From owner-freebsd-security Sun Apr 23 7:23:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8A57637B66B for ; Sun, 23 Apr 2000 07:23:46 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA22101; Sun, 23 Apr 2000 07:23:09 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda22099; Sun Apr 23 07:22:59 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id HAA27653; Sun, 23 Apr 2000 07:22:59 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdY27651; Sun Apr 23 07:22:50 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA07623; Sun, 23 Apr 2000 07:22:47 -0700 (PDT) Message-Id: <200004231422.HAA07623@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdNL7619; Sun Apr 23 07:22:01 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.0-STABLE X-Sender: cy To: "Nick Loman" Cc: freebsd-security@FreeBSD.ORG Subject: Re: 10 days In-reply-to: Your message of "Thu, 20 Apr 2000 19:54:05 BST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 23 Apr 2000 07:22:00 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hosts.allow only protects applications that have been linked with libwrap, e.g. inetd, portmap, and sshd. To protect services that aren't libwrap aware, your options are ipfw or ipfilter. I've used both and both do a good job. For examples, take a look at freebsddiary.com. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC In message , "Nick L oman" writes: > > I've moved my mail server from RedHat 6.0/Linux over to FreeBSD > 4.0-STABLE/qmail for security (lots of relay hacking and Linux newbie > hackers). > > Anyway, pleased to see only 10 days into running a FreeBSD installation > the spam kiddies are trying to hack in again :-) > > hosts.allow: > > ALL : PARANOID : RFC931 20 : deny > ftpd : a few select hosts : allow > telnetd : a few select hosts : allow > popa3d : ALL : allow > ALL : ALL : deny > > qmail running off tcpserver. > > Hack attempts are standard trying to get in through ftp and telnet. Also a > request from a root@ to the DNS port. > > Given that I'm a FreeBSD newbie, and notwithstanding general security > tips, what should I be looking out for in these early days? > > Regards, > > Nick. > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 23 11:23:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 54C0937B60D for ; Sun, 23 Apr 2000 11:23:13 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id OAA70884; Sun, 23 Apr 2000 14:22:33 -0400 (EDT) (envelope-from cjc) Date: Sun, 23 Apr 2000 14:22:33 -0400 From: "Crist J. 
Clark" To: Mobeen Azhar Cc: Duncan , freebsd-security@FreeBSD.ORG Subject: Re: logging (from freebsd-questions) Message-ID: <20000423142233.D70371@cc942873-a.ewndsr1.nj.home.com> Reply-To: cjclark@home.com References: <4.2.0.58.20000422083806.00b4dee0@mail.bigpond.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from moby@pcsn.net on Sat, Apr 22, 2000 at 10:26:36AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Apr 22, 2000 at 10:26:36AM -0500, Mobeen Azhar wrote: > You need to have the "log" keyword specified in your ipfw ruiles in order to > log activities related to that rule. And was the kernel built with, options IPFIREWALL_VERBOSE #print information about And if so, did you set, options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity To something reasonable for you (100 might be kind of low for people with any serious uptime). > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Duncan > Sent: Friday, April 21, 2000 17:43 > To: freebsd-security@FreeBSD.ORG > Subject: RE: logging (from freebsd-questions) > > > yes the only thing i am getting in security is users logging in, > su and bad su etc.... > > > > >Fri Apr 21 12:36:30 EDT 2000 > >Hi, > >I get my firewall logs in /var/log/security > >Have you looked there. > >Andrew. > > > > > >On Fri, Apr 21, 2000 at 09:03:33PM +1000, Duncan wrote: > > > > Hello > > > > I'm am having trouble with my logs. 
> > I have tried various things like adding ' log_in_vain="YES" ' in > rc.conf > > (which i read from a post on the security list) > > > > !ipfw > > *.* /var/log/ipfw > > > > but the only information i am getting is stuff like : > > > > 00200 0 0 deny ip from any to 127.0.0.0/8 > > 01400 20 1008 deny log tcp from any to any via ppp0 setup > > 65535 602 28986 deny ip from any to any > > > > (from /var/log/ipfw.today) which by itself is useless for me. > > I am trying to set it up so i can see the source address and ports so i > at > > least > > can see more of what's going on. > > > > I have a custom kernel with the ipfirewall and divert for natd and am > currently > > running 3.2-release. > > sorry for not giving more information but i am new to this and not sure > > what else > > to put. > > > > Any help is much appreciated > > Thank you. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 23 11:25: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 44DA137B593 for ; Sun, 23 Apr 2000 11:24:57 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id OAA70894; Sun, 23 Apr 2000 14:24:47 -0400 (EDT) (envelope-from cjc) Date: Sun, 23 Apr 2000 14:24:47 -0400 From: "Crist J. 
Clark" To: Alfred Perlstein Cc: Ron Smith , freebsd-security@FreeBSD.ORG Subject: Re: Using proxys with ipfw Message-ID: <20000423142447.E70371@cc942873-a.ewndsr1.nj.home.com> Reply-To: cjclark@home.com References: <20000421175830.78962.qmail@hotmail.com> <20000421114110.D10782@fw.wintelcom.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000421114110.D10782@fw.wintelcom.net>; from bright@wintelcom.net on Fri, Apr 21, 2000 at 11:41:10AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Apr 21, 2000 at 11:41:10AM -0700, Alfred Perlstein wrote: > * Ron Smith [000421 11:28] wrote: > > Hello All, > > > > I'm trying to determine if it's possible to implement smtp/pop, ftp, and www > > proxys with ipfw rules in place. If it is possible, which proxy software > > would be the best to use. I have a dual-homed gateway with ipfw rules in > > place. Everything works great , but I only have access to and from the > > Internet with NAT, at this point. I would like to add the ability to access > > a mail server behind a firewall from the outside world. I would also like to > > do the same for www and ftp services as well. Any pointers? > > I'm pretty sure both ipfw and natd offer a "forward port" option, > just check out the docs, it should be there. I would try the ipfw > stuff first as it's probably more effecient. No. The 'forward' in ipfw(8) is not meant to be used in this way. Since the original poster seems to be already using natd(8), have a look at 'redirect_port' on the natd(8) manpage. -- Crist J. 
Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 23 19:59:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from teapot29.domain7.bigpond.com (teapot29.domain7.bigpond.com [139.134.5.236]) by hub.freebsd.org (Postfix) with SMTP id 0DFC137B976 for ; Sun, 23 Apr 2000 19:59:38 -0700 (PDT) (envelope-from arakias@bigpond.com) Received: from localhost (localhost [127.0.0.1]) by teapot29.domain7.bigpond.com (NTMail 3.02.13) with ESMTP id ya591030 for ; Mon, 24 Apr 2000 12:50:02 +1000 Received: from MLIP-A-002-pool-103.tmns.net.au ([139.134.240.103]) by mail7.bigpond.com (Claudes-Delicate-MailRouter V2.7e 15/9595266); 24 Apr 2000 12:50:01 Message-Id: <4.2.0.58.20000424124146.009695e0@mail.bigpond.com> X-Sender: arakias@mail.bigpond.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Mon, 24 Apr 2000 12:46:46 +1000 To: freebsd-security@freebsd.org From: Duncan Subject: RE: logging Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org yes i have the ipfirewall_verbose and verbose_limit i'm not sure what i've overlooked but i've just ordered 4.0 so i won't worry too much for now since i'll be doing a clean install. Thanks for all the advice >And was the kernel built with, >options IPFIREWALL_VERBOSE #print information about >And if so, did you set, >options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity >To something reasonable for you (100 might be kind of low for people >with any serious uptime). 
> -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Duncan > Sent: Friday, April 21, 2000 17:43 > To: freebsd-security@FreeBSD.ORG > Subject: RE: logging (from freebsd-questions) > > > yes the only thing i am getting in security is users logging in, > su and bad su etc.... > > > > >Fri Apr 21 12:36:30 EDT 2000 > >Hi, > >I get my firewall logs in /var/log/security > >Have you looked there. > >Andrew. > > > > > >On Fri, Apr 21, 2000 at 09:03:33PM +1000, Duncan wrote: > > > > Hello > > > > I'm am having trouble with my logs. > > I have tried various things like adding ' log_in_vain="YES" ' in > rc.conf > > (which i read from a post on the security list) > > > > !ipfw > > *.* /var/log/ipfw > > > > but the only information i am getting is stuff like : > > > > 00200 0 0 deny ip from any to 127.0.0.0/8 > > 01400 20 1008 deny log tcp from any to any via ppp0 setup > > 65535 602 28986 deny ip from any to any > > > > (from /var/log/ipfw.today) which by itself is useless for me. > > I am trying to set it up so i can see the source address and ports so i > at > > least > > can see more of what's going on. > > > > I have a custom kernel with the ipfirewall and divert for natd and am > currently > > running 3.2-release. > > sorry for not giving more information but i am new to this and not sure > > what else > > to put. > > > > Any help is much appreciated > > Thank you. 
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 23 20:17:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-051.resnet.wisc.edu [146.151.42.51]) by hub.freebsd.org (Postfix) with SMTP id 012FD37B718 for ; Sun, 23 Apr 2000 20:17:41 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 41689 invoked by uid 1000); 24 Apr 2000 03:17:39 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Apr 2000 03:17:39 -0000 Date: Sun, 23 Apr 2000 22:17:39 -0500 (CDT) From: Mike Silbersack To: Wes Peters Cc: security@FreeBSD.ORG Subject: Re: stream.c followup / MFC request In-Reply-To: <38FFB270.C4C8DD9F@softweyr.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Apr 2000, Wes Peters wrote: > Mike Silbersack wrote: > > > > So, my question is this: Would someone be willing to give Wes's patch > > one more lookover and commit it to the RELENG_3 branch? > > If everyone is comfortable with it, I'll commit it. Hm, looks like nobody on this list is running 3.x anymore. FWIW, I haven't had any problems since I started using a kernel with the patch applied, I think it's safe to go ahead. 
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 23 21: 4: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from rock.ghis.net (rock.ghis.net [209.222.164.7]) by hub.freebsd.org (Postfix) with ESMTP id 4BC9A37BAAC for ; Sun, 23 Apr 2000 21:04:04 -0700 (PDT) (envelope-from will@blackdawn.com) Received: from argon.blackdawn.com (05-065.dial.008.popsite.net [209.69.13.65]) by rock.ghis.net (8.9.3/8.9.3) with ESMTP id VAA77288; Sun, 23 Apr 2000 21:03:59 -0700 (PDT) Received: by argon.blackdawn.com (Postfix, from userid 1000) id BE4381939; Mon, 24 Apr 2000 00:03:45 -0400 (EDT) Date: Mon, 24 Apr 2000 00:03:45 -0400 From: Will Andrews To: Mike Silbersack Cc: Wes Peters , security@FreeBSD.ORG Subject: Re: stream.c followup / MFC request Message-ID: <20000424000345.C85896@argon.blackdawn.com> References: <38FFB270.C4C8DD9F@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from silby@silby.com on Sun, Apr 23, 2000 at 10:17:39PM -0500 X-Operating-System: FreeBSD 5.0-CURRENT i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Apr 23, 2000 at 10:17:39PM -0500, Mike Silbersack wrote: > Hm, looks like nobody on this list is running 3.x anymore. I do, but I don't get attacked often enough to care. :-P > FWIW, I haven't had any problems since I started using a kernel with the > patch applied, I think it's safe to go ahead. I didn't make any sort of technical review, but if it works on 4-STABLE, then it should be MFC'd. -- Will Andrews GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++ e->++++ h! r-->+++ y? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 23 21:26:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 26B6F37B7BA for ; Sun, 23 Apr 2000 21:26:36 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id WAA07867; Sun, 23 Apr 2000 22:26:21 -0600 (MDT) Message-Id: <4.3.1.2.20000423215640.00aea820@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sun, 23 Apr 2000 21:59:19 -0600 To: Mike Silbersack , Wes Peters From: Brett Glass Subject: Re: stream.c followup / MFC request Cc: security@FreeBSD.ORG In-Reply-To: References: <38FFB270.C4C8DD9F@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I applied my own patch. I certainly HOPE that the 3.x branch is being updated. 4.0 shows promise, but we never run any new version on a production machine until it's at least at .2 or .3. It's unfortunate that many of the developers seem to concentrate on the bleeding edge when BSD gets its reputation for stability from the "stable" branches. --Brett Glass At 09:17 PM 4/23/2000, Mike Silbersack wrote: >On Thu, 20 Apr 2000, Wes Peters wrote: > > > Mike Silbersack wrote: > > > > > > So, my question is this: Would someone be willing to give Wes's patch > > > one more lookover and commit it to the RELENG_3 branch? > > > > If everyone is comfortable with it, I'll commit it. > >Hm, looks like nobody on this list is running 3.x anymore. > >FWIW, I haven't had any problems since I started using a kernel with the >patch applied, I think it's safe to go ahead. 
> >Mike "Silby" Silbersack > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 24 8:10:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8C82B37BB2F for ; Mon, 24 Apr 2000 08:10:42 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA25571; Mon, 24 Apr 2000 08:09:50 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda25569; Mon Apr 24 08:09:45 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id IAA00535; Mon, 24 Apr 2000 08:09:44 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdCGJ533; Mon Apr 24 08:09:30 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id IAA13292; Mon, 24 Apr 2000 08:09:29 -0700 (PDT) Message-Id: <200004241509.IAA13292@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdu13274; Mon Apr 24 08:08:37 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.0-STABLE X-Sender: cy To: Alex Michlin Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 21 Apr 2000 14:26:40 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 24 Apr 2000 08:08:37 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Alex Michlin writes: > How can a hacker enable promiscious mode though an ftp connection? 
> I did a `last` to see who, if anyone, logged on and the only logon I saw > was an ftp connection from an @home machine. I don't see any extra > programs running on the machine. Do I need to be concerned about telnet > passwords, etc? > > Apr 20 13:10:12 hostname /kernel: xl0: promiscuous mode enabled Are you sure it's a hacker? Do these "events" coincide with other events, e.g. system boot, an application starting, etc.? For example, we use an application called egd (entropy gathering daemon) on our servers on our raised floors, which puts the interfaces into promiscuous mode, among other entropy gathering things done, just after boot to initially set up its entropy pool. Therefore I can directly correlate promiscuous mode with system boot. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 24 11:50:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 537DC37BB46 for ; Mon, 24 Apr 2000 11:50:20 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (1959 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Mon, 24 Apr 2000 13:44:42 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Mon, 24 Apr 2000 13:44:41 -0500 (CDT) From: James Wyatt To: Cy Schubert - ITSD Open Systems Group Cc: Alex Michlin , freebsd-security@FreeBSD.ORG Subject: Re: egd vs /dev/random on FBSD In-Reply-To: <200004241509.IAA13292@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 
Mon, 24 Apr 2000, Cy Schubert - ITSD Open Systems Group wrote: > In message e.com>, Alex Michlin writes: > > How can a hacker enable promiscious mode though an ftp connection? > > I did a `last` to see who, if anyone, logged on and the only logon I saw > > was an ftp connection from an @home machine. I don't see any extra > > programs running on the machine. Do I need to be concerned about telnet > > passwords, etc? > > > > Apr 20 13:10:12 hostname /kernel: xl0: promiscuous mode enabled > > Are you sure it's a hacker? Do these "events" coincide with other > events, e.g. system boot, an application starting, etc.? For example, > we use an application called egd (entropy gathering daemon) on our > servers on our raised floors, which puts the interfaces into > promiscuous mode, among other entropy gathering things done, just after > boot to initially set up its entropy pool. Therefore I can directly > correlate promiscuous mode with system boot. I thought that /dev/random was good enough on FreeBSD, given a reasonably busy IRQ (no problem around here!). I have to run egd on an AIX box to get a reasonable amount of entropy - and still can't get GPG to compile quite right on it... 
- Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 24 12:32:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 2824437BB99; Mon, 24 Apr 2000 12:32:11 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id MAA84002; Mon, 24 Apr 2000 12:32:10 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Mon, 24 Apr 2000 12:32:10 -0700 (PDT) From: Kris Kennaway To: Przemyslaw Frasunek Cc: BUGTRAQ@SECURITYFOCUS.COM, freebsd-security@freebsd.org, security-officer@freebsd.org Subject: Re: freebsd libncurses overflow In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 24 Apr 2000, Kris Kennaway wrote: > On Mon, 24 Apr 2000, Przemyslaw Frasunek wrote: > > > - 3.4-STABLE -- vulnerable > > - 4.0-STABLE -- not tested (probably *not* vulnerable) > > -- *not* vulnerable > > > - 5.0-CURRENT -- *not* vulnerable > > Unfortunately, Mr Frasunek didn't see fit to notifying us before releasing > his advisory - it will probably be a day or two before this gets > fixed. Sorry all. Furthermore, it is not actually a vulnerability. It seems that setuid programs will not accept an alternate termcap file via TERMCAP even under the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can only be used on your own binaries. (If we'd have been told beforehand I could have saved Mr Frasunek the embarrassment ;-) Kris ---- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 24 15:46:49 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id EEF4B37BBB4; Mon, 24 Apr 2000 15:46:35 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:15.imap-uw Reply-To: security-officer@freebsd.org From: FreeBSD Security Officer Message-Id: <20000424224635.EEF4B37BBB4@hub.freebsd.org> Date: Mon, 24 Apr 2000 15:46:35 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:15 Security Advisory FreeBSD, Inc. Topic: imap-uw allows local users to deny service to any mailbox Category: ports Module: imap-uw Announced: 2000-04-24 Credits: Alex Mottram via BugTraq Affects: Ports collection. Corrected: See below. Vendor status: Notified. FreeBSD only: NO I. Background imap-uw is a popular IMAP4/POP2/POP3 mail server from the University of Washington. II. Problem Description The imap-uw port supplies a "libc-client" library which provides various functionality common to mail servers. The algorithm used for locking of mailbox files contains a weakness which allows an unprivileged local user to lock an arbitrary local mailbox. In the case of POP2/POP3 servers, this means that the mailbox will not be able to be accessed at all by the owner. In the case of IMAP4 servers, the folder can be opened for reading, but not writing (i.e. can only be accessed read-only). Note that this is a different vulnerability than that described in FreeBSD Security Advisory 00:14, and affects all imap-uw servers which provide shell-level access to users. 
However note that by virtue of advisory 00:14, all users who can access their mail remotely via imap can acquire such access even without explicit shell login access. The imap-uw port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A user who has, or who can obtain (see advisory 00:14) shell access to the mail server can prevent an arbitrary mailbox from being opened via pop2/pop3, or can force the mailbox to be only opened read-only via imap. If you have not chosen to install the imap-uw port/package, then your system is not vulnerable to this problem. IV. Workaround 1) Deinstall the imap-uw port/package, if you you have installed it. 2) Consider using another POP2/POP3 server if you do not require IMAP functionality. See the notes regarding alternative IMAP servers in FreeBSD Security Advisory 00:14. V. Solution No patch is currently available. It is encumbent on the imap-uw developers to redesign the mailbox locking scheme to provide a secure locking mechanism which is not vulnerable to local denial-of-service attacks. This advisory will be updated once the known vulnerabilities in imap-uw have been addressed. 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOQTN8FUuHi5z0oilAQH58gP+JtkvDh4EFR13jGKxb6PERkt9x6Cpy+DY 1P56XODBiK4tnbTjdke2JLLNUHpSYtN23h8zt1DtnlxnxunQa8Y6fhptbpgHUWAu ZIJlLLnl0iQcjj3Lqwz2E2BaFsyZxlVSGQnD/EmI+tyZcY+oTYbomCgi1RW3kbn+ fmNJXmwTXCg= =TwTN -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 24 15:46:50 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 8A4B337B5AA; Mon, 24 Apr 2000 15:46:34 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:14.imap-uw Reply-To: security-officer@freebsd.org From: FreeBSD Security Officer Message-Id: <20000424224634.8A4B337B5AA@hub.freebsd.org> Date: Mon, 24 Apr 2000 15:46:34 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:14 Security Advisory FreeBSD, Inc. Topic: imap-uw contains security vulnerabilities for "closed" mail servers Category: ports Module: imap-uw Announced: 2000-04-24 Credits: Michal Zalewski Michal Szymanski via BugTraq Affects: Ports collection. Corrected: See below. Vendor status: Aware of the problem, no satisfactory solution provided. FreeBSD only: NO I. Background imap-uw is a popular IMAP4/POP2/POP3 mail server from the University of Washington. II. Problem Description There are numerous buffer overflows available to an imap user after they have successfully logged into their mail account (i.e. authenticated themselves by giving the correct password, etc). Once the user logs in, imapd has dropped root privileges and is running as the user ID of the mail account which has been logged into, so the buffer overflow can only allow code to be executed as that user. 
Thus, the vulnerability is only relevant on a "closed" mail server, i.e. one which does not normally allow interactive logins by mail users. For a system which allows users to log in or execute code on the system, there is minimal vulnerability. Note that once a user has successfully exploited the vulnerability to gain access to their user account they may be able to mount further attacks against the local (or a remote) machine to upgrade their privileges. The imap-uw port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A user with a mail account on the imap server can execute arbitrary code as themselves on that machine. This is only likely to be a security issue on "closed" mail servers which do not allow interactive shell logins. Only imapd is known to be vulnerable to this time - the other daemons installed by the imap-uw port (ipop2d/ipop3d) are not known to suffer from the same vulnerability. If you have not chosen to install the imap-uw port/package, then your system is not vulnerable to this problem. IV. Workaround 1) Deinstall the imap-uw port/package, if you you have installed it. 2) If you do not specifically require imap functionality (i.e. pop2/pop3 is sufficient) then disable the imap daemon in /etc/inetd.conf and restart inetd (e.g. with the command 'killall -HUP inetd') V. Solution Unfortunately the vulnerabilities in imapd are quite extensive and no patch is currently available to address them. 
There is also no "drop-in" replacement for imap-uw currently available in ports, although the mail/cyrus port is another imap server which may be a suitable replacement. Cyrus has different configuration and operational requirements than imap-uw however, which may make it unsuitable for many users. Until a security audit of the imap-uw source can be completed and the vulnerabilities patched, it is recommended that operators of "closed" imapd servers take steps to minimize the impact of users being able to run code on the server (i.e., by tightening the local security on the machine to minimize the damage an intruding user can cause). This advisory will be updated once the known vulnerabilities in imap-uw have been addressed. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOQTN61UuHi5z0oilAQEe9QQAhoPtcTPFYv4RSvh0x/FYe1x8J4kmvi0x I5fFL3Am8Yfjra/ETGE/WQpGttIFluyfs7RmOc7aglJHp9Aeii9zgCU0dv+3TIZb FA0NUpode09tfEOP4ciuL1Diae9utoPc+80mitbGFoNL1uAUj4QKWxNNCJ1K6Jyd plUnZwIFx64= =qaIn -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 24 23:50:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.point.sk (mail.point.sk [62.168.114.68]) by hub.freebsd.org (Postfix) with ESMTP id C6FF137BCD8 for ; Mon, 24 Apr 2000 23:50:16 -0700 (PDT) (envelope-from AlexII@point.sk) Received: from auriga (remus-gw.ke.gtsi.sk [62.168.107.30] (may be forged)) by mail.point.sk (8.9.3/8.9.3/Debian/GNU) with SMTP id IAA13762 for ; Tue, 25 Apr 2000 08:50:15 +0200 From: "AlexII" To: Subject: Date: Tue, 25 Apr 2000 08:49:57 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: 
auth a750c830 subscribe freebsd-security AlexII@point.sk

From owner-freebsd-security Tue Apr 25 1:41:40 2000
From: dima@mmc.net.ge
To: freebsd-security@freebsd.org
Subject: SPAM Problem!!
Date: Tue, 25 Apr 2000 13:39:12 +0400
Message-ID: <390567C0.AD1ADC3E@mmc.net.ge>

Someone, claiming to be my mail user (different usernames), sends spam mails to the internet.
I have received a lot of messages from admins and postmasters of different servers.
At the same time I have the following in my mail log, look below.
What shall I do to find this spammer, or how can I protect my domain reputation?

------
Apr 25 13:21:07 nic sendmail[24796]: NAA24796: ... User unknown
Apr 25 13:21:08 nic sendmail[24796]: NAA24796: from=<>, size=8645, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=lisa.ionsys.com [206.49.34.7]
Apr 25 13:21:45 nic sendmail[24801]: NAA24801: ... User unknown
Apr 25 13:21:48 nic sendmail[24801]: NAA24801: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[194.73.73.176]
Apr 25 13:22:28 nic sendmail[24806]: NAA24806: ... User unknown
Apr 25 13:22:28 nic sendmail[24806]: NAA24806: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[194.73.73.176]
Apr 25 13:23:22 nic sendmail[24816]: NAA24816: ... User unknown
Apr 25 13:23:23 nic sendmail[24816]: NAA24816: from=<>, size=1922, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=sibelius.demon.co.uk [158.152.83.160]
--
Apr 25 13:25:51 nic sendmail[24832]: NAA24832: ... User unknown
Apr 25 13:25:53 nic sendmail[24832]: NAA24832: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=praseodumium.btinternet.com [194.73.73.82]
--
Apr 25 13:28:17 nic sendmail[24858]: NAA24855: to=, delay=00:00:05, xdelay=00:00:01, mailer=local, stat=Sent
Apr 25 13:28:17 nic sendmail[24857]: NAA24857: from=<>, size=7592, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[192.12.130.44]
--
Apr 25 13:31:07 nic sendmail[24901]: NAA24901: ... User unknown
Apr 25 13:31:09 nic sendmail[24901]: NAA24901: from=<>, size=7744, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail2.infohouse.com [204.143.176.5]
--
Apr 25 13:32:04 nic sendmail[24915]: NAA24915: ... User unknown
Apr 25 13:32:05 nic sendmail[24915]: NAA24915: from=<>, size=7795, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail2.infohouse.com [204.143.176.5]
--
Apr 25 13:33:26 nic sendmail[24928]: NAA24928: ... User unknown
Apr 25 13:33:27 nic sendmail[24928]: NAA24928: from=<>, size=2270, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[216.79.19.1]
--
Apr 25 13:36:50 nic sendmail[24961]: NAA24956: to=, ctladdr= (1002/0), delay=00:00:27, xdelay=00:00:07, mailer=esmtp, relay=praseodumium.btinternet.com. [194.73.73.82], stat=Sent (OK id=12k0i6-0002NB-00)
Apr 25 13:36:56 nic sendmail[24977]: NAA24977: from=<>, size=2670, class=0, pri=32670, nrcpts=1, msgid=, proto=ESMTP, relay=praseodumium.btinternet.com [194.73.73.82]
--
Apr 25 13:37:21 nic sendmail[24993]: NAA24993: ... User unknown
Apr 25 13:37:21 nic sendmail[24993]: NAA24993: from=<>, size=9338, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pluto.psn.net [207.211.58.12]
Apr 25 13:37:26 nic sendmail[24997]: NAA24997: from=<>, size=2634, class=0, pri=32634, nrcpts=1, msgid=, proto=ESMTP, relay=tungsten.btinternet.com [194.73.73.81]
--
Apr 25 13:38:40 nic sendmail[25025]: NAA25025: ... User unknown
Apr 25 13:38:41 nic sendmail[25025]: NAA25025: from=<>, size=7925, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[207.104.89.13]
--
Apr 25 13:41:54 nic sendmail[25075]: NAA25075: ... User unknown
Apr 25 13:41:55 nic sendmail[25075]: NAA25075: from=<>, size=11085, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail.xmission.com [198.60.22.22]
--
Apr 25 13:42:06 nic sendmail[25079]: NAA25079: ... User unknown
Apr 25 13:42:06 nic sendmail[25079]: NAA25079: from=<>, size=6364, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=rmx05.iname.net [165.251.8.203]

From owner-freebsd-security Tue Apr 25 1:51:50 2000
From: "Przemyslaw Frasunek"
To: "Kris Kennaway"
Subject: Re: freebsd libncurses overflow
Date: Tue, 25 Apr 2000 10:50:42 +0200
Message-ID: <002801bfae93$5b7e69a0$0273b6d4@freebsd.lublin.pl>
> Furthermore, it is not actually a vulnerability. It seems that setuid
> programs will not accept an alternate termcap file via TERMCAP even under
> the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
> only be used on your own binaries.

Sure?

lubi:venglin:~> uname -a
FreeBSD lubi.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar 1 11:18:54 CET 2000 venglin@lubi.freebsd.lublin.pl:/mnt/elite/usr/src/sys/compile/GADACZKA i386
lubi:venglin:~> cat dupa.c
main() { initscr(); }
lubi:venglin:~> cc -o d dupa.c -lncurses
lubi:venglin:~> su
s/key 76 ve15188
Password:
lubi:venglin:/home/venglin# chmod 4755 d ; chown root.wheel d
lubi:venglin:/home/venglin# exit
lubi:venglin:~> ./d
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> ./d
Segmentation fault
lubi:venglin:~> ./dupaexp 4000
ret: 0xbfbfba8c
# id
uid=0(root) gid=1001(users) groups=1001(users), 0(wheel)

Obviously, *most* binaries are dropping root privileges before using any ncurses functions.
--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *

From owner-freebsd-security Tue Apr 25 2:34:10 2000
From: "tjk@tksoft.com"
To: dima@mmc.net.ge
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SPAM Problem!!
Date: Tue, 25 Apr 2000 02:35:37 -0700 (PDT)
Message-Id: <200004250935.CAA01507@uno.tksoft.com>
In-Reply-To: <390567C0.AD1ADC3E@mmc.net.ge>

Without digging into who's who in the below logs, I can only guess. Anyway, it seems that you either received emails targeted at your server or someone used your mail server as a relay.

There isn't much you can do to protect yourself against spam, beyond filtering and blocking abusive IPs.

You can limit access to your mail server, so it can't be used to relay emails. You should look into the docs for the version of sendmail you have, and block relaying. If you don't have the docs, look into /etc/sendmail.cf and see which files specify allowed relays. They vary based on the sendmail distribution. E.g. /etc/sendmail.cR, or /etc/mail/ip_allow, name_allow

Troy

> Someone, claiming to be my mail user (different usernames), sends spam
> mails to the internet.
> I have received a lot of messages from admins and postmasters of
> different servers.
> At the same time I have the following in my mail log, look below.
> What shall I do to find this spammer, or how can I protect my domain
> reputation.

From owner-freebsd-security Tue Apr 25 8:24:09 2000
From: Cy Schubert - ITSD Open Systems Group
To: James Wyatt
Cc: Cy Schubert - ITSD Open Systems Group, Alex Michlin, freebsd-security@FreeBSD.ORG
Subject: Re: egd vs /dev/random on FBSD
Message-Id: <200004251522.IAA03533@cwsys.cwsent.com>
In-reply-to: Your message of "Mon, 24 Apr 2000 13:44:41 CDT."
Date: Tue, 25 Apr 2000 08:21:46 -0700

In message , James Wyatt writes:
> On Mon, 24 Apr 2000, Cy Schubert - ITSD Open Systems Group wrote:
> > In message , Alex Michlin writes:
> > > How can a hacker enable promiscuous mode through an ftp connection?
> > > I did a `last` to see who, if anyone, logged on and the only logon I saw
> > > was an ftp connection from an @home machine. I don't see any extra
> > > programs running on the machine. Do I need to be concerned about telnet
> > > passwords, etc?
> > >
> > > Apr 20 13:10:12 hostname /kernel: xl0: promiscuous mode enabled
> >
> > Are you sure it's a hacker? Do these "events" coincide with other
> > events, e.g. system boot, an application starting, etc.? For example,
> > we use an application called egd (entropy gathering daemon) on our
> > servers on our raised floors, which puts the interfaces into
> > promiscuous mode, among other entropy gathering things done, just after
> > boot to initially set up its entropy pool. Therefore I can directly
> > correlate promiscuous mode with system boot.
>
> I thought that /dev/random was good enough on FreeBSD, given a reasonably
> busy IRQ (no problem around here!). I have to run egd on an AIX box to get
> a reasonable amount of entropy - and still can't get GPG to compile quite
> right on it... - Jy@

We use egd on our Suns and Alphas. On our FreeBSD systems we use /dev/random. There was a whole discussion about this on -security or -stable about a year ago regarding which interrupts were best to use, and which might have a better chance of causing the system to crash. Keyboards were O.K., disk controllers and NIC cards were generally not O.K. Can FreeBSD-4 handle more interrupt latency than [23].x did (I cannot recall whether the thread was talking about FreeBSD-2 or 3)?

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Tue Apr 25 9:56:28 2000
From: David Babler
To: dima@mmc.net.ge
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SPAM Problem!!
Date: Tue, 25 Apr 2000 09:56:01 -0700 (PDT)
In-Reply-To: <390567C0.AD1ADC3E@mmc.net.ge>

On Tue, 25 Apr 2000 dima@mmc.net.ge wrote:

> Someone, claiming to be my mail user (different usernames), sends spam
> mails to the internet.
> I have received a lot of messages from admins and postmasters of
> different servers.
> At the same time I have the following in my mail log, look below.
> What shall I do to find this spammer, or how can I protect my domain
> reputation.

The log entries are bounces ("from=<>"), which are coming to you because, as you said, some spammer is forging addresses in your domain as the envelope sender and/or "from" address. I'd contact the postmasters of the systems sending you bounces or complaints to see if they can send you complete copies (or sendmail logs) of the spam they are bouncing.
Using that, you may be able to track down the spammer (only if you can get at least one message with complete headers). If the bounces continue to arrive from the forged addresses (like "polaris1050racer@mmc.net.ge"), define an alias for these phony addresses so you can receive one or two so you can examine them.

Good luck.

-Dave

> ------
> Apr 25 13:21:07 nic sendmail[24796]: NAA24796: ... User unknown
> Apr 25 13:21:08 nic sendmail[24796]: NAA24796: from=<>, size=8645,
> class=0, pri=0, nrcpts=0, proto=ESMTP, relay=lisa.ionsys.com
> [206.49.34.7]

From owner-freebsd-security Tue Apr 25 10:51:25 2000
From: hazed@another.co.uk
To: freebsd-security@FreeBSD.ORG
Cc: dima@mmc.net.ge
Subject: Re: SPAM Problem!!
Date: Tue, 25 Apr 2000 18:50:42 +0100 (GMT+01:00)
Message-ID: <6112239.956685042682.JavaMail.root@mh-a01.backend.another.com>

On Tue, Apr 25, 2000 at 09:56:01AM -0700, David Babler wrote:
>
> > Someone, claiming to be my mail user (different usernames), sends spam
> > mails to the internet.
...
> What shall I do to find this spammer, or how can I protect my domain
> reputation.

If the spammer is using dialup accounts from a certain very large global ISP, mentioning no three letter names ;-), it would appear that there is little you can do about your domain's reputation :-(

I see 450+ bounces per day, each one listing tens or hundreds of email recipients that have failed. I have sent headers from a few hundred of a day's bounces with usable headers (i.e. those that didn't pass through MSN's dumb mailers which strip Received: lines!!) to $BIG_ISP's abuse email address but have not even received a human acknowledgement. In the meantime, they appear to silently drop emails from our legitimate customers - well, only if they use sensible email addresses - same people, same mail server, make up a random address with a couple of letters and some numbers and they get through ...!)

While all this is going on, they also seem to ignore emails following their "Mail test" procedure as detailed on their postmaster auto-bounce. Isn't life great........ If only our customers would believe us when we tell them that we've delivered the email to the other ISP, and it's disappeared "somewhere after that", it would be fine, but they seem to have the idea that just because the other ISP is a multinational corporation it must have clue...

I think that the only useful thing you can do with the spam bounces is to identify the abused open relays and report them to relays.mail-abuse.org, ORBS and maybe the relevant postmaster. If anyone has any handy scripts to automate processing bounced spams (*as opposed to received spams*) that they'd be willing to share, please post ;-)

I'm not sure if this is really on-topic for freebsd-security, if anyone would care to suggest a better home please do... (I'm sure it's a bit of a cross-platform issue!)

--
Apologies for any webmail-related mangling of this message.
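David Babler's observation that the log entries are bounces (null envelope sender, "from=<>") and the request just above for a script that processes bounced spam both come down to the same piece of log analysis: group sendmail's per-queue-id lines, keep only the null-sender deliveries, and count which relays sent them and which forged local addresses they were aimed at. The parser below is an added example written for this thread, not code from any poster; it targets the sendmail 8.9 log format shown in the original message, and the embedded sample lines, hostnames and addresses are constructed (documentation IP ranges), not the poster's real data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the sendmail 8.9 lines in the original
# post; hosts and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Apr 25 13:21:07 nic sendmail[24796]: NAA24796: <forged1@example.net>... User unknown
Apr 25 13:21:08 nic sendmail[24796]: NAA24796: from=<>, size=8645, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mx1.relay-a.example [192.0.2.7]
Apr 25 13:21:45 nic sendmail[24801]: NAA24801: <forged2@example.net>... User unknown
Apr 25 13:21:48 nic sendmail[24801]: NAA24801: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[198.51.100.176]
Apr 25 13:22:28 nic sendmail[24806]: NAA24806: <forged1@example.net>... User unknown
Apr 25 13:22:28 nic sendmail[24806]: NAA24806: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[198.51.100.176]
Apr 25 13:28:17 nic sendmail[24858]: NAA24855: to=<alice@example.net>, delay=00:00:05, xdelay=00:00:01, mailer=local, stat=Sent
Apr 25 13:36:56 nic sendmail[24977]: NAA24977: from=<bob@example.org>, size=2670, class=0, pri=32670, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, relay=mx1.relay-a.example [192.0.2.7]
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: rest"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# key=value pairs; angle-bracketed values may contain commas, others may not
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")
# recipient rejection logged while the envelope is being received
UNKNOWN_RE = re.compile(r"^<([^>]*)>\.{3} User unknown$")
# "name [ip]" or bare "[ip]", the two forms sendmail uses for relay=
RELAY_RE = re.compile(r"^(?:(?P<name>\S+) )?\[(?P<ip>[^\]]+)\]$")


def parse_log(lines):
    """Group log lines by queue id. Each record holds the key=value fields
    of the envelope lines plus the addresses rejected as User unknown."""
    records = defaultdict(lambda: {"unknown": []})
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a sendmail line; ignore
        rec = records[m.group("qid")]
        rest = m.group("rest")
        u = UNKNOWN_RE.match(rest)
        if u:
            rec["unknown"].append(u.group(1))
            continue
        for key, val in KV_RE.findall(rest):
            rec[key] = val.strip("<>").strip()
    return dict(records)


def is_bounce(rec):
    """A delivery status notification carries the null envelope sender."""
    return rec.get("from") == ""


def split_relay(relay):
    """Split 'host [ip]' into (host, ip); host is None if only an IP was logged."""
    m = RELAY_RE.match(relay)
    if not m:
        return relay, None
    return m.group("name"), m.group("ip")


def summarize_bounces(records):
    """Count bounces per relaying host and per forged local address."""
    per_relay = Counter()
    forged = Counter()
    for rec in records.values():
        if not is_bounce(rec):
            continue
        per_relay[rec.get("relay", "(unknown relay)")] += 1
        for addr in rec["unknown"]:
            forged[addr] += 1
    return per_relay, forged


def report(per_relay, forged):
    """Render the summary: relays to ask for full copies, addresses to alias."""
    out = ["Bounces per relay (contact these postmasters for full copies):"]
    for relay, n in per_relay.most_common():
        host, ip = split_relay(relay)
        out.append(f"  {n:4d}  {host or '-':30s} {ip or ''}")
    out.append("Forged local addresses seen (candidates for a catch alias):")
    for addr, n in forged.most_common():
        out.append(f"  {n:4d}  {addr}")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print(report(*summarize_bounces(recs)))
```

Feed it a real /var/log/maillog with `parse_log(open(path))`; lines that are not sendmail entries are skipped, and a message whose from= line has not been logged yet is simply not counted.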
From owner-freebsd-security Tue Apr 25 11:12:45 2000
From: "tjk@tksoft.com"
To: hazed@another.co.uk
Cc: freebsd-security@FreeBSD.ORG, dima@mmc.net.ge
Subject: Re: SPAM Problem!!
Date: Tue, 25 Apr 2000 11:16:02 -0700 (PDT)
Message-Id: <200004251816.LAA07694@uno.tksoft.com>
In-Reply-To: <6112239.956685042682.JavaMail.root@mh-a01.backend.another.com>

There was an article in the L.A. Times, Saturday, April 22, 2000, Home Edition, Section: Business, Page: C-1 (available on L.A. Times online) about a certain very big ISP silently dropping emails from another big ISP, Pacific Bell.

"AOL Blocking E-Mail From Some Pacific Bell Customers"

(Blocking should have said "silently dropping.")

Email has certainly become a lot less reliable than what it used to be. At least if you need to communicate with AOL customers, it seems.

Troy

> On Tue, Apr 25, 2000 at 09:56:01AM -0700, David Babler wrote:
> >
> > > Someone, claiming to be my mail user (different usernames), sends spam
> > > mails to the internet.
> ...
> > What shall I do to find this spammer, or how can I protect my domain
> > reputation.
>
> If the spammer is using dialup accounts from a certain very large global ISP, mentioning no three letter names ;-), it would appear that there is little you can do about your domain's reputation :-(
>
> I see 450+ bounces per day, each one listing tens or hundreds of email recipients that have failed. I have sent headers from a few hundred of a day's bounces with usable headers (i.e. those that didn't pass through MSN's dumb mailers which strip Received: lines!!) to $BIG_ISP's abuse email address but have not even received a human acknowledgement. In the meantime, they appear to silently drop emails from our legitimate customers - well, only if they use sensible email addresses - same people, same mail server, make up a random address with a couple of letters and some numbers and they get through ...!)
>
> While all this is going on, they also seem to ignore emails following their "Mail test" procedure as detailed on their postmaster auto-bounce. Isn't life great........ If only our customers would believe us when we tell them that we've delivered the email to the other ISP, and it's disappeared "somewhere after that", it would be fine, but they seem to have the idea that just because the other ISP is a multinational corporation it must have clue...
>
> I think that the only useful thing you can do with the spam bounces is to identify the abused open relays and report them to relays.mail-abuse.org, ORBS and maybe the relevant postmaster. If anyone has any handy scripts to automate processing bounced spams (*as opposed to received spams*) that they'd be willing to share, please post ;-)
>
> I'm not sure if this is really on-topic for freebsd-security, if anyone would care to suggest a better home please do... (I'm sure it's a bit of a cross-platform issue!)
>
> --
> Apologies for any webmail-related mangling of this message.

From owner-freebsd-security Tue Apr 25 12:02:51 2000
From: Brett Glass
To: dima@mmc.net.ge, freebsd-security@FreeBSD.ORG
Subject: Re: SPAM Problem!!
Date: Tue, 25 Apr 2000 13:01:20 -0600
Message-Id: <4.3.1.2.20000425125525.00bc8930@localhost>
In-Reply-To: <390567C0.AD1ADC3E@mmc.net.ge>

First of all, make sure that your server ISN'T the problem. Are you running the latest version of Sendmail? Are the anti-spamming and anti-relaying provisions in place? If you are an open relay, you may be getting complaints. Or it could be that you are being used as a multi-level relay -- that is, if people are sending spam to one of your machines, which is relaying it to another of your machines, which is then relaying it to the Net. If you can get samples of the spam, you can see.

If your domain is simply being used in forged "from" addresses, find some of the spam and complain to the ISP that's letting the spammer send it.
You have a legal cause of action if they don't kick the spammer off their net. (AOL has won several cases against spammers who used spoofed AOL "from" addresses, and has prodded quite a few ISPs to take action against such spammers.)

--Brett Glass

At 03:39 AM 4/25/2000, dima@mmc.net.ge wrote:
>Someone, claiming to be my mail user (different usernames), sends spam
>mails to the internet.
>I have received a lot of messages from admins and postmasters of
>different servers.
>At the same time I have the following in my mail log, look below.
>What shall I do to find this spammer, or how can I protect my domain
>reputation.

From owner-freebsd-security Tue Apr 25 12:17:27 2000
From: Darren Henderson
To: freebsd-security@FreeBSD.ORG
Subject: Re: SPAM Problem!!
Date: Tue, 25 Apr 2000 15:17:12 -0400 (EDT)
In-Reply-To: <200004251816.LAA07694@uno.tksoft.com>

On Tue, 25 Apr 2000, tjk@tksoft.com wrote:

> Email has certainly become a lot less reliable than what it used
> to be. At least if you need to communicate with AOL customers,
> it seems.

Probably it's being done somewhere already; if so I would like to see pointers to it... Perhaps it's time to start looking at a replacement for smtp. SMTP-NG or some snazzier acronym for secure messaging. Something that is designed for the environment that now exists.

What features would we want to see, what features would be reasonable?
- secure transmission - verifiable transmission path, every system that touches it is verifiable and authenticated - each system encapsulates the entire message, think nested pgp signed messages - make the forging of headers very difficult - etc etc etc What would a secure, difficult to forge, auditable messaging system look like? ______________________________________________________________________ Darren Henderson darren@nighttide.net Help fight junk e-mail, visit http://www.cauce.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 25 14:10:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (jcicorp-gw.compt.com [207.231.193.3]) by hub.freebsd.org (Postfix) with ESMTP id 5850C37BE57 for ; Tue, 25 Apr 2000 14:10:08 -0700 (PDT) (envelope-from klaus@kobold.compt.com) Date: Tue, 25 Apr 2000 17:10:01 -0400 From: Klaus Steden To: freebsd-security@freebsd.org Subject: VPN solutions? Message-ID: <20000425171001.L26650@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, We use a commercial firewall/VPN solution for two of our three network presences; the third is a FreeBSD box running IPfilter (yay, FreeBSD!)... I would like to, if possible, integrate this third system, and its subsequent network, into the VPN. What kind of VPN solutions does FreeBSD offer? thanks, Klaus -- Klaus Steden | Unix Systems Administrator | Command Post Toybox | TODO: http://www.compt.com/ | 1) Learn to use my new Unix account. klaus@compt.com | 2) Learn how to change this list. 
Phone: (416) 585-9995 x345 | Fax: (416) 979-0428 | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 25 14:26:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from red.juniper.net (red.juniper.net [208.197.169.254]) by hub.freebsd.org (Postfix) with ESMTP id CF00437BD91 for ; Tue, 25 Apr 2000 14:26:28 -0700 (PDT) (envelope-from pbauer@juniper.net) Received: from garnet.juniper.net (garnet.juniper.net [208.197.169.237]) by red.juniper.net (8.8.8/8.8.5) with ESMTP id OAA10556 for ; Tue, 25 Apr 2000 14:26:24 -0700 (PDT) Received: from garnet.juniper.net (localhost [127.0.0.1]) by garnet.juniper.net (8.9.3/8.9.3) with ESMTP id OAA52590 for ; Tue, 25 Apr 2000 14:26:23 -0700 (PDT) (envelope-from pbauer@garnet.juniper.net) Message-Id: <200004252126.OAA52590@garnet.juniper.net> X-Mailer: exmh version 2.1.1 10/15/1999 To: freebsd-security@freebsd.org Subject: encryption using wavelan Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 25 Apr 2000 14:26:23 -0700 From: Paul Bauer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Has anyone gotten the wavelan cards (802.11 compliant) working using encryption and FreeBSD 3.4? or any version really. I would like to use the encryption capabilities and find that windows and Linux both have this feature but that FreeBSD doesn't to my knowledge. Is this correct? Any plans on it if not in the process already? Need a guinea pig? Thank You. 
From owner-freebsd-security Tue Apr 25 14:38:47 2000
Date: Tue, 25 Apr 2000 17:38:34 -0400
From: Peter Radcliffe
To: freebsd-security@freebsd.org
Subject: Re: encryption using wavelan
Message-ID: <20000425173834.L3930@pir.net>
References: <200004252126.OAA52590@garnet.juniper.net>
In-Reply-To: <200004252126.OAA52590@garnet.juniper.net>; from pbauer@juniper.net on Tue, Apr 25, 2000 at 02:26:23PM -0700

Paul Bauer probably said:
> Has anyone gotten the wavelan cards (802.11 compliant) working using
> encryption and FreeBSD 3.4? or any version really. I would like to
> use the encryption capabilities and find that windows and Linux both
> have this feature but that FreeBSD doesn't to my knowledge. Is this
> correct?

Support for silver/gold card encryption is in the wi driver and wicontrol as shipped with 4.0-R. The diffs can be patched back into 3.4-(PAO|R|S).

I'm using it at home with a 3.4-PAO laptop as a base station and a 4.0-S and windows dual boot client laptop. Works great.

P.

--
pir                    pir@pir.net
                       pir@net.tufts.edu

From owner-freebsd-security Tue Apr 25 15:05:10 2000
Date: Tue, 25 Apr 2000 15:05:42 -0700 (PDT)
From: "tjk@tksoft.com"
To: brett@lariat.org (Brett Glass)
Cc: dima@mmc.net.ge, freebsd-security@FreeBSD.ORG
Subject: Re: SPAM Problem!!
Message-Id: <200004252205.PAA10330@uno.tksoft.com>
In-Reply-To: <4.3.1.2.20000425125525.00bc8930@localhost> from "Brett Glass" at Apr 25, 0 01:01:20 pm

If you set postmaster to receive copies of all errors, you will see the bounced emails. You might not get the full messages, but at least you will know which systems were involved.

The line in /etc/sendmail.cf is

O PostMasterCopy=postmaster@yourdomain.com

Troy

> First of all, make sure that your server ISN'T the problem. Are
> you running the latest version of Sendmail? Are the anti-spamming
> and anti-relaying provisions in place? If you are an open relay,
> you may be getting complaints. Or it could be that you are
> being used as a multi-level relay -- that is, if people are sending
> spam to one of your machines, which is relaying it to another of your
> machines, which is then relaying it to the Net. If you can get samples
> of the spam, you can see.
>
> If your domain is simply being used in forged "from" addresses,
> find some of the spam and complain to the ISP that's letting the
> spammer send it. You have a legal cause of action if they don't kick
> the spammer off their net. (AOL has won several cases against spammers
> who used spoofed AOL "from" addresses, and has prodded quite a few
> ISPs to take action against such spammers.)
>
> --Brett Glass
>
> At 03:39 AM 4/25/2000, dima@mmc.net.ge wrote:
>
> >Someone, claiming to be my mail user (different usernames), sends spam
> >mails to the internet.
> >I have received a lot of messages from admins and postmasters of
> >different servers.
> >At the same time I have the following in my mail log, look below.
> >What shall I do to find this spammer, or how can I protect my domain
> >reputation.
> >
> >------
> >Apr 25 13:21:07 nic sendmail[24796]: NAA24796: ... User unknown
> >Apr 25 13:21:08 nic sendmail[24796]: NAA24796: from=<>, size=8645, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=lisa.ionsys.com [206.49.34.7]
> >Apr 25 13:21:45 nic sendmail[24801]: NAA24801: ... User unknown
> >Apr 25 13:21:48 nic sendmail[24801]: NAA24801: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[194.73.73.176]
> >Apr 25 13:22:28 nic sendmail[24806]: NAA24806: ... User unknown
> >Apr 25 13:22:28 nic sendmail[24806]: NAA24806: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[194.73.73.176]
> >Apr 25 13:23:22 nic sendmail[24816]: NAA24816: ... User unknown
> >Apr 25 13:23:23 nic sendmail[24816]: NAA24816: from=<>, size=1922, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=sibelius.demon.co.uk [158.152.83.160]
> >--
> >Apr 25 13:25:51 nic sendmail[24832]: NAA24832: ... User unknown
> >Apr 25 13:25:53 nic sendmail[24832]: NAA24832: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=praseodumium.btinternet.com [194.73.73.82]
> >--
> >Apr 25 13:28:17 nic sendmail[24858]: NAA24855: to=, delay=00:00:05, xdelay=00:00:01, mailer=local, stat=Sent
> >Apr 25 13:28:17 nic sendmail[24857]: NAA24857: from=<>, size=7592, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[192.12.130.44]
> >--
> >Apr 25 13:31:07 nic sendmail[24901]: NAA24901: ... User unknown
> >Apr 25 13:31:09 nic sendmail[24901]: NAA24901: from=<>, size=7744, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail2.infohouse.com [204.143.176.5]
> >--
> >Apr 25 13:32:04 nic sendmail[24915]: NAA24915: ... User unknown
> >Apr 25 13:32:05 nic sendmail[24915]: NAA24915: from=<>, size=7795, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail2.infohouse.com [204.143.176.5]
> >--
> >Apr 25 13:33:26 nic sendmail[24928]: NAA24928: ... User unknown
> >Apr 25 13:33:27 nic sendmail[24928]: NAA24928: from=<>, size=2270, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[216.79.19.1]
> >--
> >Apr 25 13:36:50 nic sendmail[24961]: NAA24956: to=, ctladdr= (1002/0), delay=00:00:27, xdelay=00:00:07, mailer=esmtp, relay=praseodumium.btinternet.com. [194.73.73.82], stat=Sent (OK id=12k0i6-0002NB-00)
> >Apr 25 13:36:56 nic sendmail[24977]: NAA24977: from=<>, size=2670, class=0, pri=32670, nrcpts=1, msgid=, proto=ESMTP, relay=praseodumium.btinternet.com [194.73.73.82]
> >--
> >Apr 25 13:37:21 nic sendmail[24993]: NAA24993: ... User unknown
> >Apr 25 13:37:21 nic sendmail[24993]: NAA24993: from=<>, size=9338, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pluto.psn.net [207.211.58.12]
> >Apr 25 13:37:26 nic sendmail[24997]: NAA24997: from=<>, size=2634, class=0, pri=32634, nrcpts=1, msgid=, proto=ESMTP, relay=tungsten.btinternet.com [194.73.73.81]
> >--
> >Apr 25 13:38:40 nic sendmail[25025]: NAA25025: ... User unknown
> >Apr 25 13:38:41 nic sendmail[25025]: NAA25025: from=<>, size=7925, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[207.104.89.13]
> >--
> >Apr 25 13:41:54 nic sendmail[25075]: NAA25075: ... User unknown
> >Apr 25 13:41:55 nic sendmail[25075]: NAA25075: from=<>, size=11085, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail.xmission.com [198.60.22.22]
> >--
> >Apr 25 13:42:06 nic sendmail[25079]: NAA25079: ... User unknown
> >Apr 25 13:42:06 nic sendmail[25079]: NAA25079: from=<>, size=6364, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=rmx05.iname.net [165.251.8.203]

From owner-freebsd-security Tue Apr 25 15:06:02 2000
Date: Tue, 25 Apr 2000 18:04:05 -0400
From: Lamont Lucas
To: Paul Bauer
Cc: freebsd-security@freebsd.org
Subject: Re: encryption using wavelan
Message-ID: <20000425180405.F15217@itsy.spiders.net>
References: <200004252126.OAA52590@garnet.juniper.net>
In-Reply-To: <200004252126.OAA52590@garnet.juniper.net>; from pbauer@juniper.net on Tue, Apr 25, 2000 at 02:26:23PM -0700
Organization: Cluepon Consulting, Inc.
+---
| Has anyone gotten the wavelan cards (802.11 compliant) working using
| encryption and FreeBSD 3.4? or any version really. I would like to use the
| encryption capabilities and find that windows and Linux both have this feature
| but that FreeBSD doesn't to my knowledge. Is this correct?

Encryption works under 4.0, and someone I know backported the changes to 3.4. I have the 128 bit WEP working at home with my cards. Mail me if you want the info on the backporting.

From owner-freebsd-security Tue Apr 25 16:26:43 2000
Date: Tue, 25 Apr 2000 16:26:15 -0700
From: Christian DeKonink
Organization: Sendmail, Inc - Services Department
To: Darren Henderson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SPAM Problem!!
Message-ID: <39062997.B18132A0@sendmail.com>

Darren Henderson wrote:
>
> Probably its being done somewhere already, if so I would like to see
> pointers to it... perhaps its time to start looking at a replacement for
> smtp. SMTP-NG or some snazzier acronym for secure messaging.

While there isn't a pointer just yet, there will be soon, I hope.

> Something that is designed for the environment that now exists.

How about Sendmail? It runs on IPv4 and also on IPv6.

> What features would we want to see, what features would be reasonable?

Let's hear some suggestions. Maybe they are already implemented. The sendmail code is open source and the Sendmail Consortium is open to suggestions.

> - secure transmission

The next version of open-source sendmail, 8.11, will have the ability to encrypt messages while in transit as long as both source and destination MTAs are using TLS. The current _commercial_ version of Sendmail supports server-to-server encryption of email messages using TLS. It would be necessary that all hops that an email touches use TLS in order for the message to be transferred securely. If one hop doesn't support TLS then incoming and outgoing messages to that hop won't get encrypted.

> - verifiable transmission path, every system that touches it is
> verifiable and authenticated

The framework for this system is already in place. In order for this suggestion to work, everyone would have to participate using Digital Certificates. Say, for example, you would only accept email from a machine who can verify they are who they say they are using digitally signed certificates. This requires you to be able to verify the signature of all of the various Certificate Authorities people might use. Not a problem if you trust the Certificate Authority who signed the cert. With OpenSSL it is possible to be your own CA and sign your own Digital Certificates. The question is, who is going to trust someone who says "I am so-and-so because I said I am"? Encryption will still work using self-signed certs, but will others verify you? Authentication methods are in place (MTA-MTA auth using DIGEST-MD5 encryption or MUA-MTA auth using TLS) to authenticate with a username and password.

> - each system encapsulates the entire message, think nested pgp signed
> messages
> - make the forging of headers very difficult

This could be done if everyone uses digitally signed certificates. Unfortunately you can't force people to use them. There is a mechanism already there in Commercial Sendmail, and soon Sendmail 8.11 OpenSource, called STARTTLS, which lets you reject messages that are not verified to be from the domain they claim to be. STARTTLS can be used to allow relaying based on certificates, and to restrict incoming or outgoing connections. For this purpose, several rulesets are available which require some new macros and the access map. Here is the URL: http://www.sendmail.org/~ca/email/starttls

> - etc etc etc
>
> What would a secure, difficult to forge, auditable messaging system look
> like?

Please, I'd like to hear.

Thanks
Christian
--
Christian DeKonink
Technical Support
www.sendmail.com

From owner-freebsd-security Tue Apr 25 16:55:39 2000
Date: Tue, 25 Apr 2000 16:58:36 -0700 (PDT)
From: "tjk@tksoft.com"
To: darren@nighttide.net (Darren Henderson)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SPAM Problem!!
Message-Id: <200004252358.QAA12838@uno.tksoft.com>
In-Reply-To: from "Darren Henderson" at Apr 25, 0 03:17:12 pm

Unfortunately complicated systems have a very poor record of success on the Internet. I think good old-fashioned prison sentences and fines would work the best. I am not saying imprison every spammer; just the ones who engage in fraud. In my books, using somebody else's email address, or a non-existent email address, for sending millions of emails is definitely fraud. There are laws to book these people. Too bad nobody cares to enforce the law when it involves some actual hard work. (It takes more effort per offender to arrest and convict these people than passing out speeding tickets. Therefore, the cities, states, etc. get less revenue from these kinds of cases. And nobody wants to pay more taxes.)

More than 90% of spam which I see, and nearly 100% of the spam I feel strongly about, has a fraudulent sender's email address.

Troy

> On Tue, 25 Apr 2000, tjk@tksoft.com wrote:
>
> > Email has certainly become lot less reliable than what it used
> > to be. At least if you need to communicate with AOL customers,
> > it seems.
>
> Probably its being done somewhere already, if so I would like to see
> pointers to it... perhaps its time to start looking at a replacement for
> smtp. SMTP-NG or some snazzier acronym for secure messaging.
>
> Something that is designed for the environment that now exists.
>
> What features would we want to see, what features would be reasonable?
>
> - secure transmission
> - verifiable transmission path, every system that touches it is
> verifiable and authenticated
> - each system encapsulates the entire message, think nested pgp signed
> messages
> - make the forging of headers very difficult
> - etc etc etc
>
> What would a secure, difficult to forge, auditable messaging system look
> like?
>
> ______________________________________________________________________
> Darren Henderson                                  darren@nighttide.net
>
> Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-security Wed Apr 26 00:11:27 2000
Date: Wed, 26 Apr 2000 00:20:21 -0700
From: "Col.Panic"
To: freebsd-security@FreeBSD.ORG
Subject: RE: log-in-vain [ was: 10 days ]
Message-Id: <4.2.0.58.20000426001631.00aec008@satan.antix.org>
In-Reply-To: <6381A6A8826BD31199500090279CAFBA106958@FOGHORN>
References: <6381A6A8826BD31199500090279CAFBA0D8BC2@FOGHORN>

wow... sorry for the late reply, but the software you are referring to is called portsentry, and was developed by Psionic software (http://www.psionic.com/abacus/portsentry/). I've been running the software, and it seems to do a pretty solid job of finding and blocking port scan attempts. They also have a cool module-based program called hostsentry. It 'watches' your users' login behaviors, and blocks out abnormalities.
-Jason

At 11:17 AM 4/21/2000 -0400, you wrote:
> > > Something you might want to do, if you haven't already, is enable
> > > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'.
> > > It will log connection attempts on ports that have nothing listening on
> > > them. It can be very enlightening.
>
>Same thing goes for logging ipfw on the rejects. It's interesting sometimes
>to fire up another IP alias and see the people scanning by...
>
> > but what does one *do* with the info? there is so much scanning and so
> > many baby cracker attempts that it does little good writing to source address
> > admins. and the sources are spoofed in the majority of the cases anyway.
>
>The best defense is to have as much control or rather restriction as
>possible over what goes on. If it's not needed why have it running. If a
>service on a machine only needs to talk to one other machine use ipfw and
>restrict it. Every little bit helps.
>
>Then sit back, keep things up to date, watch the mailing lists for bugs, and
>just watch what's going on. Like with spam you probably don't send complaints
>about every one of them.
>
> > while i think log watching is important, it can be massive
> > data. so i try to keep it down to those data about which i can do something,
> > either by changing my defenses or by dealing with the source of the problem.
>
>I saw something mentioned a while back on the list that might be of help.
>It was a program that would watch for network scanners. Then when one was
>found scanning around it would send a route packet to your core router to
>forward all traffic from that scanner's IP to the scan watching machine. The
>server then would route the detected scanner to I believe a null device or
>just let the scanner rescan that box again. You would just route small
>chunks of your network(s) to the scan detection machine. I thought it sounded
>great but haven't had the time to contact the author about it.
>
>I don't recall any further discussion on it but what do others think about
>that? Curious to know...
>
>Jason Portwood - jason@iac.net
>Systems Administrator - Strategic/Internet Access Cincinnati
>Sales and Tech Support - 513-860-9052

-[TR] Col.Panic
Founder / Webmaster / Postmaster / Hostmaster, Tech's Revenge
"Out you demons of Stupidity!"
http://www.antix.org          unreal.cts.com:7777  UT CTF 413a
http://www.techsrevenge.com   unreal.cts.com:7788  UT Assault 413a
http://www.heartofevil.com

From owner-freebsd-security Wed Apr 26 02:53:19 2000
Date: 26 Apr 2000 11:53:53 +0200
From: Bjoern Groenvall
To: freebsd-security@FreeBSD.ORG
Subject: Re: encryption using wavelan
References: <200004252126.OAA52590@garnet.juniper.net> <20000425173834.L3930@pir.net>
In-Reply-To: Peter Radcliffe's message of Tue, 25 Apr 2000 17:38:34 -0400

Peter Radcliffe writes:

> I'm using it at home with a 3.4-PAO laptop as a base station and a 4.0-S
> and windows dual boot client laptop. Works great.

When you say that you run it as a base station, do you mean that it is not running in ad-hoc mode?

--
Bjorn Gronvall (Björn Grönvall)
Swedish Institute of Computer Science
PO Box 1263, S-164 29 Kista, Sweden
Email: bg@sics.se, Phone +46 -8 633 15 25
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30

From owner-freebsd-security Wed Apr 26 05:01:38 2000
Date: Wed, 26 Apr 2000 08:00:21 -0400
From: Mike Tancsa
To: Klaus Steden, freebsd-security@FreeBSD.ORG
Subject: Re: VPN solutions?
Message-Id: <4.2.2.20000426075811.0395d2d8@mail.sentex.net>
In-Reply-To: <20000425171001.L26650@cthulu.compt.com>

At 05:10 PM 4/25/2000 -0400, Klaus Steden wrote:
>Hi,
>
>We use a commercial firewall/VPN solution for two of our three network
>presences; the third is a FreeBSD box running IPfilter (yay, FreeBSD!)...
>
>I would like to, if possible, integrate this third system, and its subsequent
>network, into the VPN.
>
>What kind of VPN solutions does FreeBSD offer?

What protocols do the other firewalls support? Some commercial products support SKIP, and you might in that case use it on FreeBSD. See http://www.skip.org and /usr/ports/security/skip

Also, you have IPsec available to you. It might interoperate with your firewalls as well. Similarly, if you have to, /usr/ports/security/poptop, which is MS PPTP, might do the trick.

---Mike

From owner-freebsd-security Wed Apr 26 06:12:17 2000
Date: Wed, 26 Apr 2000 09:11:43 -0400 (EDT)
From: Jim Flowers
To: Bjoern Groenvall
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: encryption using wavelan

I would be interested in this for 4.0-STABLE, too. The documentation for wicontrol still says:

Note: this option is provided for experimental purposes only: enabling the creation of an IBSS on a host system doesn't appear to actually work.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On 26 Apr 2000, Bjoern Groenvall wrote:

> Peter Radcliffe writes:
>
> > I'm using it at home with a 3.4-PAO laptop as a base station and a 4.0-S
> > and windows dual boot client laptop. Works great.
>
> When you say that you run it as a base station, do you mean that it is
> not running in ad-hoc mode?
>
> --
> Bjorn Gronvall (Björn Grönvall)
> Swedish Institute of Computer Science
> PO Box 1263, S-164 29 Kista, Sweden
> Email: bg@sics.se, Phone +46 -8 633 15 25
> Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30

From owner-freebsd-security Wed Apr 26 07:30:53 2000
Date: Wed, 26 Apr 2000 10:30:47 -0400
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: encryption using wavelan
Message-ID: <20000426103047.A4578@pir.net>
In-Reply-To: from jflowers@ezo.net on Wed, Apr 26, 2000 at 09:11:43AM -0400

Please trim replies to minimum text and don't use the M$ style answer-at-top-leaving-a-big-chunk-of-bandwidth-wasting-underneath.

Jim Flowers probably said:
> On 26 Apr 2000, Bjoern Groenvall wrote:
> > When you say that you run it as a base station, do you mean that it is
> > not running in ad-hoc mode?

It's a base station, but it's running in ad-hoc mode, unfortunately.

> I would be interested in this for 4.0-STABLE, too. The documentation for
> wicontrol still says:
> Note: this option is provided for experimental purposes only: enabling the
> creation of an IBSS on a host system doesn't appear to actually work.

Lots of us would be interested in IBSS working on a FreeBSD box; unfortunately I don't believe any of the free unixes have this working. Bill Paul could probably tell you why it doesn't work (since he wrote the driver).

P.

--
pir                    pir@pir.net
                       pir@net.tufts.edu

From owner-freebsd-security Wed Apr 26 09:12:27 2000
Date: Wed, 26 Apr 2000 18:12:21 +0200
From: Sven Huster
To: freebsd-security@freebsd.org
Subject: make world ; make release
Message-ID: <20000426181221.A5712@sirius.hq.netzmarkt.de>
Reply-To: shup@netzmarkt.de

hi there,

i got the sources under /usr/src and in addition the crypto stuff from the internat mirror. does freebsd build any of the crypto doing 'make world'? if not, could i force it to do so, and what is (not) built? how about 'make release'?
Regards, Sven To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 26 9:28:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from tisch.mail.mindspring.net (tisch.mail.mindspring.net [207.69.200.157]) by hub.freebsd.org (Postfix) with ESMTP id AA19E37BF1C for ; Wed, 26 Apr 2000 09:28:06 -0700 (PDT) (envelope-from steve_b@ix.netcom.com) Received: from sb (ali-ca33-21.ix.netcom.com [209.110.232.21]) by tisch.mail.mindspring.net (8.9.3/8.8.5) with SMTP id MAA20815 for ; Wed, 26 Apr 2000 12:28:02 -0400 (EDT) Message-ID: <003201bfaf9c$5e436fa0$6564a8c0@napanet.net> From: "Steve Brown" To: References: <390567C0.AD1ADC3E@mmc.net.ge> Subject: Re: SPAM Problem!! Date: Wed, 26 Apr 2000 09:27:48 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The worst thing I've come across is when they use a fake to: address like allusers@myisp.com maillist@myisp.com customers@myisp.com which really gets the customers mailing in "STOP PUTTING ME ON YOUR SPAM DISTRIBUTION LISTS!" and the like ... Steve ----- Original Message ----- From: To: Sent: Tuesday, April 25, 2000 2:39 AM Subject: SPAM Problem!! > Someone, claiming to be my mail user (different usernames), sends spam > mails to the internet. > I have received a lot of messages from admins and postmasters of > different servers. > At the same time I have the following in my mail log, look below. > What shall I do to find this spammer, or how can I protect my domain > reputation. > > ------ > Apr 25 13:21:07 nic sendmail[24796]: NAA24796: > ...
User unknown > Apr 25 13:21:08 nic sendmail[24796]: NAA24796: from=<>, size=8645, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=lisa.ionsys.com > [206.49.34.7] > Apr 25 13:21:45 nic sendmail[24801]: NAA24801: ... > User unknown > Apr 25 13:21:48 nic sendmail[24801]: NAA24801: from=<>, size=15585, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[194.73.73.176] > Apr 25 13:22:28 nic sendmail[24806]: NAA24806: ... > User unknown > Apr 25 13:22:28 nic sendmail[24806]: NAA24806: from=<>, size=15585, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[194.73.73.176] > Apr 25 13:23:22 nic sendmail[24816]: NAA24816: > ... User unknown > Apr 25 13:23:23 nic sendmail[24816]: NAA24816: from=<>, size=1922, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=sibelius.demon.co.uk > [158.152.83.160] > -- > Apr 25 13:25:51 nic sendmail[24832]: NAA24832: ... > User unknown > Apr 25 13:25:53 nic sendmail[24832]: NAA24832: from=<>, size=15585, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=praseodumium.btinternet.com > [194.73.73.82] > -- > Apr 25 13:28:17 nic sendmail[24858]: NAA24855: to=, > delay=00:00:05, xdelay=00:00:01, mailer=local, stat=Sent > Apr 25 13:28:17 nic sendmail[24857]: NAA24857: from=<>, size=7592, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[192.12.130.44] > -- > Apr 25 13:31:07 nic sendmail[24901]: NAA24901: ... > User unknown > Apr 25 13:31:09 nic sendmail[24901]: NAA24901: from=<>, size=7744, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail2.infohouse.com > [204.143.176.5] > -- > Apr 25 13:32:04 nic sendmail[24915]: NAA24915: > ... User unknown > Apr 25 13:32:05 nic sendmail[24915]: NAA24915: from=<>, size=7795, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail2.infohouse.com > [204.143.176.5] > -- > Apr 25 13:33:26 nic sendmail[24928]: NAA24928: > ... 
User unknown > Apr 25 13:33:27 nic sendmail[24928]: NAA24928: from=<>, size=2270, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[216.79.19.1] > -- > Apr 25 13:36:50 nic sendmail[24961]: NAA24956: > to=, ctladdr= > (1002/0), delay=00:00:27, xdelay=00:00:07, mailer=esmtp, > relay=praseodumium.btinternet.com. [194.73.73.82], stat=Sent (OK > id=12k0i6-0002NB-00) > Apr 25 13:36:56 nic sendmail[24977]: NAA24977: from=<>, size=2670, > class=0, pri=32670, nrcpts=1, > msgid=, proto=ESMTP, > relay=praseodumium.btinternet.com [194.73.73.82] > -- > Apr 25 13:37:21 nic sendmail[24993]: NAA24993: > ... User unknown > Apr 25 13:37:21 nic sendmail[24993]: NAA24993: from=<>, size=9338, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pluto.psn.net > [207.211.58.12] > Apr 25 13:37:26 nic sendmail[24997]: NAA24997: from=<>, size=2634, > class=0, pri=32634, nrcpts=1, > msgid=, proto=ESMTP, > relay=tungsten.btinternet.com [194.73.73.81] > -- > Apr 25 13:38:40 nic sendmail[25025]: NAA25025: ... > User unknown > Apr 25 13:38:41 nic sendmail[25025]: NAA25025: from=<>, size=7925, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[207.104.89.13] > -- > Apr 25 13:41:54 nic sendmail[25075]: NAA25075: ... > User unknown > Apr 25 13:41:55 nic sendmail[25075]: NAA25075: from=<>, size=11085, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=mail.xmission.com > [198.60.22.22] > -- > Apr 25 13:42:06 nic sendmail[25079]: NAA25079: ... 
> User unknown > Apr 25 13:42:06 nic sendmail[25079]: NAA25079: from=<>, size=6364, > class=0, pri=0, nrcpts=0, proto=ESMTP, relay=rmx05.iname.net > [165.251.8.203] > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 26 16:48:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from winschoten.vuurwerk.nl (winschoten.vuurwerk.nl [194.178.232.122]) by hub.freebsd.org (Postfix) with SMTP id 9A89437B8E1 for ; Wed, 26 Apr 2000 16:48:51 -0700 (PDT) (envelope-from petervd@vuurwerk.nl) Received: (qmail 3698 invoked from network); 26 Apr 2000 23:42:08 -0000 Received: from kesteren.vuurwerk.nl (HELO vuurwerk.nl) (194.178.232.59) by winschoten.vuurwerk.nl with SMTP; 26 Apr 2000 23:42:08 -0000 Received: (qmail 96960 invoked by uid 11109); 26 Apr 2000 23:42:09 -0000 Mail-Followup-To: freebsd-security@FreeBSD.ORG Date: Thu, 27 Apr 2000 01:42:09 +0200 From: Peter van Dijk To: freebsd-security@FreeBSD.ORG Subject: Re: make world ; make release Message-ID: <20000427014209.B96710@vuurwerk.nl> References: <20000426181221.A5712@sirius.hq.netzmarkt.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <20000426181221.A5712@sirius.hq.netzmarkt.de>; from shup@netzmarkt.de on Wed, Apr 26, 2000 at 06:12:21PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 26, 2000 at 06:12:21PM +0200, Sven Huster wrote: > hi there, > > i got the sources under /usr/src and in addition the crypto stuff from the internat mirror. > > does freebsd build any of the cryto doing 'make world'? > if not could i force it to do so and what is (not) build? It builds it for me after a crypto cvsup from cvsup.internat.freebsd.org, so same should apply to you. Greetz, Peter. 
-- Peter van Dijk - student/sysadmin/ircoper/madly in love/pretending coder | | 'C makes it easy to shoot yourself in the foot; | C++ makes it harder, but when you do it blows your whole leg off.' | Bjarne Stroustrup, Inventor of C++ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 26 17: 1:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 463E137B8E1 for ; Wed, 26 Apr 2000 17:01:52 -0700 (PDT) (envelope-from randy@psg.com) Received: from randy by rip.psg.com with local (Exim 3.13 #1) id 12kbkd-000GUd-00; Wed, 26 Apr 2000 17:01:51 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: Randy Bush Cc: freebsd-security@freebsd.org To: Paul Bauer Subject: Re: encryption using wavelan Message-Id: Date: Wed, 26 Apr 2000 17:01:51 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Has anyone gotten the wavelan cards (802.11 compliant) working using > encryption and FreeBSD 3.4? or any version really. I would like to use > the encryption capabilities and find that windows and Linux both have this > feature but that FreeBSD doesn't to my knowledge. Is this correct? the encryption is weak. do not use radio without all traffic being seriously encrypted, e.g. with ssh, ipsec, ... 
randy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 26 17: 6:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from pericles.IPAustralia.gov.au (pericles.IPAustralia.gov.au [202.14.186.30]) by hub.freebsd.org (Postfix) with ESMTP id B84B437B986 for ; Wed, 26 Apr 2000 17:06:11 -0700 (PDT) (envelope-from carl@xena.aipo.gov.au) Received: (from smap@localhost) by pericles.IPAustralia.gov.au (8.9.3/8.9.3) id KAA33339; Thu, 27 Apr 2000 10:06:03 +1000 (EST) (envelope-from carl@xena.aipo.gov.au) Received: from newton.aipo.gov.au(10.0.100.18) by pericles.IPAustralia.gov.au via smap (V2.0) id xma033331; Thu, 27 Apr 00 10:06:02 +1000 Received: from localhost (carl@localhost) by newton.aipo.gov.au (8.9.3/8.9.3) with ESMTP id KAA27078; Thu, 27 Apr 2000 10:08:29 +1000 (EST) (envelope-from carl@xena.aipo.gov.au) X-Authentication-Warning: newton.aipo.gov.au: carl owned process doing -bs Date: Thu, 27 Apr 2000 10:08:29 +1000 (EST) From: Carl Makin X-Sender: carl@newton.aipo.gov.au To: Peter van Dijk Cc: freebsd-security@FreeBSD.ORG Subject: Re: make world ; make release In-Reply-To: <20000427014209.B96710@vuurwerk.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 27 Apr 2000, Peter van Dijk wrote: > On Wed, Apr 26, 2000 at 06:12:21PM +0200, Sven Huster wrote: > > does freebsd build any of the cryto doing 'make world'? > > if not could i force it to do so and what is (not) build? > It builds it for me after a crypto cvsup from cvsup.internat.freebsd.org, > so same should apply to you. What about those of us using CTM? I'm currently trying to bring in the internat crypto and I can't see an easy way to do it using CTM. Carl. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 27 2:24: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 857C837B5E1; Thu, 27 Apr 2000 02:23:56 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA62851; Thu, 27 Apr 2000 11:23:41 +0200 (CEST) (envelope-from des@flood.ping.uio.no) To: Kris Kennaway Cc: Otterley , Cy Schubert - ITSD Open Systems Group , Robert Watson , "Michael S. Fischer" , security@FreeBSD.ORG Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd) References: From: Dag-Erling Smorgrav Date: 27 Apr 2000 11:23:40 +0200 In-Reply-To: Kris Kennaway's message of "Fri, 21 Apr 2000 14:39:44 -0700 (PDT)" Message-ID: Lines: 14 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway writes: > Basically, the bottom line is that imap-uw is not safe to use in an > environment where you have users who you don't want to have shell access > to your machine, but unfortunately there isn't much in the way of > alternatives. It's slightly more serious than that. The hole means you get shell access using someone's mail password, which may be easy to retrieve from the client machine's registry, MUA configuration file or what have you. 
DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 27 2:26:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id E57B537B766 for ; Thu, 27 Apr 2000 02:26:54 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA62897; Thu, 27 Apr 2000 11:26:40 +0200 (CEST) (envelope-from des@flood.ping.uio.no) To: Vladimir Girnetz Cc: security@FreeBSD.ORG Subject: Re: about spwd.db References: <18790.000418@dnt.md> From: Dag-Erling Smorgrav Date: 27 Apr 2000 11:26:40 +0200 In-Reply-To: Vladimir Girnetz's message of "Tue, 18 Apr 2000 18:58:10 +0300" Message-ID: Lines: 12 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Vladimir Girnetz writes: > I have on FreeBSD machine about 33000 users and this number grow! > To add a new user takes about 1 minute.At this time the machine is > very busy :( > I use the standart pw, and pwd_mkdb When using pwd_mkdb(8), use the -u option (see the man page). pw(8) already does that. 
DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 27 12:42:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 6D13737B681; Thu, 27 Apr 2000 12:42:22 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id MAA00563; Thu, 27 Apr 2000 12:42:22 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 27 Apr 2000 12:42:22 -0700 (PDT) From: Kris Kennaway To: Dag-Erling Smorgrav Cc: security@FreeBSD.ORG Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 27 Apr 2000, Dag-Erling Smorgrav wrote: > It's slightly more serious than that. The hole means you get shell > access using someone's mail password, which may be easy to retrieve > from the client machine's registry, MUA configuration file or what > have you. Well, that much is basically a given, it's just a correspondence with the fact that under normal operating circumstances a person who does that can read their email. Kris ---- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 27 13:19:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 9F1B237B52F; Thu, 27 Apr 2000 13:19:46 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA06226; Thu, 27 Apr 2000 13:19:46 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 27 Apr 2000 13:19:45 -0700 (PDT) From: Kris Kennaway To: Carl Makin Cc: Peter van Dijk , freebsd-security@FreeBSD.ORG Subject: Re: make world ; make release In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 27 Apr 2000, Carl Makin wrote: > What about those of us using CTM? I'm currently trying to bring in the > internat crypto and I can't see an easy way to do it using CTM. There's a crypto CTM list run by (I think) Mark Murray (markm@freebsd.org)..see if it's mentioned in the handbook about how to subscribe. Kris ---- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 27 19:19:38 2000 Delivered-To: freebsd-security@freebsd.org Received: from usc.edu (usc.edu [128.125.253.136]) by hub.freebsd.org (Postfix) with ESMTP id 602F537B5A9 for ; Thu, 27 Apr 2000 19:19:33 -0700 (PDT) (envelope-from walker@usc.edu) Received: from skat.usc.edu (walker@skat.usc.edu [128.125.253.131]) by usc.edu (8.9.3.1/8.9.3/usc) with ESMTP id TAA01046 for ; Thu, 27 Apr 2000 19:19:32 -0700 (PDT) Received: from localhost (walker@localhost) by skat.usc.edu (8.10.1/8.10.1/usc) with ESMTP id e3S2JWK07389 for ; Thu, 27 Apr 2000 19:19:32 -0700 (PDT) Date: Thu, 27 Apr 2000 19:19:31 -0700 (PDT) From: Mike Walker To: security@freebsd.org Subject: Re: about spwd.db (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org would using NIS from another server solve his problem? ---------- Forwarded message ---------- Date: 27 Apr 2000 11:26:40 +0200 From: Dag-Erling Smorgrav To: Vladimir Girnetz Cc: security@FreeBSD.ORG Subject: Re: about spwd.db Vladimir Girnetz writes: > I have on FreeBSD machine about 33000 users and this number grow! > To add a new user takes about 1 minute.At this time the machine is > very busy :( > I use the standart pw, and pwd_mkdb When using pwd_mkdb(8), use the -u option (see the man page). pw(8) already does that. 
DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 27 23:44:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from grimreaper.grondar.za (grimreaper.grondar.za [196.7.18.138]) by hub.freebsd.org (Postfix) with ESMTP id 0331237BE0B for ; Thu, 27 Apr 2000 23:44:27 -0700 (PDT) (envelope-from mark@grondar.za) Received: from grimreaper.grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.9.3/8.9.3) with ESMTP id IAA02439; Fri, 28 Apr 2000 08:44:17 +0200 (SAST) (envelope-from mark@grimreaper.grondar.za) Message-Id: <200004280644.IAA02439@grimreaper.grondar.za> To: shup@netzmarkt.de Cc: freebsd-security@FreeBSD.ORG Subject: Re: make world ; make release References: <20000426181221.A5712@sirius.hq.netzmarkt.de> In-Reply-To: <20000426181221.A5712@sirius.hq.netzmarkt.de> ; from Sven Huster "Wed, 26 Apr 2000 18:12:21 +0200." Date: Fri, 28 Apr 2000 08:44:17 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > does freebsd build any of the cryto doing 'make world'? > if not could i force it to do so and what is (not) build? Look in /etc/[defaults/]make.conf for the tweaks. 
M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 28 21:19:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from srv4inet.mymail.com.br (srv4inet.mymail.com.br [200.202.37.5]) by hub.freebsd.org (Postfix) with ESMTP id A6B6C37B9EA for ; Fri, 28 Apr 2000 21:19:44 -0700 (PDT) (envelope-from fsc@mymail.com.br) Received: from [200.248.180.105] by srv4inet.mymail.com.br (NTMail 5.03.0001/NT7478.00.fa8025c8) with ESMTP id fqftbaaa for freebsd-security@freebsd.org; Sat, 29 Apr 2000 01:14:42 -0300 Message-Id: <3.0.6.32.20000429012053.014f1ec0@mymail.com.br> X-Sender: fsc@mymail.com.br X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32) Date: Sat, 29 Apr 2000 01:20:53 -0300 To: freebsd-security@freebsd.org From: Fabio da Silva Cunha Subject: e-mail auditing in sendmail 8.9.3/8.10.1 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Friends! I need to copy all mail processed (in / out) through my mail server (FreeBSD/Sendmail) to one user account (auditor@mydomain.com.br). Is it possible with sendmail 8.9.3/8.10.1? - For incoming, I used the /etc/alias file, but for outgoing I don't have a solution. :( Thanks in advance! Fábio S.
Cunha To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 28 22:21:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from tsolab.org (dnn.rockefeller.edu [129.85.40.126]) by hub.freebsd.org (Postfix) with ESMTP id 0729C37B87F for ; Fri, 28 Apr 2000 22:21:33 -0700 (PDT) (envelope-from dan@tsolab.org) Received: from tsolab.org (ts007d07.sun-fl.concentric.net [206.173.68.67]) by tsolab.org (8.8.7/8.8.7) with SMTP id BAA17065; Sat, 29 Apr 2000 01:11:26 -0400 (EDT) (envelope-from dan@tsolab.org) Message-ID: <390A7095.368ACB80@tsolab.org> Date: Sat, 29 Apr 2000 01:18:14 -0400 From: Dan Tso Reply-To: dan@tsolab.org Organization: The Rockefeller University X-Mailer: Mozilla 4.51 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: Fabio da Silva Cunha Cc: freebsd-security@FreeBSD.ORG Subject: Re: e-mail auditing in sendmail 8.9.3/8.10.1 References: <3.0.6.32.20000429012053.014f1ec0@mymail.com.br> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I need to copy all mail processed (in / out) through my mail server > (FreeBSD/Sendmail) to one user account (auditor@mydomain.com.br) it's > possible with sendmail 8.9.3/8.10.1 ? > > - For incoming, i used the /etc/alias file, but for outgoing i don't have a > solution. :( This is really a question for the sendmail forums and it comes up all the time. At least when I researched it, the basic message was that sendmail doesn't come with a canned solution for this (logging outgoing mail) on purpose, primarily due to invasion of privacy issues felt by the core developers/maintainers. However there are possibilities: 1) obviously, use something other than sendmail.
I believe qmail and postfix provide this feature, 2) there is a C source level hack to include this feature in sendmail which has been posted to USENET, 3) you can alter the sendmail.cf file to do it, either using something like procmail, or sendmail itself. This method, while not the most efficient, is the easiest. I am using a version of solution 3, modified from an example posted to USENET (which didn't seem to be completely tested as far as I could tell). The nasties are like if you ever do bulk mailing (mailing lists, etc), you may want an escape mechanism to avoid 1000's of copies of the same email in your log file. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 28 23:24: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from jason.argos.org (a1-3b058.neo.rr.com [24.93.181.58]) by hub.freebsd.org (Postfix) with ESMTP id 81DAE37BA7C for ; Fri, 28 Apr 2000 23:23:57 -0700 (PDT) (envelope-from mike@argos.org) Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id CAA13712; Sat, 29 Apr 2000 02:23:16 -0400 Date: Sat, 29 Apr 2000 02:23:15 -0400 (EDT) From: Mike Nowlin To: Dan Tso Cc: Fabio da Silva Cunha , freebsd-security@FreeBSD.ORG Subject: Re: e-mail auditing in sendmail 8.9.3/8.10.1 In-Reply-To: <390A7095.368ACB80@tsolab.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > I need to copy all mail processed (in / out) through my mail server > > (FreeBSD/Sendmail) to one user account (auditor@mydomain.com.br) it's > > possible with sendmail 8.9.3/8.10.1 ? > > This is really a question for the sendmail forums and it comes up all > the time. 
At least when I researched it, the basic message was that > sendmail doesn't come with a canned solution for this (logging outgoing > mail) on purpose, primarily due to invasion of privacy issues felt by > the core developers/maintainers. However there are possibilities: > 1) obviously, use something other than sendmail. I believe qmail and > postfix provide this feature, > 2) there is a C source level hack to include this feature in sendmail > which has been posted to USENET, > 3) you can alter the sendmail.cf file to do it, either using something > like procmail, or sendmail itself. This method, while not the most > efficient, is the easiest. It also depends on what you're trying to catch. It's trivial for someone to bypass whatever you do to sendmail for outgoing messages - just open a connection directly to the receiving machine on port 25 and "emulate" sendmail - some mail readers can do this anyway, avoiding sendmail. Firewalling can help -- if I remember correctly, there's some sort of rule in ipfw or ipf that provides "only allow packets destined for port 25 of some other machine if they're originating on a program running as root" capability.... If you're just trying to catch someone doing a particular thing, and you have enough drive space available, tcpdump and ports/net/tcpshow can record everything on port 25 as sorta-text...
--mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 29 15:50:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-051.resnet.wisc.edu [146.151.42.51]) by hub.freebsd.org (Postfix) with SMTP id 807E537B5B9 for ; Sat, 29 Apr 2000 15:50:42 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 7375 invoked by uid 1000); 29 Apr 2000 22:50:41 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Apr 2000 22:50:41 -0000 Date: Sat, 29 Apr 2000 17:50:41 -0500 (CDT) From: Mike Silbersack To: Brett Glass Cc: Wes Peters , security@FreeBSD.ORG Subject: Re: stream.c followup / MFC request In-Reply-To: <4.3.1.2.20000423215640.00aea820@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks to Wes, the patch was committed to 3.x on the 24th, so anyone who has cvsup'd since then can now sleep (a bit) easier. Mike "Silby" Silbersack On Sun, 23 Apr 2000, Brett Glass wrote: > I applied my own patch. I certainly HOPE that the 3.x branch > is being updated. 4.0 shows promise, but we never run any new > version on a production machine until it's at least at .2 or > .3. It's unfortunate that many of the developers seem to concentrate > on the bleeding edge when BSD gets its reputation for stability from > the "stable" branches. 
> > --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 29 18:17:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from turtle.looksharp.net (cc360882-a.strhg1.mi.home.com [24.2.221.22]) by hub.freebsd.org (Postfix) with ESMTP id 964F937B559 for ; Sat, 29 Apr 2000 18:17:20 -0700 (PDT) (envelope-from bsdx@looksharp.net) Received: from localhost (bsdx@localhost) by turtle.looksharp.net (8.9.3/8.9.3) with ESMTP id VAA25530; Sat, 29 Apr 2000 21:16:02 -0400 (EDT) (envelope-from bsdx@looksharp.net) Date: Sat, 29 Apr 2000 21:16:02 -0400 (EDT) From: Adam To: Mike Nowlin Cc: Dan Tso , Fabio da Silva Cunha , freebsd-security@FreeBSD.ORG Subject: Re: e-mail auditing in sendmail 8.9.3/8.10.1 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I believe mailsnarf from http://www.monkey.org/~dugsong/dsniff/ will log mails going over the wire, this should help you out. There is also a port for it in the ports tree. On Sat, 29 Apr 2000, Mike Nowlin wrote: > > >> > I need to copy all mail processed (in / out) through my mail server >> > (FreeBSD/Sendmail) to one user account (auditor@mydomain.com.br) it's >> > possible with sendmail 8.9.3/8.10.1 ? >> >> This is really a question for the sendmail forums and it comes up all >> the time. At least when I researched it, the basic message was that >> sendmail doesn't come with a canned solution for this (logging outgoing >> mail) on purpose, primarily due to invasion of privacy issues felt by >> the core developers/maintainers. However there are possibilities: >> 1) obviously, use something other than sendmail.
I believe qmail and >> postfix provide this feature, >> 2) there is a C source level hack to include this feature in sendmail >> which has been posted to USENET, >> 3) you can alter the sendmail.cf file to do it, either using something >> like procmail, or sendmail itself. This method, while not the most >> efficient, is the easiest. > > >It also depends on what you're trying to catch. It's trivial for someone >to bypass whatever you do to sendmail for outgoing messages - just open a >connection directly to the receiving machine on port 25 and "emulate" >sendmail - some mail readers can do this anyway, avoiding sendmail. >Firewalling can help -- if I remember correctly, there's some >sort of rule in ipfw or ipf that provides "only allow packets destined for >port 25 of some other machine if they're originating on a program running >as root" capability.... If you're just trying to catch someone doing a >particular thing, and you have enough drive space available, tcpdump and >ports/net/tcpshow can record everything on port 25 as sorta-text... 
> >--mike > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 29 23:48:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from ady.warpnet.ro (ady.warpnet.ro [194.102.224.1]) by hub.freebsd.org (Postfix) with ESMTP id 0898A37BC18; Sat, 29 Apr 2000 23:48:08 -0700 (PDT) (envelope-from ady@warpnet.ro) Received: from localhost (ady@localhost) by ady.warpnet.ro (8.9.3/8.9.3) with ESMTP id JAA36875; Sun, 30 Apr 2000 09:50:45 +0300 (EEST) (envelope-from ady@warpnet.ro) Date: Sun, 30 Apr 2000 09:50:45 +0300 (EEST) From: Adrian Penisoara To: freebsd-security@freebsd.org Cc: Kris Kennaway Subject: mail/imap-uw port: upgraded from 4.7b to 4.7c(1) [still 12.264] Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, Could you please check out the new version committed yesterday? BTW, while we're at it: the port auditing folks should take a look at mlock sources (in imap-utils source tarball) -- it's an SGID executable!
Thanks, Ady (@freebsd.ady.ro) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 29 23:51: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id E869237B51A; Sat, 29 Apr 2000 23:51:00 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id XAA08239; Sat, 29 Apr 2000 23:51:00 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Sat, 29 Apr 2000 23:51:00 -0700 (PDT) From: Kris Kennaway To: Adrian Penisoara Cc: freebsd-security@freebsd.org Subject: Re: mail/imap-uw port: upgraded from 4.7b to 4.7c(1) [still 12.264] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 30 Apr 2000, Adrian Penisoara wrote: > Hi, > > Could you please check out the new version committed yesterday ? Yeah, I will when I get the chance. Thanks for the reminder :) > BTW, while we're at it: the port auditing folks should take a look at > mlock sources (in imap-utils source tarball) -- it's an SGID executable! One would hope this is okay, given the imap-uw folks claim to have performed a comprehensive audit on the set[ug]id parts of their code. Kris ---- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
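The sendmail log quoted in the "SPAM Problem!!" message earlier in this digest shows the signature of a forged-sender spam run: a stream of bounces (from=<>) arriving from unrelated relays, each addressed to a local user that does not exist, because someone put made-up addresses in that domain on the envelope of spam sent elsewhere. Nothing in that log passed through the poster's server on the way out, which is why the fix is not a relay setting on his machine. As an added example, not part of any message in this digest and not FreeBSD or sendmail code, the Python below parses that 8.9-style log format, folds the two lines sendmail writes per queue id into one record, and separates such backscatter from ordinary bounces and ordinary mail. The sample lines are constructed to match the quoted excerpt; the rejected addresses (bogus1@nic.example and so on), the partner.example sender and the msgid values are assumptions, since the page's copy of the log lost the <address> field in front of "... User unknown".

```python
import re

# Constructed sample, modelled on the sendmail 8.9 log excerpt quoted in the
# "SPAM Problem!!" message. The <address> before "... User unknown" was lost
# in the page's copy, so bogusN@nic.example, partner.example and the msgid
# values are assumptions; the from=/size=/nrcpts=/relay= fields follow the
# quoted lines.
SAMPLE_LOG = """\
Apr 25 13:21:07 nic sendmail[24796]: NAA24796: <bogus1@nic.example>... User unknown
Apr 25 13:21:08 nic sendmail[24796]: NAA24796: from=<>, size=8645, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=lisa.ionsys.com [206.49.34.7]
Apr 25 13:21:45 nic sendmail[24801]: NAA24801: <bogus2@nic.example>... User unknown
Apr 25 13:21:48 nic sendmail[24801]: NAA24801: from=<>, size=15585, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[194.73.73.176]
Apr 25 13:23:22 nic sendmail[24816]: NAA24816: <bogus3@nic.example>... User unknown
Apr 25 13:23:23 nic sendmail[24816]: NAA24816: from=<>, size=1922, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=sibelius.demon.co.uk [158.152.83.160]
Apr 25 13:36:56 nic sendmail[24977]: NAA24977: from=<>, size=2670, class=0, pri=32670, nrcpts=1, msgid=<E12k0i6-0002NB-00@praseodumium.btinternet.com>, proto=ESMTP, relay=praseodumium.btinternet.com [194.73.73.82]
Apr 25 13:40:00 nic sendmail[25100]: NAA25100: from=<alice@partner.example>, size=3000, class=0, pri=33000, nrcpts=1, msgid=<abc@partner.example>, proto=ESMTP, relay=mx.partner.example [192.0.2.10]
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: rest"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: '
    r'(?P<qid>\w+): (?P<rest>.*)$')
# RCPT rejected for a non-existent local user
UNKNOWN_RE = re.compile(r'^<(?P<rcpt>[^>]*)>\.\.\. User unknown$')
# envelope summary; class=/pri=/msgid= are skipped, nrcpts= and relay= kept
FROM_RE = re.compile(
    r'^from=<(?P<sender>[^>]*)>, size=\d+, .*?nrcpts=(?P<nrcpts>\d+), '
    r'.*?relay=(?P<relay>.+)$')


def parse_sendmail_log(text):
    """Return {queue_id: record}, merging the per-message lines sendmail
    writes under one queue id (rejections first, then the from= summary)."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail line
        rest = m.group("rest")
        u = UNKNOWN_RE.match(rest)
        f = FROM_RE.match(rest)
        if not (u or f):
            continue  # delivery status and other lines are not needed here
        rec = records.setdefault(m.group("qid"), {
            "ts": m.group("ts"), "sender": None, "nrcpts": None,
            "relay": None, "unknown_rcpts": []})
        if u:
            rec["unknown_rcpts"].append(u.group("rcpt"))
        else:
            rec["sender"] = f.group("sender")        # "" means null sender
            rec["nrcpts"] = int(f.group("nrcpts"))  # recipients accepted
            rec["relay"] = f.group("relay")
    return records


def classify(rec):
    """backscatter: a null-sender message (a bounce) aimed only at local
    addresses that do not exist, i.e. our domain was forged on mail we
    never sent. bounce: a null-sender message that reached a real mailbox.
    mail: everything else."""
    if rec["sender"] == "" and rec["unknown_rcpts"] and rec["nrcpts"] == 0:
        return "backscatter"
    if rec["sender"] == "":
        return "bounce"
    return "mail"


def backscatter_report(text, min_relays=3):
    """Summarise a log excerpt. joe_job is set when backscatter comes from
    at least min_relays distinct relays: one misconfigured peer bouncing to
    us looks different from the whole Internet bouncing forged spam."""
    recs = parse_sendmail_log(text)
    bs = {q: r for q, r in recs.items() if classify(r) == "backscatter"}
    relays = {r["relay"] for r in bs.values()}
    forged = sorted(a for r in bs.values() for a in r["unknown_rcpts"])
    return {"backscatter": len(bs), "relays": sorted(relays),
            "forged_addresses": forged, "joe_job": len(relays) >= min_relays}
```

Feed it a real excerpt with backscatter_report(open("/var/log/maillog").read()). The forged_addresses list is the useful output: it tells you which local parts the spammer invented (so you can recognise his later runs) and, with the relay list, which sites to send the evidence to; a single relay dominating the list is the case where a check_mail or firewall rule against that host is worth it, while a long tail of unrelated relays is the joe-job case, where the only real mitigation is on the receiving sites' side. Note that a bounce with nrcpts=1 to an existing mailbox is classified as a normal bounce and not counted, so a mailbox that really did send mail that bounced is not mistaken for forgery.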