From owner-freebsd-security Sun Aug 8 12:32:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from prioris.im.pw.edu.pl (prioris.im.pw.edu.pl [148.81.80.7]) by hub.freebsd.org (Postfix) with ESMTP id B8EF2150F1 for ; Sun, 8 Aug 1999 12:31:55 -0700 (PDT) (envelope-from zaks@im.pw.edu.pl)
Received: from pd45.warszawa.ppp.tpnet.pl ([212.160.55.45]:260 "EHLO localhost") by prioris.im.pw.edu.pl with ESMTP id ; Sun, 8 Aug 1999 21:29:42 +0200
Received: from zaks by localhost with local (Exim 2.05 #1 (Debian)) id 11DhMK-000062-00; Mon, 9 Aug 1999 06:48:28 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: Extracted files' permissions
References: <199908081418.CAA02037@aniwa.scoop.lan>
From: Slawek Zak
Date: 09 Aug 1999 06:48:28 +0200
In-Reply-To: Andrew McNaughton's message of "Mon, 09 Aug 1999 02:18:17 +1200"
Message-ID: <871zddk19f.fsf@prioris.im.pw.edu.pl>
Lines: 25
Organization: Kamikaze leming squadron
User-Agent: Gnus/5.070095 (Pterodactyl Gnus v0.95) XEmacs/21.1 (Arches)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

** Andrew McNaughton wrote:

Andrew> Not a bug, but perhaps a missing feature? Is there a
Andrew> workable scheme whereby ownership and permissions get set
Andrew> to something safe by the standard ports make process
Andrew> unless a flag is set by the port specific makefile?

Andrew> It might be that setting that flag becomes common to a
Andrew> high proportion of flags, but at least it would mean that
Andrew> the port's author had looked at the issue.

Andrew> Any such scheme would have plenty of repercussions and
Andrew> would need to be thought through.

Not quite so. Extraction of archives is mostly done using tar. If there was an option for tar, like --no-preserve-owner in GNU tar, the task of having one owner for extracted files would be feasible.
The method for files' extraction is defined in bsd.port.mk, and can be changed for the whole distribution when tar acquires such functionality.

-- 
* Suavek Zak (Altkom UNIX Group) #include
* email: S.Zak@altkom.com voice: +48 (0) 22 674 66 79
* PGP v2.6: 2048/9A7CBF71, finger://zaks@prioris.im.pw.edu.pl

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 8 17:37:19 1999
Received: from smtp3.erols.com (smtp3.erols.com [207.172.3.236]) by hub.freebsd.org (Postfix) with ESMTP id A45FB14BFC for ; Sun, 8 Aug 1999 17:37:06 -0700 (PDT) (envelope-from jobaldwi@vt.edu)
Received: from john.baldwin.cx (207-172-143-111.s48.as1.hgt.md.dialup.rcn.com [207.172.143.111]) by smtp3.erols.com (8.8.8/8.8.5) with ESMTP id UAA15145; Sun, 8 Aug 1999 20:34:04 -0400 (EDT)
Message-Id: <199908090034.UAA15145@smtp3.erols.com>
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <14250.25026.756025.612481@avalon.east>
Date: Sun, 08 Aug 1999 20:34:01 -0400 (EDT)
From: John Baldwin
To: Anthony Kimball
Subject: Re: group bits
Cc: freebsd-security@FreeBSD.ORG, wes@softweyr.com

On 06-Aug-99 Anthony Kimball wrote:
> Quoth Wes Peters on Thu, 5 August:
>:
>: sudo?
>
> Sudo is a wonderful tool, but it far too big a hammer for such a small
> nail for one thing (allows root access to everyone permitted to
> perform a limited task), doesn't retrofit integrated environments with

*Bzzzt* wrong! Sudo lets you specify which user a user can run a command as. You could create a sudo user pppuser, for instance, and have the people in the pppgroup group be able to run commands as pppuser. Then they are not running commands as root. Read the man page next time.
---
John Baldwin -- http://members.freedomnet.com/~jbaldwin/
PGP Key: http://members.freedomnet.com/~jbaldwin/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.freebsd.org

From owner-freebsd-security Sun Aug 8 17:50:10 1999
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 86FFC14D5D for ; Sun, 8 Aug 1999 17:49:59 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id UAA17328; Sun, 8 Aug 1999 20:47:19 -0400 (EDT) (envelope-from wollman)
Date: Sun, 8 Aug 1999 20:47:19 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199908090047.UAA17328@khavrinen.lcs.mit.edu>
To: John Baldwin
Cc: Anthony Kimball, freebsd-security@FreeBSD.ORG
Subject: Re: group bits
In-Reply-To: <199908090034.UAA15145@smtp3.erols.com>
References: <14250.25026.756025.612481@avalon.east> <199908090034.UAA15145@smtp3.erols.com>

< said:

[Lines reformatted. Next time, please fill your lines to 72 characters or less.]

> *Bzzzt* wrong! Sudo lets you specify which user a user can run a
> command as. You could create a sudo user pppuser, for instance, and
> have the people in the pppgroup group be able to run commands as
> pppuser. Then they are not running commands as root. Read the man
> page next time.

Which has nothing whatsoever to do with Anthony Kimball's stated desire, which was to allow members of his sysadmin group to edit PPP configuration files *within their existing editor sessions* and without needing to unnecessarily gain additional privilege. The standard UNIX privilege model was working just fine, until the PPP program decided to substitute its judgment for that of the sysadmin.
Fascist file permission policies often annoy as much as they help, particularly in large installations with multiple technically competent sysadmins. (Yes, we really do want /etc/aliases to be world-writable! The only reason anyone has an account on the machine is to edit /etc/aliases!)

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                  - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sun Aug 8 18:18: 4 1999
Received: from swan.prod.itd.earthlink.net (swan.prod.itd.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id E663C14C8E; Sun, 8 Aug 1999 18:17:49 -0700 (PDT) (envelope-from cindy8520@britney.to)
Received: from 154.5.137.195 (ip195.calgary5.dialup.canada.psi.net [154.5.137.195]) by swan.prod.itd.earthlink.net (8.9.3/8.9.3) with SMTP id SAA11206; Sun, 8 Aug 1999 18:13:53 -0700 (PDT)
From: cindy8520@britney.to
Message-Id: <199908090113.SAA11206@swan.prod.itd.earthlink.net>
Date: Sun, 8 Aug 1999 15:39:01
Subject: Britney Spears

Hiya!! My name is Cindy. I am a teen female from FL. I made a Britney Spears Site, it's called Britney Power! If you want to know more about me you can visit it also. Check it out. http://Britney.to/power I will be waiting!! Please visit!
Cindy

From owner-freebsd-security Mon Aug 9 3: 1:53 1999
Received: from yucca.daewoo.lublin.pl (yucca.daewoo.lublin.pl [195.205.71.11]) by hub.freebsd.org (Postfix) with ESMTP id DA2E014A14 for ; Mon, 9 Aug 1999 03:01:44 -0700 (PDT) (envelope-from raf@tb-303.org)
Received: from localhost (raf@localhost) by yucca.daewoo.lublin.pl (GetMail 1.2/sliffka0.3) with SMTP id MAA21594 for ; Mon, 9 Aug 1999 12:03:08 +0200 (CEST)
X-Authentication-Warning: yucca.daewoo.lublin.pl: raf owned process doing -bs
Date: Mon, 9 Aug 1999 12:03:07 +0200 (CEST)
From: Rafal Banaszkiewicz
X-Sender: raf@yucca.daewoo.lublin.pl
To: freebsd-security@FreeBSD.ORG
Subject: Little question (offtopic)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I wonder if FreeBSD 3.2-RELEASE has support for the Adaptec 2940 U2W SCSI controller. I know that 2940U and 2940W work fine, but what about 2940U2W?
Regards

/* Rafal Banaszkiewicz | mailto:raf@yucca.daewoo.lublin.pl , #lublin
   UIN : 35053919      | http://www.no-web.page.pl , [RaF] on IrcNet */

From owner-freebsd-security Mon Aug 9 3:16:30 1999
Received: from elit.cinet.cn.ua (elit.cinet.cn.ua [193.125.84.11]) by hub.freebsd.org (Postfix) with ESMTP id 343DD14E51 for ; Mon, 9 Aug 1999 03:15:58 -0700 (PDT) (envelope-from noisy@itec.cn.ua)
Received: from itec.cn.ua (IDENT:root@gate.itec.cn.ua [193.125.85.230]) by elit.cinet.cn.ua (8.9.3/8.9.3) with ESMTP id NAA25211 for ; Mon, 9 Aug 1999 13:12:38 +0300 (EEST)
Received: from itec.cn.ua (IDENT:noisy@nearbird.iteclocal [192.168.17.75]) by itec.cn.ua (8.9.0/8.9.0) with ESMTP id NAA01539 for ; Mon, 9 Aug 1999 13:12:34 +0300
Message-ID: <37AEA968.FD94BD5A@itec.cn.ua>
Date: Mon, 09 Aug 1999 10:11:52 +0000
From: "Andrej V. Aleksandrov"
X-Mailer: Mozilla 4.51 [en] (X11; I; Linux 2.2.9 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: (no subject)
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit

subscribe

From owner-freebsd-security Mon Aug 9 5:22:43 1999
Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id E1BD014E18 for ; Mon, 9 Aug 1999 05:22:39 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.9.3/8.9.3) id IAA30737; Mon, 9 Aug 1999 08:17:41 -0400 (EDT) (envelope-from dgilbert)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14254.50917.114293.619506@trooper.velocet.ca>
Date: Mon, 9 Aug 1999 08:17:41 -0400 (EDT)
To: "Thomas Uhrfelt"
Cc:
Subject: SKIP
In-Reply-To:
References:
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid

>>>>> "Thomas" == Thomas Uhrfelt writes:

Thomas> If anybody has successfully installed and used SKIP 1.0
Thomas> between FreeBSD 3.x machines, would you be so kind to get in
Thomas> touch with me. I need help urgently.

I have skip working on FreeBSD 3.2-STABLE. The main caveat that I found is that skip _doesn't_ work with tx0 network cards. The driver there corrupts the skip packets. I have it working between hosts using an ep0 and an ed1.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.
| =========================================================GLO================

From owner-freebsd-security Mon Aug 9 5:29:36 1999
Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id DA53714E18 for ; Mon, 9 Aug 1999 05:29:31 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.9.3/8.9.3) id IAA30942; Mon, 9 Aug 1999 08:25:24 -0400 (EDT) (envelope-from dgilbert)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14254.51379.970618.73593@trooper.velocet.ca>
Date: Mon, 9 Aug 1999 08:25:23 -0400 (EDT)
To: Rafal Banaszkiewicz
Cc: freebsd-security@FreeBSD.ORG
Subject: Little question (offtopic)
In-Reply-To:
References:
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid

>>>>> "Rafal" == Rafal Banaszkiewicz writes:

Rafal> I wonder if FreeBSD 3.2-RELEASE has support for Adaptec 2940
Rafal> U2W scsi controller. I know that 2940U and 2940W work fine,
Rafal> but what about 2940U2W?

I have many 2940UWs in service.... with some of the new drives you get a really nice performance kick with them.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.
| =========================================================GLO================

From owner-freebsd-security Mon Aug 9 8:28:48 1999
Received: from arbol.eece.unm.edu (arbol.eece.unm.edu [129.24.24.159]) by hub.freebsd.org (Postfix) with ESMTP id 12F80150B1; Mon, 9 Aug 1999 08:28:43 -0700 (PDT) (envelope-from jpgood@eece.unm.edu)
Received: from eece.unm.edu (localhost [127.0.0.1]) by arbol.eece.unm.edu (8.9.3/8.9.3) with ESMTP id JAA22395; Mon, 9 Aug 1999 09:22:59 -0600
Message-ID: <37AEF253.7A3403C0@eece.unm.edu>
Date: Mon, 09 Aug 1999 09:22:59 -0600
From: "John P. Goodman"
X-Mailer: Mozilla 4.61 [en] (X11; U; Linux 2.2.10 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Donald Burr
Cc: FreeBSD Questions, FreeBSD Security
Subject: Re: umountall requests - what does this all mean?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Donald,

I'm by no means a unix guru, but you might want to start checking for intrusions into your system. This site will help:

http://www.cert.org/nav/recovering.html

Hopefully I'm just being paranoid and nothing happened. But I would definitely start there and eliminate the possibility.
good luck
--john

Donald Burr wrote:

> I keep getting log messages similar to these:
>
> Aug 7 19:04:49 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> Aug 7 19:04:53 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> Aug 7 19:47:59 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> Aug 7 19:48:03 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
>
> 207.71.226.193 is the IP address assigned to me by my ADSL provider, so
> I can only assume that these packets are coming in through the ADSL modem.
>
> What do these messages mean, and should I be worried about them? And how
> do I block them?
>
> Your assistance is greatly appreciated. Thanks!
>
> Donald Burr WEB: http://www.Powered-By.AC/
> PO Box 91212, Santa Barbara, CA 93190-1212 Tel:(805)957-9666 FAX:(800)492-5954
> Member and software developer with The FreeBSD Project - http://www.FreeBSD.ORG/
> *** FreeBSD *** A FREE, 32 Bit UNIX OS for PC's -- The Power to Serve!

--
John Paul Goodman
EECE Computer Support Staff Member
Room# 213, Phone# 277-3934
--Gravity is a myth, the Earth sucks.
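The mountd lines Donald quotes are the kind of record worth triaging mechanically rather than by eye. What follows is an added example, not code from anyone on this thread: a small Python parser for mountd's "... request from <ip> from unprivileged port" lines that tallies them per source address, records the first and last time seen, and marks whether the source is one of the logging host's own addresses (Donald's situation, where 207.71.226.193 is the address his ADSL provider gave him). The sample lines are constructed copies of the four quoted above plus one unrelated sshd line; the own_addresses parameter and the acceptance of request words other than umountall are assumptions of this example, not something the thread states about mountd.

```python
import re

# Constructed sample input: the four mountd lines quoted in the thread plus one
# unrelated record, to show that non-mountd lines are ignored.
SAMPLE_LOG = """\
Aug  7 19:04:49 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
Aug  7 19:04:53 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
Aug  7 19:47:59 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
Aug  7 19:48:03 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
Aug  7 20:01:10 60-Hz sshd[201]: Accepted publickey for alice from 10.0.0.5 port 51022
"""

# Syslog prefix, the mountd tag, then the request text. Only "umountall"
# appears in the thread; matching any word before "request" is an assumption.
MOUNTD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+mountd\[(?P<pid>\d+)\]:\s+"
    r"(?P<request>\w+) request from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<unpriv> from unprivileged port)?\s*$"
)


def parse_line(line):
    """Return a dict for a mountd request line, or None for anything else."""
    m = MOUNTD_RE.match(line)
    if m is None:
        return None
    return {
        "timestamp": f"{m['mon']} {m['day']} {m['time']}",
        "host": m["host"],
        "pid": int(m["pid"]),
        "request": m["request"],
        "source_ip": m["ip"],
        "unprivileged_port": m["unpriv"] is not None,
    }


def summarize(log_text, own_addresses=()):
    """Tally unprivileged-port mountd requests per source address.

    own_addresses (assumed parameter): addresses belonging to the logging host
    itself; a matching source is flagged so a self-originated request can be
    told apart from a remote one.
    """
    report = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["unprivileged_port"]:
            continue
        entry = report.setdefault(ev["source_ip"], {
            "count": 0,
            "requests": set(),
            "first": ev["timestamp"],
            "last": ev["timestamp"],
            "is_own_address": ev["source_ip"] in own_addresses,
        })
        entry["count"] += 1
        entry["requests"].add(ev["request"])
        entry["last"] = ev["timestamp"]
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG, own_addresses=("207.71.226.193",)).items():
        origin = "own address" if info["is_own_address"] else "remote"
        print(f"{ip} ({origin}): {info['count']} x {sorted(info['requests'])} "
              f"between {info['first']} and {info['last']}")
```

Feeding the real /var/log/messages through summarize() with the host's interface addresses in own_addresses answers Doug's "What IP is 60-Hz?" question directly: a source that is the host itself or a neighbour on the same link reads very differently from a stream of requests from an address nobody on the network owns.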
From owner-freebsd-security Mon Aug 9 8:53:59 1999
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.223.3]) by hub.freebsd.org (Postfix) with ESMTP id BCED2151B5 for ; Mon, 9 Aug 1999 08:53:54 -0700 (PDT) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.223.3]) (1231 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Mon, 9 Aug 1999 10:38:28 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Mon, 9 Aug 1999 10:38:17 -0500 (CDT)
From: James Wyatt
To: Rafal Banaszkiewicz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Little question (offtopic)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 9 Aug 1999, Rafal Banaszkiewicz wrote:
> I wonder if FreeBSD 3.2-RELEASE has support for Adaptec 2940 U2W
> scsi controller. I know that 2940U and 2940W work fine, but what about
> 2940U2W?

We have 2940s, but have switched almost completely to the TekRam (was ASUS) SCSI cards based on the NCR/SymBIOS 53C875 chip. We've been using the DC-390F UWSCSI board for about $78 at www.mcglen.com. (They also make a U2W SCSI board.) I have been using pairs of them in a news server or two to handle the ccd drives for spool and history w/o any failures in the last two years. They ROCK under FreeBSD - clean and fast.
HTH - Jy@

From owner-freebsd-security Mon Aug 9 16:42:59 1999
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by hub.freebsd.org (Postfix) with ESMTP id 265C61515A; Mon, 9 Aug 1999 16:42:40 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.9.3/8.9.3) with ESMTP id QAA04347; Mon, 9 Aug 1999 16:39:42 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Date: Mon, 9 Aug 1999 16:39:42 -0700 (PDT)
From: Doug White
To: Donald Burr
Cc: FreeBSD Questions, FreeBSD Security
Subject: Re: umountall requests - what does this all mean?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 7 Aug 1999, Donald Burr wrote:

> I keep getting log messages similar to these:
>
> Aug 7 19:04:49 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> Aug 7 19:04:53 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> Aug 7 19:47:59 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> Aug 7 19:48:03 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
>
> 207.71.226.193 is the IP address assigned to me by my ADSL provider, so
> I can only assume that these packets are coming in through the ADSL modem.
>
> What do these messages mean, and should I be worried about them? And how
> do I block them?

What IP is 60-Hz? It's probably another machine trying to dismount partitions and mountd doesn't recognize it. Probably harmless.
Doug White
Internet: dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite   | www.freebsd.org

From owner-freebsd-security Mon Aug 9 22:45:48 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E2FD5150FF for ; Mon, 9 Aug 1999 22:44:27 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id XAA15476; Mon, 9 Aug 1999 23:43:22 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id XAA10334; Mon, 9 Aug 1999 23:43:29 -0600 (MDT)
Message-Id: <199908100543.XAA10334@harmony.village.org>
To: freebsd-security@freebsd.org
Cc: 0x1c
Subject: Re: auditors
Date: Mon, 09 Aug 1999 23:43:29 -0600
From: Warner Losh

[[ Sorry I missed this before, it has just been pointed out to me ]]

On Tue, 1 Jun 1999, 0x1c wrote:
> Well, fixes can be submitted, but it's no use unless they are implemented.
> A large number of OpenBSD patches/fixes implement non-standard behaviour,
> which often appear to be frowned upon by committers. At minimum these
> should be considered if an option is given to revert to the historical
> behaviour.

I'm aware of a couple of very specific instances where this is the case (for example, the latest restriction to root of setting flags on files is different than historical behavior), but as a general rule this isn't the case. Can you be more specific? I don't think that the facts support this assertion...
Warner

From owner-freebsd-security Tue Aug 10 9:15:13 1999
Received: from mail.vr.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (Postfix) with ESMTP id 3B24A15408 for ; Tue, 10 Aug 1999 09:15:02 -0700 (PDT) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: from uriela.in-berlin.de (IDENT:root@servicia.in-berlin.de [192.109.42.145]) by mail.vr.IN-Berlin.DE (8.9.1a/8.9.1) with ESMTP id SAA19669 for ; Tue, 10 Aug 1999 18:14:58 +0200 (CEST) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m11EF0S-000VQxC; Tue, 10 Aug 1999 18:44:08 +0200 (CEST)
Received: (from ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id AAA26032 for freebsd-security@FreeBSD.ORG; Tue, 10 Aug 1999 00:58:47 +0200 (CEST) (envelope-from ripley)
Date: Tue, 10 Aug 1999 00:58:46 +0200
From: "H. Eckert"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Little question (offtopic)
Message-ID: <19990810005846.A26018@nortobor.nostromo.in-berlin.de>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from Rafal Banaszkiewicz on Mon, Aug 09, 1999 at 12:03:07PM +0200

Quoting Rafal Banaszkiewicz (raf@tb-303.org):
> I wonder if FreeBSD 3.2-RELEASE has support for Adaptec 2940 U2W
> scsi controller. I know that 2940U and 2940W work fine, but
> what about 2940U2W?

While we're at it, even though it's way off topic... Friday I came across a package that said "AVA 2904 SCSI Controller". I've never seen such a beast before and its price tag makes me wonder.
It's so cheap it's presumably junk, but OTOH it sounds very similar to a 2940. (Gotta check the Adaptec website tomorrow if I find the spare time.)

Greetings,
Ripley

-- 
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.

From owner-freebsd-security Tue Aug 10 11: 3:14 1999
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id BABCD14F09 for ; Tue, 10 Aug 1999 11:03:10 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id TAA09032; Tue, 10 Aug 1999 19:51:50 +0200 (CEST) (envelope-from des)
To: "H. Eckert"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Little question (offtopic)
References: <19990810005846.A26018@nortobor.nostromo.in-berlin.de>
From: Dag-Erling Smorgrav
Date: 10 Aug 1999 19:51:49 +0200
In-Reply-To: "H. Eckert"'s message of "Tue, 10 Aug 1999 00:58:46 +0200"
Message-ID:
Lines: 13
X-Mailer: Gnus v5.5/Emacs 19.34

"H. Eckert" writes:
> Friday I came across a package that said "AVA 2904 SCSI Controller".
> I've never seen such a beast before and its price tag makes me
> wonder. It's so cheap it's presumably junk, but OTOH it sounds
> very similar to a 2940. (Gotta check the Adaptec website tomorrow
> if I find the spare time)

El-Cheapo SCSI-1 host adapter for scanners and suchlike. Don't even bother.
DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Aug 10 13:27:53 1999
Received: from elara.frii.com (elara.frii.com [216.17.128.9]) by hub.freebsd.org (Postfix) with ESMTP id 7F3D5154A0 for ; Tue, 10 Aug 1999 13:27:39 -0700 (PDT) (envelope-from jott@frii.net)
Received: from localhost (jott@localhost) by elara.frii.com (8.9.3/8.9.3) with ESMTP id OAA07898; Tue, 10 Aug 1999 14:26:57 -0600 (MDT)
X-Authentication-Warning: elara.frii.com: jott owned process doing -bs
Date: Tue, 10 Aug 1999 14:26:57 -0600 (MDT)
From: Jake Ott
X-Sender: jott@elara.frii.com
To: Rafal Banaszkiewicz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Little question (offtopic)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

We use 3 in our news server without a hitch.

-Jake
Systems Administrator
Front Range Internet
970.224.3668 x221

On Mon, 9 Aug 1999, Rafal Banaszkiewicz wrote:

>
> I wonder if FreeBSD 3.2-RELEASE has support for Adaptec 2940 U2W
> scsi controller. I know that 2940U and 2940W work fine, but what about
> 2940U2W?
>
> Regards
>
> /* Rafal Banaszkiewicz | mailto:raf@yucca.daewoo.lublin.pl , #lublin
>    UIN : 35053919      | http://www.no-web.page.pl , [RaF] on IrcNet */
>

From owner-freebsd-security Tue Aug 10 14: 4:22 1999
Received: from sf1-smtp01.hamquist.com (sf1-smtp01.hamquist.com [199.108.89.4]) by hub.freebsd.org (Postfix) with SMTP id 91E7C14CBA for ; Tue, 10 Aug 1999 14:04:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from 10.40.251.222 by sf1-smtp01.hamquist.com with ESMTP ( WorldSecure Server SMTP Relay(WSS) v3.6); Tue, 10 Aug 99 14:01:17 -0700
X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3
Received: by sf1-mail03 with Internet Mail Service (5.5.2448.0) id ; Tue, 10 Aug 1999 10:56:01 -0700
Message-ID:
From: "Childers, Richard"
To: "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: RE: Little question (offtopic)
Date: Tue, 10 Aug 1999 10:56:00 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
X-WSS-ID: 1BAE4C961493-01-02
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Continuing to wander off-topic, here ... I've noticed that FreeBSD 3.1 will not allow more than four swap partitions. Does anyone know why this is?

Some clarifications are in order. Hypothesize a generic system with two IDE channels, a SCSI controller and a few SCSI drives stuck into spare spaces. IDE 0 has two IDE drives; one contains the operating system and the other contains user data. IDE 1 is dedicated to the CDROM.
The user opts to spread his swap partitions across all five drives - 64 MB per drive - like a good little sysadmin, spreading his I/O across multiple spindles.

He can see the drives, he can FDISK the drives, he can label the drives. He can mount the filesystems on all the drives, and access the data without SCB messages splashing across his screen. (-:

But when he runs 'swapon -a' it complains about the fifth swap partition (I must bow my head with shame and note that I do not have my notes regarding the precise message with me at the moment - something about 'not a swap device').

No problem, our hero thinks, dusting off his long-term memory and recalling the config files of yore; without even looking it up he can feel it come back, as to the line

    root on wd0 ...

he adds lines specifying swap:

    root on wd0
    swap on wd0 and wd1 and da0 and da1 and da2 and da3

Smugly, he recompiles the kernel and reboots. The same thing happens.

After some experimentation he establishes that he can have any four swap partitions; but only four.

Would someone care to discuss why this is? References to specific files that would allow this to be changed would be appreciated; pointers to READMEs or FAQs that are relevant would be appreciated.

And I haven't even started discussing the implications of device names being relative to device discovery instead of being relative to SCSI ID ...

-- richard

Richard Childers
Senior UNIX Systems Administrator
Hambrecht & Quist, LLC
(415) 439-3838

-----Original Message-----
From: H. Eckert
To: freebsd-security@FreeBSD.ORG
Sent: 8/9/99 3:58 PM
Subject: Re: Little question (offtopic)

Quoting Rafal Banaszkiewicz (raf@tb-303.org):
> I wonder if FreeBSD 3.2-RELEASE has support for Adaptec 2940 U2W
> scsi controller. I know that 2940U and 2940W work fine, but
> what about 2940U2W?

While we're at it, even though it's way off topic... Friday I came across a package that said "AVA 2904 SCSI Controller".
From owner-freebsd-security Tue Aug 10 15:44: 6 1999
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id C440014E6D for ; Tue, 10 Aug 1999 15:44:01 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id PAA70944; Tue, 10 Aug 1999 15:43:10 -0700 (PDT) (envelope-from dillon)
Date: Tue, 10 Aug 1999 15:43:10 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908102243.PAA70944@apollo.backplane.com>
To: "Childers, Richard"
Cc: "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
References:

:Continuing to wander off-topic, here ... I've noticed that FreeBSD 3.1 will
:not allow more than four swap partitions. Does anyone know why this is?

    You can compile up a kernel that allows more than four, but even
    having four is almost certainly going to be overkill.

					-Matt

From owner-freebsd-security Tue Aug 10 15:56:34 1999
Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (Postfix) with ESMTP id 8E5CC14C4E for ; Tue, 10 Aug 1999 15:56:31 -0700 (PDT) (envelope-from fullermd@futuresouth.com)
Received: (from fullermd@localhost) by shell.futuresouth.com (8.9.3/8.9.3) id RAA02953; Tue, 10 Aug 1999 17:55:50 -0500 (CDT)
Date: Tue, 10 Aug 1999 17:55:50 -0500
From: "Matthew D. Fuller"
To: Matthew Dillon
Cc: "Childers, Richard", "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
Message-ID: <19990810175550.A2750@futuresouth.com>
References: <199908102243.PAA70944@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <199908102243.PAA70944@apollo.backplane.com>; from Matthew Dillon on Tue, Aug 10, 1999 at 03:43:10PM -0700
X-OS: FreeBSD

On Tue, Aug 10, 1999 at 03:43:10PM -0700, a little birdie told me
that Matthew Dillon remarked
> :Continuing to wander off-topic, here ... I've noticed that FreeBSD 3.1 will
> :not allow more than four swap partitions. Does anyone know why this is?
>
>     You can compile up a kernel that allows more than four, but even
>     having four is almost certainly going to be overkill.

How so?

I have 5 on my personal workstation, and will probably have more whenever I add disk. I generally stick a swap partition on every physical disk (things like news spool drives are excepted for obvious reasons).

Vis:
[17:45:29] mortis:~
(ttyp8):{6}% pstat -s
Device          1024-blocks     Used    Avail Capacity  Type
/dev/da0s1b          655232        0   655232     0%    Interleaved
/dev/da1s1b          524160        0   524160     0%    Interleaved
/dev/da2s1b          130944        0   130944     0%    Interleaved
/dev/da3s1b          262016        0   262016     0%    Interleaved
/dev/da4s1b          524160        0   524160     0%    Interleaved
Total               2096512        0  2096512     0%

(I just rebooted; normally anywhere from 50-200 megs is used under normal conditions.)
-- 
Matthew Fuller (MF4839)     |  fullermd@over-yonder.net
Unix Systems Administrator  |  fullermd@futuresouth.com
Specializing in FreeBSD     |  http://www.over-yonder.net/
FutureSouth Communications  |  ISPHelp ISP Consulting
"The only reason I'm burning my candle at both ends, is because I haven't
figured out how to light the middle yet"

From owner-freebsd-security Tue Aug 10 16:06:31 1999
From: Matthew Dillon
Date: Tue, 10 Aug 1999 16:05:39 -0700 (PDT)
To: "Matthew D. Fuller"
Cc: "Childers, Richard", "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
Message-Id: <199908102305.QAA71254@apollo.backplane.com>
References: <199908102243.PAA70944@apollo.backplane.com> <19990810175550.A2750@futuresouth.com>

:> You can compile up a kernel that allows more than four, but even
:> having four is almost certainly going to be overkill.
:
:How so?

Your example below is a case in point, though I don't know the uptime on
your box.  What is the use of having lots of swap partitions which never
get used?  You are just wasting a significant amount of kernel memory to
hold the management structures, especially if the swap partitions are not
balanced.  Yours are not.

Even if you set NSWAP to exactly 5, the rlist (under STABLE) that the
kernel allocates to manage swap allocation in your configuration is going
to be massively fragmented.  Under CURRENT the bitmap radix tree will also
eat significantly more memory than it really needs to.  But STABLE is
going to be the worst off.  With the rlist that fragmented, if you ever
use more than around 130MB x 5 = 500MB of swap space (out of the 2G you
have allocated), swapin operations will begin to degrade due to the
scanning overhead on the rlist.

I recommend reducing the swap on da0s1b to 512MB and removing the swap
partitions on da2s1b and da3s1b, which are too small to be useful and
cause unnecessary fragmentation, and leaving NSWAP at its default 4.
This will cut kernel memory overhead in half and still leave you with
1.5GB of swap.

-Matt
Matthew Dillon

:I have 5 on my personal workstation, and will probably have more whenever
:I add disk.  I generally stick a swap partition on every physical disk
:(things like news spool drives are excepted for obvious reasons).
:
:Vis:
:[17:45:29] mortis:~
:(ttyp8):{6}% pstat -s
:Device          1024-blocks     Used    Avail Capacity  Type
:/dev/da0s1b          655232        0   655232     0%    Interleaved
:/dev/da1s1b          524160        0   524160     0%    Interleaved
:/dev/da2s1b          130944        0   130944     0%    Interleaved
:/dev/da3s1b          262016        0   262016     0%    Interleaved
:/dev/da4s1b          524160        0   524160     0%    Interleaved
:Total               2096512        0  2096512     0%
:
:(I just rebooted, normally anywhere from 50-200 megs is used under normal
:conditions).
:
:-- 
:Matthew Fuller (MF4839)     |  fullermd@over-yonder.net
:Unix Systems Administrator  |  fullermd@futuresouth.com
:Specializing in FreeBSD     |  http://www.over-yonder.net/

From owner-freebsd-security Tue Aug 10 16:11:51 1999
From: David Scheidt
Date: Tue, 10 Aug 1999 18:10:02 -0500 (CDT)
To: "Matthew D. Fuller"
Cc: Matthew Dillon, "Childers, Richard", "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
In-Reply-To: <19990810175550.A2750@futuresouth.com>

On Tue, 10 Aug 1999, Matthew D. Fuller wrote:
> On Tue, Aug 10, 1999 at 03:43:10PM -0700, a little birdie told me
> that Matthew Dillon remarked
> > :Continuing to wander off-topic, here ... I've noticed that FreeBSD 3.1 will
> > :not allow more than four swap partitions. Does anyone know why this is?
> > 
> > You can compile up a kernel that allows more than four, but even
> > having four is almost certainly going to be overkill.
> 
> How so?

How often do you swap lots?  Enough that you overwhelm the throughput of
four SCSI disks?  Seems unlikely; if you do, you should consider adding
memory.

It might make sense if you had a bunch of little drives, but given you
have a hard time finding a disk less than 4 GB these days, I don't really
see the point.

David Scheidt

From owner-freebsd-security Tue Aug 10 17:36:15 1999
From: "Andrey E. Lerman"
Date: Wed, 11 Aug 1999 04:32:11 +0400
To: freebsd-security@freebsd.org
Subject: info on suid/sgid files
Message-ID: <19990811043211.X16510@uniyar.ac.ru>

[I'm sorry if it was discussed before, but archives search is
not working right now. :( ]

I did a quick search for suid/sgid files on our server's hd
and found a lot.  I really didn't expect so many.  I removed
the bits on about 80% of them without any visible (yet) impact on
the system's operation.  So I'm wondering, where to find info about
what these suid/sgid bits were for and what I lose by removing
them.  Some of the progs I chmod'ed really amazed me, for example
quota, df, ps, dump, restore, shutdown...

It would be nice if info about the increased privileges
needed for a given program were clearly stated in the manpage.

I'm running 3.1-R now, but it will be upgraded to 3.2-S soon.

-- 
Andrey E. Lerman @ Yaroslavl State University
ICQ: 9418370, primary email: lae@uniyar.ac.ru
[Lae] on IRCNet

From owner-freebsd-security Tue Aug 10 22:55:36 1999
From: "Jordan K. Hubbard"
Date: Tue, 10 Aug 1999 22:53:19 -0700
To: "H. Eckert"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Little question (offtopic)
In-reply-to: Your message of "Tue, 10 Aug 1999 00:58:46 +0200." <19990810005846.A26018@nortobor.nostromo.in-berlin.de>
Message-ID: <19552.934350799@localhost>

It's an advansys controller and it works fine.

> Quoting Rafal Banaszkiewicz (raf@tb-303.org):
> > I wonder if FreeBSD 3.2-RELEASE has support for Adaptec 2940 U2W
> > scsi controller.  I know that 2940U and 2940W work fine, but
> > what with 2940U2W?
> 
> While we're at it even though it's way off topic...
> Friday I came across a package that said "AVA 2904 SCSI Controller".
> I've never seen such a beast before and its price tag makes me
> wonder.  It's so cheap it's presumably junk, but OTOH it sounds
> very similar to a 2940.  (Gotta check the Adaptec website tomorrow
> if I find the spare time)
> 
> Greetings,
> Ripley
> -- 
> H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
> ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
From owner-freebsd-security Wed Aug 11 01:51:15 1999
From: Mike Pritchard
Date: Wed, 11 Aug 1999 03:50:50 -0500 (CDT)
To: dwhite@resnet.uoregon.edu (Doug White)
Cc: dburr@Powered-By.AC (Donald Burr), freebsd-questions@FreeBSD.ORG (FreeBSD Questions), freebsd-security@FreeBSD.ORG (FreeBSD Security)
Subject: Re: umountall requests - what does this all mean?
Message-Id: <199908110850.DAA07718@mpp.pro-ns.net>
In-Reply-To: from Doug White at "Aug 9, 1999 04:39:42 pm"

> On Sat, 7 Aug 1999, Donald Burr wrote:
> 
> > I keep getting log messages similar to these:
> > 
> > Aug 7 19:04:49 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> > Aug 7 19:04:53 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> > Aug 7 19:47:59 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> > Aug 7 19:48:03 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> > 
> > 207.71.226.193 is the IP address assigned to me by my ADSL provider, so
> > I can only assume that these packets are coming in through the ADSL modem.
> > 
> > What do these messages mean, and should I be worried about them?  And how
> > do I block them?
> 
> What IP is 60-Hz?

60-Hz should be the hostname of the machine that generated the syslog
message.  Misconfiguration?  Maybe you need to recompile some
binaries/build/install world?

> It's probably another machine trying to dismount partitions and mountd
> doesn't recognize it.  Probably harmless.

On my own home local network I can generate these types of messages by
running mount/unmount as myself (e.g. non-root).  E.g.

mpp% mount mpp:/shared /shared

will generate mountd messages on my NFS server that look like what you
are seeing above.  Since the address you gave is supposed to be your own
machine, maybe you forgot to su to root before trying to mount something?
Or maybe someone is trying to spoof your IP address and unmount all of
your file systems.

-- 
Mike Pritchard
mpp@FreeBSD.ORG or mpp@mpp.pro-ns.net

From owner-freebsd-security Wed Aug 11 01:57:23 1999
From: Mike Hoskins
Date: Wed, 11 Aug 1999 01:40:00 -0700 (PDT)
To: "Andrey E. Lerman"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: info on suid/sgid files
In-Reply-To: <19990811043211.X16510@uniyar.ac.ru>

On Wed, 11 Aug 1999, Andrey E. Lerman wrote:

> It would be nice if info about the increased privileges
> needed for a given program were clearly stated in the manpage.

I'm not sure how much info is needed about increased privileges...
There's a lot of writeups (CERT's security checklist and an article I did
for the FreeBSD 'Zine to name a couple) that already say 'If you don't
need it ... turn it off'.  Beyond saying that, I'd hope the admin could...

Type:

find / \( -perm -2000 -o -perm -4000 \) -print > audit.log
more audit.log

Think:

'I only need foo, I'll chmod the others appropriately.'

Man pages generally do mention files they need/use...  From which you can
decide which users or groups need access to what files for a system to
function appropriately.

-Mike

From owner-freebsd-security Wed Aug 11 09:10:25 1999
From: John Sconiers
Date: Wed, 11 Aug 1999 11:10:21 -0500 (CDT)
To: "Matthew D. Fuller"
Cc: Matthew Dillon, "Childers, Richard", "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
In-Reply-To: <19990810175550.A2750@futuresouth.com>

> > :Continuing to wander off-topic, here ... I've noticed that FreeBSD 3.1 will
> > :not allow more than four swap partitions. Does anyone know why this is?
> > You can compile up a kernel that allows more than four, but even
> > having four is almost certainly going to be overkill.
> How so?
> I have 5 on my personal workstation, and will probably have more whenever
> I add disk.  I generally stick a swap partition on every physical disk
> (things like news spool drives are excepted for obvious reasons).
> Vis:
> [17:45:29] mortis:~
> (ttyp8):{6}% pstat -s
> Device          1024-blocks     Used    Avail Capacity  Type
> /dev/da0s1b          655232        0   655232     0%    Interleaved
> /dev/da1s1b          524160        0   524160     0%    Interleaved
> /dev/da2s1b          130944        0   130944     0%    Interleaved
> /dev/da3s1b          262016        0   262016     0%    Interleaved
> /dev/da4s1b          524160        0   524160     0%    Interleaved
> Total               2096512        0  2096512     0%
> (I just rebooted, normally anywhere from 50-200 megs is used under normal
> conditions).

I don't know your configuration but I had a PII-400 with 4 UW-SCSI drives
and 256 MB ram running -current.  I dedicated 3 256MB swap partitions
(over 3 drives).  The machine was used as a test box.  It ran 1 test
database instance and was used to compile source for ports, kernels, make
world, nfs shares, etc.  Averaged 3 users with multiple terminal sessions.
Never (almost never) used the swap partitions.

John

From owner-freebsd-security Wed Aug 11 09:29:28 1999
From: Dag-Erling Smorgrav
Date: 11 Aug 1999 18:29:16 +0200
To: John Sconiers
Cc: "Matthew D. Fuller", Matthew Dillon, "Childers, Richard", "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
In-Reply-To: John Sconiers's message of "Wed, 11 Aug 1999 11:10:21 -0500 (CDT)"

John Sconiers writes:
> I don't know your configuration but I had a PII-400 with 4 UW-SCSI drives
> and 256 MB ram running -current.  I dedicated 3 256MB swap partitions
> (over 3 drives).  The machine was used as a test box.  It ran 1 test database
> instance and was used to compile source for ports, kernels, make world,
> nfs shares, etc.  Averaged 3 users with multiple terminal sessions.
> Never (almost never) used the swap partitions.

The only cases in which I've ever actually used swap on a box with
128 MB RAM or more are:

 - make world with a large number of concurrent jobs
 - Netscape going haywire and growing to > 500 MB before dumping core
 - machine-assisted error correction of large OCRed documents (the PGP
   source code, to be precise)

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Aug 11 09:39:33 1999
From: Doug
Organization: Triborough Bridge & Tunnel Authority
Date: Wed, 11 Aug 1999 09:28:19 -0700
To: "Andrey E. Lerman"
Cc: freebsd-security@freebsd.org
Subject: Re: info on suid/sgid files
Message-ID: <37B1A4A3.8ACCCE48@gorean.org>
References: <19990811043211.X16510@uniyar.ac.ru>

"Andrey E. Lerman" wrote:
> 
> [I'm sorry if it was discussed before, but archives search is
> not working right now. :( ]
> I did a quick search for suid/sgid files on our server's hd
> and found a lot.  I really didn't expect so many.  I removed
> the bits on about 80% of them without any visible (yet) impact on
> the system's operation.  So I'm wondering, where to find info about
> what these suid/sgid bits were for and what I lose by removing
> them.  Some of the progs I chmod'ed really amazed me, for example
> quota, df, ps, dump, restore, shutdown...

Well, it's unfortunate because I know you said it's down, but the best
source for this info is the archive.  This is definitely a frequent topic
of conversation.  And I agree, the list is quite long, and contains many
seldom-used items that I would like to see made into ports.

> It would be nice if info about the increased privileges
> needed for a given program were clearly stated in the manpage.

Here is your chance to contribute to the project!  After you've done your
research, submit diffs to the current man pages.  You are not the first
to ask for this, but you *could* be the first to actually get it done.
Doug

From owner-freebsd-security Wed Aug 11 10:26:59 1999
From: butlermd@tgn.net (Michael Butler)
Organization: Texas GulfNet
Date: Wed, 11 Aug 1999 12:25:30 -0500
To: freebsd-security@FreeBSD.ORG
Subject: tzo.com, dynamic dns?
Message-ID: <37b4b1b4.41428996@mail.tgn.net>

This may be old stuff but is anyone getting dns mods from tzo.com
hijacking ip addresses to their domains?  What do we do about it?

see www.tzo.com

They're about to be cut off at the FW

TIA
____________________________________________________________
Michael Butler, Texas GulfNet,      | www.tgn.net
908 South Brooks, PO Box 2089       |
Brazoria, TX 77422-2089             | Voice 409-798-NETT
Part of the Pointecom International | FAX 409-798-6398
Network and the Global Internet     |

From owner-freebsd-security Wed Aug 11 10:49:37 1999
From: Bill Fumerola
Date: Wed, 11 Aug 1999 12:51:10 -0400 (EDT)
To: Dag-Erling Smorgrav
Cc: John Sconiers, "Matthew D. Fuller", Matthew Dillon, "Childers, Richard", "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))

On 11 Aug 1999, Dag-Erling Smorgrav wrote:

> The only cases in which I've ever actually used swap on a box with
> 128 MB RAM or more are:

- Opening a 120 meg mailfile with pine
- Opening that same mail file in pine and trying '20000G ; dG'

Both of the above operations destroyed 128M of RAM + 256M swapfile.
-- 
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Wed Aug 11 11:21:26 1999
From: Garance A Drosihn
Date: Wed, 11 Aug 1999 14:21:20 -0400
To: freebsd-security@FreeBSD.ORG
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))

At 6:29 PM +0200 8/11/99, Dag-Erling Smorgrav wrote:
>The only cases in which I've ever actually used swap on a box with
>128 MB RAM or more are:
>
> - make world with a large number of concurrent jobs
> - Netscape going haywire and growing to > 500 MB before dumping core
> - machine-assisted error correction of large OCRed documents (the PGP
>   source code, to be precise)

I've seen swap used on my machine with 192 meg of RAM, and it wasn't due
to an error condition or something going haywire.  It just depended on
what was running on that given machine.

However, my guess is that the freebsd-security list does not need us all
to talk about what machines we've seen in our lives, and how much swap
they've used.  It is probably a good time for this "little question
(offtopic)" to die out or to move to some other mailing list...

---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Wed Aug 11 11:39:39 1999
From: David Gilbert
Date: Wed, 11 Aug 1999 14:39:21 -0400 (EDT)
To: Dag-Erling Smorgrav
Cc: John Sconiers, "Matthew D. Fuller", Matthew Dillon, "Childers, Richard", "'H. Eckert '", "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
Message-ID: <14257.50009.162402.381699@trooper.velocet.ca>

>>>>> "Dag-Erling" == Dag-Erling Smorgrav writes:

Dag-Erling> The only cases in which I've ever actually used swap on a
Dag-Erling> box with 128 MB RAM or more are:

Since people are posting on this topic, I generally configure a
workstation for myself (these days) with 1Gig of swap.  My current
workstation runs for a number of dumb X-terminals as well as my own
display.  I have 256M of memory.  There are 355 processes running on the
machine... and...

Device       512-blocks     Used    Avail Capacity  Type
/dev/da0s1b     1048576   296128   752192    28%    Interleaved
/dev/wd1s1b     1048576   291128   757192    28%    Interleaved
Total           2096640   587256  1509384    28%

One curious aspect of FreeBSD that I haven't explained to my own
satisfaction is why it appears to consume more swap than linux.  I see a
lot of linux installations running on 32 or 64M of swap, but I'm loathe
to set up BSD boxes with less than 256M of swap.

Not that I have scientific evidence of this, but it has been a general
feeling of a number of people I know.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Wed Aug 11 11:52:17 1999
From: brooks@one-eyed-alien.net
Date: Wed, 11 Aug 1999 11:51:11 -0700 (PDT)
To: David Gilbert
Cc: "'freebsd-security@FreeBSD.ORG '"
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
In-Reply-To: <14257.50009.162402.381699@trooper.velocet.ca>

On Wed, 11 Aug 1999, David Gilbert wrote:

> One curious aspect of FreeBSD that I haven't explained to my own
> satisfaction is why it appears to consume more swap than linux.  I see
> a lot of linux installations running on 32 or 64M of swap, but I'm
> loathe to set up BSD boxes with less than 256M of swap.
> 
> Not that I have scientific evidence of this, but it has been a general
> feeling of a number of people I know.

Lots of people get this feeling, which is why it's a FAQ :-):

--cut--
12.1: FreeBSD uses far more swap space than Linux. Why?

FreeBSD only appears to use more swap than Linux.  In actual fact, it
does not.  The main difference between FreeBSD and Linux in this regard
is that FreeBSD will proactively move entirely idle, unused pages of main
memory into swap in order to make more main memory available for active
use.  Linux tends to only move pages to swap as a last resort.  The
perceived heavier use of swap is balanced by the more efficient use of
main memory.

Note that while FreeBSD is proactive in this regard, it does not
arbitrarily decide to swap pages when the system is truly idle.  Thus you
will not find your system all paged out when you get up in the morning
after leaving it idle overnight.
--cut--

-- Brooks

P.S. trimmed the CC list since this wasn't very on-topic.
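Returning to the suid/sgid audit Mike Hoskins sketched earlier in this digest (run find, read the list, chmod what you don't need): the script below is an added example, not code posted by anyone in the thread. It runs the same find(1) expression against a directory tree and reports any setuid/setgid file that is not on an allowlist, so the audit can be repeated and diffed rather than eyeballed once; the demo tree, file names and allowlist are constructed for illustration and are not a FreeBSD baseline.

```shell
#!/bin/sh
# Added example: repeatable setuid/setgid audit against an allowlist.
# Uses the find(1) expression from Mike Hoskins's message; the demo tree,
# file names and allowlist below are constructed for illustration only.
export LC_ALL=C          # deterministic sort/comm ordering

# list_suid ROOT: print every regular file under ROOT with the setuid or
# setgid bit set, as paths relative to ROOT, sorted.
list_suid() {
    ( cd "$1" && find . \( -perm -2000 -o -perm -4000 \) -type f -print ) \
        | sed 's|^\./||' | sort
}

# audit_suid ROOT ALLOWLIST: print files that carry the bits but are not
# listed in ALLOWLIST (one relative path per line).  Returns 0 when the
# tree matches the allowlist and 1 when anything unexpected was found.
audit_suid() {
    root=$1 allow=$2
    found=$(mktemp) || return 2
    wanted=$(mktemp) || { rm -f "$found"; return 2; }
    list_suid "$root" > "$found"
    sort "$allow" > "$wanted"
    # comm -13: lines only in the second file, i.e. found but not allowed
    unexpected=$(comm -13 "$wanted" "$found")
    rm -f "$found" "$wanted"
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# make_demo_tree: build a constructed tree (not a real FreeBSD install) and
# print its path.  Three files stand in for expected setuid/setgid system
# binaries; one is an unexpected setuid file outside the system paths.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/usr/sbin" "$d/home/user"
    : > "$d/usr/bin/su";        chmod 4555 "$d/usr/bin/su"        # setuid, expected
    : > "$d/usr/bin/wall";      chmod 2555 "$d/usr/bin/wall"      # setgid, expected
    : > "$d/usr/sbin/shutdown"; chmod 4554 "$d/usr/sbin/shutdown" # setuid, expected
    : > "$d/usr/bin/ls";        chmod 0555 "$d/usr/bin/ls"        # no special bits
    : > "$d/home/user/.hidden"; chmod 4755 "$d/home/user/.hidden" # setuid, NOT allowed
    printf '%s\n' "$d"
}

# write_allowlist FILE: the constructed baseline of files expected to carry
# the bits; in practice this is the reviewed output of an earlier audit.
write_allowlist() {
    printf '%s\n' usr/bin/su usr/bin/wall usr/sbin/shutdown > "$1"
}

# Stand-alone run: build the tree, audit it (prints home/user/.hidden), clean up.
tree=$(make_demo_tree)
allow=$(mktemp)
write_allowlist "$allow"
audit_suid "$tree" "$allow" && echo "no unexpected setuid/setgid files"
rm -rf "$tree" "$allow"
```

Feeding a real host's `find` output through the same allowlist comparison turns Hoskins's one-off audit.log into something you can re-run after every install or upgrade.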
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 11 11:52:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from eagle.aitken.com (eagle.aitken.com [209.249.97.250]) by hub.freebsd.org (Postfix) with ESMTP id A7ADD155DE for ; Wed, 11 Aug 1999 11:52:12 -0700 (PDT) (envelope-from jaitken@aitken.com) Received: (from jaitken@localhost) by eagle.aitken.com (8.9.1a/8.9.1) id OAA21052; Wed, 11 Aug 1999 14:51:03 -0400 From: Jeff Aitken Message-Id: <199908111851.OAA21052@eagle.aitken.com> Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic)) In-Reply-To: <14257.50009.162402.381699@trooper.velocet.ca> from David Gilbert at "Aug 11, 1999 02:39:21 pm" To: dgilbert@velocet.ca (David Gilbert) Date: Wed, 11 Aug 1999 14:51:03 -0400 (EDT) Cc: des@flood.ping.uio.no, jrs@enteract.com, fullermd@futuresouth.com, dillon@apollo.backplane.com, RCHILDER@hamquist.com, ripley@nostromo.in-berlin.de, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL53 (25)] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org David Gilbert writes: > One curious aspect of FreeBSD that I havn't explained to my own > satisfaction is why it appears to consume more swap than linux. From: http://www.freebsd.org/FAQ/FAQ235.html#238 12.1. FreeBSD uses far more swap space than Linux. Why? FreeBSD only appears to use more swap than Linux. In actual fact, it does not. The main difference between FreeBSD and Linux in this regard is that FreeBSD will proactively move entirely idle, unused pages of main memory into swap in order to make more main memory available for active use. Linux tends to only move pages to swap as a last resort. The perceived heavier use of swap is balanced by the more efficient use of main memory. Note that while FreeBSD is proactive in this regard, it does not arbitrarily decide to swap pages when the system is truely idle. 
Thus you will not find your system all paged out when you get up in the morning after leaving it idle overnight. --Jeff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 11 12: 1:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from alice.gba.oz.au (gba-254.tmx.com.au [203.9.155.254]) by hub.freebsd.org (Postfix) with SMTP id 588D4155D3 for ; Wed, 11 Aug 1999 12:01:26 -0700 (PDT) (envelope-from gjb-freebsd@gba.oz.au) Received: (qmail 8383 invoked by uid 1001); 12 Aug 1999 03:19:43 +1000 Message-ID: <19990811171943.8382.qmail@alice.gba.oz.au> X-Posted-By: GBA-Post 1.03 20-Sep-1998 X-PGP-Fingerprint: 5A91 6942 8CEA 9DAB B95B C249 1CE1 493B 2B5A CE30 Date: Thu, 12 Aug 1999 03:19:42 +1000 From: Greg Black To: Doug White Cc: Donald Burr , FreeBSD Questions , FreeBSD Security Subject: Re: umountall requests - what does this all mean? References: In-reply-to: of Mon, 09 Aug 1999 16:39:42 MST Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Doug White writes: > > Aug 7 19:04:49 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port > > > > 207.71.226.193 is the IP addressed assigned to me by my ADSL provider, so > > I can only assume that these packets are coming in through the ADSL modem. > > > > What do these messages mean, and should I be worried about them? And how > > do I block them? > > What IP is 60-Hz? > > It's probably another machine trying to dismount partitions and mountd > doesn't recognize it. Probably harmless. I got some similar messages on a 3.2 box a couple of days ago. At the time it was connected only to my home LAN and no machines outside of my office were physically connected to the LAN for some hours before or after the messages appeared. 
I was doing some NFS mounts to that box, but there was no genuine umount request at the time the message appeared. In fact, now that I check the log, the IP that the alleged request came from was the IP of the host that complained -- there was no umount ever done on the box that day.

I would have looked at it a bit harder, but I was in the middle of determining why the box was suffering repeated panics. Since each panic took 45 minutes to induce and it took ten panics and a few new kernels to find a solution and a few more iterations of my test to feel confident that the panics were over, this minor detail got ignored.

The umountall notices came in the following sequence [I've folded long lines and indented the continuations]:

Aug 10 12:30:37 bambi /kernel: changing root device to wd0s1a
Aug 10 12:30:37 bambi named[102]: starting.  named 8.1.2 Tue May 18 03:29:06 GMT 1999
    jkh@cathair:/usr/obj/usr/src/usr.sbin/named
Aug 10 12:30:37 bambi named[103]: Ready to answer queries.
Aug 10 12:31:33 bambi login: ROOT LOGIN (root) ON ttyv0
Aug 10 12:54:39 bambi mountd[120]: umountall request from 192.168.1.12
    from unprivileged port
Aug 10 12:54:43 bambi mountd[120]: umountall request from 192.168.1.12
    from unprivileged port
Aug 10 13:05:21 bambi mountd[120]: mount request succeeded from 192.168.1.52
    for /gba2
Aug 10 13:37:16 bambi /kernel: Out of mbuf clusters - adjust NMBCLUSTERS or
    increase maxusers!
Aug 10 13:37:16 bambi /kernel: xl0: no memory for rx list -- packet dropped!

The first line is the end of the immediately previous reboot after the previous panic. The log continues in full up to the next panic. The root login at 12:31 was genuine and it was partly to ensure that the DNS stuff was all working correctly. The IP of the machine in question (bambi) was 192.168.1.12. The two umountall lines from that same IP at 12:54:{39,43} were spurious.
The mount from 192.168.1.52 was the NFS mount that I ran as part of the next test that was destined to crash the machine 32 minutes later when it ran out of mbufs. Nothing else was happening at the time. These messages did not appear during any other tests.

-- 
Greg Black

From owner-freebsd-security Wed Aug 11 12:03:46 1999
Message-ID: <19990811120248.23702@hydrogen.fircrest.net>
Date: Wed, 11 Aug 1999 12:02:48 -0700
From: John-Mark Gurney
To: Jeff Aitken
Cc: des@flood.ping.uio.no, dillon@apollo.backplane.com, freebsd-security@FreeBSD.ORG
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
References: <14257.50009.162402.381699@trooper.velocet.ca> <199908111851.OAA21052@eagle.aitken.com>
In-Reply-To: <199908111851.OAA21052@eagle.aitken.com>; from Jeff Aitken on Wed, Aug 11, 1999 at 02:51:03PM -0400
Organization: Cu Networking

Jeff Aitken scribbled this message on Aug 11:
> David Gilbert writes:
> > One curious aspect of FreeBSD that I haven't explained to my own
> > satisfaction is why it appears to consume more swap than linux.
>
> From: http://www.freebsd.org/FAQ/FAQ235.html#238
>
> 12.1. FreeBSD uses far more swap space than Linux. Why?
>
> FreeBSD only appears to use more swap than Linux. In actual fact, it
> does not. The main difference between FreeBSD and Linux in this
> regard is that
> FreeBSD will proactively move entirely idle, unused pages of main
> memory into swap in order to make more main memory available for
> active use.
> Linux tends to only move pages to swap as a last resort. The
> perceived heavier use of swap is balanced by the more efficient use
> of main memory.
>
> Note that while FreeBSD is proactive in this regard, it does not
> arbitrarily decide to swap pages when the system is truly idle.
> Thus you will not find
> your system all paged out when you get up in the morning after
> leaving it idle overnight.

this should also be updated to say that it doesn't dump and zero the pages... it just puts them on disk so if there is an immediate need for a large chunk of memory that it can dump pages that have been swapped out w/o having to wait for them to be swapped out..

so the more use of swap actually helps performance because you can get large chunks of memory faster...

-- 
  John-Mark Gurney                      Voice: +1 541 684 8449
  Cu Networking                         P.O. Box 5693, 97405

  "The soul contains in itself the event that shall presently befall it.
  The event is only the actualizing of its thought."
        -- Ralph Waldo Emerson

From owner-freebsd-security Wed Aug 11 13:52:10 1999
Date: Wed, 11 Aug 1999 13:51:58 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908112051.NAA77694@apollo.backplane.com>
To: John-Mark Gurney
Cc: Jeff Aitken, des@flood.ping.uio.no, freebsd-security@FreeBSD.ORG
Subject: Re: 4 Swap partitions limit (was Re: RE: Little question (offtopic))
References: <14257.50009.162402.381699@trooper.velocet.ca> <199908111851.OAA21052@eagle.aitken.com> <19990811120248.23702@hydrogen.fircrest.net>

:this should also be updated to say that it doesn't dump and zero the
:pages... it just puts them on disk so if there is an immediate need
:for a large chunk of memory that it can dump pages that have been swapped
:out w/o having to wait for them to be swapped out..
:
:so the more use of swap actually helps performance because you can get
:large chunks of memory faster...
:
:--
:  John-Mark Gurney                      Voice: +1 541 684 8449
:  Cu Networking                         P.O. Box 5693, 97405

    Most systems work this way. You have dirty pages, clean pages, and free pages. The act of allocating swap and writing a dirty page to the swap block simply changes the page from dirty to clean and does not remove it. If the page is touched again prior to being reused, the underlying swap allocation is simply thrown away. If the page is accessed prior to being reused its LRU position is reset but the swap remains allocated.
    If the page is reused and then later touched or accessed, the page is loaded in from its swap backing store and (if the page is being touched), the swap backing store is deallocated.

                                        -Matt

From owner-freebsd-security Wed Aug 11 14:17:45 1999
Message-ID: <014501bee43e$ce854ba0$0300000a@oldserver.demon.nl>
From: "Marc Schneiders"
To: "Greg Black", "Doug White"
Cc: "Donald Burr", "FreeBSD Questions", "FreeBSD Security"
References: <19990811171943.8382.qmail@alice.gba.oz.au>
Subject: Re: umountall requests - what does this all mean?
Date: Wed, 11 Aug 1999 23:16:40 +0200

Greg Black writes:
> Doug White writes:
>
> > > Aug 7 19:04:49 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> > >
> > > 207.71.226.193 is the IP address assigned to me by my ADSL provider, so
> > > I can only assume that these packets are coming in through the ADSL modem.
> > >
> > > What do these messages mean, and should I be worried about them? And how
> > > do I block them?
> >
> > What IP is 60-Hz?
> >
> > It's probably another machine trying to dismount partitions and mountd
> > doesn't recognize it. Probably harmless.
>
> I got some similar messages on a 3.2 box a couple of days ago.
> At the time it was connected only to my home LAN and no machines
> outside of my office were physically connected to the LAN for
> some hours before or after the messages appeared. I was doing
> some NFS mounts to that box, but there was no genuine umount
> request at the time the message appeared. In fact, now that I
> check the log, the IP that the alleged request came from was the
> IP of the host that complained -- there was no umount ever done
> on the box that day.

[...]

I get the message in the following circumstances: I kill mountd on another NFS-server *through telnet*. (It happens to be running OpenBSD.) The FreeBSD box (4.0 snapshot 4 July), also configured as an NFS-server (because I use it for src/CVSUP for another FreeBSD, dual PPro, machine), gives the complaint mentioned in the subject, blaming itself for the request. Apparently it listens to this request telnetted to another NFS-host on some (unprivileged) port and finds it worthwhile to tell us.

Is this a bug or a stupid user who misconfigured his LAN?

Marc Schneiders
marc@oldserver.demon.nl

From owner-freebsd-security Wed Aug 11 14:53:07 1999
Date: Thu, 12 Aug 1999 01:09:33 +0400
From: "Andrey E. Lerman"
To: Mike Hoskins
Cc: freebsd-security@freebsd.org
Subject: Re: info on suid/sgid files
Message-ID: <19990812010933.A6691@univ.uniyar.ac.ru>
References: <19990811043211.X16510@uniyar.ac.ru>
In-Reply-To: ; from Mike Hoskins on Wed, Aug 11, 1999 at 01:40:00AM -0700

On Wed, Aug 11, 1999 at 01:40:00AM -0700, Mike Hoskins wrote:
> On Wed, 11 Aug 1999, Andrey E. Lerman wrote:
>
> > It would be nice if info about need of increased privileges
> > needed for given program would be clearly stated in manpage.
>
> I'm not sure how much info is needed about increased privileges...
> There's a lot of writeups (CERT's security checklist and an article I did
> for the FreeBSD 'Zine to name a couple) that already say 'If you don't
> need it ... turn it off'. Beyond saying that, I'd hope the admin could...
>
> Type: find / \( -perm -2000 -o -perm -4000 \) -print > audit.log
> more audit.log

Actually, this is done every day in a cron job.

> Think: 'I only need foo, I'll chmod the others appropriately.'
>
> Man pages generally do mention files they need/use... From which you can
> decide which users or groups need access to what files for a system to
> function appropriately.

I just want to know "what will change if I turn that bit off". I saw references to files, but, say, the manpage for ps mentions /dev/kmem, /kernel, etc. but it isn't clear what it will use those files/devices for. I killed suid on ps and it continues working for me. I haven't tested it fully though.

Sometimes I don't have the machine to experiment on. I will have problems if I screw something up which will be fatal to users' operation (such as users will not be able to do their job). In my case the situation is better as I don't really have many shell accounts on that machine.

-- 
Andrey E. Lerman @ Yaroslavl State University
ICQ: 9418370, primary email: lae@uniyar.ac.ru
[Lae] on IRCNet

From owner-freebsd-security Wed Aug 11 15:07:16 1999
Message-ID: <013701bee446$e05a98f0$fe01a8c0@pacbell.net>
From: "John Howie"
To: "Andrey E. Lerman",
Subject: Fw: info on suid/sgid files
Date: Wed, 11 Aug 1999 15:14:27 -0700

Andrey wrote:
> I did a quick search for suid/sgid files on our server's hd
> and found a lot. I really didn't expect so many. I removed
> bits on about 80% of it without any visible (yet) impact to
> system's operation. So I'm wondering, where to find info about
> what these suid/sgid bits were for and what I lose removing
> them. Some of progs I chmod'ed really amazed me, for example
> quota, df, ps, dump, restore, shutdown...

Many of those programs require privileges to access kernel memory, the raw hard disk, etc. Ordinary users will not have the necessary permissions to access these parts of the OS, hence the SUID bit. Many system administrators freak out but the reality is that these utilities rarely (but not never) expose a risk to system security.
While the truly paranoid might remove the SUID bit, it is often unnecessary and can cause legitimate, non-root, users problems when they want to see what is running on the system, what their disk quota usage is, etc.

You mentioned that you found these on your server. I am assuming that this is a file and print server. If your users cannot access this system interactively, either at the console or over the network by disabling the telnet and r* daemons, then you have very little to worry about.

I, personally, would not remove them from workstations.

john...

From owner-freebsd-security Wed Aug 11 16:49:56 1999
Date: Thu, 12 Aug 1999 03:41:38 +0400
From: "Andrey E. Lerman"
To: John Howie
Cc: freebsd-security@freebsd.org
Subject: Re: Fw: info on suid/sgid files
Message-ID: <19990812034137.E6691@univ.uniyar.ac.ru>
References: <013701bee446$e05a98f0$fe01a8c0@pacbell.net>
In-Reply-To: <013701bee446$e05a98f0$fe01a8c0@pacbell.net>; from John Howie on Wed, Aug 11, 1999 at 03:14:27PM -0700

On Wed, Aug 11, 1999 at 03:14:27PM -0700, John Howie wrote:
> Andrey wrote:
>
> > I did a quick search for suid/sgid files on our server's hd
> > and found a lot. I really didn't expect so many. I removed
> > bits on about 80% of it without any visible (yet) impact to
> > system's operation.
> > So I'm wondering, where to find info about
> > what these suid/sgid bits were for and what I lose removing
> > them. Some of progs I chmod'ed really amazed me, for example
> > quota, df, ps, dump, restore, shutdown...
>
> Many of those programs require privileges to access kernel memory, the raw
> hard disk, etc. Ordinary users will not have the necessary permissions to
> access these parts of the OS hence the SUID bit. Many system administrators
> freak out but the reality is that these utilities rarely (but not never)
> expose a risk to system security. While the truly paranoid might remove the
> SUID bit, it is often unnecessary and can cause legitimate, non-root, users
> problems when they want to see what is running on the system, what their
> disk quota usage is, etc.

We just don't know what kind of security risk they expose. Imagine tomorrow bugtraq and -security lists filled with messages about a new vulnerability. Who will be faster, you patching your system or hackers breaking into it? Who knows. The risk is low, but not zero. People (developers are people too) sometimes make mistakes. Same for auditors of code. I agree, some will call it paranoid. I will consider restoring these suid/sgid bits if there are complaints from the users (or me :). We are balancing between comfortable working and security again.

> You mentioned that you found these on your server. I am assuming that this
> is a file and print server. If your users cannot access this system
> interactively, either at the console or over the network by disabling the
> telnet and r* daemons, then you have very little to worry about.

You guessed quite right, it is also ftp and www server and gateway. But we plan to set this box up also as a server for X terminals. I also admin another box running Linux, which is a terminal server. I found a lot fewer suid programs on it.

-- 
Andrey E. Lerman @ Yaroslavl State University
ICQ: 9418370, primary email: lae@uniyar.ac.ru
[Lae] on IRCNet

From owner-freebsd-security Wed Aug 11 17:02:44 1999
From: "Rodney W. Grimes"
Message-Id: <199908120002.RAA09255@gndrsh.aac.dev.com>
Subject: Re: Little question (offtopic)
In-Reply-To: <19552.934350799@localhost> from "Jordan K. Hubbard" at "Aug 10, 1999 10:53:19 pm"
To: jkh@zippy.cdrom.com (Jordan K. Hubbard)
Date: Wed, 11 Aug 1999 17:02:29 -0700 (PDT)
Cc: ripley@nostromo.in-berlin.de (H. Eckert), freebsd-security@FreeBSD.ORG

> It's an advansys controller and it works fine.

No, it's an Adaptec Controller, and it don't work for crap:

gndrsh:root {241}# man 4 adv
...
DESCRIPTION
     This driver provides access to the 8bit SCSI bus connected to the
     Advanced Systems Products, Inc. ASC900, ASC1000, ASC1090, ASC1200,
     ASC3050, and ASC3150 host adapter chips. The following tables list the
     AdvanSys products using these chips, their bus attachment type, maximum
     sync rate, and the maximum number of commands that can be handled by the
     adapter concurrently.
     Connectivity Products:
       Adapter       Bus       Floppy   MaxSync   Commands   Footnotes
       ABP510/5150   ISA       No       10MHz     240        1
       ABP5140       ISA PnP   No       10MHz     16         1, 3
       ABP5142       ISA PnP   Yes      10MHz     16         4
       ABP920        PCI       No       10MHz     16
       ABP930        PCI       No       10MHz     16         5
       ABP930U       PCI       No       20MHz     16
       ABP930UA      PCI       No       20MHz     16
       ABP960        PCI       No       10MHz     16         2
       ABP960U       PCI       No       20MHz     16         2

No AVA 2904's in there, and like someone else already posted, these are SCSI cards for running scanners mostly... They are kinda a PCI version of the AIC-6260/6360 chip used on the Adaptec AH152x, 1504, etc.

> > Quoting Rafal Banaszkiewicz (raf@tb-303.org):
> > > I wonder if FreeBSD 3.2-RELEASE has support for Adaptec 2940 U2W
> > > scsi controller . I know that 2940U and 2940W works fine , but
> > > what with 2940U2W ?
> >
> > While we're at it even though it's way off topic...
> > Friday I came across a package that said "AVA 2904 SCSI Controller".
> > I've never seen such a beast before and its price tag makes me
> > wonder. It's so cheap it's presumably junk, but OTOH it sounds
> > very similar to a 2940. (Gotta check the Adaptec website tomorrow
> > if I find the spare time)
> >
> > Greetings,
> > Ripley
> > --
> > H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
> > ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Wed Aug 11 18:58:55 1999
Date: Wed, 11 Aug 1999 21:57:24 -0400 (EDT)
From: "James C. Durham"
Message-Id: <199908120157.VAA03527@sludge.pgh.pa.us>
To: freebsd-security@freebsd.org
Subject: ssh dropping connections/sendmail IP

I am using ssh to tunnel from my "remote server" located at a remote location with a public IP number to my "local server" behind an ISP's firewall using a DSL connection.

The ssh connection keeps dropping out. I have KeepAlive "YES" and IdleTime set to 104w (2 years). I have just started having a little script on the remote machine send me the date/time every 30 seconds and that seems to keep it up. Is this behavior normal?

Also, I'm having problems sending mail from sendmail on my local machine because the IP gets translated to something that doesn't resolve at the ISP's firewall. This means I can't send to some sites (freebsd-security being one of them!). I've been trying to see a way that I can relay the sendmail feed through my remote server using port redirection.
I can't run the sendmail daemon on the remote server because port 25 is already bound to ssh. (I need sendmail to run on the local machine because I'm doing some stuff which requires that).

Thanks,

Jim Durham

From owner-freebsd-security Wed Aug 11 19:44:25 1999
From: "Jason Schwab"
To: freebsd-security@freebsd.org
Date: Wed, 11 Aug 1999 19:44:14 -800
Subject: ipfw
Message-id: <37b234fe.c8.0@telebot.com>

what rules should I add to my ipfw ruleset to block out icmp floods and smurf attacks, etc thanks.
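The replies in this thread answer the question with `deny log` rules for ICMP echo requests aimed at the directed-broadcast address (the smurf amplifier case) and point at dummynet rate limiting and `ICMP_BANDLIM` for plain floods; once such rules are in place, the logged denies are what tells you which of the two you are actually seeing. As an added example, not code from any poster, here is a Python script that triages ipfw ICMP deny lines into smurf-style sources and flood-style sources; the sample log lines, the 192.168.0.0/24 local net, the 5 requests/second threshold and the assumed ipfw syslog field layout are all constructed for this example.

```python
"""Triage ipfw 'deny log' lines for the two ICMP patterns the thread is about.

Added example, not code from any poster. Assumptions: the log lines below are
constructed (not taken from the thread); the field layout
'ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> <dir> via <if>' is the
syslog form ipfw uses for logged rules; LOCAL_NET and FLOOD_PER_SECOND are
example values to be replaced with your own.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.0.0/24")   # assumed local net, as in the thread's rules
BROADCAST = LOCAL_NET.broadcast_address    # 192.168.0.255, the smurf amplifier target
FLOOD_PER_SECOND = 5                       # assumed per-source threshold
ICMP_ECHO_REQUEST = 8                      # icmptypes 8 in the ipfw rule

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ (?P<hms>\d\d:\d\d:\d\d)) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: three broadcast-directed echo requests from one outside
# source, six echo requests within one second from another, one benign
# request, and one TCP line the parser must skip.
SAMPLE_LOG = """\
Aug 12 00:16:07 fw /kernel: ipfw: 2000 Deny ICMP:8.0 10.9.9.9 192.168.0.255 in via de0
Aug 12 00:16:07 fw /kernel: ipfw: 2000 Deny ICMP:8.0 10.9.9.9 192.168.0.255 in via de0
Aug 12 00:16:08 fw /kernel: ipfw: 2000 Deny ICMP:8.0 10.9.9.9 192.168.0.255 in via de0
Aug 12 00:16:08 fw /kernel: ipfw: 3000 Deny ICMP:8.0 172.16.5.5 192.168.0.10 in via de0
Aug 12 00:16:08 fw /kernel: ipfw: 3000 Deny ICMP:8.0 172.16.5.5 192.168.0.10 in via de0
Aug 12 00:16:08 fw /kernel: ipfw: 3000 Deny ICMP:8.0 172.16.5.5 192.168.0.10 in via de0
Aug 12 00:16:08 fw /kernel: ipfw: 3000 Deny ICMP:8.0 172.16.5.5 192.168.0.10 in via de0
Aug 12 00:16:08 fw /kernel: ipfw: 3000 Deny ICMP:8.0 172.16.5.5 192.168.0.10 in via de0
Aug 12 00:16:08 fw /kernel: ipfw: 3000 Deny ICMP:8.0 172.16.5.5 192.168.0.10 in via de0
Aug 12 00:16:09 fw /kernel: ipfw: 3000 Deny ICMP:8.0 172.16.7.7 192.168.0.10 in via de0
Aug 12 00:16:09 fw /kernel: ipfw: 4000 Deny TCP 10.9.9.9:1234 192.168.0.10:80 in via de0
"""


def parse_line(line):
    """Return the fields of one logged ICMP deny, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    rec["code"] = int(rec["code"])
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    return rec


def triage(log_text, local_net=LOCAL_NET, flood_per_second=FLOOD_PER_SECOND):
    """Split inbound echo requests into smurf-style and flood-style sources.

    Returns a dict with:
      smurf   - {src: count}: echo requests to the directed-broadcast address
                from outside the local net (someone trying to use the net as
                an amplifier; the 'deny ... icmptypes 8' rule stops the replies)
      flood   - {src: peak per-second count} for sources at or above threshold
      skipped - number of lines that were not ICMP deny entries
    """
    smurf = defaultdict(int)
    per_second = defaultdict(int)   # (src, hh:mm:ss) -> echo requests seen
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dir"] != "in" or rec["type"] != ICMP_ECHO_REQUEST:
            continue
        src = str(rec["src"])
        if rec["dst"] == local_net.broadcast_address and rec["src"] not in local_net:
            smurf[src] += 1
        per_second[(src, rec["hms"])] += 1
    flood = {}
    for (src, _second), n in per_second.items():
        if n >= flood_per_second and n > flood.get(src, 0):
            flood[src] = n
    return {"smurf": dict(smurf), "flood": flood, "skipped": skipped}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, n in result["smurf"].items():
        print(f"smurf amplification attempt: {src} sent {n} echo requests to {BROADCAST}")
    for src, rate in result["flood"].items():
        print(f"echo flood: {src} peaked at {rate} requests/second")
    print(f"{result['skipped']} non-ICMP line(s) skipped")
```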
From owner-freebsd-security Wed Aug 11 20:04:21 1999
Message-ID: <71281E6E6644D311882F005004D16880395A@camel.local.mha.ca>
From: Vincent Power
To: freebsd-security@FreeBSD.ORG
Subject: question about ipfw/natd
Date: Wed, 11 Aug 1999 20:03:00 -0700

With ipfw/natd, I am having trouble blocking access to certain ports on the IPs I have redirected with "natd -redirect_address". Can it be done... and is there a reference to setting up this kind of configuration? Or does someone have a sample configuration file for this type of setup?
Regards,
Vincent Power

From owner-freebsd-security Wed Aug 11 20:04:55 1999
Message-ID: <003901bee46f$5b90ed80$0286860a@tasam.com>
From: "Joe Gleason"
References: <37b234fe.c8.0@telebot.com>
Subject: Re: ipfw
Date: Wed, 11 Aug 1999 23:02:03 -0400

Probably the best way to block floods of that sort is dummynet and put some rate limiting there.

----- Original Message -----
From: Jason Schwab
Sent: Wednesday, August 11, 1999 23:44
Subject: ipfw

> what rules should I add to my ipfw ruleset to block out icmp
> floods and smurf attacks, etc thanks.
From owner-freebsd-security Wed Aug 11 21:05:26 1999
Date: Wed, 11 Aug 1999 23:57:48 -0400 (EDT)
From: Barrett Richardson
To: "James C. Durham"
Cc: freebsd-security@freebsd.org
Subject: Re: ssh dropping connections/sendmail IP
In-Reply-To: <199908120157.VAA03527@sludge.pgh.pa.us>

On Wed, 11 Aug 1999, James C. Durham wrote:

> I am using ssh to tunnel from my "remote server" located
> at a remote location with a public IP number to my "local
> server" behind an ISP's firewall using a DSL connection.
>
> The ssh connection keeps dropping out. I have KeepAlive "YES" and
> IdleTime set to 104w (2 years). I have just started having a little
> script on the remote machine send me the date/time every 30 seconds
> and that seems to keep it up. Is this behavior normal?
>

The frequency of the keepalives isn't sufficient traffic to keep the firewall from snipping the connection. It doesn't consider the connection active if traffic drops below a threshold.

> Also, I'm having problems sending mail from sendmail on my local
> machine because the IP gets translated to something that doesn't
> resolve at the ISP's firewall.
> This means I can't send to
> some sites (freebsd-security being one of them!). I've been trying
> to see a way that I can relay the sendmail feed through my remote server
> using port redirection. I can't run the sendmail daemon on the remote
> server because port 25 is already bound to ssh.

The remote server is the one outside the firewall, right? Any reason you can't run sshd on the de facto port 22?

- Barrett

>
> (I need sendmail to run on the local machine because I'm doing some
> stuff which requires that).
>
> Thanks,
>
> Jim Durham
>

From owner-freebsd-security Wed Aug 11 23:16:28 1999
Date: Thu, 12 Aug 1999 00:16:07 -0600 (MDT)
From: Nick Rogness
To: Jason Schwab
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw
In-Reply-To: <37b234fe.c8.0@telebot.com>

On Wed, 11 Aug 1999, Jason Schwab wrote:

> what rules should I add to my ipfw ruleset to block out icmp
> floods and smurf attacks, etc thanks.

For smurf attacks, I've done it 2 different ways before, assuming your local net is 192.168.0.0/24:

# Permit traffic from local net 192.168.0.0/24 to broadcast addr.
ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
# Deny log traffic from outside local net to local broadcast
ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0

or:

# Deny log ICMP echo requests to broadcast from anywhere (1 line)
ipfw add 2000 deny log icmp from any to 192.168.0.255/32 in via de0 icmptypes 8

Flood pinging is a bit more difficult. You probably can use DUMMYNET for this but I have never used it for that before, so I can't wave you in one direction or the other from using it. We block this garbage with our Cisco's so I'm not sure on it. But look in LINT at 'options ICMP_BANDLIM' or the sysctl switch.

*******************************************************************
Nick Rogness                    Shaw's Principle:
System Administrator            Build a system that even a fool
RapidNet, INC                   can use, and only a fool will
nick@rapidnet.com               want to use it.
*******************************************************************

From owner-freebsd-security Wed Aug 11 23:33:47 1999
Date: Thu, 12 Aug 1999 00:33:15 -0600 (MDT)
From: Nick Rogness
To: "James C. Durham"
Cc: freebsd-security@freebsd.org
Subject: Re: ssh dropping connections/sendmail IP
In-Reply-To: <199908120157.VAA03527@sludge.pgh.pa.us>

On Wed, 11 Aug 1999, James C. Durham wrote:

> Also, I'm having problems sending mail from sendmail on my local
> machine because the IP gets translated to something that doesn't
> resolve at the ISP's firewall. This means I can't send to

I'm assuming that sendmail responds with a 451 error: ...sender domain must resolve...

Sendmail has the capability to do this. You just have to build a sendmail cf file to relay/masquerade your mail off of another server that has an actual reverse lookup.

*******************************************************************
Nick Rogness                    Shaw's Principle:
System Administrator            Build a system that even a fool
RapidNet, INC                   can use, and only a fool will
nick@rapidnet.com               want to use it.
*******************************************************************

From owner-freebsd-security Wed Aug 11 23:58:31 1999
Message-ID: <37B27077.C4021672@tinker.com>
Date: Thu, 12 Aug 1999 01:57:59 -0500
From: Carol Deihl
Organization: Shrier and Deihl
To: Vincent Power
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: question about ipfw/natd
References: <71281E6E6644D311882F005004D16880395A@camel.local.mha.ca>

Hi Vincent,

The key to making this work is thinking about when the natd
happens, so that you'll know what addresses you're working with. Here's
an example of a setup I did some time ago, which may or may not match
your situation, but I hope it will shed some light for you.

We needed to translate addresses for some public servers. We placed them
behind a FreeBSD box with ipfw/natd, using redirect_address statements
in a natd.conf file. We did our natd on the *external* interface.

Our ipfw rules were (schematically) like this (we used a shell file):

    $rule 1000 pass all from 127.0.0.1 to 127.0.0.1

    # Anti-spoofing, block incoming with internal sources
    $rule deny log all from $i_net to any in via $oif

    # Stop RFC1918 nets and loopback on the outside interface
    $rule deny log all from 192.168.0.0:255.255.0.0 to any in via $oif
    $rule deny log all from 172.16.0.0:255.240.0.0 to any in via $oif
    $rule deny log all from 10.0.0.0:255.0.0.0 to any in via $oif
    $rule deny log all from 127.0.0.1 to any in via $oif

    # process through NAT
    $rule divert natd all from any to any via $oif

    # Allow inbound to public web servers that require NAT
    # Rule 1 for discussion below:
    $rule pass tcp from any $HIGH to $t_public $HTTP in via $oif
    # Rule 2
    $rule pass tcp from any $HIGH to $t_public $HTTP out via $iif
    # Rule 3
    $rule pass tcp from $t_public $HTTP to any $HIGH in via $iif established
    # Rule 4
    $rule pass tcp from $r_public $HTTP to any $HIGH out via $oif established

    # ditto 1-4 for other services and other blocks of addresses requiring nat

The sequence of processing for a sample web connection is this:

 1. first packet comes in $oif (outside interface)
 2. packet examined for anti-spoofing
 3. packet translated by natd
 4. packet (with translated address) passed across $oif by Rule 1 above
 5. packet (still with translated address) passed across $iif (inside
    interface) by Rule 2
 6. packet received by web server, generates reply packet
 7. reply packet (with translated address) comes in $iif
 8. reply packet (with translated address) passed across $iif by Rule 3
 9. reply packet (with translated address) hits $oif on way out
10. reply packet goes through nat, gets translated to *outside* address
11. reply packet (with *outside* address) passed to outside across $oif
    by Rule 4

In our topology, note that Rules 1-3 refer to the translated (inside)
address, while Rule 4 refers to the *outside* address (since the nat
happens before that rule gets hit).

Note that even if you're using RFC1918 nets on the inside, the RFC1918
rules above won't cause a problem, since they are applied only to
packets that are coming *in* from the outside interface.

Another thing that took me some time to figure out originally is this:
The "in" and "out" are from the point of view of the *interface*
involved, *not* relative to the "inside" or "outside" network. So, for
packets that are transiting the gateway box headed into the internal
network, these packets will be going *out* the internal interface to the
internal network.

Hope I've shed light, not confusion...

Carol

Vincent Power wrote:
>
> With ipfw/natd, I am having trouble blocking access to certain ports on
> the ip's I have redirected with "natd -redirect_address". Can it be
> done... and is there a reference to setting up this kind of
> configuration? or does someone have a sample configuration file for this
> type of setup?

--
Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/


From owner-freebsd-security Thu Aug 12 0: 8:46 1999
Date: Thu, 12 Aug 1999 03:08:25 -0400
From: "Joe Gleason"
Subject: making sshd2 check user expiration dates
Message-ID: <007701bee491$7c14a070$0286860a@tasam.com>

I'm not sure if security is the right list, but this has to do with
allowing or denying access to a system based on expiration date, which
I consider relevant to security.

Does anyone know how to make sshd2 check user expiration dates?

I did a quick test, and telnet, pop3, ftpd and sshd1 all do NOT allow a
user with an expired account to login. sshd2 however does.

By expired I mean field 7 in master.passwd file having a number that is
between 0 and the current time in seconds exclusive.

I am running FreeBSD 3.2-stable (a few days old)

I installed ssh via installing /usr/ports/security/ssh and then
/usr/ports/security/ssh2 (that way I have all the ssh1 stuff for
compatibility). I haven't touched the configs much, if at all. I looked
through the man page and config files real quick and didn't see anything
about user expiration dates. It is 3am, so I could have easily missed
something. Anyone with any ideas or experience with this, any help would
be appreciated. I would really prefer not to have to hack something odd
together to support expiration dates.

Joe Gleason
Tasam


From owner-freebsd-security Thu Aug 12 3:10:38 1999
Date: Thu, 12 Aug 1999 20:10:30 +1000 (EST)
From: Chris Keladis
Reply-To: chrisk@tpgi.com.au
To: freebsd-security@freebsd.org
Subject: SSH on FreeBSD.

Hi folks,

I am considering using SSH to tunnel backups over SSH on some FreeBSD
boxes.

I haven't played with SSH in a while, and I remember last time I did a
major stumbling block was getting SSH to authenticate without asking for
a password. (The way r* utilities work).

Would it be possible to setup my FreeBSD boxes to work in a similar way
to r* utils, so I can do ssh myhost.mydomain.com and be presented with
a shell on the remote machine, with the appropriate authentication
pre-configured?

Are there any how-to's, or faq's on this?

Thanks,

Chris.
----------------------------------
Chris Keladis                    TPG Internet
System Administrator             E-Mail: Chris Keladis
Local Date: 12-Aug-99            Local Time: 20:02:45
----------------------------------


From owner-freebsd-security Thu Aug 12 3:37:16 1999
Date: Thu, 12 Aug 1999 03:35:46 -0700 (PDT)
From: Bigby Findrake
To: chrisk@tpgi.com.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH on FreeBSD.

On Thu, 12 Aug 1999, Chris Keladis wrote:

> Hi folks,
>
> I am considering using SSH to tunnel backups over SSH on some FreeBSD
> boxes.
>
> I haven't played with SSH in a while, and I remember last time I did a
> major stumbling block was getting SSH to authenticate without asking for
> a password. (The way r* utilities work).
>
> Would it be possible to setup my FreeBSD boxes to work in a similar way
> to r* utils, so I can do ssh myhost.mydomain.com and be presented with
> a shell on the remote machine, with the appropriate authentication
> pre-configured?

Sure. I do it. What I do is use RSA keys. Use the ssh-keygen utility
that installs with the ssh package to generate an RSA key for a user.
When it prompts you for a password for the RSA key, hit return. By
default this installs the key pair (public & private) into
$HOME/.ssh/{identity,identity.pub}. Put the public key
($HOME/.ssh/identity.pub) into the target machine, in the target user's
$HOME/.ssh/authorized_keys. Make sure the target machine is running
sshd, and that /etc/sshd_config says "RSAAuthentication yes". Now you
can ssh from the source machine to the target machine without a
password IF you didn't specify a password for the RSA key on the source
machine.

If you're sshing to the target machine as a different user from the
source machine, you'll have to specify the user on the ssh command line
with the -l command line option. For example:

    host1> tar -czf - /file1 /file2 | ssh host2 -l some_user "cd /backup_dir \
    ; tar -xzf -"

Do note that there are security implications for creating RSA keys
without passwords. Essentially it's the same issue with using rhosts:
if an account is compromised on a local machine, it is thereby
compromised on the remote machine.

> Are there any how-to's, or faq's on this?

Aside from the above? I don't know. Maybe someone else can help you out
there.

/-------------------------------------------------------------------------/
Giving something away is the ultimate subversive act in a society the
economic system of which is structurally based on greed and egotism.
finger bigby@shiva.eu.org for my pgpkey
e-mail bigby@pager.shiva.eu.org to page me
/-------------------------------------------------------------------------/


From owner-freebsd-security Thu Aug 12 4: 0:33 1999
Date: Thu, 12 Aug 1999 03:59:30 -0700 (PDT)
From: Bigby Findrake
To: Joe Gleason
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: making sshd2 check user expiration dates
In-Reply-To: <007701bee491$7c14a070$0286860a@tasam.com>

On Thu, 12 Aug 1999, Joe Gleason wrote:

> I'm not sure if security is the right list, but this has to do with
> allowing or denying access to a system based on expiration date, which
> I consider relevant to security.
>
> Does anyone know how to make sshd2 check user expiration dates?
>
> I did a quick test, and telnet, pop3, ftpd and sshd1 all do NOT allow a
> user with an expired account to login.
> sshd2 however does.
>
> By expired I mean field 7 in master.passwd file having a number that is
> between 0 and the current time in seconds exclusive.
>
> I am running FreeBSD 3.2-stable (a few days old)
>
> I installed ssh via installing /usr/ports/security/ssh and then
> /usr/ports/security/ssh2 (that way I have all the ssh1 stuff for
> compatibility). I haven't touched the configs much, if at all. I looked
> through the man page and config files real quick and didn't see anything
> about user expiration dates. It is 3am, so I could have easily missed
> something. Anyone with any ideas or experience with this, any help would
> be appreciated. I would really prefer not to have to hack something odd
> together to support expiration dates.

This is a shot in the dark but I would suggest playing with the
"UseLogin" parameter in the /etc/sshd_config file.

/-------------------------------------------------------------------------/
Experience is something you don't get until just after you need it.
finger bigby@shiva.eu.org for my pgpkey
e-mail bigby@pager.shiva.eu.org to page me
/-------------------------------------------------------------------------/


From owner-freebsd-security Thu Aug 12 8:44:29 1999
Date: Thu, 12 Aug 1999 09:39:56 -0600 (MDT)
From: Paul Hart
To: Nick Rogness
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> > what rules should I add to my ipfw ruleset to block out icmp
> > floods and smurf attacks, etc thanks.
>
> For smurf attacks, I've done it 2 different ways before, assuming
> your local net is 192.168.0.0/24:
>
> # Permit traffic from local net 192.168.0.0/24 to broadcast addr.
> ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
> # Deny log traffic from outside local net to local broadcast
> ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0

Doesn't that just stop you from being used as a smurf amplifier? I
think the original poster wanted to know how to defend against being a
smurf victim, which is much more difficult. The best resources I've
seen for understanding smurf attacks are:

    http://users.quadrunner.com/chuegen/smurf.cgi
    http://www.netscan.org/
    http://www.powertech.no/smurf/

Defending against smurf attacks is hard because by the time you receive
the smurf traffic on your network, much of the damage has already been
done. And believe me, you WILL notice that something is happening when
you're feeling the brunt of a 60 Mb/s sustained smurf attack. :-)

Paul Hart

--
Paul Robert Hart        ><8>   ><8>   ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>   ><8>   ><8>        http://www.iserver.com/


From owner-freebsd-security Thu Aug 12 9:20:46 1999
Date: Thu, 12 Aug 1999 17:49:25 +0200 (CEST)
From: A.Leidinger@WJPServer.CS.Uni-SB.de
To: Bigby Findrake
Cc: chrisk@tpgi.com.au, freebsd-security@FreeBSD.ORG
Subject: Re: SSH on FreeBSD.
Message-Id: <199908121549.RAA01161@work.net.local>

On 12 Aug, Bigby Findrake wrote:

>> Would it be possible to setup my FreeBSD boxes to work in a similar way
>> to r* utils, so I can do ssh myhost.mydomain.com and be presented with
>> a shell on the remote machine, with the appropriate authentication
>> pre-configured?
>
> Sure. I do it. What I do is use RSA keys. Use the ssh-keygen utility
> that installs with the ssh package to generate an RSA key for a user.
> When it prompts you for a password for the RSA key, hit return. By
> default this installs the key pair (public & private) into
> $HOME/.ssh/{identity,identity.pub}. Put the public key
> ($HOME/.ssh/identity.pub) into the target machine, in the target user's
> $HOME/.ssh/authorized_keys. Make sure the target machine is running
> sshd, and that /etc/sshd_config says "RSAAuthentication yes". Now you
> can ssh from the source machine to the target machine without a
> password IF you didn't specify a password for the RSA key on the source
> machine.

If you didn't want to use it from a cronjob (or anything other
non-interactive) you could use ssh-agent and ssh-add. I've configured
my xdm-login to start my X session with ssh-agent. In my .xsession I
have the ssh-add command, it asks me at login time for my password for
the RSA key.

/usr/X11R6/lib/X11/xdm/Xsession:
[...]
---snip---
startup=$HOME/.xsession
resources=$HOME/.Xresources
if [ -f "$startup" ]; then
        exec ssh-agent "$startup"
else
        if [ -f "$resources" ]; then
                xrdb -load "$resources"
        fi
        exec ssh-agent xsm
fi
---snip---

$HOME/.xsession:
---snip---
#!/bin/sh
# loading default X resources
xrdb -merge .Xresources
# ssh-passwd: only run ssh-add when this session was started under ssh-agent
if [ -n "$SSH_AGENT_PID" ]; then
        ssh-add >/dev/null 2>&1
fi
---snip---

> host1> tar -czf - /file1 /file2 | ssh host2 -l some_user "cd /backup_dir \
> ; tar -xzf -"

What about "ssh username@host2 ..."?

Bye,
Alexander.

P.S.: It's also possible to use it in a non-interactive environment,
but you have to do tricky/nasty things.

--
Animal testing is futile: they always get nervous and give the wrong answers.
http://netchild.home.pages.de A.Leidinger+Home @ WJPServer.CS.Uni-SB.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 12 9:52:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from relay.veriguard.com (relay.securify.com [207.5.63.61]) by hub.freebsd.org (Postfix) with ESMTP id 25FA815845 for ; Thu, 12 Aug 1999 09:52:12 -0700 (PDT) (envelope-from tomb@securify.com) Received: by relay.veriguard.com; id JAA02394; Thu, 12 Aug 1999 09:51:26 -0700 (PDT) Received: from unknown(10.5.63.6) by relay.veriguard.com via smap (4.1) id xma002389; Thu, 12 Aug 99 09:51:14 -0700 Received: from beetroot.securify.com (beetroot.securify.com [10.5.63.102]) by dude.veriguard.com (8.8.7/8.8.7) with SMTP id JAA02289; Thu, 12 Aug 1999 09:51:12 -0700 Received: by beetroot.securify.com with Microsoft Mail id <01BEE4A6.75DBDD80@beetroot.securify.com>; Thu, 12 Aug 1999 09:38:40 -0700 Message-ID: <01BEE4A6.75DBDD80@beetroot.securify.com> From: Tom Brown To: Nick Rogness , "'Paul Hart'" Cc: "freebsd-security@FreeBSD.ORG" Subject: RE: ipfw Date: Thu, 12 Aug 1999 09:38:39 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You can add a rule to block incoming ICMP replies but it's kind of = convenient to have ping. I get fine results by using natd with the -d = option that way you can still ping but incoming traffic is rejected = unless it was initialized from within, though not much help if it is a = "client" ipfw on a single box. Tom ---------- From: Paul Hart Sent: Thursday, August 12, 1999 2:40 AM To: Nick Rogness Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw On Thu, 12 Aug 1999, Nick Rogness wrote: > > what rules should I add to my ipfw ruleset to block out icmp=20 > > floods and smurf attacts, etc thanks. 
>=20 > For smurf attacks, I've done it 2 different ways before, assuming > your local net is 192.168.0.0/24: >=20 > # Permit traffic from local net 192.168.0.0/24 to broadcast addr. > ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32 > # Deny log traffic from outside local net to local broadcast > ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0 Doesn't that just stop you from being used as a smurf amplifier? I = think the original poster wanted to know how to defend against being a smurf victim, which is much more difficult. The best resources I've seen for understanding smurf attacks are: http://users.quadrunner.com/chuegen/smurf.cgi http://www.netscan.org/ http://www.powertech.no/smurf/ Defending against smurf attacks is hard because by the time you receive the smurf traffic on your network, much of the damage has already been done. And believe me, you WILL notice that something is happening when you're feeling the brunt of a 60 Mb/s sustained smurf attack. :-)=20 Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. 
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 12 10: 6:24 1999 Delivered-To: freebsd-security@freebsd.org Received: from relay.veriguard.com (relay.securify.com [207.5.63.61]) by hub.freebsd.org (Postfix) with ESMTP id 15D2F1581B for ; Thu, 12 Aug 1999 10:06:12 -0700 (PDT) (envelope-from tomb@securify.com) Received: by relay.veriguard.com; id KAA03199; Thu, 12 Aug 1999 10:05:26 -0700 (PDT) Received: from unknown(10.5.63.6) by relay.veriguard.com via smap (4.1) id xma003195; Thu, 12 Aug 99 10:05:19 -0700 Received: from beetroot.securify.com (beetroot.securify.com [10.5.63.102]) by dude.veriguard.com (8.8.7/8.8.7) with SMTP id KAA02456 for ; Thu, 12 Aug 1999 10:05:18 -0700 Received: by beetroot.securify.com with Microsoft Mail id <01BEE4A8.6FE3EEC0@beetroot.securify.com>; Thu, 12 Aug 1999 09:52:49 -0700 Message-ID: <01BEE4A8.6FE3EEC0@beetroot.securify.com> From: Tom Brown To: "'freebsd-security@freebsd.org'" Subject: "Secure-FreeBSD" Idea Date: Thu, 12 Aug 1999 09:52:48 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org HI, Just come back from "websec" which was a bit dull, but I did get the = feeling whilst fighting off the sleep that there is a really good = opening for a quality secure O/S. =20 Now realistically all this would have to be is a really anal = installation process, forcing the user to positively select services = such as ftp,telnet, sendmail etc. So if you don't select anything, you = can't much. It would also have carefully set UMASKS and probably come = with some easy way to get the user to set-up tripwire and ipfw for = example. 
I suspect that most of the readers of this list spend a fair amount of = time going through the same laborious process of tying down each server = they built. How about we pools this vast collection of procedures = together and try to build some kind of a security release. We all know = (well at least I hope we do!) what a solid O/S FreeBSD is, wouldn't this = be the ideal opportunity, to push the OS further into the public eye? Tom To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 12 11: 2:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (Postfix) with SMTP id 9ABFA14E91 for ; Thu, 12 Aug 1999 11:02:11 -0700 (PDT) (envelope-from andrewr@slack.net) Received: (qmail 3498 invoked by uid 1077); 12 Aug 1999 17:57:05 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Aug 1999 17:57:05 -0000 Date: Thu, 12 Aug 1999 13:57:05 -0400 (EDT) From: andrewr To: Tom Brown Cc: "'freebsd-security@freebsd.org'" Subject: Re: "Secure-FreeBSD" Idea In-Reply-To: <01BEE4A8.6FE3EEC0@beetroot.securify.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I believe myself as well as a few others have had this idea and, basically, when we attempted to start such a project up, many people said "Yah,sure Id help"...but the bottom line is, we're all too busy ;) Andrew On Thu, 12 Aug 1999, Tom Brown wrote: > HI, > > Just come back from "websec" which was a bit dull, but I did get the feeling whilst fighting off the sleep that there is a really good opening for a quality secure O/S. > > Now realistically all this would have to be is a really anal installation process, forcing the user to positively select services such as ftp,telnet, sendmail etc. 
So if you don't select anything, you can't much. It would also have carefully set UMASKS and probably come with some easy way to get the user to set-up tripwire and ipfw for example. > > I suspect that most of the readers of this list spend a fair amount of time going through the same laborious process of tying down each server they built. How about we pools this vast collection of procedures together and try to build some kind of a security release. We all know (well at least I hope we do!) what a solid O/S FreeBSD is, wouldn't this be the ideal opportunity, to push the OS further into the public eye? > > Tom > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 12 11:10:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from tasam.com (tasam.com [206.161.83.22]) by hub.freebsd.org (Postfix) with ESMTP id 7C4D814CF3 for ; Thu, 12 Aug 1999 11:10:30 -0700 (PDT) (envelope-from clash@tasam.com) Received: from bug (209-122-238-170.s170.tnt2.lnh.md.dialup.rcn.com [209.122.238.170]) by tasam.com (8.9.3/8.9.1) with SMTP id OAA09033; Thu, 12 Aug 1999 14:10:34 -0400 (EDT) Message-ID: <009101bee4ed$f01395b0$0286860a@tasam.com> From: "Joe Gleason" To: "Bigby Findrake" Cc: References: Subject: Re: making sshd2 check user expiration dates Date: Thu, 12 Aug 1999 14:08:43 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Thu, 12 Aug 1999, Joe Gleason wrote: > > > I'm not sure if security is the right list, but this has to do with allowing > > or denying access to a system 
based on expiration date, which I consider > > relevant to security. > > > > Does anyone know how to make sshd2 check user expiration dates? > > > > I did a quick test, and telnet, pop3, ftpd and sshd1 all do NOT allow a user > > with an expired account to login. > > sshd2 however does. > > > > By expired I mean field 7 in master.passwd file having a number that is > > between 0 and the current time in seconds exclusive. > > > > I am running FreeBSD 3.2-stable (a few days old) > > > > I installed ssh via installing /usr/ports/security/ssh and then > > /usr/ports/security/ssh2 (that way I have all the ssh1 stuff for > > compatibility). I haven't touched the config's much, if at all. I looked > > through the man page and config files real quick and didn't see anything > > about user expiration dates. It is 3am, so I could have easily missed > > something. Anyone with any ideas of experience with this, any help would be > > appreicated. I would really prefer not to have to hack something odd > > togather to support expiration dates. > > This is a shot in the dark but I would suggest playing with the "UseLogin" > parameter in the /etc/sshd_config file. > My sshd_config is in /usr/local/etc, but that is unimportant. I'm pretty sure sshd_config is for sshd1 only. sshd2 has it's own config: /usr/local/etc/ssh2/sshd2_config In my tests, sshd1 works fine, even with the UseLogin option off. sshd2_config doesn't mention anything like that. If I remember correct from expermination I did back in the 2.2.x days, UseLogin for sshd1 was required only to get login class restrictions to work. I could be mistaken about that. 
Joe Gleason Tasam To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 12 12:33:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id EB32314D54 for ; Thu, 12 Aug 1999 12:33:41 -0700 (PDT) (envelope-from nick@rapidnet.com) Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id NAA63946; Thu, 12 Aug 1999 13:33:40 -0600 (MDT) Date: Thu, 12 Aug 1999 13:33:40 -0600 (MDT) From: Nick Rogness To: Tom Brown Cc: "'Paul Hart'" , "freebsd-security@FreeBSD.ORG" Subject: RE: ipfw In-Reply-To: <01BEE4A6.75DBDD80@beetroot.securify.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 12 Aug 1999, Tom Brown wrote: > > > what rules should I add to my ipfw ruleset to block out icmp > > > floods and smurf attacts, etc thanks. > > > > For smurf attacks, I've done it 2 different ways before, assuming > > your local net is 192.168.0.0/24: > > > > # Permit traffic from local net 192.168.0.0/24 to broadcast addr. > > ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32 > > # Deny log traffic from outside local net to local broadcast > > ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0 > > Doesn't that just stop you from being used as a smurf amplifier? I think > the original poster wanted to know how to defend against being a smurf > victim, which is much more difficult. The best resources I've seen for No this DENIES anyone from outside trying to hit the broadcast on your local net. How are they suppose to hit your broadcast if it is blocked at your gateways? I was assuming that this FreeBSD machine IS the 'gateway' to his internal network and there was no other path into his local net. 
In the example I gave de0 is the outside interface to the world and his
entire LAN is behind that. That will stop Smurf & Fraggle attacks from
outside to his Local LAN. This attack should be blocked on ALL outside
gateways or your local net will get nailed.

I'm not concerned with anyone from the local LAN smurf attacking the local
LAN because they will be affected just as well. However, you could add ipfw
entries to DETECT this activity, but not block it.

*******************************************************************
Nick Rogness                    Shaw's Principle:
System Administrator            Build a system that even a fool
RapidNet, INC                   can use, and only a fool will
nick@rapidnet.com               want to use it.
*******************************************************************

From owner-freebsd-security Thu Aug 12 12:41:11 1999
Date: Thu, 12 Aug 1999 14:41:18 -0500 (CDT)
From: Chris Malayter
To: "freebsd-security@FreeBSD.ORG"
Subject: RE: ipfw

In order to truly isolate your LAN, you would need to propagate those rules
to your upstream provider's border router. Since, if it makes it to your
gateway, your link is essentially saturated. In my experience anyway.
Regards,

Chris Malayter
Mustang@TeraHertz.Net
-------------------------------------------------------------------------
Administrator, TeraHertz Communications            | InterNIC CM3647
Chief Engineer - 95.1 WVUR - Valparaiso, Indiana   |
-------------------------------------------------------------------------
"Behavior is hard to change...but character is nearly impossible"

On Thu, 12 Aug 1999, Nick Rogness wrote:

> On Thu, 12 Aug 1999, Tom Brown wrote:
>
> > > > what rules should I add to my ipfw ruleset to block out icmp
> > > > floods and smurf attacks, etc thanks.
> > >
> > > For smurf attacks, I've done it 2 different ways before, assuming
> > > your local net is 192.168.0.0/24:
> > >
> > > # Permit traffic from local net 192.168.0.0/24 to broadcast addr.
> > > ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
> > > # Deny log traffic from outside local net to local broadcast
> > > ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0
> >
> > Doesn't that just stop you from being used as a smurf amplifier? I think
> > the original poster wanted to know how to defend against being a smurf
> > victim, which is much more difficult. The best resources I've seen for
>
> No, this DENIES anyone from outside trying to hit the broadcast on
> your local net. How are they supposed to hit your broadcast if it
> is blocked at your gateways? I was assuming that this FreeBSD
> machine IS the 'gateway' to his internal network and there was no
> other path into his local net. In the example I gave de0 is the
> outside interface to the world and his entire LAN is behind that.
> That will stop Smurf & Fraggle attacks from outside to his Local
> LAN. This attack should be blocked on ALL outside gateways or
> your local net will get nailed.
>
> I'm not concerned with anyone from the local LAN smurf attacking
> the local LAN because they will be affected just as well.
> However, you could add ipfw entries to DETECT this activity, but
> not block it.
>
> *******************************************************************
> Nick Rogness                    Shaw's Principle:
> System Administrator            Build a system that even a fool
> RapidNet, INC                   can use, and only a fool will
> nick@rapidnet.com               want to use it.
> *******************************************************************

From owner-freebsd-security Thu Aug 12 13: 2:31 1999
Date: Thu, 12 Aug 1999 14:00:10 -0600 (MDT)
From: Paul Hart
Reply-To: Paul Hart
To: Nick Rogness
Cc: freebsd-security@freebsd.org
Subject: RE: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> No this DENIES anyone from outside trying to hit the broadcast on your
> local net. How are they suppose to hit your broadcast if it is blocked
> at your gateways?

... and that means that you won't be used as a smurf amplifier, as I said.

> That will stop Smurf & Fraggle attacks from outside to his Local LAN.
There are three parties involved in a smurf attack -- the attacker, one or
more amplifiers, and the victim. Blocking outside packets directed at the
broadcast address does not prevent yourself from being a smurf victim! Read
up on how the attack works:

http://users.quadrunner.com/chuegen/smurf.cgi

When you play the victim in a smurf attack you get hit by packets to a
specific address of yours coming from hundreds (maybe even thousands) of
remote machines. How will filtering packets from the outside to the
broadcast addresses deflect anything? Better yet, how will filtering
*anything* at your site stop the attack? By the time the packets make it to
your firewall, your external bandwidth is already saturated and you're
toasted before you can react and there's very little you can do about it.
That's what makes the attack so insidious -- it works because thousands of
amplifier networks exist on the Internet and you (the victim) have no
control over them to get them fixed.

We've been hit here before by smurf attacks in excess of 60 Mb/s that
lasted several hours, and yes, they really suck. :-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/

From owner-freebsd-security Thu Aug 12 14: 8:58 1999
Message-ID: <01BEE4CA.388639C0@beetroot.securify.com>
From: Tom Brown
To: Nick Rogness, "'Paul Hart'"
Cc: "freebsd-security@FreeBSD.ORG"
Subject: RE: ipfw
Date: Thu, 12 Aug 1999 13:54:38 -0700

What is said about the pings arriving at the gateway is true. There is
nothing you can do about your bandwidth being saturated but you can at
least take action to protect your hosts from the storm.

----------
From: Paul Hart
Sent: Thursday, August 12, 1999 7:00 AM
To: Nick Rogness
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> No this DENIES anyone from outside trying to hit the broadcast on your
> local net. How are they suppose to hit your broadcast if it is blocked
> at your gateways?

...
and that means that you won't be used as a smurf amplifier, as I said.

> That will stop Smurf & Fraggle attacks from outside to his Local LAN.

There are three parties involved in a smurf attack -- the attacker, one or
more amplifiers, and the victim. Blocking outside packets directed at the
broadcast address does not prevent yourself from being a smurf victim! Read
up on how the attack works:

http://users.quadrunner.com/chuegen/smurf.cgi

When you play the victim in a smurf attack you get hit by packets to a
specific address of yours coming from hundreds (maybe even thousands) of
remote machines. How will filtering packets from the outside to the
broadcast addresses deflect anything? Better yet, how will filtering
*anything* at your site stop the attack? By the time the packets make it to
your firewall, your external bandwidth is already saturated and you're
toasted before you can react and there's very little you can do about it.
That's what makes the attack so insidious -- it works because thousands of
amplifier networks exist on the Internet and you (the victim) have no
control over them to get them fixed.

We've been hit here before by smurf attacks in excess of 60 Mb/s that
lasted several hours, and yes, they really suck. :-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/

From owner-freebsd-security Thu Aug 12 14:15:58 1999
Message-ID: <01BEE4CB.26C21460@beetroot.securify.com>
From: Tom Brown
To: Tom Brown, "'andrewr'"
Cc: "'freebsd-security@freebsd.org'"
Subject: "Secure-FreeBSD" Idea should be paid for and marketed by Walnut Creek
Date: Thu, 12 Aug 1999 14:01:17 -0700

I know exactly where this is going and you're quite right. If 'we' the
contributors did it then it would take time out of our schedules.

But this would best be marketed by walnut creek, they should pay for it to
happen and launch it as another packaged item, you know the kind of thing
'nice bunch of CD's with some flashy graphics'. I reckon it would be a
sound investment and could if pushed correctly sell by the bucket load.
Tom

----------
From: andrewr
Sent: Thursday, August 12, 1999 6:57 AM
To: Tom Brown
Cc: 'freebsd-security@freebsd.org'
Subject: Re: "Secure-FreeBSD" Idea

I believe myself as well as a few others have had this idea and,
basically, when we attempted to start such a project up, many people said
"Yah, sure I'd help"...but the bottom line is, we're all too busy ;)

Andrew

On Thu, 12 Aug 1999, Tom Brown wrote:

> HI,
>
> Just come back from "websec" which was a bit dull, but I did get the
> feeling whilst fighting off the sleep that there is a really good
> opening for a quality secure O/S.
>
> Now realistically all this would have to be is a really anal
> installation process, forcing the user to positively select services
> such as ftp, telnet, sendmail etc. So if you don't select anything, you
> can't much. It would also have carefully set UMASKS and probably come
> with some easy way to get the user to set-up tripwire and ipfw for
> example.
>
> I suspect that most of the readers of this list spend a fair amount of
> time going through the same laborious process of tying down each server
> they built. How about we pool this vast collection of procedures
> together and try to build some kind of a security release. We all know
> (well at least I hope we do!) what a solid O/S FreeBSD is, wouldn't this
> be the ideal opportunity, to push the OS further into the public eye?
>
> Tom
>

From owner-freebsd-security Thu Aug 12 15:39:21 1999
To: Tom Brown
Cc: "'andrewr'", "'freebsd-security@freebsd.org'"
Subject: Re: "Secure-FreeBSD" Idea should be paid for and marketed by Walnut Creek
In-reply-to: Your message of "Thu, 12 Aug 1999 14:01:17 PDT." <01BEE4CB.26C21460@beetroot.securify.com>
Date: Thu, 12 Aug 1999 15:37:26 -0700
Message-ID: <25442.934497446@localhost>
From: "Jordan K. Hubbard"

> But this would best be marketed by walnut creek, they should pay for it to ha
> ppen and launch it as another packaged item, you know the kind of thing 'nice b

We don't have the time or money either. Well, we sorta have the money, but
we definitely don't have the time.
:)

- Jordan

From owner-freebsd-security Thu Aug 12 16:21:13 1999
Date: Fri, 13 Aug 1999 03:18:14 +0400
From: "Mikhail A. Sokolov"
To: Tom Brown
Cc: "'freebsd-security@freebsd.org'"
Subject: Re: "Secure-FreeBSD" Idea
Message-ID: <19990813031813.A94114@demos.su>
References: <01BEE4A8.6FE3EEC0@beetroot.securify.com>
In-Reply-To: <01BEE4A8.6FE3EEC0@beetroot.securify.com>; from Tom Brown on Thu, Aug 12, 1999 at 09:52:48AM -0700
X-Point-of-View: Gravity is myth, - the earth sucks.

On Thu, Aug 12, 1999 at 09:52:48AM -0700, Tom Brown wrote:
# HI,
#
# Now realistically all this would have to be is a really anal installation
# process, forcing the user to positively select services such as ftp,
# telnet, sendmail etc. So if you don't select anything, you can't much.
# It would also have carefully set UMASKS and probably come with some easy
# way to get the user to set-up tripwire and ipfw for example.
#
# I suspect that most of the readers of this list spend a fair amount of
# time going through the same laborious process of tying down each server
# they built. How about we pool this vast collection of procedures together
# and try to build some kind of a security release. We all know (well at
# least I hope we do!) what a solid O/S FreeBSD is, wouldn't this be the
# ideal opportunity, to push the OS further into the public eye?

Robert Watson has some tools, which are supposed to be bringing standard
system install to somewhat more secure state, it was under the idea of
'the freebsd hardening project'. I guess he reads this list and could
comment, actually.

#
# Tom

--
-mishania

P.S. Please wrap lines when composing mails.

From owner-freebsd-security Thu Aug 12 17:41:32 1999
Message-ID: <71281E6E6644D311882F005004D16880396C@camel.local.mha.ca>
From: Vincent Power
To: "'freebsd-security@freebsd.org'"
Cc: "'firewalls@lists.gnac.net'"
Subject: Question on ipfw
Date: Thu, 12 Aug 1999 17:39:44 -0700

How do you specify a range of ports with ipfw, example 1024-65535?
like in

/sbin/ipfw add allow all from 192.168.0.0:255.255.0.0 1024-65535 to any via xl0

Regards,

Vincent Power
System Administrator
Macdonald Harris & Associates

From owner-freebsd-security Thu Aug 12 17:56:15 1999
Message-Id: <4.2.0.58.19990812185216.043c1160@localhost>
Date: Thu, 12 Aug 1999 18:54:16 -0600
To: security@freebsd.org
From: Brett Glass
Subject: Another SMTP name-guessing attack

Yesterday, one of the hosts I administer was subjected to an account name
guessing attack. The attack does not appear to have been mounted via the
program previously mentioned on Bugtraq, but rather by a new program and/or
by a homebrew script. Here's what the logs look like (I've changed the name
of the host that was attacked, but nothing else):

Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: ... User unknown
Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:01 myhost sendmail[5119]: VAA05119: ... User unknown
Aug 11 21:16:01 myhost sendmail[5120]: VAA05120: ... User unknown
Aug 11 21:16:02 myhost sendmail[5119]: VAA05119: ... User unknown
Aug 11 21:16:02 myhost sendmail[5120]: VAA05120: ... User unknown
Aug 11 21:16:06 myhost sendmail[5120]: VAA05120: ... User unknown
Aug 11 21:16:07 myhost sendmail[5119]: VAA05119: ... User unknown
Aug 11 21:16:07 myhost sendmail[5126]: VAA05126: ... User unknown
Aug 11 21:16:08 myhost sendmail[5126]: VAA05126: ... User unknown
Aug 11 21:16:10 myhost sendmail[5126]: VAA05126: ... User unknown
Aug 11 21:16:10 myhost sendmail[5135]: VAA05135: ... User unknown
Aug 11 21:16:11 myhost sendmail[5137]: VAA05137: ... User unknown
Aug 11 21:16:11 myhost sendmail[5131]: VAA05131: <3@myhost.com>... User unknown
Aug 11 21:16:12 myhost sendmail[5132]: VAA05132: ... User unknown
Aug 11 21:16:12 myhost sendmail[5126]: VAA05126: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5131]: VAA05131: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5137]: VAA05137: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5138]: NOQUEUE: Null connection from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5135]: VAA05135: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5137]: VAA05137: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5131]: VAA05131: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5135]: VAA05135: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5126]: VAA05126: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5136]: VAA05136: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5136]: VAA05136: from=, size=0, class=0, pri=0, nrcpts=1, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5132]: VAA05132: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5132]: VAA05132: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5145]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)": Broken pipe
Aug 11 21:16:13 myhost sendmail[5145]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you": Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)": Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you": Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: Null connection from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5148]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)": Broken pipe
Aug 11 21:16:13 myhost sendmail[5148]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you": Broken pipe
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "550 ... User unknown": Broken pipe
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: ... User unknown

In short, it's guessing at common first and last names -- alone and with
the digits 1 through 5 appended. It's making a separate connection for each
name but is trying the combinations with appended digits on the same
connection as the "bare" name. It doesn't seem to be sending more RCPT TO:
commands until it receives the results of earlier ones, nor does it seem to
send more than 6 commands per connection -- clearly an attempt to get by
the preventive measures installed to defeat earlier scans of this kind.

Has anyone else seen this style of attack, or are we honored to be the
first? Any ideas on how to patch Sendmail to thwart it? (FreeBSD's
particular configuration for Sendmail seems particularly susceptible to
this because it imposes a limit on connections; all legitimate mail stopped
during the attack.)

--Brett Glass

From owner-freebsd-security Thu Aug 12 20:31:41 1999
From: "James Gill"
To: "Tom Brown", "'andrewr'"
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: "Secure-FreeBSD" Idea
Date: Thu, 12 Aug 1999 23:27:24 -0400
In-Reply-To:
<01BEE4CB.26C21460@beetroot.securify.com>

Wait, wasn't the NetBSD project kinda the same thing from day one? If we've
got a sibling OS out there that is totally focused on security, then
shouldn't we work together to make them more alike?

I am just getting into this scene, but I was thinking of running NetBSD on
a firewall and FreeBSD on a public server for both security and
edutainment value.

I digress... what's the feasibility of comarketing the two OSes? I am not
the most knowledgeable as to the whole concept and direction of FreeBSD,
but perhaps fbsd could take a tack more aimed at what it seems to currently
do well, large and powerful servers, and nbsd take the hardened OS tack.

TOGETHER WE COULD RULE THE WORLD! (or at least have root access)

#i'm sure that *nobody* has *ever* thought of this before, huh?

--gill

>
> I know exactly where this is going and you're quite right.
> If 'we' the contributors did it then it would take time out
> of our schedules.
>
> But this would best be marketed by walnut creek, they
> should pay for it to happen and launch it as another
> packaged item, you know the kind of thing 'nice bunch of
> CD's with some flashy graphics'. I reckon it would be a
> sound investment and could if pushed correctly sell by the
> bucket load.
>
> Tom
>
> ----------
> From: andrewr
> Sent: Thursday, August 12, 1999 6:57 AM
> To: Tom Brown
> Cc: 'freebsd-security@freebsd.org'
> Subject: Re: "Secure-FreeBSD" Idea
>
>
> I believe myself as well as a few others have had this idea and,
> basically, when we attempted to start such a project up,
> many people said
> "Yah, sure I'd help"...but the bottom line is, we're all too busy ;)
>
> Andrew
>
> On Thu, 12 Aug 1999, Tom Brown wrote:
>
> > HI,
> >
> > Just come back from "websec" which was a bit dull, but I
> did get the feeling whilst fighting off the sleep that
> there is a really good opening for a quality secure O/S.
> >
> > Now realistically all this would have to be is a really
> anal installation process, forcing the user to positively
> select services such as ftp, telnet, sendmail etc. So if
> you don't select anything, you can't much. It would also
> have carefully set UMASKS and probably come with some easy
> way to get the user to set-up tripwire and ipfw for example.
> >
> > I suspect that most of the readers of this list spend a
> fair amount of time going through the same laborious
> process of tying down each server they built. How about we
> pool this vast collection of procedures together and try
> to build some kind of a security release. We all know (well
> at least I hope we do!) what a solid O/S FreeBSD is,
> wouldn't this be the ideal opportunity, to push the OS
> further into the public eye?
> >
> > Tom
> >
> >
>

From owner-freebsd-security Thu Aug 12 21: 5:25 1999
Date: Thu, 12 Aug 1999 22:04:29 -0600 (MDT)
From: Nick Rogness
To: Vincent Power
Cc: "'freebsd-security@freebsd.org'", "'firewalls@lists.gnac.net'"
Subject: Re: Question on ipfw
In-Reply-To: <71281E6E6644D311882F005004D16880396C@camel.local.mha.ca>

On Thu, 12 Aug 1999, Vincent Power wrote:

> How do you specify a range of ports with ipfw, example 1024-65535?
>
> like in
> /sbin/ipfw add allow all from 192.168.0.0:255.255.0.0 1024-65535 to any
> via xl0

ipfw add 30000 allow udp from 192.168.0.0/16 1024-65535 to any via xl0
ipfw add 30001 allow tcp from 192.168.0.0/16 1024-65535 to any via xl0

*******************************************************************
Nick Rogness                    Shaw's Principle:
System Administrator            Build a system that even a fool
RapidNet, INC                   can use, and only a fool will
nick@rapidnet.com               want to use it.
*******************************************************************

From owner-freebsd-security Thu Aug 12 21:25:50 1999
Date: Fri, 13 Aug 1999 01:24:54 -0300 (ADT)
From: Michael Richards <026809r@dragon.acadiau.ca>
To: "Mikhail A. Sokolov"
Cc: Tom Brown, "'freebsd-security@freebsd.org'"
Subject: Re: "Secure-FreeBSD" Idea
In-Reply-To: <19990813031813.A94114@demos.su>

On Fri, 13 Aug 1999, Mikhail A. Sokolov wrote:

> On Thu, Aug 12, 1999 at 09:52:48AM -0700, Tom Brown wrote:
> # HI,
> #
> # Now realistically all this would have to be is a really anal
> # installation process, forcing the user to positively select services
> # such as ftp, telnet, sendmail etc. So if you don't select anything,
> # you can't much. It would also have carefully set UMASKS and probably
> # come with some easy way to get the user to set-up tripwire and ipfw
> # for example.
> #
> # I suspect that most of the readers of this list spend a fair amount of
> # time going through the same laborious process of tying down each
> # server they built. How about we pool this vast collection of
> # procedures together and try to build some kind of a security release.
> # We all know (well at least I hope we do!) what a solid O/S FreeBSD is,
> # wouldn't this be the ideal opportunity, to push the OS further into
> # the public eye?
>
> Robert Watson has some tools, which are supposed to be bringing standard
> system install to somewhat more secure state, it was under the idea
> of 'the freebsd hardening project'. I guess he reads this list and could
> comment, actually.

I was toying with this idea too. People often say when comparing FreeBSD
and Linux that "FreeBSD is harder to install." Although I don't agree with
that statement, I had to take note of how easy my install of BeOS went.
Basically I popped the CD in, selected the partition and hit install. It
whirled, rebooted and presto, I was running Be.

How about presenting the user with a few choices:
a) web server
b) POP server
c) firewall
... etc.

Then automagically do up a complete whatever install. This way, when Joe
in the office gets pissed with NT and IIS, he can sit down and have a fully
running web server in 15 minutes and a few keystrokes. Who says it's easy
to install NT and IIS because it's all GUI? I believe it's just as easy to
do without all kinds of graphic animated bloat.
-Michael

From owner-freebsd-security Thu Aug 12 21:28:19 1999
Date: Fri, 13 Aug 1999 00:24:17 -0400
From: "James Gill"
To: "User SCARR", "James Gill"
Cc: "Tom Brown", "'andrewr'"
Subject: RE: "Secure-FreeBSD" Idea

>
> I'm amazed nobody has mentioned OpenBSD yet. I literally just installed
> 2.5 today on a second box I have, and it's very nice. The install is
> relatively trouble free compared to other releases (like 2.4 etc).
>
> On Thu, 12 Aug 1999, James Gill wrote:
>
> > Wait, wasn't the NetBSD project kinda the same thing from day one?

I sit corrected, I was thinking of OpenBSD when I mentioned NetBSD.
Thanks to all the ppl who caught that for me. heh...
"sending kiddies to /dev/null since 1995" heheheheee

--gill

From owner-freebsd-security Thu Aug 12 21:32:47 1999
Date: Fri, 13 Aug 1999 14:31:44 +1000 (EST)
From: Darren Reed
To: gill@topsecret.net (James Gill)
Cc: tomb@securify.com, andrewr@slack.net, freebsd-security@FreeBSD.ORG
Subject: Re: "Secure-FreeBSD" Idea
Message-Id: <199908130431.OAA23238@cheops.anu.edu.au>
In-Reply-To: from "James Gill" at Aug 12, 99 11:27:24 pm

In some mail from James Gill, sie said:
[...]
> I digress... what's the feasibility of co-marketing the two OSes? I am
> not the most knowledgeable as to the whole concept and direction of
> FreeBSD, but perhaps fbsd could take a tack more aimed at what it
> seems to currently do well, large and powerful servers, and nbsd take
> the hardened OS tack. TOGETHER WE COULD RULE THE WORLD! (or at least
> have root access)

I think you've got the wrong idea. OpenBSD's prime goal is for a secure
OS. NetBSD's primary goal is stability and portability, although they seem
to discover new security problems more often than OpenBSD people do. By
that I mean problems which involve more than program X having a new buffer
overflow problem.

If you wanted my opinion of FreeBSD (and what its goals were), it would be
to be a better Linux than Linux - i.e. primarily focused on x86 support (I
don't see FreeBSD on alpha as being anything serious - especially given the
UltraSparc project failure), light weight, user friendly, etc. But maybe
that's changing.

From owner-freebsd-security Fri Aug 13 00:15:39 1999
Date: Fri, 13 Aug 1999 01:14:44 -0600
From: Warner Losh
To: Darren Reed
Cc: gill@topsecret.net (James Gill), tomb@securify.com, andrewr@slack.net, freebsd-security@FreeBSD.ORG
Subject: Re: "Secure-FreeBSD" Idea
Message-Id: <199908130714.BAA08901@harmony.village.org>
In-Reply-To: Your message of "Fri, 13 Aug 1999 14:31:44 +1000." <199908130431.OAA23238@cheops.anu.edu.au>

In message <199908130431.OAA23238@cheops.anu.edu.au> Darren Reed writes:
: NetBSD's primary goal is stability and portability although they seem
: to discover new security problems more often than OpenBSD people do. By
: that I mean problems which involve more than program X having a new buffer
: overflow problem.

Are you counting the hundreds of buffer overflows that OpenBSD fixed
to begin with? I've seen many many many more buffer overflows from
OpenBSD than from NetBSD.
Warner

From owner-freebsd-security Fri Aug 13 01:29:52 1999
Date: Fri, 13 Aug 1999 18:29:20 +1000 (EST)
From: Darren Reed
To: imp@village.org (Warner Losh)
Cc: avalon@coombs.anu.edu.au, gill@topsecret.net, tomb@securify.com, andrewr@slack.net, freebsd-security@FreeBSD.ORG
Subject: Re: "Secure-FreeBSD" Idea
Message-Id: <199908130829.SAA25334@cheops.anu.edu.au>
In-Reply-To: <199908130714.BAA08901@harmony.village.org> from "Warner Losh" at Aug 13, 99 01:14:44 am

In some mail from Warner Losh, sie said:
>
> In message <199908130431.OAA23238@cheops.anu.edu.au> Darren Reed writes:
> : NetBSD's primary goal is stability and portability although they seem
> : to discover new security problems more often than OpenBSD people do. By
> : that I mean problems which involve more than program X having a new buffer
> : overflow problem.
>
> Are you counting the hundreds of buffer overflows that OpenBSD fixed
> to begin with? I've seen many many many more buffer overflows from
> OpenBSD than from NetBSD.

No, but then buffer overflows don't really interest me. They're not hard
to find, fix or exploit. Nor are they `new'. OpenBSD's audit didn't find
the recent profil(2) bug, which the NetBSD folks did.

There are many types of security problems, and those OpenBSD have been
addressing, whilst essential and very worthy, have been simple to spot
and solve.
From owner-freebsd-security Fri Aug 13 05:45:08 1999
Date: Fri, 13 Aug 1999 07:42:27 -0500 (CDT)
From: dave
To: Michael Richards <026809r@dragon.acadiau.ca>
Cc: "Mikhail A. Sokolov", Tom Brown, "'freebsd-security@freebsd.org'"
Subject: Re: "Secure-FreeBSD" Idea

On Fri, 13 Aug 1999, Michael Richards wrote:
>
> I was toying with this idea too. People often say when comparing FreeBSD
> and Linux that "FreeBSD is harder to install." Although I don't agree with
> that statement, I had to take note of how easy my install of BeOS went.
> Basically I popped the CD in, selected the partition and hit install. It
> whirled, rebooted and presto, I was running Be.

I recently installed Redhat and FreeBSD... I am familiar with both, but the
Redhat install took 3 runs through the install process to get right, and
FreeBSD took only one... Granted, they were minor problems in Redhat that
most people wouldn't come across, but it is still one valid experience of
mine... (The FreeBSD install was more flexible than the Redhat one).
--dave

From owner-freebsd-security Fri Aug 13 06:41:13 1999
Date: Fri, 13 Aug 1999 14:31:49 +0200
From: Ollivier Robert
To: security@freebsd.org
Cc: Brett Glass
Subject: Re: Another SMTP name-guessing attack
Message-ID: <19990813143148.A73411@keltia.freenix.fr>
References: <4.2.0.58.19990812185216.043c1160@localhost>
In-Reply-To: <4.2.0.58.19990812185216.043c1160@localhost>; from Brett Glass on Thu, Aug 12, 1999 at 06:54:16PM -0600

According to Brett Glass:
> Aug 11 21:16:12 myhost sendmail[5126]: VAA05126: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]

Why do you allow dialup POPs to directly connect to your mail server? Use
the DUL system and be happy (and put others manually into your access file).

I use "maps_rbl_domains = rbl.maps.vix.com, dul.maps.vix.com".

> Has anyone else seen this style of attack, or are we honored to be the
> first? Any ideas on how to patch Sendmail to thwart it? (FreeBSD's
> particular configuration for Sendmail seems particularly susceptible to this
> because it imposes a limit on connections; all legitimate mail stopped
> during the attack.)

Use Postfix. It probably won't stop the attack (although its rate
limitations will make it far less of a problem than sendmail) but you'll get
legitimate mail across.

PS: your lines are far too long, please cut them down.
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999

From owner-freebsd-security Fri Aug 13 08:09:37 1999
Date: Fri, 13 Aug 1999 09:07:28 -0600
From: Warner Losh
To: Darren Reed
Cc: gill@topsecret.net, tomb@securify.com, andrewr@slack.net, freebsd-security@FreeBSD.ORG
Subject: Re: "Secure-FreeBSD" Idea
Message-Id: <199908131507.JAA10483@harmony.village.org>
In-Reply-To: Your message of "Fri, 13 Aug 1999 18:29:20 +1000." <199908130829.SAA25334@cheops.anu.edu.au>

In message <199908130829.SAA25334@cheops.anu.edu.au> Darren Reed writes:
: No, but then buffer overflows don't really interest me.
: They're not hard to find, fix or exploit. Nor are they `new'. OpenBSD's
: audit didn't find the recent profil(2) bug, which the NetBSD folks did.

There are many other examples that the folks working on OpenBSD have done.
Randomizing things (pids, socket endpoints, tcp and IP sequences, etc),
killing races, etc are all things that were implemented early on in OpenBSD
and the other BSDs have played catchup. NetBSD has also found some
interesting problems, but to characterize the number and type of them as
much greater than OpenBSD is disingenuous.

Warner

From owner-freebsd-security Fri Aug 13 08:47:35 1999
Date: Sat, 14 Aug 1999 01:43:57 +1000 (EST)
From: Darren Reed
To: dave@comsite.net (dave)
Cc: 026809r@dragon.acadiau.ca, mishania@demos.net, tomb@securify.com, freebsd-security@FreeBSD.ORG
Subject: Re: "Secure-FreeBSD" Idea
Message-Id: <199908131543.BAA28035@cheops.anu.edu.au>
In-Reply-To: from "dave" at Aug 13, 99 07:42:27 am

In some mail from dave, sie said:
>
> On Fri, 13 Aug 1999, Michael Richards wrote:
> >
> > I was toying with this idea too. People often say when comparing FreeBSD
> > and Linux that "FreeBSD is harder to install." Although I don't agree with
> > that statement, I had to take note of how easy my install of BeOS went.
> > Basically I popped the CD in, selected the partition and hit install.
> > It whirled, rebooted and presto, I was running Be.
>
> I recently installed Redhat and FreeBSD... I am familiar with both, but the
> Redhat install took 3 runs through the install process to get right, and
> FreeBSD took only one... Granted, they were minor problems in Redhat that
> most people wouldn't come across, but it is still one valid experience of
> mine... (The FreeBSD install was more flexible than the Redhat one).

Be careful when trying to compare people's experience with Linux installs.
"Linux" is rather obscure in this subject - what you need to know is whether
or not it is Debian or Caldera or Redhat or Slackware or Suse or ...

I've not seen the most recent RedHat install, but 5.x and earlier were a
lot harder to install, if you were using SCSI or had a device anywhere but
a preprogrammed slot, than FreeBSD. Caldera's latest is meant to be much
better. If anyone can make a Unix install better than Solaris's, I'd be
very impressed.

Darren

From owner-freebsd-security Fri Aug 13 08:57:34 1999
Date: Fri, 13 Aug 1999 10:52:36 -0500 (CDT)
From: dave
To: Darren Reed
Cc: 026809r@dragon.acadiau.ca, mishania@demos.net, tomb@securify.com, freebsd-security@FreeBSD.ORG
Subject: Re: "Secure-FreeBSD" Idea
In-Reply-To: <199908131543.BAA28035@cheops.anu.edu.au>

Well, after just installing 20 Solaris boxes last week I'm
not too impressed with Solaris either... I guess functionally it is good,
it didn't die and I ended up with a working system, but it has a lot to be
desired. I can give examples but I guess this thread is getting way too far
off of the security topic...

--dave

On Sat, 14 Aug 1999, Darren Reed wrote:
[ much cut out ....]
> better. If anyone can make a Unix install better than Solaris's, I'd be
> very impressed.
>
> Darren

From owner-freebsd-security Fri Aug 13 08:57:44 1999
Date: Fri, 13 Aug 1999 09:57:03 -0600
From: Brett Glass
To: Ollivier Robert, security@freebsd.org
Subject: Re: Another SMTP name-guessing attack
Message-Id: <4.2.0.58.19990813091645.048468a0@localhost>
In-Reply-To: <19990813143148.A73411@keltia.freenix.fr>
References: <4.2.0.58.19990812185216.043c1160@localhost>

At 02:31 PM 8/13/99 +0200, Ollivier Robert wrote:
>According to Brett Glass:
>> Aug 11 21:16:12 myhost sendmail[5126]: VAA05126: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
>
>Why do you allow dialup POPs to directly connect to your mail server? Use
>the DUL system and be happy (and put others manually into your access file).

We do use the RBL.
But as far as I can tell, the DUL system doesn't reject
the mail until after the whole message is sent; it doesn't stop Sendmail from
listening to the dial-in node beforehand. So, I am not sure that it would
defeat this attack.

--Brett Glass

From owner-freebsd-security Fri Aug 13 09:05:38 1999
Date: Fri, 13 Aug 1999 19:56:07 +0400
From: "Mikhail A. Sokolov"
To: Darren Reed
Cc: dave, 026809r@dragon.acadiau.ca, mishania@demos.net, tomb@securify.com, freebsd-security@FreeBSD.ORG
Subject: Re: "Secure-FreeBSD" Idea
Message-ID: <19990813195607.A20710@demos.su>
References: <199908131543.BAA28035@cheops.anu.edu.au>
In-Reply-To: <199908131543.BAA28035@cheops.anu.edu.au>; from Darren Reed on Sat, Aug 14, 1999 at 01:43:57AM +1000

On Sat, Aug 14, 1999 at 01:43:57AM +1000, Darren Reed wrote:
# In some mail from dave, sie said:
# > > Basically I popped the CD in, selected the partition and hit install. It
# > > whirled, rebooted and presto, I was running Be.
# > I recently installed Redhat and FreeBSD... I am familiar with both, but the
# > Redhat install took 3 runs through the install process to get right, and
# Be careful when trying to compare people's experience with Linux installs.
# "Linux" is rather obscure in this subject - what you need to know is whether
# or not it is Debian or Caldera or Redhat or Slackware or Suse or ...
# I've not seen the most recent RedHat install, but 5.x and earlier were a
# lot harder to install, if you were using SCSI or had a device anywhere but
# a preprogrammed slot, than FreeBSD. Caldera's latest is meant to be much
# better. If anyone can make a Unix install better than Solaris's, I'd be
# very impressed.

Indeed, but weren't we talking about having an option of levels of
secureness of the box whilst at the installation stage? ;) AFAIR, no OS
provides such.

#
# Darren

-- 
-mishania

From owner-freebsd-security Fri Aug 13 10:06:08 1999
Date: Fri, 13 Aug 1999 13:03:27 -0400 (EDT)
From: Bill/Carolyn Pechter
To: avalon@coombs.anu.edu.au (Darren Reed)
Subject: Re: "Secure-FreeBSD" Idea
Message-Id: <199908131705.NAA14114@shell.monmouth.com>
In-Reply-To: <199908131543.BAA28035@cheops.anu.edu.au> from "Darren Reed" at Aug 14, 99 01:43:57 am

> In some mail from dave, sie said:
> >
> > On Fri, 13 Aug 1999, Michael Richards wrote:
> > >
> > > I was toying with this idea too. People often say when comparing FreeBSD
> > > and Linux that "FreeBSD is harder to install." Although I don't agree with
> > > that statement, I had to take note of how easy my install of BeOS went.
> > > Basically I popped the CD in, selected the partition and hit install. It
> > > whirled, rebooted and presto, I was running Be.
> >
> > I recently installed Redhat and FreeBSD... I am familiar with both, but the
> > Redhat install took 3 runs through the install process to get right, and
> > FreeBSD took only one... Granted, they were minor problems in Redhat that
> > most people wouldn't come across, but it is still one valid experience of
> > mine... (The FreeBSD install was more flexible than the Redhat one).
>
> Be careful when trying to compare people's experience with Linux installs.
> "Linux" is rather obscure in this subject - what you need to know is whether
> or not it is Debian or Caldera or Redhat or Slackware or Suse or ...
>
> I've not seen the most recent RedHat install, but 5.x and earlier were a
> lot harder to install, if you were using SCSI or had a device anywhere but
> a preprogrammed slot, than FreeBSD. Caldera's latest is meant to be much
> better. If anyone can make a Unix install better than Solaris's, I'd be
> very impressed.
>
> Darren

This is a resend. Looks like my dynamic dns is blocked at the freebsd
mail server...

Perhaps -chat might be a better place than -security.

Another data point. I had the same problem with RedHat 5.x and 6.x.
FreeBSD, NetBSD and OpenBSD seemed to work more logically to me with
regards to fdisk (disk druid is almost worthless.) Caldera OpenLinux 2.2
took two tries to get right but once I figured out the one trick it was
the easiest to do. Great hardware discovery in Caldera 2.2. I've been
less than impressed with Solaris on Intel.

Bill

+---------------------------------------------------------------------------+
| Bill and/or Carolyn Pechter | pechter@shell.monmouth.com                  |
| Bill Gates is a Persian cat and a monocle away from being a villain in    |
| a James Bond movie -- Dennis Miller                                       |
+---------------------------------------------------------------------------+

From owner-freebsd-security Fri Aug 13 10:31:01 1999
Date: Fri, 13 Aug 1999 19:11:48 +0200
From: Ollivier Robert
To: security@freebsd.org
Subject: Re: Another SMTP name-guessing attack
Message-ID: <19990813191148.A78023@keltia.freenix.fr>
References: <4.2.0.58.19990812185216.043c1160@localhost> <19990813143148.A73411@keltia.freenix.fr> <4.2.0.58.19990813091645.048468a0@localhost>
In-Reply-To: <4.2.0.58.19990813091645.048468a0@localhost>; from Brett Glass on Fri, Aug 13, 1999 at 09:57:03AM -0600

According to Brett Glass:
> We do use the RBL. But as far as I can tell, the DUL system doesn't reject
> the mail until after the whole message is sent; it doesn't stop Sendmail from
> listening to the dial-in node beforehand. So, I am not sure that it would
> defeat this attack.

Yes it does. This is the same as RBL except only dialup pool addresses are
kept in it. They'll be rejected at connect time if you use sendmail.

Postfix would delay the reject up to RCPT TO: time because some broken
clients don't expect the dialog to be cut at connect time and re-connect
immediately.
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999
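The two mechanics this sub-thread turns on, spotting the burst of "lost input channel" lines in Brett's sendmail log and answering the dial-up question with a DUL-style lookup, as an added Python example written for this archive (not sendmail's, Postfix's or the MAPS project's code). The log lines, client hostnames, addresses and blocklist contents below are constructed; the zone names are the two Ollivier quotes, and the resolver is a lookup table so the example runs offline rather than querying DNS.

```python
"""Connection-flood triage for the sendmail log line quoted in the thread,
plus the DUL-style DNSBL check Ollivier recommends.

Added illustration, not sendmail's or Postfix's code. Log lines and the
blocklist contents are constructed; the zone names come from the thread
(rbl.maps.vix.com, dul.maps.vix.com) and the lookup is table-driven so the
example runs offline instead of querying DNS.
"""
import re
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional

# sendmail logs one of these per client that opened a session and dropped it
# without completing the dialogue; the report in the thread shows many.
LOST_RE = re.compile(
    r"sendmail\[\d+\]: \w+: lost input channel from (?P<host>\S+) \[(?P<ip>[\d.]+)\]"
)

# Constructed sample log, same shape as the line Brett posted.
SAMPLE_LOG = """\
Aug 11 21:16:12 myhost sendmail[5126]: VAA05126: lost input channel from dialup-45.example.net [192.0.2.45]
Aug 11 21:16:13 myhost sendmail[5131]: VAA05131: lost input channel from dialup-45.example.net [192.0.2.45]
Aug 11 21:16:13 myhost sendmail[5133]: VAA05133: from=<alice@example.org>, size=1024, relay=mx.example.org [198.51.100.7]
Aug 11 21:16:14 myhost sendmail[5140]: VAA05140: lost input channel from dialup-45.example.net [192.0.2.45]
Aug 11 21:16:20 myhost sendmail[5152]: VAA05152: lost input channel from mx.example.org [198.51.100.7]
""".splitlines()


def lost_channels(lines: Iterable[str]) -> Counter:
    """Count 'lost input channel' events per client IP."""
    counts: Counter = Counter()
    for line in lines:
        m = LOST_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return counts


def noisy_clients(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """IPs that dropped at least `threshold` sessions: flood/guessing candidates.
    One lost channel is normal (a client hung up); a burst from one address is not."""
    return sorted(ip for ip, n in lost_channels(lines).items() if n >= threshold)


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: octets reversed, then the zone, e.g.
    192.0.2.45 in dul.maps.vix.com -> 45.2.0.192.dul.maps.vix.com"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS: names present here are "listed". A real DNSBL
# answers a listed name with an A record in 127.0.0.0/8 and NXDOMAIN otherwise.
FAKE_DNS: Dict[str, str] = {
    "45.2.0.192.dul.maps.vix.com": "127.0.0.3",  # constructed dial-up pool entry
}


def lookup_table(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


ZONES = ("rbl.maps.vix.com", "dul.maps.vix.com")


def connect_policy(ip: str, zones: Iterable[str] = ZONES,
                   resolve: Callable[[str], Optional[str]] = lookup_table) -> str:
    """Decide at connect time, before any MAIL FROM: 'reject' if any zone
    lists the client, else 'accept'. Rejecting here is what keeps a flood
    from tying up the connection slots the thread complains about."""
    for zone in zones:
        if resolve(dnsbl_name(ip, zone)) is not None:
            return "reject"
    return "accept"


if __name__ == "__main__":
    for ip in noisy_clients(SAMPLE_LOG):
        print(ip, connect_policy(ip))
```

connect_policy() answers Brett's doubt in code: the decision needs only the client address, so it can be taken when the connection arrives, which is the sendmail behaviour Ollivier describes; a Postfix-style deployment calls the same check and acts on the result at RCPT TO instead. The threshold in noisy_clients() is the knob to tune against your own baseline: a single lost channel per client over a day is noise, three from one address within seconds is the pattern in the original report.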