  access.

* A remote user who can successfully authenticate to the FTP daemon may
  obtain unauthorized root access, regardless of whether anonymous FTP
  is enabled or whether access is granted to a local account.  This
  vulnerability is believed to be somewhat difficult to exploit.

VULNERABLE DISTRIBUTIONS:

* MIT Kerberos 5, all releases.

FIXES:

The recommended approach is to apply the included patches and to
rebuild your ftpd.  The included patches are against krb5-1.2.2.

If you cannot patch your ftpd currently, workarounds include disabling
anonymous FTP access, if you have it enabled; this will limit the most
likely exploitation to users with local account access or who can
successfully authenticate to the daemon.
This announcement and code patches related to it may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/www/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/www/index.html ACKNOWLEDGEMENTS: Thanks to Matt Crawford for providing some insight into the specific ways in which krb5 ftpd is vulnerable. DETAILS: The remote vulnerability exploitable via anonymous FTP or local account access results from a buffer overflow in code that calls ftpglob(), a function responsible for expanding glob characters in pathnames. Recent versions of ftpd (krb5-1.2 or later) should not contain buffer overflows in the ftpglob() function itself. Remote users able to authenticate to the FTP daemon may be able to exploit a lack of bounds-checking in calling radix_encode(). Login access is not required; the ability to force arbitrary data to be base64-encoded by radix_encode() is sufficient. This vulnerability is believed to be somewhat difficult to exploit (but by no means impossible) due to the need for an attacker to inject data that will base64-encode to the desired machine code and target address. PATCHES AGAINST krb5-1.2.2: These patches are against the krb5-1.2.2 release. They may also apply against earlier releases, though. The patches may also be found at: http://web.mit.edu/kerberos/www/advisories/ftpbuf_122_patch.txt Index: ftpcmd.y =================================================================== RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftpd/ftpcmd.y,v retrieving revision 1.14.4.2 diff -c -r1.14.4.2 ftpcmd.y *** ftpcmd.y 2001/01/17 23:25:16 1.14.4.2 - - --- ftpcmd.y 2001/04/25 20:16:45 *************** *** 805,815 **** * This is a valid reply in some cases but not in others. */ if (logged_in && $1 && strncmp((char *) $1, "~", 1) == 0) { ! *(char **)&($$) = *ftpglob((char *) $1); ! if (globerr != NULL) { reply(550, globerr); $$ = NULL; ! 
} free((char *) $1); } else $$ = $1; - - --- 805,819 ---- * This is a valid reply in some cases but not in others. */ if (logged_in && $1 && strncmp((char *) $1, "~", 1) == 0) { ! char **vv; ! ! vv = ftpglob((char *) $1); ! if (vv == NULL || globerr != NULL) { reply(550, globerr); $$ = NULL; ! } else ! $$ = *vv; ! free((char *) $1); } else $$ = $1; Index: ftpd.c =================================================================== RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftpd/ftpd.c,v retrieving revision 1.43.2.1 diff -c -r1.43.2.1 ftpd.c *** ftpd.c 2000/05/23 21:39:07 1.43.2.1 - - --- ftpd.c 2001/04/25 20:16:48 *************** *** 761,767 **** - - --- 761,777 ---- int result; #ifdef GSSAPI if (auth_type && strcmp(auth_type, "GSSAPI") == 0) { + int len; + authorized = ftpd_gss_userok(&client_name, name) == 0; + len = sizeof("GSSAPI user is not authorized as " + "; Password required.") + + strlen(client_name.value) + + strlen(name); + if (len >= sizeof(buf)) { + syslog(LOG_ERR, "user: username too long"); + name = "[username too long]"; + } sprintf(buf, "GSSAPI user %s is%s authorized as %s", client_name.value, authorized ? "" : " not", name); *************** *** 772,778 **** - - --- 782,800 ---- #endif /* GSSAPI */ #ifdef KRB5_KRB4_COMPAT if (auth_type && strcmp(auth_type, "KERBEROS_V4") == 0) { + int len; + authorized = kuserok(&kdata,name) == 0; + len = sizeof("Kerberos user .@ is not authorized as " + "; Password required.") + + strlen(kdata.pname) + + strlen(kdata.pinst) + + strlen(kdata.prealm) + + strlen(name); + if (len >= sizeof(buf)) { + syslog(LOG_ERR, "user: username too long"); + name = "[username too long]"; + } sprintf(buf, "Kerberos user %s%s%s@%s is%s authorized as %s", kdata.pname, *kdata.pinst ? "." 
: "", kdata.pinst, kdata.prealm, *************** *** 1179,1184 **** - - --- 1201,1211 ---- } else { char line[FTP_BUFSIZ]; + if (strlen(cmd) + strlen(name) + 1 >= sizeof(line)) { + syslog(LOG_ERR, "retrieve: filename too long"); + reply(501, "filename too long"); + return; + } (void) sprintf(line, cmd, name), name = line; fin = ftpd_popen(line, "r"), closefunc = ftpd_pclose; st.st_size = -1; *************** *** 1417,1422 **** - - --- 1444,1453 ---- return (file); } + /* + * XXX callers need to limit total length of output string to + * FTP_BUFSIZ + */ #ifdef STDARG secure_error(char *fmt, ...) #else *************** *** 1616,1628 **** { char line[FTP_BUFSIZ]; FILE *fin; ! int c; char str[FTP_BUFSIZ], *p; (void) sprintf(line, "/bin/ls -lgA %s", filename); fin = ftpd_popen(line, "r"); lreply(211, "status of %s:", filename); p = str; while ((c = getc(fin)) != EOF) { if (c == '\n') { if (ferror(stdout)){ - - --- 1647,1665 ---- { char line[FTP_BUFSIZ]; FILE *fin; ! int c, n; char str[FTP_BUFSIZ], *p; + if (strlen(filename) + sizeof("/bin/ls -lgA ") + >= sizeof(line)) { + reply(501, "filename too long"); + return; + } (void) sprintf(line, "/bin/ls -lgA %s", filename); fin = ftpd_popen(line, "r"); lreply(211, "status of %s:", filename); p = str; + n = 0; while ((c = getc(fin)) != EOF) { if (c == '\n') { if (ferror(stdout)){ *************** *** 1639,1645 **** *p = '\0'; reply(0, "%s", str); p = str; ! } else *p++ = c; } if (p != str) { *p = '\0'; - - --- 1676,1691 ---- *p = '\0'; reply(0, "%s", str); p = str; ! n = 0; ! } else { ! *p++ = c; ! n++; ! if (n >= sizeof(str)) { ! reply(551, "output line too long"); ! (void) ftpd_pclose(fin); ! return; ! } ! } } if (p != str) { *p = '\0'; *************** *** 1723,1728 **** - - --- 1769,1778 ---- char cont_char = ' '; + /* + * XXX callers need to limit total length of output string to + * FTP_BUFSIZ bytes for now. + */ #ifdef STDARG reply(int n, char *fmt, ...) #else *************** *** 1744,1765 **** #endif if (auth_type) { ! 
char in[FTP_BUFSIZ], out[FTP_BUFSIZ]; int length, kerror; if (n) sprintf(in, "%d%c", n, cont_char); else in[0] = '\0'; strncat(in, buf, sizeof (in) - strlen(in) - 1); #ifdef KRB5_KRB4_COMPAT if (strcmp(auth_type, "KERBEROS_V4") == 0) { ! if ((length = clevel == PROT_P ? ! krb_mk_priv((unsigned char *)in, ! (unsigned char *)out, ! strlen(in), schedule, &kdata.session, ! &ctrl_addr, &his_addr) ! : krb_mk_safe((unsigned char *)in, ! (unsigned char *)out, ! strlen(in), &kdata.session, ! &ctrl_addr, &his_addr)) == -1) { syslog(LOG_ERR, "krb_mk_%s failed for KERBEROS_V4", clevel == PROT_P ? "priv" : "safe"); - - --- 1794,1825 ---- #endif if (auth_type) { ! /* ! * Deal with expansion in mk_{safe,priv}, ! * radix_encode, gss_seal, plus slop. ! */ ! char in[FTP_BUFSIZ*3/2], out[FTP_BUFSIZ*3/2]; int length, kerror; if (n) sprintf(in, "%d%c", n, cont_char); else in[0] = '\0'; strncat(in, buf, sizeof (in) - strlen(in) - 1); #ifdef KRB5_KRB4_COMPAT if (strcmp(auth_type, "KERBEROS_V4") == 0) { ! if (clevel == PROT_P) ! length = krb_mk_priv((unsigned char *)in, ! (unsigned char *)out, ! strlen(in), ! schedule, &kdata.session, ! &ctrl_addr, ! &his_addr); ! else ! length = krb_mk_safe((unsigned char *)in, ! (unsigned char *)out, ! strlen(in), ! &kdata.session, ! &ctrl_addr, ! &his_addr); ! if (length == -1) { syslog(LOG_ERR, "krb_mk_%s failed for KERBEROS_V4", clevel == PROT_P ? "priv" : "safe"); *************** *** 1803,1815 **** } #endif /* GSSAPI */ /* Other auth types go here ... */ ! if (kerror = radix_encode(out, in, &length, 0)) { syslog(LOG_ERR, "Couldn't encode reply (%s)", radix_error(kerror)); fputs(in,stdout); } else ! printf("%s%c%s", clevel == PROT_P ? "632" : "631", ! n ? cont_char : '-', in); } else { if (n) printf("%d%c", n, cont_char); fputs(buf, stdout); - - --- 1863,1878 ---- } #endif /* GSSAPI */ /* Other auth types go here ... */ ! if (length >= sizeof(in) / 4 * 3) { ! syslog(LOG_ERR, "input to radix_encode too long"); ! fputs(in, stdout); ! 
} else if (kerror = radix_encode(out, in, &length, 0)) { syslog(LOG_ERR, "Couldn't encode reply (%s)", radix_error(kerror)); fputs(in,stdout); } else ! printf("%s%c%s", clevel == PROT_P ? "632" : "631", ! n ? cont_char : '-', in); } else { if (n) printf("%d%c", n, cont_char); fputs(buf, stdout); *************** *** 1822,1827 **** - - --- 1885,1894 ---- } } + /* + * XXX callers need to limit total length of output string to + * FTP_BUFSIZ + */ #ifdef STDARG lreply(int n, char *fmt, ...) #else *************** *** 1866,1872 **** if (cp = strchr(cbuf,'\n')) *cp = '\0'; ! reply(500, "'%s': command not understood.", cbuf); } delete_file(name) - - --- 1933,1940 ---- if (cp = strchr(cbuf,'\n')) *cp = '\0'; ! reply(500, "'%.*s': command not understood.", ! FTP_BUFSIZ - sizeof("'': command not understood."), cbuf); } delete_file(name) *************** *** 2143,2149 **** int code; char *string; { ! reply(code, "%s: %s.", string, strerror(errno)); } auth(type) - - --- 2211,2233 ---- int code; char *string; { ! char *err_string; ! size_t extra_len; ! ! err_string = strerror(errno); ! if (err_string == NULL) ! err_string = "(unknown error)"; ! extra_len = strlen(err_string) + sizeof("(truncated): ."); ! ! /* ! * XXX knows about FTP_BUFSIZ in reply() ! */ ! if (strlen(string) + extra_len > FTP_BUFSIZ) { ! reply(code, "(truncated)%.*s: %s.", ! FTP_BUFSIZ - extra_len, string, err_string); ! } else { ! reply(code, "%s: %s.", string, err_string); ! 
} } auth(type) *************** *** 2226,2231 **** - - --- 2310,2319 ---- secure_error("ADAT: krb_mk_safe failed"); return(0); } + if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) { + secure_error("ADAT: reply too long"); + return(0); + } if (kerror = radix_encode(out_buf, buf, &length, 0)) { secure_error("Couldn't encode ADAT reply (%s)", radix_error(kerror)); *************** *** 2360,2365 **** - - --- 2448,2463 ---- } if (out_tok.length) { + if (out_tok.length >= ((FTP_BUFSIZ - sizeof("ADAT=")) + / 4 * 3)) { + secure_error("ADAT: reply too long"); + syslog(LOG_ERR, "ADAT: reply too long"); + (void) gss_release_cred(&stat_min, &server_creds); + if (ret_flags & GSS_C_DELEG_FLAG) + (void) gss_release_cred(&stat_min, + &deleg_creds); + return(0); + } if (kerror = radix_encode(out_tok.value, gbuf, &out_tok.length, 0)) { secure_error("Couldn't encode ADAT reply (%s)", radix_error(kerror)); *************** *** 2458,2463 **** - - --- 2556,2564 ---- * n>=0 on success * -1 on error * -2 on security error + * + * XXX callers need to limit total length of output string to + * FTP_BUFSIZ */ #ifdef STDARG secure_fprintf(FILE *stream, char *fmt, ...) 
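Review bot: in the ftpcmd.y hunk (new lines 805-819), `reply(550, globerr)` is now reachable with `globerr == NULL`, because the condition is `vv == NULL || globerr != NULL`; reply() takes its second argument as the printf-style format (see its prototype `reply(int n, char *fmt, ...)` later in this patch), so a NULL vector with no glob error hands reply() a NULL format string. Suggest `reply(550, globerr ? globerr : "Glob failed")` or a fixed message, so the ftpglob() failure path cannot crash the daemon. Also worth a comment: `$$ = *vv` still takes only the first expansion, and the vector returned by ftpglob() is not freed on either path, as before.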
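Review bot: in the GSSAPI branch of user() (new lines 761-777), the overflow check substitutes `name` with "[username too long]" but then calls sprintf() with the unchanged `client_name.value`, so the bound is not re-established: a principal name long enough on its own to push `len` past `sizeof(buf)` still overflows `buf`. Recompute `len` after the substitution and refuse the sprintf() (or truncate with `%.*s`) rather than assume `name` was the long component; an snprintf() here would make the hand computation unnecessary. The comparison also mixes `int len` with `sizeof(buf)`; declare `len` as size_t to keep the signed/unsigned comparison honest.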
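Review bot: the KERBEROS_V4 branch of user() (new lines 782-800) has the same gap as the GSSAPI one: when `len >= sizeof(buf)` only `name` is replaced, while `kdata.pname`, `kdata.pinst` and `kdata.prealm` still go into the sprintf() unchecked. Since `len` already counts all four strings, the cheap fix is to skip the sprintf() entirely (syslog and reply with a fixed message) whenever `len` is too large, instead of patching one argument and proceeding.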
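Review bot: in the statfilecmd() loop (new lines 1676-1691) the `n` counter duplicates `p - str`, parallel bookkeeping that tends to drift; comparing `p - str` against `sizeof(str)` directly removes a variable and the `int` versus `size_t` comparison. More importantly, the `reply(551, "output line too long")` early return happens after `lreply(211, "status of %s:", filename)` has opened a multi-line 211 response, so the client gets a 551 terminator where it expects a closing 211 line; either close the 211 reply before reporting the error, or log and truncate the over-long line instead of aborting the listing.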
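Review bot: the new bound in reply() (new lines 1863-1878), `length >= sizeof(in) / 4 * 3`, is one byte too permissive if the encoder NUL-terminates its output (radix_encode()'s body is not in this diff, so verify that). `in` is `FTP_BUFSIZ*3/2` bytes, so `sizeof(in)/4*3` is exactly three quarters of it; a `length` one or two short of that limit base64-encodes to `4*ceil(length/3) == sizeof(in)` characters, filling the buffer with no room for the terminator. Test the encoded size instead: reject when `(length + 2) / 3 * 4 + 1 > sizeof(in)`. The `if (kerror = radix_encode(...))` assignment-in-condition is pre-existing but deserves the extra parentheses while the line is being touched.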
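Review bot: in the "command not understood" reply (new lines 1933-1940) the precision passed for `%.*s` is `FTP_BUFSIZ - sizeof("'': command not understood.")`, which has type size_t; `%.*s` requires an int argument, and passing a size_t through the varargs is undefined behaviour (and actually misreads on targets where int and size_t differ in width). Cast it: `(int)(FTP_BUFSIZ - sizeof("'': command not understood."))`.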
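Review bot: perror_reply() (new lines 2211-2233) has the same `%.*s` type problem: `FTP_BUFSIZ - extra_len` is a size_t expression passed where printf expects an int, so cast it to int. The subtraction is also unguarded: should strerror() ever return a string longer than `FTP_BUFSIZ - sizeof("(truncated): .")`, `FTP_BUFSIZ - extra_len` wraps to a huge size_t and the truncation becomes a no-op; a check `if (extra_len >= FTP_BUFSIZ)` that falls back to a fixed message closes that corner. The `/* XXX knows about FTP_BUFSIZ in reply() */` comment is honest, but the limit belongs inside reply() so that callers stop re-deriving it.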
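Review bot: in the GSSAPI ADAT hunk (new lines 2448-2463) the too-long path releases `server_creds` and, when delegated, `deleg_creds`, but not `out_tok`, whose `value` was allocated by the GSS-API accept call above (not shown in the hunk) and is leaked on this early return; add `(void) gss_release_buffer(&stat_min, &out_tok);` before `return(0)`, as the normal path presumably does once the token has been encoded. Also, the bound `(FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3` is now written twice (here and in the KERBEROS_V4 hunk at new lines 2310-2319); a single macro, say `ADAT_MAX_TOKEN`, would keep the two in step.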
*************** *** 2575,2580 **** - - --- 2676,2690 ---- dir->d_name[2] == '\0') continue; + if (strlen(dirname) + strlen(dir->d_name) + + 1 /* slash */ + + 2 /* CRLF */ + + 1 > sizeof(nbuf)) { + syslog(LOG_ERR, + "send_file_list: pathname too long"); + ret = -2; /* XXX */ + goto data_err; + } sprintf(nbuf, "%s/%s", dirname, dir->d_name); /* - -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBOudtAKbDgE/zdoE9AQHhJgP/RFEDX/KL3YoavQSP9jJYO+GTg2MBfWRd B4wakx2PYbt4LSGSNu/VyZKFGQhVqe0F38C7oGBrCyRzZfC5MPSBmo/B6pxaeM9P oUo3Bny+JgybyOZ9wp7pGW2cRHH/zKbakrsaGFWgeAucceZeDana+TEZqGlQLIst wfRPsXU7WA8= =+0c0 - -----END PGP SIGNATURE----- ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 26 19:55: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id C7C7C37B424 for ; Thu, 26 Apr 2001 19:54:57 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 10744 invoked by uid 1000); 27 Apr 2001 02:54:56 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 Apr 2001 02:54:56 -0000 Date: Thu, 26 Apr 2001 21:54:56 -0500 (CDT) From: Mike Silbersack To: Michael Scheidell Cc: Subject: Re: Connection attempts (& active ids) In-Reply-To: <200104260303.f3Q33CK49974@caerulus.cerintha.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 25 Apr 2001, Michael Scheidell wrote: > > On Wed, 25 Apr 2001, David Goddard wrote: > > > > > Simply by being sat there listening to port 111, portsentry blocks > > > several probably compromised systems a day from talking to my servers. > > > Why should I not use it as a part of my security strategy? > > > > Soooooo... 
> > if you weren't running portsentry, wouldn't they be talking to
> > a closed port, and hence leave you alone as well?
>
> Sooooooo... if I lock all my doors and windows, and they don't get in, I
> should be happy, right?
>
> The problem is, if I don't keep an eye on what is going on, I don't know
> they are trying.
>
> If I don't know they are trying, they WILL get in.

Well, by listening on more ports, you're just making yourself a more
appealing target. As such, I don't think you're really increasing your
security. It's attacks on the services that you're running which matter.

As for the concept of an automated attack-attempt tracking system, it
seems like a good idea. Maybe I'll look more at how it's done when I
have some free time.

Mike "Silby" Silbersack

From owner-freebsd-security Thu Apr 26 21:36:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hecky.it.northwestern.edu (hecky.acns.nwu.edu [129.105.16.51]) by hub.freebsd.org (Postfix) with ESMTP id 931DA37B422 for ; Thu, 26 Apr 2001 21:36:42 -0700 (PDT) (envelope-from stuyman@confusion.net)
Received: (from mailnull@localhost) by hecky.it.northwestern.edu (8.8.7/8.8.7) id XAA15118; Thu, 26 Apr 2001 23:36:40 -0500 (CDT)
Received: from confusion.net (dhcp089069.res-hall.nwu.edu [199.74.89.69]) by hecky.acns.nwu.edu via smap (V2.0) id xma015081; Thu, 26 Apr 01 23:36:34 -0500
Message-ID: <3AE8F712.472BAEC0@confusion.net>
Date: Thu, 26 Apr 2001 23:35:31 -0500
From: Laurence Berland
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Alan Clegg
Cc: mudman , freebsd-security@FreeBSD.ORG
Subject: Re: defaced websites and the like
References: <20010425210621.C43159@diskfarm.firehouse.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So you're the one
who solved the list issues? Thank you. Defaced is a good resource and is,
if nothing else, a good source of amusement when tired of reading real web
pages. Thanks a million

L:

Alan Clegg wrote:
>
> Unless the network is lying to me again, mudman said:
>
> > Maybe as a good follow up, would using one OS over another OS change
> > the risk assessment for this kind of thing? (although I admit this last
> > question would take into account a lot of different variables)
>
> I hate to toot my own horn, but... *TOOT*
>
> Check out http://www.attrition.org/mirror/attrition/ for a relatively
> comprehensive list of defacements, including breakdowns (and graphs)
> by OS, web server type, etc... for example:
>
> http://www.attrition.org/mirror/attrition/os.html#APRIL2001
>
> While I'm not part of the attrition team, I do now host their defacement
> mailing list. To be advised of defacements as they are "snapshotted",
> send an e-mail to:
>
> defaced-l-subscribe@mailinglists.org
>
> Each announcement includes the type of system defaced (OS), web service
> running (apache, IIS, etc etc), and the "group" that did the defacement.
>
> There is also a link back to the attrition mirror so you can see what
> the defaced page looked like even after the owner 'fixes' the problem.
>
> AlanC

--
Laurence Berland
Northwestern '04
stuyman@confusion.net
http://www.isp.northwestern.edu/~laurence
"The world has turned and left me here"

From owner-freebsd-security Fri Apr 27 6: 1:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id F1C1D37B423 for ; Fri, 27 Apr 2001 06:00:56 -0700 (PDT) (envelope-from nectar@nectar.com)
Received: by gw.nectar.com (Postfix, from userid 1001) id 2207B193BD; Fri, 27 Apr 2001 08:00:56 -0500 (CDT)
Date: Fri, 27 Apr 2001 08:00:56 -0500
From: "Jacques A. Vidrine"
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@freebsd.org
Subject: Re: Security advisory: krb5 ftpd buffer overflows (fwd)
Message-ID: <20010427080055.A30839@spawn.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" , Cy Schubert - ITSD Open Systems Group , freebsd-security@freebsd.org
References: <200104270215.f3R2FHP61668@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104270215.f3R2FHP61668@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Apr 26, 2001 at 07:15:02PM -0700
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Will do today. Thanks.

Please cc: maintainers on port issues.

--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

On Thu, Apr 26, 2001 at 07:15:02PM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> Looks like we need to patch our krb5 port.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
> ------- Forwarded Message
>
> [headers removed]
> Message-ID:
> Date: Wed, 25 Apr 2001 20:51:48 -0400
> Reply-To: Tom Yu
> Sender: Bugtraq List
> From: Tom Yu
> Subject: Security advisory: krb5 ftpd buffer overflows
> X-To: kerberos@MIT.EDU
> X-cc: krbdev@MIT.EDU
> To: BUGTRAQ@SECURITYFOCUS.COM
>
> - -----BEGIN PGP SIGNED MESSAGE-----
>
> KRB5 FTPD BUFFER OVERFLOWS
>
> 2001-04-25
>
> SUMMARY:
>
> Buffer overflows exist in the FTP daemon included with MIT krb5.
>
> IMPACT:
>
> * If anonymous FTP is enabled, a remote user may gain unauthorized
> root access.
>
> * A user with access to a local account may gain unauthorized root
> access.
>
> * A remote user who can successfully authenticate to the FTP daemon
> may obtain unauthorized root access, regardless of whether anonymous
> FTP is enabled or whether access is granted to a local account.
> This vulnerability is believed to be somewhat difficult to exploit.
>
> VULNERABLE DISTRIBUTIONS:
>
> * MIT Kerberos 5, all releases.
>
> FIXES:
>
> The recommended approach is to apply the included patches and to
> rebuild your ftpd. The included patches are against krb5-1.2.2.
>
> If you cannot patch your ftpd currently, workarounds include disabling
> anonymous FTP access, if you have it enabled; this will limit the most
> likely exploitation to users with local account access or who can
> successfully authenticate to the daemon.
>
> This announcement and code patches related to it may be found on the
> MIT Kerberos security advisory page at:
>
> http://web.mit.edu/kerberos/www/advisories/index.html
>
> The main MIT Kerberos web page is at:
>
> http://web.mit.edu/kerberos/www/index.html
>
> ACKNOWLEDGEMENTS:
>
> Thanks to Matt Crawford for providing some insight into the specific
> ways in which krb5 ftpd is vulnerable.
> > DETAILS: > > The remote vulnerability exploitable via anonymous FTP or local > account access results from a buffer overflow in code that calls > ftpglob(), a function responsible for expanding glob characters in > pathnames. Recent versions of ftpd (krb5-1.2 or later) should not > contain buffer overflows in the ftpglob() function itself. > > Remote users able to authenticate to the FTP daemon may be able to > exploit a lack of bounds-checking in calling radix_encode(). Login > access is not required; the ability to force arbitrary data to be > base64-encoded by radix_encode() is sufficient. > > This vulnerability is believed to be somewhat difficult to exploit > (but by no means impossible) due to the need for an attacker to inject > data that will base64-encode to the desired machine code and target > address. > > PATCHES AGAINST krb5-1.2.2: > > These patches are against the krb5-1.2.2 release. They may also apply > against earlier releases, though. The patches may also be found at: > > http://web.mit.edu/kerberos/www/advisories/ftpbuf_122_patch.txt > > Index: ftpcmd.y > =================================================================== > RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftpd/ftpcmd.y,v > retrieving revision 1.14.4.2 > diff -c -r1.14.4.2 ftpcmd.y > *** ftpcmd.y 2001/01/17 23:25:16 1.14.4.2 > - - --- ftpcmd.y 2001/04/25 20:16:45 > *************** > *** 805,815 **** > * This is a valid reply in some cases but not in others. > */ > if (logged_in && $1 && strncmp((char *) $1, "~", 1) == 0) { > ! *(char **)&($$) = *ftpglob((char *) $1); > ! if (globerr != NULL) { > reply(550, globerr); > $$ = NULL; > ! } > free((char *) $1); > } else > $$ = $1; > - - --- 805,819 ---- > * This is a valid reply in some cases but not in others. > */ > if (logged_in && $1 && strncmp((char *) $1, "~", 1) == 0) { > ! char **vv; > ! > ! vv = ftpglob((char *) $1); > ! if (vv == NULL || globerr != NULL) { > reply(550, globerr); > $$ = NULL; > ! } else > ! $$ = *vv; > ! 
> free((char *) $1); > } else > $$ = $1; > Index: ftpd.c > =================================================================== > RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftpd/ftpd.c,v > retrieving revision 1.43.2.1 > diff -c -r1.43.2.1 ftpd.c > *** ftpd.c 2000/05/23 21:39:07 1.43.2.1 > - - --- ftpd.c 2001/04/25 20:16:48 > *************** > *** 761,767 **** > - - --- 761,777 ---- > int result; > #ifdef GSSAPI > if (auth_type && strcmp(auth_type, "GSSAPI") == 0) { > + int len; > + > authorized = ftpd_gss_userok(&client_name, name) == 0; > + len = sizeof("GSSAPI user is not authorized as " > + "; Password required.") > + + strlen(client_name.value) > + + strlen(name); > + if (len >= sizeof(buf)) { > + syslog(LOG_ERR, "user: username too long"); > + name = "[username too long]"; > + } > sprintf(buf, "GSSAPI user %s is%s authorized as %s", > client_name.value, authorized ? "" : " not", > name); > *************** > *** 772,778 **** > - - --- 782,800 ---- > #endif /* GSSAPI */ > #ifdef KRB5_KRB4_COMPAT > if (auth_type && strcmp(auth_type, "KERBEROS_V4") == 0) { > + int len; > + > authorized = kuserok(&kdata,name) == 0; > + len = sizeof("Kerberos user .@ is not authorized as " > + "; Password required.") > + + strlen(kdata.pname) > + + strlen(kdata.pinst) > + + strlen(kdata.prealm) > + + strlen(name); > + if (len >= sizeof(buf)) { > + syslog(LOG_ERR, "user: username too long"); > + name = "[username too long]"; > + } > sprintf(buf, "Kerberos user %s%s%s@%s is%s authorized as %s", > kdata.pname, *kdata.pinst ? "." 
: "", > kdata.pinst, kdata.prealm, > *************** > *** 1179,1184 **** > - - --- 1201,1211 ---- > } else { > char line[FTP_BUFSIZ]; > > + if (strlen(cmd) + strlen(name) + 1 >= sizeof(line)) { > + syslog(LOG_ERR, "retrieve: filename too long"); > + reply(501, "filename too long"); > + return; > + } > (void) sprintf(line, cmd, name), name = line; > fin = ftpd_popen(line, "r"), closefunc = ftpd_pclose; > st.st_size = -1; > *************** > *** 1417,1422 **** > - - --- 1444,1453 ---- > return (file); > } > > + /* > + * XXX callers need to limit total length of output string to > + * FTP_BUFSIZ > + */ > #ifdef STDARG > secure_error(char *fmt, ...) > #else > *************** > *** 1616,1628 **** > { > char line[FTP_BUFSIZ]; > FILE *fin; > ! int c; > char str[FTP_BUFSIZ], *p; > > (void) sprintf(line, "/bin/ls -lgA %s", filename); > fin = ftpd_popen(line, "r"); > lreply(211, "status of %s:", filename); > p = str; > while ((c = getc(fin)) != EOF) { > if (c == '\n') { > if (ferror(stdout)){ > - - --- 1647,1665 ---- > { > char line[FTP_BUFSIZ]; > FILE *fin; > ! int c, n; > char str[FTP_BUFSIZ], *p; > > + if (strlen(filename) + sizeof("/bin/ls -lgA ") > + >= sizeof(line)) { > + reply(501, "filename too long"); > + return; > + } > (void) sprintf(line, "/bin/ls -lgA %s", filename); > fin = ftpd_popen(line, "r"); > lreply(211, "status of %s:", filename); > p = str; > + n = 0; > while ((c = getc(fin)) != EOF) { > if (c == '\n') { > if (ferror(stdout)){ > *************** > *** 1639,1645 **** > *p = '\0'; > reply(0, "%s", str); > p = str; > ! } else *p++ = c; > } > if (p != str) { > *p = '\0'; > - - --- 1676,1691 ---- > *p = '\0'; > reply(0, "%s", str); > p = str; > ! n = 0; > ! } else { > ! *p++ = c; > ! n++; > ! if (n >= sizeof(str)) { > ! reply(551, "output line too long"); > ! (void) ftpd_pclose(fin); > ! return; > ! } > ! 
} > } > if (p != str) { > *p = '\0'; > *************** > *** 1723,1728 **** > - - --- 1769,1778 ---- > > char cont_char = ' '; > > + /* > + * XXX callers need to limit total length of output string to > + * FTP_BUFSIZ bytes for now. > + */ > #ifdef STDARG > reply(int n, char *fmt, ...) > #else > *************** > *** 1744,1765 **** > #endif > > if (auth_type) { > ! char in[FTP_BUFSIZ], out[FTP_BUFSIZ]; > int length, kerror; > if (n) sprintf(in, "%d%c", n, cont_char); > else in[0] = '\0'; > strncat(in, buf, sizeof (in) - strlen(in) - 1); > #ifdef KRB5_KRB4_COMPAT > if (strcmp(auth_type, "KERBEROS_V4") == 0) { > ! if ((length = clevel == PROT_P ? > ! krb_mk_priv((unsigned char *)in, > ! (unsigned char *)out, > ! strlen(in), schedule, &kdata.session, > ! &ctrl_addr, &his_addr) > ! : krb_mk_safe((unsigned char *)in, > ! (unsigned char *)out, > ! strlen(in), &kdata.session, > ! &ctrl_addr, &his_addr)) == -1) { > syslog(LOG_ERR, > "krb_mk_%s failed for KERBEROS_V4", > clevel == PROT_P ? "priv" : "safe"); > - - --- 1794,1825 ---- > #endif > > if (auth_type) { > ! /* > ! * Deal with expansion in mk_{safe,priv}, > ! * radix_encode, gss_seal, plus slop. > ! */ > ! char in[FTP_BUFSIZ*3/2], out[FTP_BUFSIZ*3/2]; > int length, kerror; > if (n) sprintf(in, "%d%c", n, cont_char); > else in[0] = '\0'; > strncat(in, buf, sizeof (in) - strlen(in) - 1); > #ifdef KRB5_KRB4_COMPAT > if (strcmp(auth_type, "KERBEROS_V4") == 0) { > ! if (clevel == PROT_P) > ! length = krb_mk_priv((unsigned char *)in, > ! (unsigned char *)out, > ! strlen(in), > ! schedule, &kdata.session, > ! &ctrl_addr, > ! &his_addr); > ! else > ! length = krb_mk_safe((unsigned char *)in, > ! (unsigned char *)out, > ! strlen(in), > ! &kdata.session, > ! &ctrl_addr, > ! &his_addr); > ! if (length == -1) { > syslog(LOG_ERR, > "krb_mk_%s failed for KERBEROS_V4", > clevel == PROT_P ? "priv" : "safe"); > *************** > *** 1803,1815 **** > } > #endif /* GSSAPI */ > /* Other auth types go here ... */ > ! 
if (kerror = radix_encode(out, in, &length, 0)) { > syslog(LOG_ERR, "Couldn't encode reply (%s)", > radix_error(kerror)); > fputs(in,stdout); > } else > ! printf("%s%c%s", clevel == PROT_P ? "632" : "631", > ! n ? cont_char : '-', in); > } else { > if (n) printf("%d%c", n, cont_char); > fputs(buf, stdout); > - - --- 1863,1878 ---- > } > #endif /* GSSAPI */ > /* Other auth types go here ... */ > ! if (length >= sizeof(in) / 4 * 3) { > ! syslog(LOG_ERR, "input to radix_encode too long"); > ! fputs(in, stdout); > ! } else if (kerror = radix_encode(out, in, &length, 0)) { > syslog(LOG_ERR, "Couldn't encode reply (%s)", > radix_error(kerror)); > fputs(in,stdout); > } else > ! printf("%s%c%s", clevel == PROT_P ? "632" : "631", > ! n ? cont_char : '-', in); > } else { > if (n) printf("%d%c", n, cont_char); > fputs(buf, stdout); > *************** > *** 1822,1827 **** > - - --- 1885,1894 ---- > } > } > > + /* > + * XXX callers need to limit total length of output string to > + * FTP_BUFSIZ > + */ > #ifdef STDARG > lreply(int n, char *fmt, ...) > #else > *************** > *** 1866,1872 **** > > if (cp = strchr(cbuf,'\n')) > *cp = '\0'; > ! reply(500, "'%s': command not understood.", cbuf); > } > > delete_file(name) > - - --- 1933,1940 ---- > > if (cp = strchr(cbuf,'\n')) > *cp = '\0'; > ! reply(500, "'%.*s': command not understood.", > ! FTP_BUFSIZ - sizeof("'': command not understood."), cbuf); > } > > delete_file(name) > *************** > *** 2143,2149 **** > int code; > char *string; > { > ! reply(code, "%s: %s.", string, strerror(errno)); > } > > auth(type) > - - --- 2211,2233 ---- > int code; > char *string; > { > ! char *err_string; > ! size_t extra_len; > ! > ! err_string = strerror(errno); > ! if (err_string == NULL) > ! err_string = "(unknown error)"; > ! extra_len = strlen(err_string) + sizeof("(truncated): ."); > ! > ! /* > ! * XXX knows about FTP_BUFSIZ in reply() > ! */ > ! if (strlen(string) + extra_len > FTP_BUFSIZ) { > ! 
reply(code, "(truncated)%.*s: %s.", > ! FTP_BUFSIZ - extra_len, string, err_string); > ! } else { > ! reply(code, "%s: %s.", string, err_string); > ! } > } > > auth(type) > *************** > *** 2226,2231 **** > - - --- 2310,2319 ---- > secure_error("ADAT: krb_mk_safe failed"); > return(0); > } > + if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) { > + secure_error("ADAT: reply too long"); > + return(0); > + } > if (kerror = radix_encode(out_buf, buf, &length, 0)) { > secure_error("Couldn't encode ADAT reply (%s)", > radix_error(kerror)); > *************** > *** 2360,2365 **** > - - --- 2448,2463 ---- > } > > if (out_tok.length) { > + if (out_tok.length >= ((FTP_BUFSIZ - sizeof("ADAT=")) > + / 4 * 3)) { > + secure_error("ADAT: reply too long"); > + syslog(LOG_ERR, "ADAT: reply too long"); > + (void) gss_release_cred(&stat_min, &server_creds); > + if (ret_flags & GSS_C_DELEG_FLAG) > + (void) gss_release_cred(&stat_min, > + &deleg_creds); > + return(0); > + } > if (kerror = radix_encode(out_tok.value, gbuf, &out_tok.length, > 0)) { > secure_error("Couldn't encode ADAT reply (%s)", > radix_error(kerror)); > *************** > *** 2458,2463 **** > - - --- 2556,2564 ---- > * n>=0 on success > * -1 on error > * -2 on security error > + * > + * XXX callers need to limit total length of output string to > + * FTP_BUFSIZ > */ > #ifdef STDARG > secure_fprintf(FILE *stream, char *fmt, ...) 
> *************** > *** 2575,2580 **** > - - --- 2676,2690 ---- > dir->d_name[2] == '\0') > continue; > > + if (strlen(dirname) + strlen(dir->d_name) > + + 1 /* slash */ > + + 2 /* CRLF */ > + + 1 > sizeof(nbuf)) { > + syslog(LOG_ERR, > + "send_file_list: pathname too long"); > + ret = -2; /* XXX */ > + goto data_err; > + } > sprintf(nbuf, "%s/%s", dirname, dir->d_name); > > /* > > - -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8 > > iQCVAwUBOudtAKbDgE/zdoE9AQHhJgP/RFEDX/KL3YoavQSP9jJYO+GTg2MBfWRd > B4wakx2PYbt4LSGSNu/VyZKFGQhVqe0F38C7oGBrCyRzZfC5MPSBmo/B6pxaeM9P > oUo3Bny+JgybyOZ9wp7pGW2cRHH/zKbakrsaGFWgeAucceZeDana+TEZqGlQLIst > wfRPsXU7WA8= > =+0c0 > - -----END PGP SIGNATURE----- > > ------- End of Forwarded Message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 27 6:52:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.fdma.com (mail.fdma.com [216.241.67.73]) by hub.freebsd.org (Postfix) with ESMTP id 1831837B424 for ; Fri, 27 Apr 2001 06:52:11 -0700 (PDT) (envelope-from scheidell@fdma.com) Received: from MIKELT (mikelt.fdma.lan [192.168.3.5]) by mail.fdma.com (8.11.3/8.11.3) with SMTP id f3RDptV75615 for ; Fri, 27 Apr 2001 09:51:59 -0400 (EDT) Message-ID: <001f01c0cf21$3b25fe70$0503a8c0@fdma.com> From: "Michael Scheidell" To: References: <200104260303.f3Q33CK49974@caerulus.cerintha.com> Subject: Re: Connection attempts (& active ids) Date: Fri, 27 Apr 2001 09:51:46 -0400 Organization: Florida Datamation, Inc. 
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: "Mike Silbersack"
> Well, by listening on more ports, you're just making yourself a more
> appealing target. As such, I don't think you're really increasing your
> security. It's attacks on the services that you're running which matter.
>
who said I was listening on any ports?

icmp echo is blocked (ipfw deny)
I just parse the ipfw log for 'Reject|Deny'

Just added rules for hosts.allow also, in case you allow telnet from some
hosts and not others.

easy to implement.
register at mynetwatchman.com (get a username/password)
install the tarball for freebsd (perl script, puts sh in /usr/local/etc/rc.d)
fire it up and go away.

From owner-freebsd-security Fri Apr 27 8:12:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from merchandisewholesale.com (ci392057-b.ruthfd1.tn.home.com [24.15.72.99]) by hub.freebsd.org (Postfix) with SMTP id 0917E37B627 for ; Fri, 27 Apr 2001 08:12:18 -0700 (PDT) (envelope-from cs@merchandisewholesale.com)
From: "Merchandise WholeSale"
To:
Subject: Grand Opening
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Date: Fri, 27 Apr 2001 10:06:52 -0700
Reply-To: "Merchandise WholeSale"
Content-Transfer-Encoding: 8bit
Message-Id: <20010427151219.0917E37B627@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

First off I would like to Thank You for taking time to read this letter.
Second of all your e-mail address was pulled from an on-line source.
This is the only & last message you'll receive from us, so you don't have
to worry about an unsubscribe list or spam. Nor will we give your e-mail
out to any one else.

I'd like to stop, and tell you about a new ON-LINE Retail store.
Merchandise Wholesale, a retail store that has over 2,000 products for
home, travel, jewelry, personal needs etc...

Please take time out when you have it to browse our ON-LINE directory at
http://www.merchandisewholesale.com

Click on any images of the item to enlarge.
Our site is always under constant change for the better.

Thanks for your precious time,

HTTP://MERCHANDISEWHOLESALE.COM
promotions@merchandisewholesale.com

From owner-freebsd-security Fri Apr 27 9:46:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mafalda.univalle.edu.co (mafalda.univalle.edu.co [200.24.102.10]) by hub.freebsd.org (Postfix) with ESMTP id 1DAF737B422 for ; Fri, 27 Apr 2001 09:45:59 -0700 (PDT) (envelope-from buliwyf@libertad.univalle.edu.co)
Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [216.6.69.11]) by mafalda.univalle.edu.co (8.11.3/8.11.3) with ESMTP id f3RGjS811283 for ; Fri, 27 Apr 2001 11:45:28 -0500 (GMT)
Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.10.0/8.10.0) with ESMTP id f3RGmfR92015 for ; Fri, 27 Apr 2001 11:48:47 -0500 (COT)
Date: Fri, 27 Apr 2001 11:48:41 -0500 (COT)
From: Buliwyf McGraw
To: security@FreeBSD.ORG
Subject: All network ports in use!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Help, my server cannot allow more connections from the users...

When somebody does a telnet, they get this message:

All network ports in use
Connection Closed... :(

What can I do?
Thanks for any help.
=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Information Services Center
Universidad del Valle
=======================================================================

From owner-freebsd-security Fri Apr 27 10:34: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from infoviaplus.net.ar (adv27.infoviaplus.net.ar [200.9.212.21]) by hub.freebsd.org (Postfix) with ESMTP id 4904937B43C for ; Fri, 27 Apr 2001 10:34:01 -0700 (PDT) (envelope-from izelaya@infovia.com.ar)
Received: from infovia.com.ar ([200.51.199.11]) by infoviaplus.net.ar (Tid InfoMail Exchanger v2.20) with SMTP id #988392412.124350001; Fri, 27 Apr 2001 14:26:52 -0300
Message-ID: <3AE9AD21.79BD9BAE@infovia.com.ar>
Date: Fri, 27 Apr 2001 14:32:17 -0300
From: ignacio
X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.3-STABLE i386)
MIME-Version: 1.0
To: Buliwyf McGraw , "freebsd-security@FreeBSD.ORG"
Subject: Re: All network ports in use!
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Infomail-Id: 988392412.309301AC1E03A8.12412
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If I'm not wrong you must recompile the kernel:

pseudo-device pty

The number indicates the number of ptys to create. If you need more than
the default of 16 simultaneous xterm windows and/or remote logins, be sure
to increase this number accordingly, up to a maximum of 256.

Then, as root, you must make them in /dev:

sh MAKEDEV pty7

Buliwyf McGraw wrote:
>
> Help, my server cannot allow more connections from the users...
>
> When somebody does a telnet, they get this message:
>
> All network ports in use
> Connection Closed... :(
>
> What can I do?
> Thanks for any help.
>
> =======================================================================
> Buliwyf McGraw
> Administrator of the Libertad Server
> Information Services Center
> Universidad del Valle
> =======================================================================

--
Regards, Ignacio.

From owner-freebsd-security Fri Apr 27 10:39:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dualcpus.com (dualcpus.com [65.160.20.195]) by hub.freebsd.org (Postfix) with SMTP id 67A7A37B422 for ; Fri, 27 Apr 2001 10:39:07 -0700 (PDT) (envelope-from data@irev.net)
Received: (qmail 37252 invoked from network); 27 Apr 2001 17:39:06 -0000
Received: from sherline.cts.com (HELO britney) (204.216.163.132) by dualcpus.com with SMTP; 27 Apr 2001 17:39:06 -0000
Message-ID: <002e01c0cf40$f40886f0$015778d8@sherline.net>
From: "Jeremiah Gowdy"
To: "Buliwyf McGraw" ,
References:
Subject: Re: All network ports in use!
Date: Fri, 27 Apr 2001 10:39:03 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> Help, my server cannot allow more connections from the users...
>
> When somebody does a telnet, they get this message:
>
> All network ports in use
> Connection Closed... :(
>
> What can I do?
> Thanks for any help.
>
Edit your kernel config, add more ptys
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================

From owner-freebsd-security Fri Apr 27 12:38:01 2001
Date: Fri, 27 Apr 2001 19:32:20 +0100
From: David Goddard
To: Michael Scheidell
Cc: freebsd-security@freebsd.org, silby@silby.com
Subject: Re: Connection attempts (& active ids)
Message-ID: <3AE9BB34.B6C1676B@acm.org>

Michael Scheidell wrote:
>
> > From: "Mike Silbersack"
> > Well, by listening on more ports, you're just making yourself a more
> > appealing target. As such, I don't think you're really increasing your
> > security.
> > It's attacks on the services that you're running which matter.
> >
>
> who said I was listening on any ports?

Going back a few messages, it was me that said I was listening on
additional ports, with portsentry listening to port 111 among others.

I disagree that it makes you a more appealing target - by connecting to
those ports, you get blocked and hence it no longer appears that there is
anything listening whatsoever. I've had very few repeated connection
attempts from machines that have been blackholed by portsentry (although
they could always be coming back from another IP).

I still maintain that careful use of portsentry is a good thing, although
I'm open to any decent argument to the contrary.

> icmp echo is blocked (ipfw deny)

I did this for a while but felt uncomfortable about it for no reason that
I could pin down (but probably because there are people who would have a
legitimate reason to ping). I pass but log pings nowadays - I get a
surprisingly large number of people pinging me.

Dave

From owner-freebsd-security Fri Apr 27 12:51:09 2001
Date: Fri, 27 Apr 2001 14:51:01 -0500
From: Dennis Moore
To: security@FreeBSD.ORG
Subject: Re: All network ports in use!
Message-ID: <20010427145101.A71021@forbidden.dough.net>

On Fri, Apr 27, 2001 at 11:48:41AM -0500, Buliwyf McGraw wrote:
>
> Help, my server can not allow more connections from the users...
>
> When somebody does telnet, they get this message:
>
> All network ports in use
> Connection Closed... :(
>

As others suggested, first increase the pseudo-tty number and create more
devices. However, when creating devices be sure to do them consecutively.
If you are missing any in the series, telnetd will stop searching at the
last consecutive one. In other words, if you have /dev/ptyp* and
/dev/ptyr* but you are missing /dev/ptyq*, you will only be able to use
/dev/ptyp*.

HTH, HAND.
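The gap problem Dennis describes can be checked mechanically against a /dev listing. This is an added example written for this page, not code from the thread or from FreeBSD; it assumes the MAKEDEV group letter order pqrsPQRS for pty0..pty7 (32 units per group) and takes a directory listing as input so it can be exercised on a constructed sample.

```python
"""Gap check for a pty device series (added example, not from the thread).

telnetd, as described above, walks the groups /dev/ptyp*, /dev/ptyq*, ... and
stops at the first group with no devices, so groups created after a gap are
never used. Letter order pqrsPQRS (8 groups x 32 units = 256) is assumed to
follow MAKEDEV pty0..pty7; pass another order if your MAKEDEV differs."""
import os

GROUP_LETTERS = "pqrsPQRS"                       # assumed pty0..pty7 letter order
UNITS = "0123456789abcdefghijklmnopqrstuv"       # 32 units per group


def _groups_present(names):
    """Set of group letters that have at least one ptyX? entry in the listing."""
    return {n[3] for n in names if n.startswith("pty") and len(n) == 5}


def usable_pty_groups(names, letters=GROUP_LETTERS):
    """Return (groups reachable from the start, letter of the first gap or None)."""
    present = _groups_present(names)
    for reachable, letter in enumerate(letters):
        if letter not in present:
            return reachable, letter
    return len(letters), None


def stranded_groups(names, letters=GROUP_LETTERS):
    """Groups that exist but sit after the first gap, so telnetd never reaches them."""
    reachable, gap = usable_pty_groups(names, letters)
    if gap is None:
        return []
    present = _groups_present(names)
    return [l for l in letters[reachable + 1:] if l in present]


def check_dev(path="/dev"):
    """Run the check against a live /dev (FreeBSD 4.x static device nodes)."""
    names = os.listdir(path)
    return usable_pty_groups(names), stranded_groups(names)


# Constructed listing: pty0 (ptyp*) and pty1 (ptyq*) were made, pty2 (ptyr*)
# was skipped, pty3 (ptys*) was made. Only the first 64 ptys are reachable.
SAMPLE_DEV = (["pty" + g + u for g in "pq" for u in UNITS]
              + ["ptys" + u for u in UNITS] + ["ttyp0", "console", "null"])
```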
--
Dennis Moore                    jesus sewed my pants
Pro Bono Devil's Advocate       it's a love affair
archon@EFnet irc                mainly jesus
http://forbidden.dough.net/     and my pants

From owner-freebsd-security Fri Apr 27 15:03:21 2001
Date: Thu, 26 Apr 2001 08:17:17 -0600
From: Wes Peters
Organization: Softweyr LLC
To: heckfordj@psi-domain.co.uk
Cc: Chris Faulhaber, freebsd-security@freebsd.org
Subject: Re: User-Agent
Message-ID: <3AE82DED.7798C0A1@softweyr.com>

Jamie Heckford wrote:
>
> Hmm.
>
> Attempting to modify these values returns:
>
> sysctl: oid 'kern.version' is read only
>
> Any way of changing these then?

Recompile your kernel after editing the appropriate parts of the source.
I'm certainly not going to bother tracking those down for such a silly
exercise.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
wes@softweyr.com                                   http://softweyr.com/

From owner-freebsd-security Fri Apr 27 23:27:43 2001
Date: Sat, 28 Apr 2001 01:26:50 -0500
From: "Maciuszonek Artur"
Subject: outlook express, ipx and ftp :)
Message-ID: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com>

Well I have read and read, searched and searched but I guess it's time to
consult the experts :) Please reply to me directly for I am not subscribed
to this group.

Here is the dilemma: I have set up a firewall/router and have recompiled
the kernel for ipfw and natd.
Here is my current setup:

=> cable modem => ep1 (external NIC 24.109.xxx.xxx)
   **router/firewall**
   ep0 (internal NIC 192.168.xxx.xxx)
   <=> HUB
       <=> 192.168.xxx.xxx Computer (Win ME)
       <=> 192.168.xxx.xxx Laptop (Win 2000)

What I am having problems with is that on the main computer on the subnet
I am unable to use Outlook Express to view newsgroups. I can surf the web,
download files, I can use Napster, ICQ. I have read the man pages for ipfw
but I'm still at a loss.
The error message I receive is:

    Server cannot be found:
    Configuration:
      Account: news
      Server: news
      Protocol: NNTP
      Port: 119
      Secure(SSL): 0
      Code: 800ccc0d

I added the line in the rc.firewall.current (see below) after the rule for
ssh (port 22) but without any luck.

    $fwcmd add allow tcp from any 119 to any 119 setup

I have looked through /etc/protocols but none are listed for NNTP......:(

I also would like to be able to let IPX through the firewall to the outside
and let it back in. Again there is no listing for IPX in /etc/protocols :(
The same goes for access to an ftp server that is on the main computer in
the internal subnet. The server is on port 27015. Again I have tried to use

    add allow tcp from any 27015 to any 27015 setup
    add allow ipx-in-ip from any to any setup

and again no luck.

I have also modified

    # Stop spoofing of your internal network range
    $fwcmd add deny log ip from $inwr to any in via $oif

from deny to allow in order for the internal network to be able to access
the outside. Does this pose any security issues?

Hmm, sorry about the lengthy e-mail but I hope someone will help me tackle
this problem.

############################################################
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org). Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you.
# /usr/ports/net/ipsc-0.4.2
#
###########################
#
# Brief Installation instructions
#
# Name this script /etc/rc.firewall.current
# Edit /etc/rc.conf to include
# gateway_enable="YES"
# firewall_enable="YES"
# firewall_script="/etc/rc.firewall.current"
# natd_enable="YES"
# natd_interface="***"      #replace with your external ifX
# natd_flags="-dynamic"
# Make sure your kernel is configured to handle ipfw and natd
# See the FreeBSD handbook on how to do this.
#
############################
#
# Define your variables
#
fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="oifx"              #set to outside interface name
onwr="a.b.c.d/24"       #set to outside network range
oip="a.b.c.d"           #set to outside ip address

iif="ifx"               #set to internal interface name
inwr="x.y.z.x/24"       #set to internal network range
iip="x.y.z.x"           #set to internal ip address

ns1="e.f.g.h"           #set to primary name server best if = oif
#ntp="i.j.k.l"          #set to ip of NTP server or leave as is
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh enabled by default.
# 21:ftp
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
# $fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

From owner-freebsd-security Sat Apr 28 00:05:17 2001
Date: Sat, 28 Apr 2001 10:03:17 +0300
From: Peter Pentchev
To: Maciuszonek Artur
Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Re: outlook express, ipx and ftp :)
Message-ID: <20010428100317.A415@ringworld.oblivion.bg>
In-Reply-To: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com>

On Sat, Apr 28, 2001 at 01:26:50AM -0500, Maciuszonek Artur wrote:
> Well I have read and read, searched and searched but I guess it's time to
> consult the experts :)
> please reply to me directly for I am not subscribed to this group.
>
> Here is the dilemma: I have set up a firewall/router and have recompiled
> the kernel for ipfw and natd.
> Here is my current setup:
>
> => cable modem => ep1 (external NIC 24.109.xxx.xxx)
>    **router/firewall**
>    ep0 (internal NIC 192.168.xxx.xxx)
>    <=> HUB
>        <=> 192.168.xxx.xxx Computer (Win ME)
>        <=> 192.168.xxx.xxx Laptop (Win 2000)
>
> What I am having problems with is that on the main computer on the subnet I
> am unable to use Outlook Express to view newsgroups.
> I can surf the web, download files, I can use Napster, ICQ. I have read the
> man pages for ipfw but I'm still at a loss.
>
> The error message I receive is:
>
> Server cannot be found:
> Configuration:
>   Account: news
>   Server: news
>   Protocol: NNTP
>   Port: 119
>   Secure(SSL): 0
>   Code: 800ccc0d

I think the problem might be somewhere else. Outlook is trying to retrieve
newsgroups from a server named 'news' (supposedly there should be a default
domain appended to it). Is there an address associated with 'news' in your
- or your ISP's - DNS setup? If you do 'ping news' from the Windows machine
that you are using Outlook on, does Windows resolve 'news' to an IP address
successfully? If not, you might want to check the Outlook setup, and change
the name of the news server it tries to contact.
G'luck,
Peter

--
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From owner-freebsd-security Sat Apr 28 04:26:51 2001
Date: Sat, 28 Apr 2001 06:25:02 -0500
From: "Sean Chisek"
To: "Maciuszonek Artur"
Subject: Re: outlook express, ipx and ftp :)
Message-ID: <000d01c0cfd5$de1f70c0$0201a8c0@sardarji19>
References: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com>

I do the same type of thing with an OpenBSD firewall. In Windoze, when
setting up Outlook, you will need to enter the full path to your news
server like news.whatever.com. Also, make sure you are allowing your
outside interface to get to your news server's IP address.

----- Original Message -----
From: "Maciuszonek Artur"
Sent: Saturday, April 28, 2001 1:26 AM
Subject: outlook express, ipx and ftp :)

> Well I have read and read, searched and searched but I guess it's time to
> consult the experts :)
> please reply to me directly for I am not subscribed to this group.
>
> Here is the dilemma: I have set up a firewall/router and have recompiled
> the kernel for ipfw and natd.
> [...]
From owner-freebsd-security Sat Apr 28 08:11:21 2001
Date: Sat, 28 Apr 2001 11:00:01 -0400
From: Andrew Barros
To: Maciuszonek Artur
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: outlook express, ipx and ftp :)
Message-ID: <20010428110000.I24869@tjhsst.edu>
In-Reply-To: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com>

I'm going to take a stab, and guess that you are using Road Runner. When
they install Road Runner for you, they set the default search domain to
your local rr domain (mine is cox.rr.com).
Your news server's name isn't really "news", it's "news.cox.rr.com"
(replace cox with your local rr affiliate).

-ajb

On Sat, Apr 28, 2001 at 01:26:50AM -0500, Maciuszonek Artur wrote:
->Well I have read and read, searched and searched but I guess it's time to
->consult the experts :)
->please reply to me directly for I am not subscribed to this group.
->
->Here is the dilemma: I have set up a firewall/router and have recompiled
->the kernel for ipfw and natd.
->[...]
->
--
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Sat Apr 28 11:08:25 2001
Date: Sat, 28 Apr 2001 13:08:18 -0500 (CDT)
From: Casey Jones
Subject: Boot Security

Hello -

I was hoping some of you could share your thoughts on how to best secure
the FreeBSD boot process. I've taken the time to harden the system and
verify that console and the like are "insecure", but I would also like to
limit anyone from even getting to the "ok" prompt.

Note that I cannot disable going to this prompt as I may need to. Is there
a way to set a password on it?

Thanks.
Bill

From owner-freebsd-security Sat Apr 28 11:34:22 2001
Date: Sat, 28 Apr 2001 11:32:42 -0700
From: Cy Schubert - ITSD Open Systems Group
To: Casey Jones
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Boot Security
Message-Id: <200104281833.f3SIXEP03219@cwsys.cwsent.com>

In message , Casey Jones writes:
>
> Hello -
>
> I was hoping some of you could share your thoughts on how to best
> secure the FreeBSD boot process.
I've taken the time to harden the > system and verify that console and the like are "insecure", but I > would also like to limit anyone from even getting to the "ok" > prompt. > > note that I cannot disable going to this prompt as I may need to. Is > there a way to set a password on it?

Lock the machine in a secure location.

Regards, Cy Schubert, Team Leader, Sun/Alpha Team, Open Systems Group, ITSD, ISTA, Province of BC. Phone: (250)387-8437 Fax: (250)387-5766 Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Sat Apr 28 11:41:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 79A7837B423 for ; Sat, 28 Apr 2001 11:41:08 -0700 (PDT) (envelope-from oldfart@gtonet.net) Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f3SIf8S54886 for ; Sat, 28 Apr 2001 11:41:09 -0700 (PDT) (envelope-from oldfart@gtonet.net) Reply-To: From: "Charles Ulysses Farley" To: "freebsd-security@FreeBSD.
ORG" Subject: RE: Boot Security Date: Sat, 28 Apr 2001 11:41:05 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <200104281833.f3SIXEP03219@cwsys.cwsent.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Or you can install a key switch on the power switch :) > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Cy Schubert - > ITSD Open Systems Group > Sent: Saturday, April 28, 2001 11:33 AM > To: Casey Jones > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: Boot Security > > > In message net>, C > asey Jones writes: > > > > Hello - > > > > I was hoping some of you could share your thoughts on how to best > > secure the FreeBSD boot process. I've taken the time to harden the > > system and verify that console and the like are "insecure", but I > > would also like to limit anyone from even getting to the "ok" > > prompt. > > > > note that I cannot disable going to this prompt as I may need to. Is > > there a way to set a password on it? > > Lock the machine in a secure location. 
> > > Regards, Phone: (250)387-8437 > Cy Schubert Fax: (250)387-5766 > Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca > Open Systems Group, ITSD, ISTA > Province of BC > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 28 11:42:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from catastrophe.net (ss189-189.dvsn-chi-il.outlook.net [208.45.189.189]) by hub.freebsd.org (Postfix) with SMTP id A081B37B422 for ; Sat, 28 Apr 2001 11:42:35 -0700 (PDT) (envelope-from bill@catastrophe.net) Received: (qmail 20830 invoked by uid 40001); 28 Apr 2001 18:42:34 -0000 Date: Sat, 28 Apr 2001 13:42:34 -0500 (CDT) From: Casey Jones To: Charles Ulysses Farley Cc: "freebsd-security@FreeBSD. ORG" Subject: RE: Boot Security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Not a bad idea - apparently the ISP has remote power off interface over SSL. I don't know if they're using token based authentication for it - I'd hope so.

On Sat, 28 Apr 2001, Charles Ulysses Farley wrote: > Or you can install a key switch on the power switch :) > > > > -----Original Message----- > > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Cy Schubert - > > ITSD Open Systems Group > > Sent: Saturday, April 28, 2001 11:33 AM > > To: Casey Jones > > Cc: freebsd-security@FreeBSD.ORG > > Subject: Re: Boot Security > > > > > > In message > net>, Casey Jones writes: > > > > > > Hello - > > > > > > I was hoping some of you could share your thoughts on how to best > > > secure the FreeBSD boot process.
I've taken the time to harden the > > > system and verify that console and the like are "insecure", but I > > > would also like to limit anyone from even getting to the "ok" > > > prompt. > > > > > > note that I cannot disable going to this prompt as I may need to. Is > > > there a way to set a password on it? > > > > Lock the machine in a secure location. > > > > > > Regards, Phone: (250)387-8437 > > Cy Schubert Fax: (250)387-5766 > > Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca > > Open Systems Group, ITSD, ISTA > > Province of BC > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message >
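Casey's question asks for a password on the loader's "ok" prompt. The thread never answers it directly, so here is an added example, not from the thread and not FreeBSD's own code: a small sh audit script for /boot/loader.conf. It assumes the two knobs documented in loader.conf(5), password (guards the interactive prompt and menu, autoboot still proceeds) and bootlock_password (halts the loader until the password is typed), and it checks the file mode because both values are stored in clear text. The sample loader.conf it writes is constructed for the demo, and the script name in the comment is hypothetical. Verify the variable names and their exact behaviour in loader.conf(5) on the release you run; older releases only had password.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's own scripts):
# audit a FreeBSD /boot/loader.conf for the loader password settings
# described in loader.conf(5).  Assumed semantics, check your release:
#   password="..."           guards the interactive loader prompt/menu;
#                            autoboot still proceeds without input.
#   bootlock_password="..."  halts the loader until the password is typed,
#                            so an unattended reboot needs a human present.
# Both values sit in clear text, so the file mode is part of the check.

# loader_setting FILE NAME: print the value of NAME="value" from FILE.
# The loader takes the last assignment, so this does too.
loader_setting() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# loader_password_status FILE: print one of none | menu | lock | both.
loader_password_status() {
    menu=$(loader_setting "$1" password)
    lock=$(loader_setting "$1" bootlock_password)
    if [ -n "$menu" ] && [ -n "$lock" ]; then
        echo both
    elif [ -n "$lock" ]; then
        echo lock
    elif [ -n "$menu" ]; then
        echo menu
    else
        echo none
    fi
}

# loader_conf_private FILE: succeed only if group and other have no bits
# (ls -l columns 5-10 are the group and other permission characters).
loader_conf_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# write_sample FILE KIND: write a constructed loader.conf (sample data,
# not copied from any real host).  KIND is "menu" or "both".
write_sample() {
    {
        echo '# constructed sample loader.conf'
        echo 'autoboot_delay="3"'
        echo 'password="example-menu-pass"'
        if [ "$2" = both ]; then
            echo 'bootlock_password="example-lock-pass"'
        fi
    } > "$1"
}

# audit FILE: print findings; succeed only when the boot is locked and the
# file is not readable by group or other.
audit() {
    st=$(loader_password_status "$1")
    echo "loader password: $st"
    case "$st" in
        none) echo "  no loader password: anyone at the console reaches the ok prompt" ;;
        menu) echo "  ok prompt guarded, but an unattended reboot still boots the disk" ;;
    esac
    if loader_conf_private "$1"; then
        echo "file mode: private"
    else
        echo "file mode: readable by group/other, and the passwords are clear text (chmod 600)"
    fi
    case "$st" in
        both|lock) loader_conf_private "$1" ;;
        *) return 1 ;;
    esac
}

if [ -n "${1:-}" ]; then
    audit "$1"            # e.g. sh loader-audit.sh /boot/loader.conf (hypothetical name)
else
    # Demo against the constructed sample: menu password only, mode 644.
    f=$(mktemp) && write_sample "$f" menu && chmod 644 "$f" && { audit "$f" || :; }
    rm -f "$f"
fi
```

Two caveats a practitioner should keep in mind. First, Cy's answer still applies: with physical access an attacker can boot other media, pull the disk, or reset the firmware, so the loader password only slows down someone who has the console but not the chassis. Second, bootlock_password blocks unattended reboots, which is exactly what the remote power-off interface Casey mentions would trigger; pick it only if someone can reach a console after a power cycle.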