From owner-freebsd-security Sun Aug 12 2:50:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elm.phenome.org (elm.phenome.org [194.153.169.3]) by hub.freebsd.org (Postfix) with ESMTP id 4B53E37B405; Sun, 12 Aug 2001 02:50:40 -0700 (PDT) (envelope-from joshua@roughtrade.net)
Received: from localhost (joshua@localhost [127.0.0.1]) by localhost (8.12.0.Beta7/8.12.0.Beta7/Debian 8.12.0.Beta7-1) with ESMTP id f7C9oXCC016124; Sun, 12 Aug 2001 10:50:33 +0100
Date: Sun, 12 Aug 2001 10:50:33 +0100 (BST)
From: Joshua Goodall
To: Krzysztof Zaraska
Cc: John Van Boxtel
Subject: Re: distributed natd
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you want to do failover between two NAT gateways, you can avoid
reinventing much of the high-availability wheel with the net/vrrp port and
taking things from there. VRRP was defined specifically to support router
failover. Perhaps you can piggyback state onto the advertisements?

You realise this generalises to high-availability aliased cluster services
with distributed locking & shared state, dontcha? [1]

J

[1] also known as vms clustering :)

On Sat, 11 Aug 2001, Krzysztof Zaraska wrote:

> > Keeping with the above ping pong idea, maybe instead of icmp packets you can
> > stick with TCP and have the data in the packet have some sort of "upstream
> > ok" / "upstream down" bit in it...
> By "ping" I did not mean sending ICMP to the peer gateway, but sending a
> special command over this TCP/UDP link between gateways forcing the other
> end to issue a reply. However, it occurred to me later that if we have
> traffic, then we have state tables updated constantly, thus the alive gateway
> should send the others notifications all the time. So we should try to
> "ping" it only in case it goes silent (= no update request within a given
> interval) to see if it died or the workstation users went home ;) "Upstream
> up/down" flag is a good idea.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 12 5:40:14 2001
Date: Sun, 12 Aug 2001 14:38:38 +0200
From: "Rolandas Garska"
Organization: Klaipeda University
Subject: FreeBSD-SA-01:40.fts.asc
Message-ID: <002001c1232b$b72b2af0$c74cdbc1@ku.lt>

I cannot find /usr/src/usr.bin/chgrp in the source tree on my 4.3-RELEASE.
From owner-freebsd-security Sun Aug 12 7:37:52 2001
Date: Sun, 12 Aug 2001 16:37:46 +0200
From: Alexander Langer
To: freebsd-security@FreeBSD.org
Subject: providing security patches, patching live kernels
Message-ID: <20010812163746.A17136@kawoserv.kawo2.rwth-aachen.de>

Hi!

I've created a kernel module which replaces the insecure nfs_mount() function
(from nfs_vfsops.c) with the fixed version Peter Wemm committed on Friday, in
a running kernel (it modifies the nfs_vfsops structure, for those that are
interested; I also tried a different approach that can be used with any
arbitrary function in the kernel).

Having such a thing, I had the idea to create some distribution channel (a
ports category or signed packages from ftp [I prefer the latter]) for
security fixes (similar to the fixes to the RELENG_4_3 branch!). Those
packages could be applied to a running system w/o the need to rebuild/reboot
a kernel or fix network daemons (in the case of telnetd etc).

The next security advisories could then describe either how to manually apply
a patch, or just say "To fix, just do pkg_install
ftp://ftp.freebsd.org/pub/FreeBSD/security-fixes/RELENG_4/foobar-fix-01.tgz".

Could be quite handy. I strongly believe that even most kernel security flaws
can be fixed by modules that provide their own function. However, this is
only a temporary solution until the administrator is able to build a new
kernel(!), but it's _really_ useful if you want the security fix but mustn't
reboot a system. However, having such a service would be quite cool!

As an example, see the nfspatch kernel mod at
http://people.freebsd.org/~alex/nfspatch.tar.gz

Just build and load the module. To verify that it actually replaces the
function, you might want to add a printf() and mount_nfs some volume.

A fix package could install some script that loads the kernel module only
until a fixed kernel was built (however this is done).

Comments?

Alex

From owner-freebsd-security Sun Aug 12 8:16:42 2001
Date: Sun, 12 Aug 2001 11:15:49 -0400 (EDT)
From: Matthew Sundling
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Cc: sundlm@rpi.edu
Subject: security check output: questionable setuid diffs help?

I am new to the land of maintaining and securing my own unix-like box, and so
I have been presented with all the new problems (interesting learning
experiences?) that lie therein.

FYI: my machine = FreeBSD 4.3-RELEASE #2: Fri Aug 3 19:32:28 GMT 2001

I just started reading/following online security related websites on how to
secure my machine yesterday (before yesterday my machine was running at
securelevel=-1, with finger/telnet/ftp all still active in the default
manner), and curiously messages appeared in my daily security check emails
today (pasted below). Please note the change in time stamp. I would also
point out the fact that I started logging TCP/UDP connection attempts
yesterday, and it looked like several (~7) machines were port scanning. Also,
my ISP is a rather open cable modem network. Also, I know little about true
security and the art of detecting breaches. And I have not done any recent
make worlds or installed any new system software since yesterday that would
cause these changes. I did remove all services from the inetd, though...

Also, the header of the daily security log included:

> To: undisclosed-recipients:;

Is this normal? I ask because I have no 'original' logs to compare the header
against, so I can't tell if this is normal. I checked my crontab and
/etc/periodic/* stuff and it _seems_ like root is the only recipient, but I
can't really tell.

Any suggestions? Has my machine been penetrated? Any advice?

(Please excuse the long posting, but the entries are repetitive and the
pattern easy to see)

my.hostaddr.goes.here setuid diffs:
1,74c1,79
< 31242 -r-xr-sr-x 1 root operator 56892 Apr 21 09:05:46 2001 /bin/df
< 31254 -r-sr-xr-x 1 root wheel 317400 Apr 21 09:13:35 2001 /bin/rcp
< 46878 -r-xr-sr-x 1 root kmem 62792 Apr 21 09:08:02 2001 /sbin/ccdconfig
< 46884 -r-xr-sr-x 1 root kmem 69512 Apr 21 09:08:03 2001 /sbin/dmesg
< 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 09:14:14 2001 /sbin/dump
< 46922 -r-sr-xr-x 1 root wheel 196376 Apr 21 09:08:15 2001 /sbin/ping
< 46923 -r-sr-xr-x 1 root bin 191380 Apr 21 09:08:15 2001 /sbin/ping6
< 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 09:14:14 2001 /sbin/rdump
< 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 09:14:18 2001 /sbin/restore
< 46885 -r-sr-xr-x 1 root wheel 192484 Apr 21 09:08:16 2001 /sbin/route
< 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 09:14:18 2001 /sbin/rrestore
< 46932 -r-sr-x--- 1 root operator 165008 Apr 21 09:08:17 2001 /sbin/shutdown
< 548209 -rwsr-xr-x 1 root wheel 7533 Mar 22 05:28:49 2001 /usr/X11R6/bin/Xwrapper
< 548170 -rwsr-xr-x 1 root wheel 11980 Mar 22 05:27:06 2001 /usr/X11R6/bin/dga
< 326018 -r-sr-xr-x 1 root wheel 8948 Apr 18 21:44:29 2001 /usr/X11R6/bin/gnome-pty-helper
< 548203 -rwsr-xr-x 1 root wheel 166040 Mar 22 05:27:26 2001 /usr/X11R6/bin/xterm
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/at
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/atq
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/atrm
< 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 09:09:19 2001 /usr/bin/batch
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/chfn
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/chpass
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/chsh
< 8247 -r-sr-xr-x 1 root wheel 24508 Apr 21 09:09:59 2001 /usr/bin/crontab
< 7937 -r-sr-sr-x 1 uucp dialer 123888 Apr 21 09:06:15 2001 /usr/bin/cu
< 8079 -r-xr-sr-x 1 root kmem 13108 Apr 21 09:09:26 2001 /usr/bin/fstat
< 8094 -r-xr-sr-x 1 root kmem 9832 Apr 21 09:09:27 2001 /usr/bin/ipcs
< 8100 -r-sr-xr-x 1 root wheel 510 Apr 21 09:09:28 2001 /usr/bin/keyinfo
< 8101 -r-sr-xr-x 1 root wheel 7444 Apr 21 09:09:28 2001 /usr/bin/keyinit
< 8118 -r-sr-xr-x 1 root wheel 7004 Apr 21 09:09:31 2001 /usr/bin/lock
< 8121 -r-sr-xr-x 1 root wheel 20436 Apr 21 09:14:06 2001 /usr/bin/login
< 8252 -r-sr-sr-x 1 root daemon 23720 Apr 21 09:10:26 2001 /usr/bin/lpq
< 8253 -r-sr-sr-x 1 root daemon 27304 Apr 21 09:10:26 2001 /usr/bin/lpr
< 8254 -r-sr-sr-x 1 root daemon 22668 Apr 21 09:10:26 2001 /usr/bin/lprm
< 7993 -r-sr-xr-x 1 man wheel 28512 Apr 21 09:06:46 2001 /usr/bin/man
< 8140 -r-xr-sr-x 1 root kmem 85712 Apr 21 09:09:35 2001 /usr/bin/netstat
< 8142 -r-xr-sr-x 1 root kmem 9936 Apr 21 09:09:35 2001 /usr/bin/nfsstat
< 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 09:14:08 2001 /usr/bin/passwd
< 8156 -r-sr-xr-x 1 root wheel 10440 Apr 21 09:09:37 2001 /usr/bin/quota
< 8150 -r-sr-xr-x 1 root wheel 17564 Apr 21 09:14:09 2001 /usr/bin/rlogin
< 8152 -r-sr-xr-x 1 root wheel 14748 Apr 21 09:14:10 2001 /usr/bin/rsh
< 8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 09:14:10 2001 /usr/bin/su
< 8179 -r-xr-sr-x 1 root kmem 56144 Apr 21 09:09:41 2001 /usr/bin/systat
< 8187 -r-xr-sr-x 1 root kmem 32344 Apr 21 09:09:42 2001 /usr/bin/top
< 7938 -r-sr-xr-x 1 uucp wheel 88228 Apr 21 09:06:16 2001 /usr/bin/uucp
< 7940 -r-sr-xr-x 1 uucp wheel 37312 Apr 21 09:06:16 2001 /usr/bin/uuname
< 7943 -r-sr-sr-x 1 uucp dialer 96752 Apr 21 09:06:16 2001 /usr/bin/uustat
< 7945 -r-sr-xr-x 1 uucp wheel 88844 Apr 21 09:06:16 2001 /usr/bin/uux
< 8212 -r-xr-sr-x 1 root kmem 16368 Apr 21 09:09:47 2001 /usr/bin/vmstat
< 8214 -r-xr-sr-x 1 root tty 9040 Apr 21 09:09:47 2001 /usr/bin/wall
< 8222 -r-xr-sr-x 1 root tty 7500 Apr 21 09:09:48 2001 /usr/bin/write
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/ypchfn
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/ypchpass
< 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 09:09:21 2001 /usr/bin/ypchsh
< 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 09:14:08 2001 /usr/bin/yppasswd
< 730141 -r-xr-sr-x 1 root games 7176 Apr 21 09:05:56 2001 /usr/games/dm
< 476168 -r-sr-xr-x 1 root wheel 398740 Apr 21 09:10:28 2001 /usr/libexec/sendmail/sendmail
< 492035 -r-sr-sr-x 1 uucp dialer 220704 Apr 21 09:06:15 2001 /usr/libexec/uucp/uucico
< 492036 -r-sr-s--- 1 uucp uucp 99584 Apr 21 09:06:17 2001 /usr/libexec/uucp/uuxqt
< 183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 14:18:49 2001 /usr/local/bin/xscreensaver
< 507951 -r-xr-sr-x 1 root kmem 4664 Apr 21 09:10:01 2001 /usr/sbin/ifmcstat
< 507953 -r-xr-sr-x 1 root kmem 9608 Apr 21 09:10:01 2001 /usr/sbin/iostat
< 508068 -r-xr-sr-x 1 root daemon 30196 Apr 21 09:10:25 2001 /usr/sbin/lpc
< 507971 -r-sr-xr-x 1 root wheel 16348 Apr 21 09:10:04 2001 /usr/sbin/mrinfo
< 507973 -r-sr-xr-x 1 root wheel 29896 Apr 21 09:10:05 2001 /usr/sbin/mtrace
< 508111 -r-sr-xr-- 1 root network 295124 Apr 21 09:10:16 2001 /usr/sbin/ppp
< 508112 -r-sr-xr-x 1 root wheel 95388 Apr 21 09:10:16 2001 /usr/sbin/pppd
< 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 09:10:16 2001 /usr/sbin/pstat
< 508032 -r-sr-x--- 1 root network 11112 Apr 21 09:10:19 2001 /usr/sbin/sliplogin
< 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 09:10:16 2001 /usr/sbin/swapinfo
< 508040 -r-sr-xr-x 1 root wheel 15112 Apr 21 09:10:20 2001 /usr/sbin/timedc
< 508041 -r-sr-xr-x 1 root wheel 13168 Apr 21 09:10:20 2001 /usr/sbin/traceroute
< 508042 -r-sr-xr-x 1 root bin 14952 Apr 21 09:10:20 2001 /usr/sbin/traceroute6
< 508043 -r-xr-sr-x 1 root kmem 8040 Apr 21 09:10:20 2001 /usr/sbin/trpt
---
> 31242 -r-xr-sr-x 1 root operator 56892 Apr 21 05:05:46 2001 /bin/df
> 31254 -r-sr-xr-x 1 root wheel 317400 Apr 21 05:13:35 2001 /bin/rcp
> 46878 -r-xr-sr-x 1 root kmem 62792 Apr 21 05:08:02 2001 /sbin/ccdconfig
> 46884 -r-xr-sr-x 1 root kmem 69512 Apr 21 05:08:03 2001 /sbin/dmesg
> 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 05:14:14 2001 /sbin/dump
> 46922 -r-sr-xr-x 1 root wheel 196376 Apr 21 05:08:15 2001 /sbin/ping
> 46923 -r-sr-xr-x 1 root bin 191380 Apr 21 05:08:15 2001 /sbin/ping6
> 46946 -r-xr-sr-x 2 root tty 329912 Apr 21 05:14:14 2001 /sbin/rdump
> 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 05:14:18 2001 /sbin/restore
> 46885 -r-sr-xr-x 1 root wheel 192484 Apr 21 05:08:16 2001 /sbin/route
> 46948 -r-xr-sr-x 2 root tty 356520 Apr 21 05:14:18 2001 /sbin/rrestore
> 46932 -r-sr-x--- 1 root operator 165008 Apr 21 05:08:17 2001 /sbin/shutdown
> 548209 -rwsr-xr-x 1 root wheel 7533 Mar 22 00:28:49 2001 /usr/X11R6/bin/Xwrapper
> 548170 -rwsr-xr-x 1 root wheel 11980 Mar 22 00:27:06 2001 /usr/X11R6/bin/dga
> 326018 -r-sr-xr-x 1 root wheel 8948 Apr 18 17:44:29 2001 /usr/X11R6/bin/gnome-pty-helper
> 548203 -rwsr-xr-x 1 root wheel 166040 Mar 22 00:27:26 2001 /usr/X11R6/bin/xterm
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/at
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/atq
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/atrm
> 8039 -r-sr-xr-x 4 root wheel 19540 Apr 21 05:09:19 2001 /usr/bin/batch
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/chfn
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/chpass
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/chsh
> 8247 -r-sr-xr-x 1 root wheel 24508 Apr 21 05:09:59 2001 /usr/bin/crontab
> 7937 -r-sr-sr-x 1 uucp dialer 123888 Apr 21 05:06:15 2001 /usr/bin/cu
> 8079 -r-xr-sr-x 1 root kmem 13108 Apr 21 05:09:26 2001 /usr/bin/fstat
> 8094 -r-xr-sr-x 1 root kmem 9832 Apr 21 05:09:27 2001 /usr/bin/ipcs
> 8100 -r-sr-xr-x 1 root wheel 510 Apr 21 05:09:28 2001 /usr/bin/keyinfo
> 8101 -r-sr-xr-x 1 root wheel 7444 Apr 21 05:09:28 2001 /usr/bin/keyinit
> 8118 -r-sr-xr-x 1 root wheel 7004 Apr 21 05:09:31 2001 /usr/bin/lock
> 8121 -r-sr-xr-x 1 root wheel 20436 Apr 21 05:14:06 2001 /usr/bin/login
> 8252 -r-sr-sr-x 1 root daemon 23720 Apr 21 05:10:26 2001 /usr/bin/lpq
> 8253 -r-sr-sr-x 1 root daemon 27304 Apr 21 05:10:26 2001 /usr/bin/lpr
> 8254 -r-sr-sr-x 1 root daemon 22668 Apr 21 05:10:26 2001 /usr/bin/lprm
> 7993 -r-sr-xr-x 1 man wheel 28512 Apr 21 05:06:46 2001 /usr/bin/man
> 8140 -r-xr-sr-x 1 root kmem 85712 Apr 21 05:09:35 2001 /usr/bin/netstat
> 8142 -r-xr-sr-x 1 root kmem 9936 Apr 21 05:09:35 2001 /usr/bin/nfsstat
> 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 05:14:08 2001 /usr/bin/passwd
> 8156 -r-sr-xr-x 1 root wheel 10440 Apr 21 05:09:37 2001 /usr/bin/quota
> 8150 -r-sr-xr-x 1 root wheel 17564 Apr 21 05:14:09 2001 /usr/bin/rlogin
> 8152 -r-sr-xr-x 1 root wheel 14748 Apr 21 05:14:10 2001 /usr/bin/rsh
> 8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 05:14:10 2001 /usr/bin/su
> 8179 -r-xr-sr-x 1 root kmem 56144 Apr 21 05:09:41 2001 /usr/bin/systat
> 8187 -r-xr-sr-x 1 root kmem 32344 Apr 21 05:09:42 2001 /usr/bin/top
> 7938 -r-sr-xr-x 1 uucp wheel 88228 Apr 21 05:06:16 2001 /usr/bin/uucp
> 7940 -r-sr-xr-x 1 uucp wheel 37312 Apr 21 05:06:16 2001 /usr/bin/uuname
> 7943 -r-sr-sr-x 1 uucp dialer 96752 Apr 21 05:06:16 2001 /usr/bin/uustat
> 7945 -r-sr-xr-x 1 uucp wheel 88844 Apr 21 05:06:16 2001 /usr/bin/uux
> 8212 -r-xr-sr-x 1 root kmem 16368 Apr 21 05:09:47 2001 /usr/bin/vmstat
> 8214 -r-xr-sr-x 1 root tty 9040 Apr 21 05:09:47 2001 /usr/bin/wall
> 8222 -r-xr-sr-x 1 root tty 7500 Apr 21 05:09:48 2001 /usr/bin/write
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/ypchfn
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/ypchpass
> 8051 -r-sr-xr-x 6 root wheel 32280 Apr 21 05:09:21 2001 /usr/bin/ypchsh
> 8270 -r-sr-xr-x 2 root wheel 30636 Apr 21 05:14:08 2001 /usr/bin/yppasswd
> 730141 -r-xr-sr-x 1 root games 7176 Apr 21 05:05:56 2001 /usr/games/dm
> 476168 -r-sr-xr-x 1 root wheel 398740 Apr 21 05:10:28 2001 /usr/libexec/sendmail/sendmail
> 492035 -r-sr-sr-x 1 uucp dialer 220704 Apr 21 05:06:15 2001 /usr/libexec/uucp/uucico
> 492036 -r-sr-s--- 1 uucp uucp 99584 Apr 21 05:06:17 2001 /usr/libexec/uucp/uuxqt
> 207208 -rwsr-xr-x 1 root wheel 4632 Apr 18 20:57:53 2001 /usr/local/bin/artswrapper
> 365951 -rwsr-xr-x 1 root wheel 8701 Apr 19 00:58:19 2001 /usr/local/bin/kcheckpass
> 365960 -rwxr-sr-x 1 root nobody 68088 Apr 19 01:00:57 2001 /usr/local/bin/kdesud
> 365981 -rwsr-xr-x 1 root wheel 5336 Apr 19 01:04:54 2001 /usr/local/bin/konsole_grantpty
> 691408 -rwsr-xr-x 1 root wheel 480944 Apr 18 22:48:57 2001 /usr/local/bin/kppp
> 183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 10:18:49 2001 /usr/local/bin/xscreensaver
> 507951 -r-xr-sr-x 1 root kmem 4664 Apr 21 05:10:01 2001 /usr/sbin/ifmcstat
> 507953 -r-xr-sr-x 1 root kmem 9608 Apr 21 05:10:01 2001 /usr/sbin/iostat
> 508068 -r-xr-sr-x 1 root daemon 30196 Apr 21 05:10:25 2001 /usr/sbin/lpc
> 507971 -r-sr-xr-x 1 root wheel 16348 Apr 21 05:10:04 2001 /usr/sbin/mrinfo
> 507973 -r-sr-xr-x 1 root wheel 29896 Apr 21 05:10:05 2001 /usr/sbin/mtrace
> 508111 -r-sr-xr-- 1 root network 295124 Apr 21 05:10:16 2001 /usr/sbin/ppp
> 508112 -r-sr-xr-x 1 root wheel 95388 Apr 21 05:10:16 2001 /usr/sbin/pppd
> 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 05:10:16 2001 /usr/sbin/pstat
> 508032 -r-sr-x--- 1 root network 11112 Apr 21 05:10:19 2001 /usr/sbin/sliplogin
> 508009 -r-xr-sr-x 2 root kmem 14808 Apr 21 05:10:16 2001 /usr/sbin/swapinfo
> 508040 -r-sr-xr-x 1 root wheel 15112 Apr 21 05:10:20 2001 /usr/sbin/timedc
> 508041 -r-sr-xr-x 1 root wheel 13168 Apr 21 05:10:20 2001 /usr/sbin/traceroute
> 508042 -r-sr-xr-x 1 root bin 14952 Apr 21 05:10:20 2001 /usr/sbin/traceroute6
> 508043 -r-xr-sr-x 1 root kmem 8040 Apr 21 05:10:20 2001 /usr/sbin/trpt

Matt

From owner-freebsd-security Sun Aug 12 10:34:01 2001
Date: Sun, 12 Aug 2001 13:38:56 -0400 (EDT)
From: Mikhail Kruk
To: Matthew Sundling
Subject: Re: security check output: questionable setuid diffs help?

If you were running telnetd from the original 4.3-RELEASE and have not done
anything (like build world or some other way of upgrading) there is a 99%
probability that you got hacked, most likely through the telnetd
vulnerability. Take the machine off line and reinstall from clean media.

As far as I know "undisclosed recipients" is fine. I don't know what the
reasons are to have it this way.

> I am new to the land of maintaining and securing my own unix-like
> box, and so I have been presented with all the new problems
> (interesting learning experiences?) that lie therein.
>
> FYI: my machine = FreeBSD 4.3-RELEASE #2: Fri Aug 3 19:32:28
> GMT 2001

From owner-freebsd-security Sun Aug 12 13:12:18 2001
Date: Sun, 12 Aug 2001 22:11:34 +0200 (CEST)
From: Krzysztof Zaraska
To: Matthew Sundling
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: security check output: questionable setuid diffs help?

On Sun, 12 Aug 2001, Matthew Sundling wrote:

> I am new to the land of maintaining and securing my own unix-like
> box, and so I have been presented with all the new problems
> (interesting learning experiences?) that lie therein.

Welcome aboard. Before we start, you didn't specify what the purpose of your
workstation is. Is this a personal workstation, a server, a router? These
different configurations require a somewhat different approach. Reading your
mail I guessed this is something like a personal workstation.

> I just started reading/following online security related websites
> on how to secure my machine yesterday (before yesterday my
> machine was running at securelevel=-1, with finger/telnet/ftp all
> still active in the default manner), and curiously messages
> appeared in my daily security check emails today (pasted below).

You didn't get any of these emails earlier? They're automatically generated
each night.

> Please note the change in time stamp.

If I am correct the only change is moving the timestamp by exactly four
hours. Haven't you changed your time zone recently? IMHO this is not a
pattern I'd expect in "typical" backdooring -- too many files, no other
changes seen, although many weird things have been seen.

> I would also point out the
> fact that I started logging TCP/UDP connection attempts
> yesterday, and it looked like several (~7) machines were port
> scanning.

Kiddiez looking for another victim. This is widely seen nowadays.

> Also, my ISP is a rather open cable modem network.

Nice place to look for a target.

> I did remove all services from the inetd,
> though...

A step in the right direction. Do netstat -atn and look at what else is
listening -- you may still have standalone (= not inetd-controlled) services.

> Also, the header of the daily security log included:
> > To: undisclosed-recipients:;

Mine look the same.

> Is this normal? I ask because I have no 'original' logs to
> compare the header against, so I can't tell if this is normal. I
> checked my crontab and /etc/periodic/* stuff and it _seems_ like root
> is the only recipient, but I can't really tell.

If you're interested, a look at /var/log/maillog should tell you who it was
also sent to.

> Any suggestions? Has my machine been penetrated? Any advice?

Although I can't see any direct evidence in your logs, the possibility of
intrusion cannot be ruled out. Specifically, it seems to me you've been
running an insecure setup with vulnerable telnetd, so I'd consider this a
risky situation. I'd recommend taking the following steps:

1. [HIGHLY RECOMMENDED] If possible, backing up all data and doing a
   reinstall. I'd recommend an upgrade to a newer version, specifically
   RELENG_4_3 (this is 4.3-RELEASE with security fixes) or 4.3-STABLE
   (a.k.a. 4.4-PRERELEASE).

2. [RECOMMENDED] Set up a firewall. The stock /etc/rc.firewall seems decent
   for a beginning; edit the "CLIENT" section to put in your IP etc., comment
   out the "incoming email" rule, and enable firewalling in /etc/rc.conf.
   This will make your machine inaccessible from outside. If you want to
   provide any services to the outside world you will have to "loosen" this
   setup.

3. [USEFUL] Once you get a clean system, set up an intrusion detection tool
   such as aide or tripwire. This will let you know if any of your files
   were modified (it checks not only for changed size/timestamp/permissions
   but also the contents of the file).

Good luck.
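Krzysztof's reading of Matthew's listing (every surviving entry moved by exactly four hours with nothing else changed) can be mechanised, which is worth doing because the daily report is long and the eye skips. The script below is an added example for this thread, not code from the list or from FreeBSD's periodic scripts. It parses entries in the layout the report prints (inode, mode, link count, owner, group, size, full timestamp, path), pairs the two sides of the diff by path, and sorts changes into three kinds: timestamp-only changes with inode, mode, owner and size identical, which is what a time-zone change produces; any change to mode, owner, group, size or inode, which is what a replaced binary produces and which a constant time shift cannot explain; and entries present on only one side, which in the listing above are the five KDE helpers (artswrapper, kcheckpass, kdesud, konsole_grantpty, kppp) that appear only on the new side. It generalises past the four-hour case: any uniform offset is reported as such, and a non-uniform set of shifts is flagged. The sample listings are a subset of Matthew's diff; the tampered variant in the usage note is constructed.

```python
"""Triage the setuid diff from FreeBSD's daily security check output.

Added example (not code from the list or from FreeBSD); it reads listing
entries in the layout shown above: inode, mode, link count, owner, group,
size, "Mon DD HH:MM:SS YYYY", path.
"""
from datetime import datetime

# Attributes that a time-zone change leaves untouched and a replaced binary usually does not.
ATTRS = ("inode", "mode", "links", "user", "group", "size")


def parse_listing(text):
    """Map path -> attributes for one side of the diff ('<' / '>' prefixes tolerated)."""
    entries = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "<>":
            line = line[1:].strip()
        fields = line.split(None, 10)          # path is the 11th field and may contain spaces
        if len(fields) != 11:
            raise ValueError(f"unparseable entry: {line!r}")
        inode, mode, links, user, group, size, mon, day, clock, year, path = fields
        entries[path] = {
            "inode": int(inode), "mode": mode, "links": int(links),
            "user": user, "group": group, "size": int(size),
            "mtime": datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y"),
        }
    return entries


def compare(old, new):
    """Classify every path: attribute change, timestamp-only change, added, removed."""
    report = {"changed": {}, "time_shifts": {},
              "added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new))}
    for path in sorted(set(old) & set(new)):
        o, n = old[path], new[path]
        diffs = {a: (o[a], n[a]) for a in ATTRS if o[a] != n[a]}
        if diffs:
            report["changed"][path] = diffs
        elif o["mtime"] != n["mtime"]:
            report["time_shifts"][path] = (n["mtime"] - o["mtime"]).total_seconds()
    return report


def uniform_shift_hours(report):
    """Offset in hours if every timestamp-only change moved by the same amount, else None."""
    shifts = set(report["time_shifts"].values())
    return shifts.pop() / 3600 if len(shifts) == 1 else None


def findings(report):
    """Human-readable triage lines, most worrying kinds first."""
    out = [f"ATTRIBUTE CHANGE {p}: {d}" for p, d in report["changed"].items()]
    out += [f"NEW SETUID/SETGID {p}: confirm it came from a package you installed"
            for p in report["added"]]
    out += [f"REMOVED {p}" for p in report["removed"]]
    if report["time_shifts"]:
        shift = uniform_shift_hours(report)
        if shift is None:
            out.append("timestamp changes are not uniform; inspect each file")
        else:
            out.append(f"{len(report['time_shifts'])} entries moved by exactly {shift:+g} h "
                       "with inode/mode/owner/size unchanged: consistent with a time-zone "
                       "change, not with rewritten binaries")
    return out


# Subset of the diff posted above (old side first, new side second).
OLD_SIDE = """
31242 -r-xr-sr-x 1 root operator 56892 Apr 21 09:05:46 2001 /bin/df
8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 09:14:10 2001 /usr/bin/su
326018 -r-sr-xr-x 1 root wheel 8948 Apr 18 21:44:29 2001 /usr/X11R6/bin/gnome-pty-helper
183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 14:18:49 2001 /usr/local/bin/xscreensaver
"""
NEW_SIDE = """
> 31242 -r-xr-sr-x 1 root operator 56892 Apr 21 05:05:46 2001 /bin/df
> 8161 -r-sr-xr-x 1 root wheel 11560 Apr 21 05:14:10 2001 /usr/bin/su
> 326018 -r-sr-xr-x 1 root wheel 8948 Apr 18 17:44:29 2001 /usr/X11R6/bin/gnome-pty-helper
> 365951 -rwsr-xr-x 1 root wheel 8701 Apr 19 00:58:19 2001 /usr/local/bin/kcheckpass
> 183184 -rwsr-xr-x 1 root wheel 641862 Aug 4 10:18:49 2001 /usr/local/bin/xscreensaver
"""

if __name__ == "__main__":
    for line in findings(compare(parse_listing(OLD_SIDE), parse_listing(NEW_SIDE))):
        print(line)
```

Run as is, the report says the four common entries moved by exactly -4 h and that kcheckpass is new. Feed it a constructed new side in which /usr/bin/su has a different size and the same timestamp shift, and su lands under ATTRIBUTE CHANGE while the remaining entries still report a uniform shift; that is the separation a time-zone explanation needs to survive. Since mtime is trivially forgeable and the script sees only what the report prints, treat it as triage: a clean result narrows where to look, and aide or tripwire, as recommended above, is what actually verifies contents.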
From owner-freebsd-security Sun Aug 12 16:06:31 2001
Date: Mon, 13 Aug 2001 09:06:25 +1000
From: Tony Landells
To: Joshua Goodall
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd
In-Reply-To: Message from Joshua Goodall of "Sun, 12 Aug 2001 10:50:33 +0100."
Message-Id: <200108122306.JAA21903@tungsten.austclear.com.au>

joshua@roughtrade.net said:
> If you want to do failover between two NAT gateways, you can avoid
> reinventing much of the high-availability wheel with the net/vrrp port
> and taking things from there. VRRP was defined specifically to support
> router failover. Perhaps you can piggyback state onto the
> advertisements?

Last time I checked on VRRP, it was in a questionable legal state due to
protests by Cisco that it (sort of) infringed on HSRP--has that changed? I
don't really want to build a solution on technology that may get yanked
suddenly...

Tony
--
Tony Landells                         Senior Network Engineer
Australian Clearing Services Pty Ltd  Ph: +61 3 9677 9319
Level 4, Rialto North Tower           Fax: +61 3 9677 9355
525 Collins Street
Melbourne VIC 3000 Australia
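The liveness scheme Krzysztof sketches in the message Joshua quotes at the top of this archive (state-table updates double as keepalives, an explicit "ping" goes out only when the peer has been silent for an interval, and the updates carry an upstream up/down flag) is small enough to write down as a state machine. The following Python class is an added example, not code from any poster and not part of natd. Everything not named in the thread is an assumption: the messages are dicts with a "type" key, the intervals QUIET_INTERVAL and PROBE_TIMEOUT are invented, and a peer that reports its upstream down is treated as a reason for this gateway to take over.

```python
"""Peer liveness for two NAT gateways sharing state, as sketched in the
distributed-natd thread: state-table updates double as keepalives, an
explicit probe goes out only after the peer has been silent, and a peer that
does not answer the probe is declared dead.

Added example, not code from any poster or from natd. The message shapes
(dicts with a "type" key), the intervals and the meaning of the upstream
flag are assumptions; the thread only names the ideas.
"""

QUIET_INTERVAL = 5.0   # seconds of silence before we send an explicit probe
PROBE_TIMEOUT = 2.0    # seconds to wait for the reply before declaring the peer dead


class PeerMonitor:
    def __init__(self, now):
        self.last_heard = now         # time of the last message of any kind from the peer
        self.probe_sent_at = None     # time of the outstanding probe, if any
        self.peer_alive = True
        self.peer_upstream_ok = True  # last "upstream ok" / "upstream down" flag received
        self.nat_state = {}           # mirrored NAT table: (proto, src, sport) -> alias port

    def receive(self, msg, now):
        """Handle one message from the peer; return a reply to send, or None."""
        self.last_heard = now
        self.probe_sent_at = None     # anything from the peer answers an outstanding probe
        self.peer_alive = True
        kind = msg["type"]
        if kind == "update":          # carries NAT entries plus the peer's upstream flag
            self.nat_state.update(msg["entries"])
            self.peer_upstream_ok = msg["upstream_ok"]
            return None
        if kind == "probe":           # peer thinks we went quiet; answer at once
            return {"type": "probe_reply"}
        if kind == "probe_reply":
            return None
        raise ValueError(f"unknown message type {kind!r}")

    def tick(self, now):
        """Timer callback; return a message to send to the peer, or None."""
        if not self.peer_alive:
            return None
        if self.probe_sent_at is not None:
            if now - self.probe_sent_at >= PROBE_TIMEOUT:
                self.peer_alive = False   # probe unanswered: peer or link is gone
            return None
        if now - self.last_heard >= QUIET_INTERVAL:
            self.probe_sent_at = now      # silence may just mean no traffic: ask
            return {"type": "probe"}
        return None

    def should_take_over(self):
        """True when this gateway should become the active one."""
        return not self.peer_alive or not self.peer_upstream_ok


def run_scenario():
    """Constructed timeline: one update arrives, traffic stops, the probe is never answered."""
    mon = PeerMonitor(now=0.0)
    log = []
    update = {"type": "update", "entries": {("tcp", "10.0.0.5", 40000): 61000},
              "upstream_ok": True}
    mon.receive(update, now=1.0)
    for t in (3.0, 6.0, 7.0, 8.5):
        msg = mon.tick(t)
        log.append((t, msg["type"] if msg else None, mon.peer_alive))
    return log, mon.should_take_over()


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(entry)
```

The scenario produces no probe at t=3 (the update at t=1 counts as a keepalive), a probe at t=6, nothing at t=7 while the reply is still due, and a dead peer at t=8.5. A probe_reply, or any other message, arriving before PROBE_TIMEOUT resets the monitor, so a quiet but healthy peer is never failed over just because its users went home. Whatever transport carries these messages between the gateways, the link should be authenticated (Tony's VRRP reservations aside, VRRP advertisements have the same problem): an unauthenticated "upstream down" or forged state update would let anyone on that segment steer the failover.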
From owner-freebsd-security Sun Aug 12 22:27:10 2001
Date: Mon, 13 Aug 2001 01:27:05 -0400 (EDT)
From: alexus

(W)orld(W)ide(W)eb: http://box.nexgen.com/
(I)nternet(R)elay(C)hat: EFnet #aLeXuS

From owner-freebsd-security Mon Aug 13 0:13:21 2001
From: "default - Subscriptions"
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Easy IPFW question...
Date: Mon, 13 Aug 2001 02:12:29 -0500

Hi,

I'm kinda new to IPFW, and I was unable to figure this out by myself...

I want to block an IP range, say 192.168.0.1, with a netmask of 255.255.0.0 ...

The rule I tried was this:
    ipfw add deny log all from 192.168.0.1/16 to any via ed0

I then attempted to access the server from this IP range and was able to do it normally... Basically I don't want anyone in this IP range to be able to see anything at all...

Thanks,

Jordan
From: Roman Zabolotnikov
To: freebsd-security@freebsd.org
Subject: RE: Easy IPFW question...
Date: Mon, 13 Aug 2001 14:25:51 +0700

Try using a ":" sign between the IP and the netmask, for example:
    ipfw add deny log all from 192.168.0.1:255.255.0.0 to any via ed0

Please write what you see on the console when you execute this command. Also look at the output of
    ipfw list | grep 192.168
to make sure your rule is in the kernel tables.

Do you use NAT on your network? It may be the cause of your problem.

> -----Original Message-----
> From: default - Subscriptions [mailto:default013subscriptions@hotmail.com]
> Sent: Monday, August 13, 2001 2:12 PM
> To: freebsd-security@freebsd.org; freebsd-questions@freebsd.org
> Subject: Easy IPFW question...
>
> Hi,
>
> I'm kinda new to IPFW, and I was unable to figure this out by myself...
>
> I want to block an I.P. range, say 192.168.0.1, with a netmask of 255.255.0.0 ...
>
> The rule I tried was this:
> ipfw add deny log all from 192.168.0.1/16 to any via ed0
>
> I then attempted to access the server from this I.P. range and was able to do it normally... basically I don't want anyone in this I.P. range to be able to see anything at all...
>
> Thanks,
>
> Jordan

Date: Mon, 13 Aug 2001 16:39:56 +0300
From: Peter Pentchev
To: Tony Landells
Cc: Joshua Goodall, freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd

On Mon, Aug 13, 2001 at 09:06:25AM +1000, Tony Landells wrote:
> joshua@roughtrade.net said:
> > If you want to do failover between two NAT gateways, you can avoid
> > reinventing much of the high-availability wheel with the net/vrrp port
> > and taking things from there. VRRP was defined specifically to support
> > router failover. Perhaps you can piggyback state onto the
> > advertisements?
>
> Last time I checked on VRRP, it was in a questionable legal state
> due to protests by Cisco that it (sort of) infringed on HSRP--has
> that changed?
>
> I don't really want to build a solution on technology that may get
> yanked suddenly...

I think the legal issues with the net/vrrp port have been solved; however, another problem has crept up: the port maintainer now thinks that this port does not really implement the relevant RFCs correctly, so the port was marked FORBIDDEN, and the maintainer is working on his own version.

G'luck,
Peter
--
If this sentence didn't exist, somebody would have invented it.
Date: Mon, 13 Aug 2001 16:56:04 +0300
From: Peter Pentchev
To: default - Subscriptions
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Easy IPFW question...

On Mon, Aug 13, 2001 at 02:12:29AM -0500, default - Subscriptions wrote:
> Hi,
>
> I'm kinda new to IPFW, and I was unable to figure this out by myself...
>
> I want to block an I.P. range, say 192.168.0.1, with a netmask of
> 255.255.0.0 ...
>
> The rule I tried was this:
> ipfw add deny log all from 192.168.0.1/16 to any via ed0

Try 192.168.0.0/16 - the bits that are zeroed in the netmask must also be zeroed in the address.

This is so because of the way the address/netmask calculations are performed: when an address, say 192.168.5.12, is tested against a 192.168.0.0/16 combination, a bitwise 'and' operation is performed between the address to check (192.168.5.12) and the netmask (255.255.0.0). Then the result - 192.168.0.0 - is compared to the network address that you have specified. Since the 'and' operation clears the last 16 bits, a network address of 192.168.0.1 cannot match anything - it has its last bit set.

Try 192.168.0.0/16, it will probably work.
If it fails, try 192.168.0.0/255.255.0.0.

G'luck,
Peter
--
I am the meaning of this sentence.
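The comparison Peter describes, as an added example in C (my code, not ipfw's and not from anyone in this thread): strict_match masks only the packet address and compares it with the network exactly as typed, so 192.168.0.1/16 can never match; normalised_match masks both sides, which is the behaviour Nate expects later in the thread; rule_has_host_bits is the check to run on a rule before loading it. The probe addresses in main and the function names are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into a host-order 32-bit value; 1 on success, 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Netmask for a prefix length: 16 -> 255.255.0.0, 0 -> 0.0.0.0, 32 -> 255.255.255.255. */
static uint32_t prefix_to_mask(int prefix)
{
    if (prefix <= 0)
        return 0;
    if (prefix >= 32)
        return 0xffffffffu;
    return 0xffffffffu << (32 - prefix);
}

/* Strict comparison as described in the thread: mask the packet address and
 * compare it with the network address exactly as the rule was typed.
 * Returns 1 on match, 0 on mismatch, -1 if an address does not parse. */
int strict_match(const char *addr, const char *net, int prefix)
{
    uint32_t a, n;
    if (!parse_ipv4(addr, &a) || !parse_ipv4(net, &n))
        return -1;
    return (a & prefix_to_mask(prefix)) == n;
}

/* Normalised comparison: mask both sides, so host bits typed into the rule are ignored. */
int normalised_match(const char *addr, const char *net, int prefix)
{
    uint32_t a, n, m;
    if (!parse_ipv4(addr, &a) || !parse_ipv4(net, &n))
        return -1;
    m = prefix_to_mask(prefix);
    return (a & m) == (n & m);
}

/* Lint check for a rule before loading it: 1 if the network part has host
 * bits set (under strict comparison such a rule can never match), 0 if the
 * network is clean, -1 if it does not parse. */
int rule_has_host_bits(const char *net, int prefix)
{
    uint32_t n;
    if (!parse_ipv4(net, &n))
        return -1;
    return (n & ~prefix_to_mask(prefix)) != 0;
}

int main(void)
{
    const char *probe = "192.168.5.12";   /* constructed packet source address */

    printf("%s vs 192.168.0.1/16: strict=%d normalised=%d host-bits=%d\n", probe,
           strict_match(probe, "192.168.0.1", 16),
           normalised_match(probe, "192.168.0.1", 16),
           rule_has_host_bits("192.168.0.1", 16));
    printf("%s vs 192.168.0.0/16: strict=%d normalised=%d host-bits=%d\n", probe,
           strict_match(probe, "192.168.0.0", 16),
           normalised_match(probe, "192.168.0.0", 16),
           rule_has_host_bits("192.168.0.0", 16));
    return 0;
}
```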
Date: Mon, 13 Aug 2001 10:24:22 -0400 (EDT)
From: Ralph Huntington
To: Peter Pentchev
Subject: Re: Easy IPFW question...

> Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be
> also zeroed in the address.

Nice explanation.

> Try 192.168.0.0/16, it will probably work.
> If it fails, try 192.168.0.0/255.255.0.0.

I think you mean 192.168.0.0:255.255.0.0 for that form (colon, not slash).
From: Nate Williams
Date: Mon, 13 Aug 2001 10:42:39 -0600
To: Peter Pentchev
Cc: default - Subscriptions, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: Easy IPFW question...

> > I'm kinda new to IPFW, and I was unable to figure this out by myself...
> >
> > I want to block an I.P. range, say 192.168.0.1, with a netmask of
> > 255.255.0.0 ...
> >
> > The rule I tried was this:
> > ipfw add deny log all from 192.168.0.1/16 to any via ed0
>
> Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be
> also zeroed in the address.

If so, then the ipfw parser is borken. :( It *shouldn't* matter what the last two bytes in this case are, as it doesn't matter to any of the other routing protocols.

Nate
From: "alexus"
Subject: bin user
Date: Mon, 13 Aug 2001 13:26:44 -0400
Organization: NexGen

Is it safe to allow user bin to have a shell, but with a password that no one will know?

alexus@~$ finger bin
Login: bin                              Name: Binaries Commands and Source
Directory: /                            Shell: /sbin/nologin
Never logged in.
No Mail.
No Plan.
alexus@~$
From: Ivan Krstic
Date: Mon, 13 Aug 2001 19:34:29 +0200
To: freebsd-security@freebsd.org
Subject: Re: bin user

On Mon, Aug 13, 2001 at 01:26:44PM -0400, alexus wrote:
> is it safe to allow user bin have shell but with password that no one will
> know?
> [snip]

If the only reason to give the bin user a shell is so you can su to this account, there's no need to assign a password at all. The shadow file entry illustrates this:

    bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin

Note the second field is an asterisk, which is an impossible hash (no password will ever match). So, just assign this user a valid shell, and leave the password the way it already is.
Best regards,
--
Ivan Krstic - ike
" life is the road beneath my feet,
  love is the girl I wait to meet,
  and art is everything I create,
  rob me of any and I will hate,
  you, my God, my devil, my fate "

Date: Mon, 13 Aug 2001 09:33:07 -0700 (PDT)
From: David Kirchner
To: Ivan Krstic
Subject: Re: bin user

On Mon, 13 Aug 2001, Ivan Krstic wrote:
> On Mon, Aug 13, 2001 at 01:26:44PM -0400, alexus wrote:
> > is it safe to allow user bin have shell but with password that no one will
> > know?
>
> [snip]
> If the only reason to give the bin user a shell is so you can su to this
> account, there's no need to assign a password at all.

It'd probably be better to leave the shell as /sbin/nologin, and then just use 'su -m bin' to su to bin.
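An added audit in C for the situation Ivan and David discuss (my code, not from anyone in this thread): it classifies master.passwd-style entries by whether the password field is an impossible hash and whether the shell is nologin, so an account that is su-able but locked against password login (locked hash plus a real shell, Ivan's suggestion) is told apart from one reachable only through su -m (David's) and from one with an empty password field. The sample entries are constructed, except the bin line, which is the one quoted above; the enum and function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* How an account can be entered, judging from one master.passwd(5) line. */
enum pw_state {
    PW_BAD_LINE,        /* not the ten colon-separated fields of master.passwd */
    PW_HASHED,          /* a real password hash: password login is possible */
    PW_EMPTY,           /* empty password field: login with no password at all */
    PW_LOCKED_NOLOGIN,  /* impossible hash and a nologin shell: only su -m gets in */
    PW_LOCKED_SHELL     /* impossible hash but a real shell: su works, password login never does */
};

#define NFIELDS 10   /* name:pw:uid:gid:class:change:expire:gecos:home:shell */

enum pw_state classify_entry(const char *line)
{
    char buf[512];
    char *field[NFIELDS];
    char *p;
    const char *pw, *shell;
    size_t len = strlen(line), sl;
    int n = 0, nologin;

    if (len >= sizeof(buf))
        return PW_BAD_LINE;
    memcpy(buf, line, len + 1);
    if (len > 0 && buf[len - 1] == '\n')
        buf[len - 1] = '\0';

    /* Split on ':' by hand: strtok() would swallow the empty class field. */
    field[n++] = buf;
    for (p = buf; *p != '\0' && n < NFIELDS; p++) {
        if (*p == ':') {
            *p = '\0';
            field[n++] = p + 1;
        }
    }
    if (n != NFIELDS)
        return PW_BAD_LINE;

    pw = field[1];
    shell = field[9];
    sl = strlen(shell);
    nologin = sl >= 7 && strcmp(shell + sl - 7, "nologin") == 0;

    if (pw[0] == '\0')
        return PW_EMPTY;
    /* crypt(3) never produces a hash starting with '*', so nothing matches it:
     * the literal "*" of the bin entry and pw(8)'s "*LOCKED*" prefix both qualify. */
    if (pw[0] == '*')
        return nologin ? PW_LOCKED_NOLOGIN : PW_LOCKED_SHELL;
    return PW_HASHED;
}

const char *state_name(enum pw_state s)
{
    switch (s) {
    case PW_HASHED:         return "hashed";
    case PW_EMPTY:          return "EMPTY PASSWORD";
    case PW_LOCKED_NOLOGIN: return "locked, nologin (su -m only)";
    case PW_LOCKED_SHELL:   return "locked, real shell (su without password)";
    default:                return "unparseable";
    }
}

/* Walk a whole file image line by line and count the entries that are locked
 * but carry a real shell, i.e. the configuration Ivan proposes for bin. */
int count_locked_with_shell(const char *image)
{
    int count = 0;
    const char *s = image;
    while (*s != '\0') {
        const char *e = strchr(s, '\n');
        size_t l = e ? (size_t)(e - s) : strlen(s);
        char line[512];
        if (l < sizeof(line)) {
            memcpy(line, s, l);
            line[l] = '\0';
            if (classify_entry(line) == PW_LOCKED_SHELL)
                count++;
        }
        s = e ? e + 1 : s + l;
    }
    return count;
}

/* Constructed sample; only the bin line is the real one quoted in the thread. */
static const char sample_passwd[] =
    "root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTU.:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin\n"
    "operator:*:2:5::0:0:System &:/:/bin/sh\n"
    "backup::1001:1001::0:0:Backup job:/home/backup:/bin/sh\n";

int main(void)
{
    const char *s = sample_passwd;
    while (*s != '\0') {
        const char *e = strchr(s, '\n');
        size_t l = e ? (size_t)(e - s) : strlen(s);
        printf("%.*s -> %s\n", (int)l, s, state_name(classify_entry(s)));
        s = e ? e + 1 : s + l;
    }
    printf("locked accounts with a real shell: %d\n", count_locked_with_shell(sample_passwd));
    return 0;
}
```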
From: "alexus"
To: "David Kirchner", "Ivan Krstic"
Subject: Re: bin user
Date: Mon, 13 Aug 2001 13:46:00 -0400
Organization: NexGen

Hm, I like yours better. The only question: will it work from crontab?

----- Original Message -----
From: "David Kirchner"
To: "Ivan Krstic"
Sent: Monday, August 13, 2001 12:33 PM
Subject: Re: bin user

> It'd probably be better to leave the shell as /sbin/nologin, and then just
> use 'su -m bin' to su to bin.
From: "alexus"
To: "Ivan Krstic"
Subject: Re: bin user
Date: Mon, 13 Aug 2001 13:46:15 -0400
Organization: NexGen

That's what I meant :)

----- Original Message -----
From: "Ivan Krstic"
Sent: Monday, August 13, 2001 1:34 PM
Subject: Re: bin user

> If the only reason to give the bin user a shell is so you can su to this
> account, there's no need to assign a password at all. The shadow file entry
> illustrates this:
> bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
>
> Note the second field is an asterisk, which is an impossible hash (no password
> will ever match). So, just assign this user a valid shell, and leave the
> password the way it already is.

Date: Mon, 13 Aug 2001 09:45:14 -0700 (PDT)
From: David Kirchner
To: alexus
Cc: Ivan Krstic
Subject: Re: bin user

On Mon, 13 Aug 2001, alexus wrote:
> hm, i like yours is better the only question will it work from crontab?

Yep, sure will.

Date: Mon, 13 Aug 2001 11:27:47 -0700
From: Brooks Davis
To: Rolandas Garska
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD-SA-01:40.fts.asc

On Sun, Aug 12, 2001 at 02:38:38PM +0200, Rolandas Garska wrote:
>
> I did not find /usr/src/usr.bin/chgrp in the source tree on my 4.3-RELEASE.

It's actually just chown with another name, so it lives in /usr/src/usr.sbin/chown. This appears to be a bug in the advisory.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

Date: Mon, 13 Aug 2001 20:54:42 +0200 (CEST)
From: Dan Larsson
Subject: OpenBSD enc device for FreeBSD
Organization: Tyfon Svenska AB

Hi!

Will FreeBSD merge this very excellent solution into the source tree, or does FreeBSD have a similar device doing the same thing?

Regards
+------
Dan Larsson        | Tel: +46 8 550 120 21
Tyfon Svenska AB   | Fax: +46 8 550 120 02
GPG and PGP keys   | finger dl@hq1.tyfon.net

Date: Mon, 13 Aug 2001 12:47:36 -0700
From: Brooks Davis
To: Dan Larsson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD enc device for FreeBSD

On Mon, Aug 13, 2001 at 08:54:42PM +0200, Dan Larsson wrote:
> Will FreeBSD merge this very excellent solution into
> the source tree or does FreeBSD have a similar device
> doing the same thing?

It looks interesting, I'll take a look at it. No promises on delivery date though.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From: Pierre Beyssac
To: freebsd-security@freebsd.org
Subject: [pb@fasterix.freenix.org: bin/29026: fix for traceroute]
Date: Mon, 13 Aug 2001 22:21:45 +0200

Hi,

Any advice on this? Ruslan advised me to wait for a response from the traceroute list at LBL, but no news from them since I sent the patch almost a month ago...

Pierre

----- Forwarded message from Pierre Beyssac -----

Date: Mon, 16 Jul 2001 21:06:37 +0200
From: Pierre Beyssac
To: freebsd-net@FreeBSD.ORG
Cc: traceroute@ee.lbl.gov
Subject: fix for traceroute (bin/29026)

Could anyone check this fix for PR bin/29026 (traceroute -s option)?

It just reenables the bind(2) call checking for the source address correctness, and moves the IP_HDRINCL after that (once IP_HDRINCL is enabled on the socket, bind doesn't check this anymore).

It seems to work on my (very outdated) current as well as -stable, but I'm not able to check it on a recent -current, and although I have tested it with and without -s I may have missed some side effects with weird options combinations.

If someone can confirm that this works, I can commit it.

Index: traceroute.c =================================================================== RCS file: /home/ncvs/src/contrib/traceroute/traceroute.c,v retrieving revision 1.18 diff -u -r1.18 traceroute.c --- traceroute.c 2001/06/06 16:12:59 1.18 +++ traceroute.c 2001/07/16 18:53:44 @@ -727,13 +727,6 @@ exit(1); } #endif -#ifdef IP_HDRINCL - if (setsockopt(sndsock, IPPROTO_IP, IP_HDRINCL, (char *)&on, - sizeof(on)) < 0) { - Fprintf(stderr, "%s: IP_HDRINCL: %s\n", prog, strerror(errno)); - exit(1); - } -#endif if (options & SO_DEBUG) (void)setsockopt(sndsock, SOL_SOCKET, SO_DEBUG, (char *)&on, sizeof(on));
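Review bot: this hunk only makes sense together with the next one, which re-adds the same IP_HDRINCL setsockopt after the bind, so the two should land as one commit whose message records why the order matters (the cover note states it: once IP_HDRINCL is on, bind(2) no longer checks the -s source address). The only code visible between the removed block and the next hunk is the SO_DEBUG setsockopt, which does not depend on header inclusion, so the move itself looks safe; the lines between @@ -727 and @@ -744 are not shown, so please confirm that nothing there sends on sndsock or relies on IP_HDRINCL already being set.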
@@ -744,14 +737,19 @@ if (source != NULL) { source = savestr(getsin(&from, source)); outip->ip_src = from.sin_addr; -#ifndef IP_HDRINCL if (bind(sndsock, (struct sockaddr *)&from, sizeof(from)) < 0) { Fprintf(stderr, "%s: bind: %s\n", prog, strerror(errno)); exit (1); } -#endif } +#ifdef IP_HDRINCL + if (setsockopt(sndsock, IPPROTO_IP, IP_HDRINCL, (char *)&on, + sizeof(on)) < 0) { + Fprintf(stderr, "%s: IP_HDRINCL: %s\n", prog, strerror(errno)); + exit(1); + } +#endif #if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) if (setpolicy(sndsock, "in bypass") < 0)

--
Pierre Beyssac    pb@fasterix.frmug.org    pb@fasterix.freenix.org
Why write portable code when you can write Linux code?
Free domains: http://www.eu.org/ or mail dns-manager@EU.org

----- End forwarded message -----
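Review bot: with the #ifndef IP_HDRINCL guard removed, the bind(2) inside `if (source != NULL)` now always runs and exits on failure, so the kernel's check that the -s address is configured locally is back before any probe carrying that outip->ip_src is sent, which is the point of the fix. Two small follow-ups: `exit (1);` in that branch does not match the `exit(1);` style of the IP_HDRINCL block added just below it, and the only symptom a user now sees for a bad -s address is the generic "%s: bind: %s" message, so the -s description in the manual page should say the address must belong to a local interface.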
From: itojun@iijlab.net Date: Tue, 14 Aug 2001 05:25:17 +0900 Message-ID: <23330.997734317@itojun.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >It looks interesting, I'll take a look at it. No promises on delivery >date though. Don't play with rcvif. It will break IPv6 scoped address architecture support. itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 13 17: 2:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.partner.de (www.partner.de [195.254.3.1]) by hub.freebsd.org (Postfix) with ESMTP id 436EB37B40C for ; Mon, 13 Aug 2001 17:02:33 -0700 (PDT) (envelope-from ob@icon-sult.de) Received: from icon-sult.de (root@localhost) by www.partner.de (8.11.3/8.11.3) with ESMTP id f7E02T959970; Tue, 14 Aug 2001 02:02:30 +0200 (CEST) Message-ID: <3B786A91.8E2E3E26@icon-sult.de> Date: Tue, 14 Aug 2001 02:02:25 +0200
From: Oliver Breuninger Reply-To: ob@icon-sult.de X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en, de-DE MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: isakmpd Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, in which way will it be possible to use the isakmpd port as an IKE initiator? The port works fine if the other side establishes the negotiation, but isakmpd does nothing on startup to build the VPN. The config parameters Check-interval Shared-SADB Default Connections Flags=Active-only have no effect on the situation. Is it a bug in the modification for FreeBSD? Does someone know how it will be changed? regards -- Oliver Breuninger, Consultant | E-Mail: ob@icon-sult.de I.CONsult Beratungsgesellschaft mbH | web: www.icon-sult.de Breitwiesenstr. 6 | Tel. +49 711 787808-16 70565 Stuttgart | Fax. +49 711 787808-11 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 3:18:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from phoenix.tricom.com.ph (phoenix.tricom.com.ph [203.167.87.58]) by hub.freebsd.org (Postfix) with SMTP id 4402F37B409 for ; Tue, 14 Aug 2001 03:18:12 -0700 (PDT) (envelope-from jimmy@tricom.com.ph) Received: (qmail 9845 invoked from network); 14 Aug 2001 10:21:26 -0000 Received: from sphinx.tricom.com.ph (HELO tricom.com.ph) (ovsjiv@203.167.87.59) by tricom.com.ph with SMTP; 14 Aug 2001 10:21:26 -0000 Message-ID: <3B78FE2D.36FC4FEF@tricom.com.ph> Date: Tue, 14 Aug 2001 18:32:13 +0800
From: Jimmy X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.8-pre4 i686) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 9:15: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from franklin.physics.purdue.edu (franklin.physics.purdue.edu [128.210.146.222]) by hub.freebsd.org (Postfix) with ESMTP id 6D65F37B403 for ; Tue, 14 Aug 2001 09:14:59 -0700 (PDT) (envelope-from will@physics.purdue.edu) Received: from physics.purdue.edu (bohr.physics.purdue.edu [128.210.67.12]) by franklin.physics.purdue.edu (Postfix) with ESMTP id 6295520F03; Tue, 14 Aug 2001 11:16:06 -0500 (EST) Received: by physics.purdue.edu (Postfix, from userid 12409) id 2C8005BC1; Tue, 14 Aug 2001 11:14:13 -0500 (EST) Date: Tue, 14 Aug 2001 11:14:13 -0500 
From: Will Andrews To: alexus Cc: David Kirchner , Ivan Krstic , freebsd-security@FreeBSD.ORG Subject: Re: bin user Message-ID: <20010814111413.N5712@bohr.physics.purdue.edu> Reply-To: Will Andrews Mail-Followup-To: alexus , David Kirchner , Ivan Krstic , freebsd-security@FreeBSD.ORG References: <20010813093238.B38221-100000@localhost> <000b01c1241f$d0e74c90$0d00a8c0@alexus> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.17i In-Reply-To: <000b01c1241f$d0e74c90$0d00a8c0@alexus>; from ml@db.nexgen.com on Mon, Aug 13, 2001 at 01:46:00PM -0400 X-Operating-System: FreeBSD 4.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Aug 13, 2001 at 01:46:00PM -0400, alexus (ml@db.nexgen.com) wrote: > Hm, I like yours better; the only question is, will it work from crontab? /etc/crontab will let you specify the user to run the command as. You can also do ``su -m bin'' then ``crontab -e''. -- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 9:35:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id CDA2937B40A for ; Tue, 14 Aug 2001 09:35:44 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 553 invoked from network); 14 Aug 2001 16:35:11 -0000 Received: from localhost.nexgen.com (HELO alexus) (127.0.0.1) by localhost.nexgen.com with SMTP; 14 Aug 2001 16:35:11 -0000 Message-ID: <001d01c124df$2962eae0$0d00a8c0@alexus>
From: "alexus" To: "Will Andrews" Cc: "David Kirchner" , "Ivan Krstic" , References: <20010813093238.B38221-100000@localhost> <000b01c1241f$d0e74c90$0d00a8c0@alexus> <20010814111413.N5712@bohr.physics.purdue.edu> Subject: Re: bin user Date: Tue, 14 Aug 2001 12:35:17 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2526.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2526.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org After reading your e-mail I thought this is a very good idea too *BUT*! # su -m bin su: /usr/local/bin/bash: Permission denied # id uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) # It won't switch to bin for some reason :( ----- Original Message -----
From: "Will Andrews" To: "alexus" Cc: "David Kirchner" ; "Ivan Krstic" ; Sent: Tuesday, August 14, 2001 12:14 PM Subject: Re: bin user > On Mon, Aug 13, 2001 at 01:46:00PM -0400, alexus (ml@db.nexgen.com) wrote: > > Hm, I like yours better; the only question is, will it work from crontab? > > /etc/crontab will let you specify the user to run the command as. > You can also do ``su -m bin'' then ``crontab -e''. > > -- > wca > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 9:48:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 8D83E37B406 for ; Tue, 14 Aug 2001 09:48:26 -0700 (PDT) (envelope-from fschapachnik@vianetworks.com.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id NAA34895; Tue, 14 Aug 2001 13:45:47 -0300 (ART) X-Authentication-Warning: ns1.via-net-works.net.ar: fpscha set sender to fschapachnik@vianetworks.com.ar using -f Date: Tue, 14 Aug 2001 13:45:47 -0300
From: Fernando Schapachnik To: alexus Cc: Will Andrews , David Kirchner , Ivan Krstic , freebsd-security@FreeBSD.ORG Subject: Re: bin user Message-ID: <20010814134547.D6223@ns1.via-net-works.net.ar> References: <20010813093238.B38221-100000@localhost> <000b01c1241f$d0e74c90$0d00a8c0@alexus> <20010814111413.N5712@bohr.physics.purdue.edu> <001d01c124df$2962eae0$0d00a8c0@alexus> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <001d01c124df$2962eae0$0d00a8c0@alexus>; from ml@db.nexgen.com on Tue, Aug 14, 2001 at 12:35:17PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In an earlier message, alexus wrote: > # su -m bin > su: /usr/local/bin/bash: Permission denied > # id > uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), > 5(operator), 20(staff), 31(guest) > # > > it won't switch to bin for some reason:( From man su: -m Leave the environment unmodified. The invoked shell is your login shell, and no directory changes are made. As a security precaution, if the target user's shell is a non-standard shell (as defined by getusershell(3)) and the caller's real uid is non-zero, su will fail. I guess that the real uid != 0 check is not implemented. Reset the bin shell and you'll be fine. Regards. Fernando P. Schapachnik Network and technology planning VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar Tel.: (54-11) 4323-3381 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 10:47:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from breg.mc.mpls.visi.com (breg.mc.mpls.visi.com [208.42.156.101]) by hub.freebsd.org (Postfix) with ESMTP id 39DED37B40F for ; Tue, 14 Aug 2001 10:47:19 -0700 (PDT) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-host193.dsl.visi.com [208.42.101.193]) by breg.mc.mpls.visi.com (Postfix) with ESMTP id 6A19C2D056E for ; Tue, 14 Aug 2001 12:47:18 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f7EHlHD01899 for freebsd-security@freebsd.org; Tue, 14 Aug 2001 12:47:17 -0500 (CDT) (envelope-from hawkeyd) Date: Tue, 14 Aug 2001 12:47:17 -0500 
From: D J Hawkey Jr To: freebsd-security@freebsd.org Subject: Is minicom exploitable under FreeBSD? Message-ID: <20010814124717.B1870@sheol.localdomain> Reply-To: hawkeyd@visi.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm not certain this is "technical enough" for this group, but it seems appropriate, none the less? Per the following synopsis, is minicom, as found in the packages collection, vulnerable? ---8<--- *** {01.19.020} Cross - Format string vulnerabilities in minicom An advisory was released recently demonstrating format string vulnerabilities in the upload/download functionality of minicom. If minicom is set sgid uucp (which was recommended at one point in time), it is possible to gain uucp group privileges and potentially use those privileges to gain root privileges (the advisory details a potential exploit path). No patches have been made available. This vulnerability has not been confirmed. Source: SecurityFocus Bugtraq --->8--- Minicom installed on my system as: [sheol] /usr/local/bin$ ll mini* -rwsr-xr-x 1 uucp dialer 132372 Nov 16 2000 minicom Not installed SGID, but it is SUID. I only use it to talk to my Cisco DSL modem over cuaa1; I can't figure out how to get 'cu' to talk to it (which I would if I could). TIA, Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" 
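The bug class named in the advisory above, user-controlled text reaching a printf-family function as its format string, together with the two ways of closing it, as an added example in C. It is not minicom's code and reproduces none of its call sites: the `status_line` function, the `show_transfer_status*` wrappers and the filename argument are hypothetical, and the hostile filename is constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the format-string bug class; not minicom's code.
 * The vulnerable shape is shown only as a comment because executing it
 * with a crafted filename is undefined behaviour:
 *
 *     void show_transfer_status_bad(const char *filename)
 *     {
 *         char msg[256];
 *         snprintf(msg, sizeof msg, "Uploading %s", filename);
 *         status_line(msg);     // msg, which contains user data, is the format
 *     }
 *
 * When status_line() is printf-like, a filename such as "%x%x%n" is parsed
 * as directives: each %x reads a stack word, %n writes to memory.
 */

/* Hypothetical printf-like status function writing to a fixed buffer. */
static char status_buf[256];

static int status_line(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(status_buf, sizeof status_buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Fix 1 (preferred): user data is always an argument, never the format. */
int show_transfer_status(const char *filename)
{
    return status_line("Uploading %s", filename);
}

/*
 * Fix 2 (for call sites that must hand a pre-built message over as the
 * format): double every '%' so the string carries no directive at all.
 * Returns 0 on success, -1 if the output buffer is too small.
 */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;

    for (; *in != '\0'; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outlen)
            return -1;
        if (*in == '%')
            out[o++] = '%';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

int show_transfer_status_escaped(const char *filename)
{
    char msg[256], safe[512];

    snprintf(msg, sizeof msg, "Uploading %s", filename);
    if (escape_percent(msg, safe, sizeof safe) < 0)
        return -1;
    return status_line(safe);   /* safe is directive-free by construction */
}

/* Exposes the last message so the result can be inspected. */
const char *last_status(void)
{
    return status_buf;
}

int main(void)
{
    /* Constructed hostile filename, the shape an attack would feed in. */
    const char *evil = "%x%x%n";

    show_transfer_status(evil);
    printf("%s\n", last_status());          /* Uploading %x%x%n */
    show_transfer_status_escaped(evil);
    printf("%s\n", last_status());          /* Uploading %x%x%n */
    return 0;
}
```

The first fix is the right one wherever the code can be changed: the user string travels through `%s` and never becomes the format. The second is for call sites that assemble a message and must pass it as the format; doubling every `%` removes all directives, `%n` included, at the cost of a larger buffer. Neither changes what a successful attack would inherit; that is decided by the setuid/setgid bits the `ll` output above shows.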
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 12:12:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.neuson-ag.com (mail.neuson-ag.com [212.152.154.130]) by hub.freebsd.org (Postfix) with SMTP id 1BDB837B406; Tue, 14 Aug 2001 12:12:15 -0700 (PDT) (envelope-from info@vrsite2.com) Received: from no.name.available by mail.neuson-ag.com via smtpd (for hub.freebsd.org [216.136.204.18]) with SMTP; 14 Aug 2001 19:21:49 UT Received: from ns5.pib.com.br ([192.168.10.253]) by nbamails1.neusonkramer.com with Microsoft SMTPSVC(5.0.2195.2966); Tue, 14 Aug 2001 10:10:07 +0200 Reply-To: 
From: "info@vrsite2.com" To: "4468@telconet.net" <4468@telconet.net> Message-ID: <0997777005.0093966895@ns5.pib.com.br> Subject: Foreign residents: Is the market taking you for a ride? 1582306 Content-Type: text/plain; charset="us-ascii";format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 14 Aug 2001 08:10:08.0397 (UTC) FILETIME=[8854C3D0:01C12498] Date: 14 Aug 2001 10:10:08 +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ============================================================================= Attention: An "english" speaking representative will be contacting you to verify your correct mailing information prior to shipping you your FREE special report(s). A valid number is required! We apologize, but this investment opportunity does not apply to "United States, India and Pakistan residents at this time. ============================================================================= Currency Trading Made Simple! Do You Have The Yen To Be a A Millionaire? 200% return in less than 90 days! Unique Strategy Trading in the International Currency Markets! Largest MarketPlace in the World! Get our Reports, Charts and Strategies on the U.S. Dollar vs Japanese yen and euro. Example: A $5,000 Investment in the Euro vs the Dollar, "properly positioned", on 09/29/00 could have returned $12,500.00 on 10/19/00. For your FREE information package, contact us today. http://www.dio.pp.ru/user534/curr/default.html ============================================================================= Attention: An "english" speaking representative will be contacting you to verify your correct mailing information prior to shipping you your FREE special report(s). A valid number is required! We apologize, but this investment opportunity does not apply to "United States, India and Pakistan residents at this time. 
============================================================================= If you wish not to be part of our"in house" mailing list mailto:remove@vrsite2.com You have received this email by either requesting more information on one of our opportunities or someone may have used your email address. If you received this email in error, please accept our apologies. (Any attempts to disrupt theemail address etc., will not allow us to be able to retrieve and process your opt out requests.) ============================================================================= **** To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 17:21:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id F3D0337B40A; Tue, 14 Aug 2001 17:21:50 -0700 (PDT) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.11.4/8.11.4) id f7F0Lnj05556; Wed, 15 Aug 2001 04:21:49 +0400 (MSD) (envelope-from ache) Date: Wed, 15 Aug 2001 04:21:46 +0400 From: "Andrey A. Chernov" To: security@freebsd.org, markm@freebsd.org Subject: CFR: OPIE heuristic to detect SSH connection Message-ID: <20010815042144.A5499@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.20i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I plan to commit this for proper OPIE+SSH integration (without bothering people using SSH to add the unneeded -f key). This is completely in the insecure style of the other OPIE heuristics sensing DISPLAY and TERM; it is not supposed to be secure, only to help people with warnings. --- insecure.c.bak Tue Apr 11 16:52:01 2000 +++ insecure.c Wed Aug 15 04:11:21 2001
@@ -64,6 +64,8 @@ if (result != -1) return result; + if (getenv("SSH_CLIENT") != NULL) + return (result = 0); display_name = (char *) getenv("DISPLAY"); term_name = (char *) getenv("TERM"); -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 18: 9:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from bifrost.agrknives.com (bifrost.hos.net [205.238.129.40]) by hub.freebsd.org (Postfix) with ESMTP id AFCEC37B401 for ; Tue, 14 Aug 2001 18:09:14 -0700 (PDT) (envelope-from arussell@bifrost.agrknives.com) Received: (from arussell@localhost) by bifrost.agrknives.com (8.9.3/8.9.3) id UAA09269; Tue, 14 Aug 2001 20:05:06 -0500 (CDT) 
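Review bot: the added `if (getenv("SSH_CLIENT") != NULL) return (result = 0);` sits before the DISPLAY/TERM checks and, through the cached `result` tested on the line above it, marks the whole process as not insecure on the mere presence of the variable, so a user who exports an empty SSH_CLIENT on a non-SSH login gets the same silence; that is consistent with the cover note calling this a heuristic rather than a security check, but the code should carry that caveat itself, e.g. a comment above the two added lines saying the variable is user-controlled and is taken only as evidence that the session is probably encrypted, so nobody later reads the early return as an authentication decision.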
From: "A.G. Russell IV" Message-Id: <200108150105.UAA09269@bifrost.agrknives.com> Subject: Re: Is minicom exploitable under FreeBSD? In-Reply-To: <20010814124717.B1870@sheol.localdomain> from D J Hawkey Jr at "Aug 14, 2001 12:47:17 pm" To: hawkeyd@visi.com Date: Tue, 14 Aug 2001 20:05:06 -0500 (CDT) Cc: freebsd-security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Try "cu -l cuaa0 -s 9600" with cuaa0 = tty0 = com1 cuaa1 = tty1 = com2 cuaa2 = tty2 = com3 cuaa3 = tty3 = com4 I don't know about minicom, having never used it. A.G. "D J Hawkey Jr wrote ..." > I'm not certain this is "technical enough" for this group, but it seems > appropriate, none the less? > > Per the following synopsis, is minicom, as found in the packages collection, > vulnerable? > > ---8<--- > > *** {01.19.020} Cross - Format string vulnerabilities in minicom > > An advisory was released recently demonstrating format string > vulnerabilities in the upload/download functionality of minicom. If > minicom is set sgid uucp (which was recommended at one point in time), > it is possible to gain uucp group privileges and potentially use those > privileges to gain root privileges (the advisory details a potential > exploit path). > > No patches have been made available. This vulnerability has not been > confirmed. > > Source: SecurityFocus Bugtraq > > --->8--- > > Minicom installed on my system as: > > [sheol] /usr/local/bin$ ll mini* > -rwsr-xr-x 1 uucp dialer 132372 Nov 16 2000 minicom > > Not installed SGID, but it is SUID. > > I only use it to talk to my Cisco DSL modem over cuaa1; I can't figure out > how to get 'cu' to talk to it (which I would if I could). 
> > TIA, > Dave > > -- > > Windows: "Where do you want to go today?" > Linux: "Where do you want to go tomorrow?" > FreeBSD: "Are you guys coming, or what?" > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > _______________________________________________________________________________ A.G. Russell IV KC5KFD High Order Software e-mail: ag4@hos.net Phone 512-834-1145 These are my views, on anyone else they would look silly. ------------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 18:35:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail46.fg.online.no (mail46-s.fg.online.no [148.122.161.46]) by hub.freebsd.org (Postfix) with ESMTP id 6721837B405 for ; Tue, 14 Aug 2001 18:35:33 -0700 (PDT) (envelope-from geir@dropzone.as) Received: from PULZ (ti29a81-0669.bb.online.no [146.172.50.156]) by mail46.fg.online.no (8.9.3/8.9.3) with SMTP id DAA08790 for ; Wed, 15 Aug 2001 03:35:31 +0200 (MET DST) Message-ID: <002401c1252b$38cb8d10$3704fea9@PULZ> Reply-To: =?iso-8859-1?Q?Geir_R=E5ness?= 
From: Geir Råness To: References: <20010814124717.B1870@sheol.localdomain> Subject: Re: Is minicom exploitable under FreeBSD? Date: Wed, 15 Aug 2001 03:40:10 +0200 Organization: DropZone MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org About a month ago a bug was noticed in the minicom drivers that can lead to root.... I ain't sure if this is just Linux or if it is FreeBSD too, but from what I know about it, it affects all the systems using minicom. ----- Original Message -----
From: "D J Hawkey Jr" To: Sent: Tuesday, August 14, 2001 7:47 PM Subject: Is minicom exploitable under FreeBSD? > I'm not certain this is "technical enough" for this group, but it seems > appropriate, none the less? > > Per the following synopsis, is minicom, as found in the packages collection, > vulnerable? > > ---8<--- > > *** {01.19.020} Cross - Format string vulnerabilities in minicom > > An advisory was released recently demonstrating format string > vulnerabilities in the upload/download functionality of minicom. If > minicom is set sgid uucp (which was recommended at one point in time), > it is possible to gain uucp group privileges and potentially use those > privileges to gain root privileges (the advisory details a potential > exploit path). > > No patches have been made available. This vulnerability has not been > confirmed. > > Source: SecurityFocus Bugtraq > > --->8--- > > Minicom installed on my system as: > > [sheol] /usr/local/bin$ ll mini* > -rwsr-xr-x 1 uucp dialer 132372 Nov 16 2000 minicom > > Not installed SGID, but it is SUID. > > I only use it to talk to my Cisco DSL modem over cuaa1; I can't figure out > how to get 'cu' to talk to it (which I would if I could). > > TIA, > Dave > > -- > > Windows: "Where do you want to go today?" > Linux: "Where do you want to go tomorrow?" > FreeBSD: "Are you guys coming, or what?"
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 20:11:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe64.law12.hotmail.com [64.4.18.199]) by hub.freebsd.org (Postfix) with ESMTP id B1AC037B40A; Tue, 14 Aug 2001 20:11:28 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 14 Aug 2001 20:11:28 -0700 X-Originating-IP: [24.14.93.185] Reply-To: "default - Subscriptions"
From: "default - Subscriptions" To: , Subject: IPFW and interface aliases... Date: Tue, 14 Aug 2001 22:11:23 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: X-OriginalArrivalTime: 15 Aug 2001 03:11:28.0301 (UTC) FILETIME=[F988DDD0:01C12537] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I'm running a server with two I.P. addresses bound to it... I just setup IPFW and it is working great, but I just realized that the alias I.P. is not able to send or receive any traffic... Just to test, I added these rules to top of my rc.firewall: ${fwcmd} add pass all from ${ip2} to any ${fwcmd} add pass all from any to ${ip2} This did not change anything... Is there some special way that aliases need to be referred to in the firewall rules? Thanks, Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 20:57:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe69.law12.hotmail.com [64.4.18.204]) by hub.freebsd.org (Postfix) with ESMTP id 388F937B407; Tue, 14 Aug 2001 20:57:41 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 14 Aug 2001 20:57:41 -0700 X-Originating-IP: [24.14.93.185] Reply-To: "default - Subscriptions" 
From: "default - Subscriptions" To: , Subject: Fw: IPFW and interface aliases... Date: Tue, 14 Aug 2001 22:57:33 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: X-OriginalArrivalTime: 15 Aug 2001 03:57:41.0056 (UTC) FILETIME=[6E39B400:01C1253E] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I love the FreeBSD mail archive!!! I searched through the archive, found someone with my exact problem... It turns out that I was using a 24 bit netmask for the alias, when I should have been using a 32 bit... This prompts a new question... sending in another email... thanks, jordan :) ----- Original Message ----- 
From: "default - Subscriptions" To: ; Sent: Tuesday, August 14, 2001 10:11 PM Subject: IPFW and interface aliases... > Hi, > > I'm running a server with two I.P. addresses bound to it... > > I just setup IPFW and it is working great, but I just realized that the > alias I.P. is not able to send or receive any traffic... > > Just to test, I added these rules to top of my rc.firewall: > ${fwcmd} add pass all from ${ip2} to any > ${fwcmd} add pass all from any to ${ip2} > > This did not change anything... > > Is there some special way that aliases need to be referred to in the > firewall rules? > > Thanks, > > Jordan > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 14 21: 6:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe35.law12.hotmail.com [64.4.18.92]) by hub.freebsd.org (Postfix) with ESMTP id 5034137B401; Tue, 14 Aug 2001 21:06:30 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 14 Aug 2001 21:06:30 -0700 X-Originating-IP: [24.14.93.185] Reply-To: "default - Subscriptions" 
From: "default - Subscriptions" To: , Subject: Question about default IPFW Rules... Date: Tue, 14 Aug 2001 23:06:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: X-OriginalArrivalTime: 15 Aug 2001 04:06:30.0143 (UTC) FILETIME=[A995F8F0:01C1253F] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Okay, I recently set up IPFW, and during the past 24 hours I have been tweaking and getting familiar with writing the rules... I have a question about this rule in the default rc.firewall script: # Allow any traffic to or from my own net ${fwcmd} add pass all from ${ip} to ${net}:${mask} ${fwcmd} add pass all from ${net}:${mask} to ${ip} If one is on a cable/dsl connection like @home, wouldn't this rule supersede all other rules and let any traffic in from my I.P. address range? (given that example I.P. is 192.168.0.3, and netmask is 255.255.255.0) I am concerned with this because I do have hackers in my range that have been trying to get in... Is there a better way to do this? Or would you guys suggest removing this rule completely? (I have not tried this yet...) I am on an @home connection with two I.P. addresses bound to my NIC. They are both in the same range (ex. 192.168.0.3 and 192.168.0.4) ... the gateway is 192.168.0.1... I was thinking maybe I could limit this to traffic with my gateway and my own I.P. addresses, as I have provided other rules for things like DNS ...
Thanks, Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 15 0:40:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id AAE2437B409 for ; Wed, 15 Aug 2001 00:40:36 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 91B361D14; Wed, 15 Aug 2001 09:39:49 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id EECBC552A; Wed, 15 Aug 2001 09:39:48 +0200 (CEST) Date: Wed, 15 Aug 2001 09:39:47 +0200 (CEST) 
From: Krzysztof Zaraska X-Sender: kzaraska@lhotse.zaraska.dhs.org To: default - Subscriptions Cc: freebsd-security@FreeBSD.ORG Subject: Re: Question about default IPFW Rules... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 14 Aug 2001, default - Subscriptions wrote: > I have a question about this rule in the default rc.firewall script: > > # Allow any traffic to or from my own net > ${fwcmd} add pass all from ${ip} to ${net}:${mask} > ${fwcmd} add pass all from ${net}:${mask} to ${ip} > > If one is on a cable/dsl connection like @home, wouldn't this rule supersede > all other rules and let any traffic in from my I.P. address range? (given > that example I.P. is 192.168.0.3, and netmask is 255.255.255.0) It would. _First matching rule wins_. > I am concerned with this because I do have hackers in my range that have > been trying to get in... Well... /etc/rc.firewall contains just "typical" rulesets and they SHOULD be customized... The "CLIENT" ruleset is built based on the following assumption: "local network is friendly, rest of the world is not". This makes a lot of sense: for example if you're inside a company which has a class C address block you'd normally allow all access from this block (your colleague at the next desk won't break in), right? However you are also on a class C subnet, yet your network neighbors are "untrusted". So, as you said, they need to be denied access similarly to the rest of the world. IMPORTANT: The netmask in /etc/rc.firewall DOES NOT affect your routing configuration. It is used because of the assumption that "local net is friendly" described above. > Is there a better way to do this? Standard approach is "deny by default": deny everyone, ALLOW friends.
This is more convenient than trying to determine who may want to break in and who may not.

> Or would you guys suggest removing this
> rule completely? (I have not tried this yet...)

The rule may be safely removed (commenting out is more convenient). In your case, it should be.

> I am on an @home connection with two I.P. addresses bound to my NIC. They
> are both in the same range (ex. 192.168.0.3 and 192.168.0.4) ... the gateway
> is 192.168.0.1...

So you have to cover both in your ruleset, but I guess you've already done so.

> I was thinking maybe I could limit this to traffic with my gateway and my
> own I.P. addresses, as I have provided other rules for things like DNS ...

IMHO you should set limits both on the firewall and services. This is somewhat a concept of multi-layered defence. If your firewall is disabled for some reason (debugging ruleset etc.) you'll still have some protection.

From owner-freebsd-security Wed Aug 15 4:48:59 2001
Received: from kawoserv.kawo2.rwth-aachen.de (kawoserv.kawo2.RWTH-Aachen.DE [134.130.180.1]) by hub.freebsd.org (Postfix) with ESMTP id 5146537B406; Wed, 15 Aug 2001 04:48:53 -0700 (PDT) (envelope-from alex@big.endian.de)
Received: from zerogravity.kawo2.rwth-aachen.de (zerogravity.kawo2.rwth-aachen.de [134.130.181.28]) by kawoserv.kawo2.rwth-aachen.de (8.9.3/8.9.3) with ESMTP id NAA17931; Wed, 15 Aug 2001 13:48:52 +0200
Received: by zerogravity.kawo2.rwth-aachen.de (Postfix, from userid 1001) id ACD7414E50; Wed, 15 Aug 2001 13:48:52 +0200 (CEST)
Date: Wed, 15 Aug 2001 13:48:52 +0200
From: Alexander Langer
To: Robert Watson
Cc: security@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815134852.B16184@zerogravity.kawo2.rwth-aachen.d>
References: <20010814213312.C22531@zerogravity.kawo2.rwth-aachen.d>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rwatson@FreeBSD.org on Tue, Aug 14, 2001 at 07:50:56PM -0400
X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F
X-PGP-at: finger alex@big.endian.de
X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung.

Thus spake Robert Watson (rwatson@FreeBSD.org):

> processing out of cron, not bind sockets, etc. I don't know much about
> that, from an operational perspective, and would be interested in hearing
> more about the considerations here. For example, I do know that a number
> of system functions generate e-mail (scheduled events, vi recovery, etc)
> and that needs to be handled properly.

We can disable binding to port 25 and local mail delivery will still work. I also like disabling all other network services by default. One of OpenBSD's arguments is that you then know what services you've had enabled, and you then know what to take care about. If you missed a SA about some service you haven't enabled either, who cares?
Alex

From owner-freebsd-security Wed Aug 15 5:47:44 2001
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id DB45237B405; Wed, 15 Aug 2001 05:47:40 -0700 (PDT) (envelope-from sheldonh@starjuice.net)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15X06R-000FZ7-00; Wed, 15 Aug 2001 14:48:55 +0200
From: Sheldon Hearn
To: Alexander Langer
Cc: Robert Watson , security@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
In-reply-to: Your message of "Wed, 15 Aug 2001 13:48:52 +0200." <20010815134852.B16184@zerogravity.kawo2.rwth-aachen.d>
Date: Wed, 15 Aug 2001 14:48:54 +0200
Message-ID: <59836.997879734@axl.seasidesoftware.co.za>

On Wed, 15 Aug 2001 13:48:52 +0200, Alexander Langer wrote:

> We can disable binding to port 25 and local mail delivery will still
> work. I also like disabling all other network services by default.
> One of OpenBSD's argument is, that you then know what services you've
> had enabled, and you then know, what to take care about. If you
> missed a SA about some service you haven't enabled either, who cares?

The only problem here is that FreeBSD could be seen as a system that does nothing out of the box. :-)

This is not an unresolvable problem, it's just something that needs to be considered.

Ciao,
Sheldon.

From owner-freebsd-security Wed Aug 15 6:14:40 2001
Received: from breg.mc.mpls.visi.com (breg.mc.mpls.visi.com [208.42.156.101]) by hub.freebsd.org (Postfix) with ESMTP id 4EDFD37B403 for ; Wed, 15 Aug 2001 06:14:36 -0700 (PDT) (envelope-from hawkeyd@visi.com)
Received: from sheol.localdomain (hawkeyd-host193.dsl.visi.com [208.42.101.193]) by breg.mc.mpls.visi.com (Postfix) with ESMTP id B4CD12D055D; Wed, 15 Aug 2001 08:14:31 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f7FDEU108126; Wed, 15 Aug 2001 08:14:30 -0500 (CDT) (envelope-from hawkeyd)
Date: Wed, 15 Aug 2001 08:14:30 -0500
From: D J Hawkey Jr
To: modulus@icmp.dhs.org, freebsd-security@freebsd.org
Subject: Re: [modulus@icmp.dhs.org Re: ipmon and periodic]
Message-ID: <20010815081430.A7983@sheol.localdomain>
Reply-To: hawkeyd@visi.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Hello All.

This is old business (Feb 2001), but "modulus@icmp.dhs.org" had written a script for /etc/periodic/daily to include messages logged by 'ipmon' in the daily security mailing. I borrowed a bit of his script, but took a different approach, which I think more elegant. Please review and comment. Perhaps the Right People(tm) can forward it to the Other Right People(tm) for the -CURRENT and/or -STABLE CVS trees?

This is from FreeBSD-4.2REL, incidentally. I had switched from 'ipfw' to the kernel's ipfilter yesterday, and was dismayed to find nothing in the daily security mailing this morning. This may already be remedied for current and future releases?

---8<--- --- /etc/security Mon Nov 20 06:03:04 2000 +++ security Wed Aug 15 07:54:06 2001 @@ -43,6 +43,9 @@ [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz [ -f $LOG/messages.0 ] && cat $LOG/messages.0 [ -f $LOG/messages ] && cat $LOG/messages + [ -f $LOG/security.0.gz ] && zcat $LOG/security.0.gz + [ -f $LOG/security.0 ] && cat $LOG/security.0 + [ -f $LOG/security ] && cat $LOG/security } sflag=FALSE ignore=
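Review bot: in the @@ -43,6 +43,9 @@ hunk, appending $LOG/security, $LOG/security.0 and $LOG/security.0.gz to catmsgs widens the input of every other section of this script that reads catmsgs, not only the ipfilter section added in the next hunk; if syslog writes a line to both /var/log/messages and /var/log/security, those sections will now report it twice, and the combined stream is no longer in date order because the security files are concatenated after the messages files. If the intent is only to feed the new ipmon grep, read the security logs through a separate helper and leave catmsgs as it was; otherwise the description should state that the wider input is deliberate, and that the change assumes syslog is routing ipmon's output to /var/log/security.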
@@ -160,6 +163,15 @@ echo "ipfw log limit reached:" cat ${TMP} fi +fi + +# Show ipfilter log messages +# +if n=$(catmsgs | grep -i "^$yesterday.*ipmon" | tee ${TMP} | wc -l); then + [ $n -gt 0 -a $rc -lt 1 ] && rc=1 + separator + echo "${host} ipfilter log messages:" + cat ${TMP} | awk '{ match($0, $6); printf "%s\n", substr($0, RSTART) }' fi # Show kernel log messages --->8---

Dave

--
______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/

From owner-freebsd-security Wed Aug 15 6:23:34 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C39CF37B40B; Wed, 15 Aug 2001 06:23:31 -0700 (PDT) (envelope-from arr@watson.org)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FDMPI79928; Wed, 15 Aug 2001 09:22:25 -0400 (EDT) (envelope-from arr@watson.org)
Date: Wed, 15 Aug 2001 09:22:24 -0400 (EDT)
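Review bot: in the @@ -160,6 +163,15 @@ hunk, the condition `if n=$(catmsgs | grep -i "^$yesterday.*ipmon" | tee ${TMP} | wc -l); then` is always true: the exit status of an assignment is the status of its command substitution, i.e. of `wc -l`, which exits 0 whether or not grep matched anything, so `separator` and the "ipfilter log messages:" header are printed every day even when ${TMP} is empty. Do the assignment on its own line and make the test `if [ $n -gt 0 ]; then`; the line `[ $n -gt 0 -a $rc -lt 1 ] && rc=1` can then drop its first operand. Two smaller points: the block starts with `+fi` and relies on the pre-existing `fi` context line to close its own `if`, which makes the hunk hard to read and easy to break on the next edit, so add a complete if/fi pair instead; and in `awk '{ match($0, $6); printf "%s\n", substr($0, RSTART) }'` the sixth field (the ipmon timestamp) is used as a regular expression, so a `.` in it matches any character and a field containing metacharacters can match earlier in the line or not at all (RSTART becomes 0 and the whole line is printed). `substr($0, index($0, $6))` does a literal search, and passing ${TMP} to awk directly removes the needless `cat`.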
From: "Andrew R. Reiter"
To: Sheldon Hearn
Cc: Alexander Langer , Robert Watson , security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <59836.997879734@axl.seasidesoftware.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

:
:> We can disable binding to port 25 and local mail delivery will still
:> work. I also like disabling all other network services by default.
:> One of OpenBSD's argument is, that you then know what services you've
:> had enabled, and you then know, what to take care about. If you
:> missed a SA about some service you haven't enabled either, who cares?
:
:The only problem here is that FreeBSD could be seen as a system that
:does nothing out of the box. :-)
:
:This is not an unresolvable problem, it's just something that needs to
:be considered.

What about sysinstall options for this type of thing? We have a post-install Security configuration menu -- perhaps expanding this would be valuable?

Andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Wed Aug 15 6:55:46 2001
Received: from nebula-bsd.dyndns.org (ptldme-cmt2-c3-66-30-32-135.maine.rr.com [66.30.32.135]) by hub.freebsd.org (Postfix) with ESMTP id 4446A37B405 for ; Wed, 15 Aug 2001 06:55:41 -0700 (PDT) (envelope-from richard@nebula-bsd.dyndns.org)
Received: from localhost (richard@localhost) by nebula-bsd.dyndns.org (8.11.1/8.11.1) with ESMTP id f7FE4Vk84078; Wed, 15 Aug 2001 10:04:31 -0400 (EDT) (envelope-from richard@nebula-bsd.dyndns.org)
Date: Wed, 15 Aug 2001 10:04:29 -0400 (EDT)
From: Richard Stanaford
X-Sender: richard@localhost
To: "Andrew R. Reiter"
Cc: security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Perhaps we could also have the option to not run Inetd at all. Of course you can just go right in to /etc/rc.conf and set "inetd_enable=NO", but doing it at the end of the system build might save a few who could forget. *shrug* 8-)

-Richard

On Wed, 15 Aug 2001, Andrew R. Reiter wrote:

>
> What about sysinstall options for this type of thing? We have a
> post-install Security configuration menu -- perhaps expanding this would
> be valuable?
>
> Andrew
>

From owner-freebsd-security Wed Aug 15 7: 0:29 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 136BD37B40B for ; Wed, 15 Aug 2001 07:00:21 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FDxdf80294; Wed, 15 Aug 2001 09:59:39 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 15 Aug 2001 09:59:38 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Sheldon Hearn
Cc: Alexander Langer , security@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <59836.997879734@axl.seasidesoftware.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 15 Aug 2001, Sheldon Hearn wrote:

> On Wed, 15 Aug 2001 13:48:52 +0200, Alexander Langer wrote:
>
> > We can disable binding to port 25 and local mail delivery will still
> > work. I also like disabling all other network services by default.
> > One of OpenBSD's argument is, that you then know what services you've
> > had enabled, and you then know, what to take care about. If you
> > missed a SA about some service you haven't enabled either, who cares?
>
> The only problem here is that FreeBSD could be seen as a system that
> does nothing out of the box. :-)
>
> This is not an unresolvable problem, it's just something that needs to
> be considered.

Well, we're already not a web server out of the box, or a decent workstation out of the box, or able to serve files to Windows systems. Many common uses of FreeBSD require using packages, and I think that's a fine approach. We have a strong binary packaging solution that makes it easy for our users to install a variety of well-supported software packages providing these additional services.

That said, the way we have addressed this recently is to disable services by default, but make it easier to turn them on. For example, to provide an interactive prompt to enable the service during install, and provide a sysinstall menu option to twiddle it post-install. This is true of both base system services (NFS, etc), and package ones (we provide special hooks to allow things like Linux emulation to be properly enabled, and so on).
Part of the problem we seem to be bumping into is that the scope of "reasonable defaults" can be conservative only if administering the machine is straightforward. Otherwise you have to turn things on because no one wants to invest the time to figure out how. In that case, the problem isn't with changing the defaults, it's with the administrative tools.

A quick glance at past security advisories demonstrates that *every* significant (and many insignificant) remotely accessible base system service on FreeBSD has suffered a vulnerability in the base install in the past. This includes ftpd, telnetd, sshd, sendmail, and even fingerd. And of these, at least two or three have been in the past six months. We review our source code carefully, and others who review their code carefully have the same problem (including the OpenBSD project). The only reasonable remedy to a scenario that assumes inevitable failure is to reduce the opportunity and hence reduce the risk. This means choosing conservative defaults, but making it easier for users to manage the set of services they provide via the system. That's why I've spent some time both disabling services by default, and attempting to make up for that with sysinstall changes. I'm pretty good at turning off services, but I make no claims about experience with user interface design. I'd welcome others to work towards the same goals.

None of this precludes continuing to improve the quality and correctness (and hence security) of our code base, it just means we need to accept that a complete solution requires a more comprehensive look at the problem, addressing a variety of issues relating to architecture, implementation, and usability.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Aug 15 7: 6:25 2001
Received: from mixtim.homeip.net (cg392862-a.adubn1.nj.home.com [65.2.79.221]) by hub.freebsd.org (Postfix) with ESMTP id E2B9037B405 for ; Wed, 15 Aug 2001 07:06:21 -0700 (PDT) (envelope-from michael@mixtim.homeip.net)
Received: by mixtim.homeip.net (Postfix, from userid 1000) id 3992498D7; Wed, 15 Aug 2001 10:06:21 -0400 (EDT)
Date: Wed, 15 Aug 2001 10:06:21 -0400
From: Mixtim
To: security@freebsd.org
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815100621.A5853@mixtim.homeip.net>
Reply-To: mixtim@mixtim.homeip.net
References: <20010815134852.B16184@zerogravity.kawo2.rwth-aachen.d> <59836.997879734@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <59836.997879734@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Wed, Aug 15, 2001 at 02:48:54PM +0200

On Wed, Aug 15, 2001 at 02:48:54PM +0200, Sheldon Hearn wrote:
> The only problem here is that FreeBSD could be seen as a system that
> does nothing out of the box. :-)
> This is not an unresolvable problem, it's just something that needs to
> be considered.

I've installed FreeBSD on quite a few machines. Every install required tweaking configuration files and editing rc.conf. Since you do this every install anyway, why not disable every network service and make the administrator turn on what they really need?

I mean seriously... how many people actually use the default sendmail.cf file (for those who do use sendmail) for their network mail server? Nobody. You always end up having to edit the .mc file for one reason or another. While the admin is configuring sendmail he/she can just add the "-bd" flag back to the list of sendmail options. Not binding to port 25 by default really doesn't hurt anyone and probably saves a few clueless admins from themselves. The same goes for the other network services.
Just my $.02

From owner-freebsd-security Wed Aug 15 7:24:28 2001
Received: from mixtim.homeip.net (cg392862-a.adubn1.nj.home.com [65.2.79.221]) by hub.freebsd.org (Postfix) with ESMTP id 5006F37B401 for ; Wed, 15 Aug 2001 07:24:16 -0700 (PDT) (envelope-from michael@mixtim.homeip.net)
Received: by mixtim.homeip.net (Postfix, from userid 1000) id 49CD498FC; Wed, 15 Aug 2001 10:24:15 -0400 (EDT)
Date: Wed, 15 Aug 2001 10:24:15 -0400
From: Mixtim
To: Eric Anderson
Cc: security@freebsd.org
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815102415.A5942@mixtim.homeip.net>
Reply-To: mixtim@mixtim.homeip.net
References: <20010815134852.B16184@zerogravity.kawo2.rwth-aachen.d> <59836.997879734@axl.seasidesoftware.co.za> <20010815100621.A5853@mixtim.homeip.net> <3B7A8424.CBFF1F30@centtech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B7A8424.CBFF1F30@centtech.com>; from anderson@centtech.com on Wed, Aug 15, 2001 at 09:16:04AM -0500

On Wed, Aug 15, 2001 at 09:16:04AM -0500, Eric Anderson wrote:
> Here's the thing. I thought that was a great idea - until I started
> installing (ick) RedHat 7.1 on a few machines here at the office. It
> has everything closed off, so remote access is not possible off the hat
> (ssh will work, but you have to add a local non-root user).

I should have stated ssh as an exception. You almost always have to have it running. Of course, logging in as root and executing the sshd command only takes a few seconds.

> Plus, anyone installing FreeBSD should have a good idea that they are
> installing an OS that has many servers running, some possibly easy to
> hack.

If CodeRed taught us anything it is that there are more than enough clueless admins on the net. Just because someone installed FreeBSD doesn't mean they are that much more intelligent.

> It isn't up to the programmers of the operating system to protect the
> users of it.

Then why is there a security@freebsd.org address?
From owner-freebsd-security Wed Aug 15 8:51:41 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id A0BBA37B409 for ; Wed, 15 Aug 2001 08:51:37 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FFpTf81523; Wed, 15 Aug 2001 11:51:29 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 15 Aug 2001 11:51:28 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Richard Stanaford
Cc: "Andrew R. Reiter" , security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 15 Aug 2001, Richard Stanaford wrote:

> Perhaps we could also have the option to not run Inetd at all. Of
> course you can just go right in to /etc/rc.conf and set
> "inetd_enable=NO", but doing it at the end of the system build might
> save a few who could forget.

I recently changed sysinstall (should be in 4.4-RELEASE when that comes out) to first ask whether the user wants to run inetd, and then if they say yes, asks if they'd like to edit inetd.conf. Inetd.conf is now defaulted so that all services are disabled. This permits sysinstall to enable/disable inetd, and allows the user to enable services as they see fit during the install prior to reboot. This is not heavily tested, so I'd appreciate it if, when the prerelease snapshot comes out, people could give it a spin.

I also modified the security menu a fair amount, eliminating two of the security profiles, as they were now redundant. I'm hoping to gradually phase out the security profiles, and simply have the user enable or disable services specifically. Possibly adding a security evaluation feature that would look at the active settings and talk about the risks (this might be a cool project for someone wanting to play with sysinstall).
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Aug 15 9:23:57 2001
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 2F89F37B406 for ; Wed, 15 Aug 2001 09:23:54 -0700 (PDT) (envelope-from sheldonh@starjuice.net)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15X3Tf-000MMh-00; Wed, 15 Aug 2001 18:25:07 +0200
From: Sheldon Hearn
To: mixtim@mixtim.homeip.net
Cc: security@freebsd.org
Subject: Re: cvs commit: src/etc inetd.conf
In-reply-to: Your message of "Wed, 15 Aug 2001 10:06:21 -0400." <20010815100621.A5853@mixtim.homeip.net>
Date: Wed, 15 Aug 2001 18:25:07 +0200
Message-ID: <85974.997892707@axl.seasidesoftware.co.za>

On Wed, 15 Aug 2001 10:06:21 -0400, Mixtim wrote:

> I've installed FreeBSD on quite a few machines. Every install required
> tweaking configuration files and editing rc.conf. Since you do this
> every install anyway, why not disable every network service and make the
> administrator turn on what they really need?

You missed my point. All I'm saying is that care should be taken to avoid the perception amongst journalists and other non-technical people that "FreeBSD is useless out of the box".

As Robert Watson mentioned, care is already taken in sysinstall, where a number of services can be "turned on" during the installation.

Ciao,
Sheldon.

From owner-freebsd-security Wed Aug 15 9:26:40 2001
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 6EB9E37B40D; Wed, 15 Aug 2001 09:26:34 -0700 (PDT) (envelope-from sheldonh@starjuice.net)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15X3WM-000MNF-00; Wed, 15 Aug 2001 18:27:54 +0200
From: Sheldon Hearn
To: Robert Watson
Cc: Richard Stanaford , "Andrew R. Reiter" , security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
In-reply-to: Your message of "Wed, 15 Aug 2001 11:51:28 -0400."
Date: Wed, 15 Aug 2001 18:27:54 +0200
Message-ID: <86008.997892874@axl.seasidesoftware.co.za>

On Wed, 15 Aug 2001 11:51:28 -0400, Robert Watson wrote:

> I recently changed sysinstall (should be in 4.4-RELEASE when that comes
> out) to first ask whether the user wants to run inetd, and then if they
> say yes, asks if they'd like to edit inetd.conf. Inetd.conf is now
> defaulted so that all services are disabled.

The only problem with this is that it raises the bar for installation. Now, people need to know how to drive a (possibly) unfamiliar text editor to turn stuff on.

Still, I like the direction you're moving in. Ultimately, I think the text editor idea should be an advanced option and changes to inetd.conf (and whatever) should be possible with the UI.

Ciao,
Sheldon.

From owner-freebsd-security Wed Aug 15 9:33:54 2001
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id AB99A37B416; Wed, 15 Aug 2001 09:33:48 -0700 (PDT) (envelope-from fschapachnik@vianetworks.com.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id NAA32108; Wed, 15 Aug 2001 13:32:31 -0300 (ART)
X-Authentication-Warning: ns1.via-net-works.net.ar: fpscha set sender to fschapachnik@vianetworks.com.ar using -f
Date: Wed, 15 Aug 2001 13:32:31 -0300
From: Fernando Schapachnik
To: Sheldon Hearn
Cc: Robert Watson , Richard Stanaford , "Andrew R. Reiter" , security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815133231.B5030@ns1.via-net-works.net.ar>
References: <86008.997892874@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <86008.997892874@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Wed, Aug 15, 2001 at 06:27:54PM +0200

In an earlier message, Sheldon Hearn wrote:
>
> On Wed, 15 Aug 2001 11:51:28 -0400, Robert Watson wrote:
>
> > I recently changed sysinstall (should be in 4.4-RELEASE when that comes
> > out) to first ask whether the user wants to run inetd, and then if they
> > say yes, asks if they'd like to edit inetd.conf. Inetd.conf is now
> > defaulted so that all services are disabled.
>
> The only problem with this is that it raises the bar for installation.
> Now, people need to know how to drive a (possibly) unfamiliar text
> editor to turn stuff on.

Maybe nano (the pico clone) could be used for that. It is really straightforward to use. I haven't found a user that can't deal with it. And it is pretty small.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Wed Aug 15 10:14:50 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 097E537B417 for ; Wed, 15 Aug 2001 10:14:46 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FHDpf04933; Wed, 15 Aug 2001 13:13:53 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 15 Aug 2001 13:13:51 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Sheldon Hearn
Cc: Richard Stanaford , "Andrew R. Reiter" , security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <86008.997892874@axl.seasidesoftware.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 15 Aug 2001, Sheldon Hearn wrote:

> On Wed, 15 Aug 2001 11:51:28 -0400, Robert Watson wrote:
>
> > I recently changed sysinstall (should be in 4.4-RELEASE when that comes
> > out) to first ask whether the user wants to run inetd, and then if they
> > say yes, asks if they'd like to edit inetd.conf. Inetd.conf is now
> > defaulted so that all services are disabled.
>
> The only problem with this is that it raises the bar for installation.
> Now, people need to know how to drive a (possibly) unfamiliar text
> editor to turn stuff on.
>
> Still, I like the direction you're moving in. Ultimately, I think the
> text editor idea should be an advanced option and changes to inetd.conf
> (and whatever) should be possible with the UI.

I agree with your observations--this is one reason I added some more commenting to inetd.conf to make it more clear what the user should do.

Actually, I think the real problem here is the inetd.conf file format. It doesn't have an "in-band" way to disable services, all you can do is comment them out. I'd like something more like /etc/ttys, where there's an "on/off" choice. This lets a structured editor disable things in such a way that it can recognize when to enable them (and when it's just a comment). Note the magic that is possible in Andrey's ttys editing code, but that is not possible in inetd.conf.

Someone also later comments, in this thread, that we might make use of a better editor.
I agree that nano offers a lot of usability benefits, and wouldn't mind further investigation of options like that. However, I'd rather have a semantics-rich configuration editor (such as with the ttys/console stuff) than a text editor, myself.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Aug 15 10:18:30 2001
Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 6534E37B401 for ; Wed, 15 Aug 2001 10:18:18 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id JAA06460; Wed, 15 Aug 2001 09:16:21 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma006455; Wed, 15 Aug 01 09:16:05 -0500
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA10754; Wed, 15 Aug 2001 09:16:05 -0500 (CDT)
Message-ID: <3B7A8424.CBFF1F30@centtech.com>
Date: Wed, 15 Aug 2001 09:16:04 -0500
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686) X-Accept-Language: en MIME-Version: 1.0 To: mixtim@mixtim.homeip.net Cc: security@freebsd.org Subject: Re: cvs commit: src/etc inetd.conf References: <20010815134852.B16184@zerogravity.kawo2.rwth-aachen.d> <59836.997879734@axl.seasidesoftware.co.za> <20010815100621.A5853@mixtim.homeip.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Here's the thing. I thought that was a great idea - until I started installing (ick) RedHat 7.1 on a few machines here at the office. It has everything closed off, so remote access is not possible off the hat (ssh will work, but you have to add a local non-root user). That's not the biggest deal; I would much prefer to install FreeBSD and head back to my desk down the hall and configure the rest there. Plus, anyone installing FreeBSD should have a good idea that they are installing an OS that has many servers running, some possibly easy to hack.

I think the best thing to do is leave the defaults how they are, but add a sysinstall window that comes up after everything is installed, and show the services enabled, allowing the installer to select/deselect services to run at startup.

I definitely don't think it's a good idea to have it so dumbed down that my grandmother could install it and feel safe on the internet. It isn't up to the programmers of the operating system to protect the users of it.

Eric

my $.10 (inflation)

Mixtim wrote:
>
> On Wed, Aug 15, 2001 at 02:48:54PM +0200, Sheldon Hearn wrote:
> > The only problem here is that FreeBSD could be seen as a system that
> > does nothing out of the box. :-)
> >
> > This is not an unresolvable problem, it's just something that needs to
> > be considered.
>
> I've installed FreeBSD on quite a few machines. Every install required
> tweaking configuration files and editing rc.conf. Since you do this
> every install anyway, why not disable every network service and make the
> administrator turn on what they really need?
>
> I mean seriously... how many people actually use the default sendmail.cf
> file (for those who do use sendmail) for their network mail server?
> Nobody. You always end up having to edit the .mc file for one reason or
> another. While the admin is configuring sendmail he/she can just add the
> "-bd" flag back to the list of sendmail options. Not binding to port 25
> by default really doesn't hurt anyone and probably saves a few clueless
> admins from themselves. The same goes for the other network services.
>
> Just my $.02

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Aug 15 10:18:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id A5D8037B414 for ; Wed, 15 Aug 2001 10:18:11 -0700 (PDT) (envelope-from anderson@centtech.com) Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id JAA07040; Wed, 15 Aug 2001 09:34:23 -0500 (CDT) Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma007038; Wed, 15 Aug 01 09:33:53 -0500 Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA11277; Wed, 15 Aug 2001 09:33:53 -0500 (CDT) Message-ID: <3B7A8851.3523EC9B@centtech.com> Date: Wed, 15 Aug 2001 09:33:53 -0500
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686) X-Accept-Language: en MIME-Version: 1.0 To: mixtim@mixtim.homeip.net Cc: security@freebsd.org Subject: Re: cvs commit: src/etc inetd.conf References: <20010815134852.B16184@zerogravity.kawo2.rwth-aachen.d> <59836.997879734@axl.seasidesoftware.co.za> <20010815100621.A5853@mixtim.homeip.net> <3B7A8424.CBFF1F30@centtech.com> <20010815102415.A5942@mixtim.homeip.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Mixtim wrote:
>
> On Wed, Aug 15, 2001 at 09:16:04AM -0500, Eric Anderson wrote:
> > Here's the thing. I thought that was a great idea - until I started
> > installing (ick) RedHat 7.1 on a few machines here at the office. It
> > has everything closed off, so remote access is not possible off the hat
> > (ssh will work, but you have to add a local non-root user).
>
> I should have stated ssh as an exception. You almost always have to have
> it running. Of course, logging in as root and executing the sshd command
> only takes a few seconds.
>
> > Plus, anyone installing FreeBSD should have a good idea that they are
> > installing an OS that has many servers running, some possibly easy to
> > hack.
>
> If CodeRed taught us anything it is that there are more than enough
> clueless admins on the net. Just because someone installed FreeBSD
> doesn't mean they are that much more intelligent.

If CodeRed taught us anything, it's to not use Microsoft OS's for production servers. Yes, there are a lot of clueless admins out there, but the reason MS has made such shoddy software for servers (in my opinion) is because they continue to dumb it down, making it simpler and simpler to set up. This is exactly the reason that everyone and their dog thinks they can be a SysAdmin and do just fine. I guess it's kind of a survival of the fittest thing.

> > It isn't up to the programmers of the operating system to protect the
> > users of it.
>
> Then why is there a security@freebsd.org address?

Good point, but that's a little different. Warning those who care (subscribers of the list) about security advisories is MUCH different than making the OS mute because a percentage of the installers can't figure out (or don't know that they SHOULD figure out) how to turn off sendmail, telnet, etc. It just won't save the experienced users any time to have them disabled, and it won't stop the 'clueless' from being just that.

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Aug 15 10:29:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id C1E0437B414; Wed, 15 Aug 2001 10:29:26 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f7FHTKq11654; Wed, 15 Aug 2001 13:29:20 -0400 (EDT) (envelope-from str) Date: Wed, 15 Aug 2001 13:29:20 -0400 (EDT)
From: Igor Roshchin Message-Id: <200108151729.f7FHTKq11654@giganda.komkon.org> To: rwatson@FreeBSD.ORG Subject: Re: cvs commit: src/etc inetd.conf Cc: security@FreeBSD.ORG In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Date: Wed, 15 Aug 2001 13:13:51 -0400 (EDT)
> From: Robert Watson
>
> On Wed, 15 Aug 2001, Sheldon Hearn wrote:
>
> > On Wed, 15 Aug 2001 11:51:28 -0400, Robert Watson wrote:
> >
> > > I recently changed sysinstall (should be in 4.4-RELEASE when that comes
> > > out) to first ask whether the user wants to run inetd, and then if they
> > > say yes, asks if they'd like to edit inetd.conf. Inetd.conf is now
> > > defaulted so that all services are disabled.
> >
> > The only problem with this is that it raises the bar for installation.
> > Now, people need to know how to drive a (possibly) unfamiliar text
> > editor to turn stuff on.
> >
> > Still, I like the direction you're moving in. Ultimately, I think the
> > text editor idea should be an advanced option and changes to inetd.conf
> > (and whatever) should be possible with the UI.
>
> I agree with your observations--this is one reason I added some more
> commenting to inetd.conf to make it more clear what the user should do.
>
> Actually, I think the real problem here is the inetd.conf file format. It
> doesn't have an "in-band" way to disable services, all you can do is
> comment them out. I'd like something more like /etc/ttys, where there's
> an "on/off" choice. This lets a structured editor disable things in such
> a way that it can recognize when to enable them (and when it's just a
> comment). Note the magic that is possible in Andrey's ttys editing code,
> but that is not possible in inetd.conf.
>
> Someone also later comments, in this thread, that we might make use of a
> better editor. I agree that nano offers a lot of usability benefits, and
> wouldn't mind further investigation of options like that. However, I'd
> rather have a semantics-rich configuration editor (such as with the
> ttys/console stuff) than a text editor, myself.
>

I am not completely sure if this is a good idea or not, but I'd throw it in. How about having two menu options here, after offering to edit inetd.conf: for `experts' (manual editing) and for `beginners' (menu-driven configuration). The former one would bring up an editor (in this case it doesn't need to be nano, it can be vi, or whatever). The latter one would show a check-mark-type menu of services which could be enabled, and a small script called upon exit from this menu would write out /etc/inetd.conf with the lines commented or uncommented based upon the choices made, and a template of /etc/inetd.conf

Best,
Igor

From owner-freebsd-security Wed Aug 15 10:32:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 1A13D37B40E for ; Wed, 15 Aug 2001 10:32:36 -0700 (PDT) (envelope-from davidk@accretivetg.com) Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f7FGRrZ50712; Wed, 15 Aug 2001 09:27:53 -0700 (PDT) Date: Wed, 15 Aug 2001 09:27:53 -0700 (PDT)
From: David Kirchner X-X-Sender: To: Eric Anderson Cc: , Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: <3B7A8851.3523EC9B@centtech.com> Message-ID: <20010815092034.E38221-100000@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 15 Aug 2001, Eric Anderson wrote:

> Good point, but that's a little different. Warning those who care
> (subscribers of the list) about security advisories is MUCH different
> than making the OS mute because a percentage of the installers can't
> figure out (or don't know that they SHOULD figure out) how to turn off
> sendmail, telnet, etc. It just won't save the experienced users any
> time to have them disabled, and it won't stop the 'clueless' from being
> just that.

Microsoft failed to understand the responsibility they had to provide secure software out of the box. This failure has caused problems across the entire Internet. There's no reason why FreeBSD shouldn't take the responsible approach and provide a secure system out-of-the-box. A worm could easily be written to take advantage of a FreeBSD hole, such as the one found in telnetd.

From owner-freebsd-security Wed Aug 15 10:32:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B0A0237B414 for ; Wed, 15 Aug 2001 10:32:48 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FHWef11981; Wed, 15 Aug 2001 13:32:40 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 15 Aug 2001 13:32:40 -0400 (EDT)
From: Robert Watson X-Sender: robert@fledge.watson.org To: Igor Roshchin Cc: security@FreeBSD.ORG Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: <200108151729.f7FHTKq11654@giganda.komkon.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 15 Aug 2001, Igor Roshchin wrote:

> > I agree with your observations--this is one reason I added some more
> > commenting to inetd.conf to make it more clear what the user should do.
> >
> > Actually, I think the real problem here is the inetd.conf file format. It
> > doesn't have an "in-band" way to disable services, all you can do is
> > comment them out. I'd like something more like /etc/ttys, where there's
> > an "on/off" choice. This lets a structured editor disable things in such
> > a way that it can recognize when to enable them (and when it's just a
> > comment). Note the magic that is possible in Andrey's ttys editing code,
> > but that is not possible in inetd.conf.
> >
> > Someone also later comments, in this thread, that we might make use of a
> > better editor. I agree that nano offers a lot of usability benefits, and
> > wouldn't mind further investigation of options like that. However, I'd
> > rather have a semantics-rich configuration editor (such as with the
> > ttys/console stuff) than a text editor, myself.
>
> I am not completely sure if this is a good idea or not, but I'd throw
> it in. How about having two menu options here, after offering to edit
> inetd.conf: for `experts' (manual editing) and for `beginners'
> (menu-driven configuration). The former one would bring up an editor
> (in this case it doesn't need to be nano, it can be vi, or whatever).
> The latter one would show a check-mark-type menu of services which could
> be enabled, and a small script called upon exit from this menu would
> write out /etc/inetd.conf with the lines commented or uncommented based
> upon the choices made, and a template of /etc/inetd.conf

This is pretty much what I had in mind, but the problem I cited was that it's difficult for such an editor to read in inetd.conf in an effective way after the user has edited it once, because it's hard to tell which lines are "disabled services" and which are simply "comments".

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Aug 15 10:37:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from virtual-voodoo.com (bdsl.66.12.217.106.gte.net [66.12.217.106]) by hub.freebsd.org (Postfix) with ESMTP id AAE8A37B401; Wed, 15 Aug 2001 10:37:03 -0700 (PDT) (envelope-from steve@virtual-voodoo.com) Received: from inlafrec (bdsl.66.12.217.40.gte.net [66.12.217.40]) (authenticated) by virtual-voodoo.com (8.11.5/8.11.5) with ESMTP id f7FHatR51270; Wed, 15 Aug 2001 12:36:55 -0500 (EST) (envelope-from steve@virtual-voodoo.com) Message-ID: <006601c125b0$625d7b90$28d90c42@eservoffice.com>
From: "Steven Ames" To: "Igor Roshchin" , Cc: References: <200108151729.f7FHTKq11654@giganda.komkon.org> Subject: Re: cvs commit: src/etc inetd.conf Date: Wed, 15 Aug 2001 12:33:22 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> I am not completely sure if this is a good idea or not, but I'd throw it in.
> How about having two menu options here, after offering to edit inetd.conf:
> for `experts' (manual editing) and for `beginners' (menu-driven
> configuration).

'sysinstall' already has a 'Security' menu under post configuration. Couldn't we just install from a fixed set of 2-3 different inetd.conf files?

i.e. if the user selects 'moderate [default]' install src/etc/inetd.conf.moderate into /etc. If they select 'extreme' install the inetd.conf that has everything turned off.

This is a short-term hackish solution but I believe it would suffice until we get a GUI up where we can select 'yes'/'no' for every line in the inetd.conf and have the ability to add in new lines. Good project for someone... the 'inetd editor'.

-Steve

From owner-freebsd-security Wed Aug 15 10:37:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail3.enter.net (mail3.enter.net [63.65.0.23]) by hub.freebsd.org (Postfix) with ESMTP id A931337B409 for ; Wed, 15 Aug 2001 10:37:44 -0700 (PDT) (envelope-from gaving@enter.net) Received: from grabes2.enter.net (grabes2.enter.net [63.65.2.36]) by mail3.enter.net (8.11.2/8.11.2) with ESMTP id f7FHbiT61749 for ; Wed, 15 Aug 2001 13:37:44 -0400 (EDT) Date: Wed, 15 Aug 2001 13:35:14 -0400 (EDT)
From: Gavin Grabias To: Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: <20010815092034.E38221-100000@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Good point, but that's a little different. Warning those who care
> (subscribers of the list) about security advisories is MUCH different
> than making the OS mute because a percentage of the installers can't
> figure out (or don't know that they SHOULD figure out) how to turn off
> sendmail, telnet, etc. It just won't save the experienced users any
> time to have them disabled, and it won't stop the 'clueless' from being
> just that.

Security is starting to sound like a bug instead of a feature for FreeBSD. We are arguing about whether users can use a text editor to edit their inetd.conf. The secure approach would be to disable all services by default. If the user wants "features" make him/her read about them and educate themselves. Then they can make the decision as to whether they want the service enabled.

Regards,
Gavin Grabias - System Administration

********************************************************************
ENTER.NET - "The Road to the Internet Starts Here!" (tm)
(610) 437-2221 * http://www.enter.net/ * email:support@enter.net
********************************************************************

From owner-freebsd-security Wed Aug 15 10:45: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 39E7737B407 for ; Wed, 15 Aug 2001 10:44:59 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FHinf13455; Wed, 15 Aug 2001 13:44:49 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 15 Aug 2001 13:44:48 -0400 (EDT)
From: Robert Watson X-Sender: robert@fledge.watson.org To: Steven Ames Cc: Igor Roshchin , security@FreeBSD.ORG Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: <006601c125b0$625d7b90$28d90c42@eservoffice.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 15 Aug 2001, Steven Ames wrote:

> > I am not completely sure if this is a good idea or not, but I'd throw it
> in.
> > How about having two menu options here, after offering to edit inetd.conf:
> > for `experts' (manual editing) and for `beginners' (menu-driven
> > configuration).
>
> 'sysinstall' already has a 'Security' menu under post configuration.
> Couldn't we just install from a fixed set of 2-3 different inetd.conf
> files?
>
> i.e. if the user selects 'moderate [default]' install
> src/etc/inetd.conf.moderate into /etc. If they select 'extreme' install
> the inetd.conf that has everything turned off.
>
> This is a short-term hackish solution but I believe it would suffice
> until we get a GUI up where we can select 'yes'/'no' for every line in
> the inetd.conf and have the ability to add in new lines. Good project
> for someone... the 'inetd editor'.

One of the problems with this solution is that sites frequently modify their inetd.conf to add services, such as pop or imap, and that if they ran sysinstall to select a template, they would risk squashing their current install.

I agree with your thoughts on a menu-driven editor, but doing that properly relies on having a machine-parsable file format that supports in-band disabling of services. My feeling was that our current file format didn't lend itself to that, and as such I went with the current "spit the user a text editor" over implementing one before 4.4-RELEASE.

If someone would like to write an editor that understands the syntax and semantics of inetd.conf, they should feel free. However, it needs to handle the cases where users have custom comments (etc) properly, and be able to handle the full scope of valid inetd.conf files, not just the set of files it could possibly generate.

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Aug 15 10:56:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 1B49137B403; Wed, 15 Aug 2001 10:56:52 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f7FHupj32671; Wed, 15 Aug 2001 13:56:51 -0400 (EDT) (envelope-from wollman) Date: Wed, 15 Aug 2001 13:56:51 -0400 (EDT)
From: Garrett Wollman Message-Id: <200108151756.f7FHupj32671@khavrinen.lcs.mit.edu> To: Robert Watson Cc: security@FreeBSD.ORG Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: References: <006601c125b0$625d7b90$28d90c42@eservoffice.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

< said:

> I agree with your thoughts on a menu-driven editor, but doing that
> properly relies on having a machine-parsable file format that supports
> in-band disabling of services.

This is the sort of thing that XML would be good for, if only there were a tolerable XML-parsing library. (Actually, almost any structured format would be better than the current mess that is inetd.conf.) That would also make it easier for packages to auto-configure their inetd.conf entries.

-GAWollman

From owner-freebsd-security Wed Aug 15 11:27:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id C9D1537B415; Wed, 15 Aug 2001 11:27:27 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f7FIRQG13462; Wed, 15 Aug 2001 14:27:26 -0400 (EDT) (envelope-from str) Date: Wed, 15 Aug 2001 14:27:26 -0400 (EDT) From: Igor Roshchin Message-Id: <200108151827.f7FIRQG13462@giganda.komkon.org> To: rwatson@FreeBSD.ORG, steve@virtual-voodoo.com Subject: Re: cvs commit: src/etc inetd.conf Cc: security@FreeBSD.ORG In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Date: Wed, 15 Aug 2001 13:44:48 -0400 (EDT)
> From: Robert Watson
>
> On Wed, 15 Aug 2001, Steven Ames wrote:
>
> > > I am not completely sure if this is a good idea or not, but I'd throw it
> > in.
> > > How about having two menu options here, after offering to edit inetd.conf:
> > > for `experts' (manual editing) and for `beginners' (menu-driven
> > > configuration).
> >
> > 'sysinstall' already has a 'Security' menu under post configuration.
> > Couldn't we just install from a fixed set of 2-3 different inetd.conf
> > files?
> >
> > i.e. if the user selects 'moderate [default]' install
> > src/etc/inetd.conf.moderate into /etc. If they select 'extreme' install
> > the inetd.conf that has everything turned off.
> >
> > This is a short-term hackish solution but I believe it would suffice
> > until we get a GUI up where we can select 'yes'/'no' for every line in
> > the inetd.conf and have the ability to add in new lines. Good project
> > for someone... the 'inetd editor'.
>
> One of the problems with this solution is that sites frequently modify
> their inetd.conf to add services, such as pop or imap, and that if they
> ran sysinstall to select a template, they would risk squashing their
> current install.
>
> I agree with your thoughts on a menu-driven editor, but doing that
> properly relies on having a machine-parsable file format that supports
> in-band disabling of services. My feeling was that our current file
> format didn't lend itself to that, and as such I went with the current
> "spit the user a text editor" over implementing one before 4.4-RELEASE.
>
> If someone would like to write an editor that understands the syntax and
> semantics of inetd.conf, they should feel free. However, it needs to
> handle the cases where users have custom comments (etc) properly, and be
> able to handle the full scope of valid inetd.conf files, not just the set
> of files it could possibly generate.
>

Comments and suggestions:

Comments:
--------

It sounds like such an editor is either impossible, or its abilities won't be "universal". This is due to the richness of inetd.conf. You don't just enable or disable services in that file, but also can change many options. In order to cover all possibilities of the options inserted or edited by hand one would have, especially if we assume that there might be "new" services added locally.

One thought I had is that such an editor can parse the existing inetd.conf (its commented lines) by searching for the known service names, which can be read in from /etc/services. However, this would fail if someone would make a comment like this:

#telnet is temporarily disabled

On the other hand, if somebody has a bunch of services commented out by more than just "#", such an approach (and many others) would fail. I sometimes disable a set of services altogether for a period of time by marking them with a specific comment, like this:

#Down# telnetd stream tcp ...

Parsing of such unstructured text, as inetd.conf is, can produce erroneous results.

Suggestions:
------------

A couple of ideas for a temporary `hack' for the 4.4-RELEASE:

1. The "beginner" version of the inetd.conf editing via selecting/deselecting services in a check-mark-style menu should have a huge warning that all changes that had been made manually would be lost. So, sysinstall wouldn't parse the existing inetd.conf, but rather write out a new one. You may also add an option to enter one's own service.

2. Another additional possibility (also a `hack') is to have an additional copy of inetd.conf (say, /etc/inetd.conf.auto) saved by the menu-driven editor (that works as described in 1. above), so that every time sysinstall runs this editor again, the editor first runs diff(1) on both copies, and after the user's choice of services is completed, offers to make decisions on the lines that were added/edited manually since the last sysinstall run, somewhat similarly to what mergemaster does, with an option to abandon those new lines, to have them commented out, or to leave them intact.

In all cases I assume the existence of an alternative "expert" option to edit /etc/inetd.conf in a regular editor by hand.

Igor

From owner-freebsd-security Wed Aug 15 12:33:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4829D37B415 for ; Wed, 15 Aug 2001 12:33:05 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7FJWvf44430; Wed, 15 Aug 2001 15:32:57 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 15 Aug 2001 15:32:57 -0400 (EDT)
From: Robert Watson X-Sender: robert@fledge.watson.org To: Gavin Grabias Cc: security@FreeBSD.ORG Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 15 Aug 2001, Gavin Grabias wrote:

> > Good point, but that's a little different. Warning those who care
> > (subscribers of the list) about security advisories is MUCH different
> > than making the OS mute because a percentage of the installers can't
> > figure out (or don't know that they SHOULD figure out) how to turn off
> > sendmail, telnet, etc. It just won't save the experienced users any
> > time to have them disabled, and it won't stop the 'clueless' from being
> > just that.
>
> Security is starting to sound like a bug instead of a feature for
> FreeBSD. We are arguing about whether users can use a text editor to
> edit their inetd.conf. The secure approach would be to disable all
> services by default. If the user wants "features" make him/her read
> about them and educate themselves. Then they can make the decision as
> to whether they want the service enabled.

This is what FreeBSD 4.4 does with the inetd network services. There's an on-going debate about how best to handle this WRT sendmail, as local mail delivery is required for some internal base system functionality (vi recovery files, cron'd events, etc).

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services

From owner-freebsd-security Wed Aug 15 12:41: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 99C4437B401; Wed, 15 Aug 2001 12:40:51 -0700 (PDT) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.Awfulhak.org [2001:6f8:602:1::12]) by Awfulhak.org (8.11.5/8.11.5) with ESMTP id f7FJeug90175; Wed, 15 Aug 2001 20:40:56 +0100 (BST) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f7FJepc73604; Wed, 15 Aug 2001 20:40:51 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200108151940.f7FJepc73604@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: Robert Watson Cc: Gavin Grabias , security@FreeBSD.ORG, brian@freebsd-services.com Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: Message from Robert Watson of "Wed, 15 Aug 2001 15:32:57 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 15 Aug 2001 20:40:51 +0100
From: Brian Somers

> > On Wed, 15 Aug 2001, Gavin Grabias wrote:
> >
> > > Good point, but that's a little different. Warning those who care
> > > (subscribers of the list) about security advisories is MUCH different
> > > than making the OS mute because a percentage of the installers can't
> > > figure out (or don't know that they SHOULD figure out) how to turn off
> > > sendmail, telnet, etc. It just won't save the experienced users any
> > > time to have them disabled, and it won't stop the 'clueless' from being
> > > just that.
> >
> > Security is starting to sound like a bug instead of a feature for
> > FreeBSD. We are arguing about whether users can use a text editor to
> > edit their inetd.conf. The secure approach would be to disable all
> > services by default. If the user wants "features" make him/her read
> > about them and educate themselves. Then they can make the decision as
> > to whether they want the service enabled.
>
> This is what FreeBSD 4.4 does with the inetd network services. There's an
> on-going debate about how best to handle this WRT sendmail, as local mail
> delivery is required for some internal base system functionality (vi
> recovery files, cron'd events, etc).

I don't intend to advocate that sendmail be turned off, but it *is*
possible to add

daily_output=/var/log/daily.log
weekly_output=/var/log/weekly.log
monthly_output=/var/log/monthly.log

to /etc/periodic.conf to avoid the periodic mails....

> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
To: Robert Watson
Cc: Gavin Grabias
Date: Wed, 15 Aug 2001 11:40:02 -0700 (PDT)
From: David Kirchner
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815113750.R38221-100000@localhost>

On Wed, 15 Aug 2001, Robert Watson wrote:

> This is what FreeBSD 4.4 does with the inetd network services. There's an
> on-going debate about how best to handle this WRT sendmail, as local mail
> delivery is required for some internal base system functionality (vi
> recovery files, cron'd events, etc).

Wouldn't it be best to create two separate sendmail.cf files, one for
delivery-only mode (sendmail.cf) and the other for queue-only mode
(sendmaild.cf)? Then sendmail could take a minor patch to check argv[0] -
if it's called as sendmaild, read sendmaild.cf, otherwise read sendmail.cf.
Anyways the implementation details would be worked out somewhere else,
that's just a thought.

In-Reply-To: <200108151940.f7FJepc73604@hak.lan.Awfulhak.org>
Date: Wed, 15 Aug 2001 16:59:42 -0400
To: Brian Somers
From: Garance A Drosihn
Subject: Re: cvs commit: src/etc inetd.conf
Cc: security@FreeBSD.ORG

At 8:40 PM +0100 8/15/01, Brian Somers wrote:
>
> > > On Wed, 15 Aug 2001, Gavin Grabias wrote:
> > ... There's an on-going debate about how best to handle this WRT
> > sendmail, as local mail delivery is required for some internal
> > base system functionality (vi recovery files, cron'd events, etc).
>
>I don't intend to advocate that sendmail be turned off, but it *is*
>possible to add
>
>daily_output=/var/log/daily.log
>weekly_output=/var/log/weekly.log
>monthly_output=/var/log/monthly.log
>
>to /etc/periodic.conf to avoid the periodic mails....

"cron'd events", such as if you add your own cron jobs, cron will
email you if the process fails, or output from the process when
it succeeds (depending on how you have the job setup). Cron itself
expects it can send mail. So does lpd (if a user does 'lpr -m',
for instance).

--
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

Date: Wed, 15 Aug 2001 17:02:18 -0400
From: Peter Radcliffe
To: security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815170217.F14206@pir.net>

Garance A Drosihn probably said:
> "cron'd events", such as if you add your own cron jobs, cron will
> email you if the process fails, or output from the process when
> it succeeds (depending on how you have the job setup). Cron itself
> expects it can send mail. So does lpd (if a user does 'lpr -m',
> for instance).

So why can't we run sendmail by default, just with no '-bd' option
so it doesn't listen on port 25. Local mail will get delivered,
it's not a remote security problem ...

P.

--
pir                  pir@pir.net                    pir@net.tufts.edu

Date: Wed, 15 Aug 2001 17:28:03 -0400 (EDT)
From: Gavin Grabias
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <20010815170217.F14206@pir.net>

> So why can't we run sendmail by default, just with no '-bd' option
> so it doesn't listen on port 25. Local mail will get delivered,
> it's not a remote security problem ...

I agree..

echo "sendmail_flags=\"-q1h\"" >> /etc/defaults/rc.conf

PS: I do believe this would consider me a contributor now. Sorry it's been
a long day.

Regards,
Gavin Grabias - System Administration
ENTER.NET - "The Road to the Internet Starts Here!" (tm)
(610) 437-2221 * http://www.enter.net/ * email:support@enter.net
From: "default - Subscriptions"
Subject: Quick IPFW Rule Question
Date: Wed, 15 Aug 2001 18:37:49 -0500

Hi,

What would be the best rule to allow all incoming traffic from one specific
I.P. address? (for a machine with 2 I.P.s bound to the NIC...)

Also, what would be the best rule to allow all outgoing traffic from my
local machine?

Thanks,
Jordan
From: Geir Råness
Subject: sshd 3.01 using login classes ?
Date: Thu, 16 Aug 2001 01:51:44 +0200
Organization: DropZone

I have been using sshd 3.0.1 for some time now, and it seems like it
doesn't use the login classes. Anyone know how to fix this if it is
possible?

Geir @ dropzone
From: "Scot W. Hetzel"
To: security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <016b01c125e9$e9c82420$11fd2fd8@westbend.net>
Date: Wed, 15 Aug 2001 19:24:30 -0500
Organization: West Bend Internet

From: "Peter Radcliffe"
> Garance A Drosihn probably said:
> > "cron'd events", such as if you add your own cron jobs, cron will
> > email you if the process fails, or output from the process when
> > it succeeds (depending on how you have the job setup). Cron itself
> > expects it can send mail. So does lpd (if a user does 'lpr -m',
> > for instance).
>
> So why can't we run sendmail by default, just with no '-bd' option
> so it doesn't listen on port 25. Local mail will get delivered,
> it's not a remote security problem ...
>

With the latest changes in 4.4-PRERELEASE, rc, rc.conf have options to
set up the server for outbound only mode:

sendmail_enable="YES"           # Run the sendmail inbound daemon (or NO).
sendmail_flags="-bd -q30m"      # Flags to sendmail (as a server)
sendmail_outbound_enable="NO"   # Dequeue stuck mail (or YES).
sendmail_outbound_flags="-q30m" # Flags to sendmail (outbound only)

So setting "sendmail_enable" to "NO" and setting "sendmail_outbound_enable"
to "Yes" will accomplish this task.

All that's needed is to fix sysinstall to choose 3 modes for sendmail:

1. Normal mode
2. Queue mode
3. Disabled

Scot

From: Kris Kennaway
To: Geir Råness
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: sshd 3.01 using login classes ?
Date: Wed, 15 Aug 2001 17:32:24 -0700
Message-ID: <20010815173224.A56054@xor.obsecurity.org>

On Thu, Aug 16, 2001 at 01:51:44AM +0200, Geir Råness wrote:
> I have been using sshd 3.0.1 for some time now, and it seems like it
> doesn't use the login classes, anyone know how to fix this if it is
> possible?

Write a patch to the source, probably. This is third party, unsupported
(by us) software.
Kris

From: "Crist J. Clark"
To: Igor Roshchin
Cc: rwatson@FreeBSD.ORG, steve@virtual-voodoo.com, security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815173737.E330@blossom.cjclark.org>
Date: Wed, 15 Aug 2001 17:37:37 -0700

I think the bikeshed should be green.

--
Crist J. Clark                           cjclark@alum.mit.edu

From: Mixtim
To: security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815213818.A759@mixtim.homeip.net>
Date: Wed, 15 Aug 2001 21:38:18 -0400

On Wed, Aug 15, 2001 at 05:37:37PM -0700, Crist J. Clark wrote:
> I think the bikeshed should be green.

Anyone else notice that bikeshed has lost its original meaning and is
now synonymous with apathy? Every discussion now boils down to four
groups:

1. The group in favor of a given proposal.
2. The group against a given proposal.
3. The apathetic group that keeps talking about bikesheds.
4. The group that can't stand discussion and keeps trying to get
   everyone to shut up.

Why is it that group 3 is slowly becoming more annoying?
From: Tim Zingelman
To: Mixtim
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <20010815213818.A759@mixtim.homeip.net>
Date: Wed, 15 Aug 2001 22:39:48 -0500 (CDT)

> Anyone else notice that bikeshed has lost its original meaning and is
> now synonymous with apathy?

Funny the coincidence... I'd deleted the last 7 messages in this thread
without reading them. I read these last two only because there were only
two in my inbox since the last time I'd checked my email.

> Every discussion now boils down to four groups:
>
> 1. The group in favor of a given proposal.
> 2. The group against a given proposal.
> 3. The apathetic group that keeps talking about bikesheds.
> 4. The group that can't stand discussion and keeps trying to get
>    everyone to shut up.

I challenge you to go back through all the messages in this thread and
classify even 25% in any of the above groups. I don't hear anyone agreeing
or disagreeing with a proposal. Almost all fall into category five.
Classic bikeshed input from people who have not contributed patches...
Did anyone notice that the PATCHES attached to a recent earlier thread on
almost exactly this topic have already been committed and will be in 4.4?

> Why is it that group 3 is slowly becoming more annoying?

Because you have not been reading this mailing list long enough. :)

I'd argue that apathy (ie. I don't care) is the correct response to this
class of discussion.

- Tim

From: Ade Lovett
To: Robert Watson
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815232720.B10783@FreeBSD.org>
Date: Wed, 15 Aug 2001 23:27:20 -0500

On Wed, Aug 15, 2001 at 01:32:40PM -0400, Robert Watson wrote:
> This is pretty much what I had in mind, but the problem I cited was that
> it's difficult for such an editor to read in inetd.conf in an effective
> way after the user has edited it once, because it's hard
> to tell which lines are "disabled services" and which are simply
> "comments".

Yes and no. If a disabled service were to be marked with, for example:

#DISABLED# ftp stream tcp blah..

this would make things considerably easier to determine which is purely a
comment, and which is a physical action to disable a service.

Of course, adding an on/off flag to inetd.conf for each service is another
option, but that has the annoying issue of violating POLA, since our
inetd.conf would look unlike any others.

-aDe

--
Ade Lovett, Austin, TX.                         ade@FreeBSD.org
FreeBSD: The Power to Serve                     http://www.FreeBSD.org/

From: David_May@allsolutions.com.au
To: freebsd-security@freebsd.org
Subject: Distributions of security patches.
Date: Thu, 16 Aug 2001 16:51:56 +0800
I have just been through a process of attempting to streamline the
installation of security patches to our FreeBSD machines. There has to be
a better way.

Here, we install our systems from FreeBSD RELEASE CD-ROMs that we
purchase. Given that so much effort has gone in to making FreeBSD releases
easy to install it is a shame that it is not easy to install patches to
the base system in the same way.

Is there a good reason occasional BINARY patches containing ESSENTIAL
UPDATES to FreeBSD releases aren't made available for download from
FreeBSD.ORG?

It seems a bit silly that at www.freebsd.org there is an IMPORTANT NOTICE
about a telnet demon exploit but no link for DOWNLOAD BINARY PATCH FROM
HERE!

Personally, I would even be happy to pay a bit more for my FreeBSD CDs for
the privilege of avoiding all the CVSUPing or CTMing and re-compiling the
ENTIRE SYSTEM just to ensure I have not missed a security patch to telnetd
or whatever.
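The rc.conf knobs Scot quotes and the #DISABLED# marker Ade proposes earlier in this thread both come down to the same post-install check: what will actually listen once the box boots. The script below is an added example written for this archive, not code from any message in the thread or from FreeBSD; it assumes the rc.conf semantics described above (a -bd in sendmail_flags is what starts the listener, sendmail_outbound_enable a queue-only run), uses Ade's #DISABLED# prefix literally, and the function names (sendmail_mode, classify_inetd, active_services, looks_like_service, is_yes) and sample files are the editor's own.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from FreeBSD): audit a
# FreeBSD 4.4-style rc.conf and inetd.conf for what will listen after boot.
marker='#DISABLED#'   # the prefix Ade proposes for switched-off entries

# is_yes VALUE: the yes/no test rc(8) applies to *_enable knobs (assumed).
is_yes() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
    yes|true|on|1) return 0 ;;
    *) return 1 ;;
    esac
}

# sendmail_mode RCCONF: print one of Scot's three modes:
#   normal    a long-lived sendmail listens on port 25 (-bd)
#   queue     sendmail runs but only drains the queue, no listener
#   disabled  no sendmail process at all (direct /usr/sbin/sendmail
#             invocations still deliver local mail, as Matthew notes)
sendmail_mode() {
    # rc.conf is sh syntax and rc(8) itself sources it, so do the same in
    # a subshell so nothing leaks. The defaults are the four lines Scot
    # quoted from 4.4-PRERELEASE; the file may override any of them.
    (
        sendmail_enable="YES"
        sendmail_flags="-bd -q30m"
        sendmail_outbound_enable="NO"
        sendmail_outbound_flags="-q30m"
        . "$1"
        if is_yes "$sendmail_enable"; then
            # Only -bd makes sendmail listen; Gavin's sendmail_flags="-q1h"
            # therefore gives queue mode even with sendmail_enable=YES.
            case " $sendmail_flags " in
            *" -bd "*) echo normal ;;
            *)         echo queue ;;
            esac
        elif is_yes "$sendmail_outbound_enable"; then
            echo queue
        else
            echo disabled
        fi
    )
}

# looks_like_service LINE: true if LINE has the shape of an inetd.conf entry:
#   service socket-type protocol wait/nowait[/max] user program [args]
looks_like_service() {
    set -- $1
    [ $# -ge 6 ] || return 1
    case $2 in stream|dgram|raw|rdm|seqpacket) ;; *) return 1 ;; esac
    case $4 in wait|nowait|wait/*|nowait/*)    ;; *) return 1 ;; esac
    return 0
}

# classify_inetd FILE: print "<class> <line>" for every non-blank line:
#   active    entry inetd will start
#   disabled  entry switched off with the #DISABLED# marker
#   suspect   commented-out line that still looks like an entry, i.e. the
#             case Robert says an editor cannot tell apart from a comment
#   comment   any other line starting with '#'
#   malformed uncommented line that is not a valid entry
classify_inetd() {
    while IFS= read -r line || [ -n "$line" ]; do
        body=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
        [ -n "$body" ] || continue
        case $body in
        "$marker"*)
            if looks_like_service "${body#"$marker"}"; then cls=disabled
            else cls=comment; fi ;;
        '#'*)
            if looks_like_service "$(printf '%s\n' "$body" | sed 's/^[#[:space:]]*//')"
            then cls=suspect; else cls=comment; fi ;;
        *)
            if looks_like_service "$body"; then cls=active
            else cls=malformed; fi ;;
        esac
        printf '%s %s\n' "$cls" "$body"
    done < "$1"
}

# active_services FILE: the service names inetd would expose, one per line.
active_services() {
    classify_inetd "$1" | while read -r cls rest; do
        [ "$cls" = active ] || continue
        set -- $rest
        echo "$1"
    done
}

# Stand-alone demo on constructed sample files (not from any real system).
demo_rc=$(mktemp) && demo_inetd=$(mktemp)
printf '%s\n' 'sendmail_enable="NO"' 'sendmail_outbound_enable="YES"' > "$demo_rc"
printf '%s\n' '# constructed sample inetd.conf' \
    'ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l' \
    '#DISABLED#telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd' \
    '#shell  stream  tcp  nowait  root  /usr/libexec/rshd     rshd' \
    'ssh     stream  tcp  nowait  root  /usr/sbin/sshd        sshd -i' > "$demo_inetd"
echo "sendmail mode: $(sendmail_mode "$demo_rc")"   # prints: sendmail mode: queue
classify_inetd "$demo_inetd"
echo "listening inetd services: $(active_services "$demo_inetd" | tr '\n' ' ')"
rm -f "$demo_rc" "$demo_inetd"
```

Sourcing rc.conf executes it, exactly as rc does at boot, so run this only against files you would boot from anyway.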
From: Kris Kennaway
To: David_May@allsolutions.com.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Distributions of security patches.
Message-ID: <20010816020016.A72606@xor.obsecurity.org>
Date: Thu, 16 Aug 2001 02:00:16 -0700

On Thu, Aug 16, 2001 at 04:51:56PM +0800, David_May@allsolutions.com.au wrote:
> Is there a good reason occasional BINARY patches
> containing ESSENTIAL UPDATES to FreeBSD releases aren't
> made available for download from FreeBSD.ORG?
>
> It seems a bit silly that at www.freebsd.org there is
> an IMPORTANT NOTICE about a telnet demon exploit but
> no link for DOWNLOAD BINARY PATCH FROM HERE!

Err, read the advisory, dude.
Kris

From: Sheldon Hearn
To: "Scot W. Hetzel"
Cc: security@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <7123.997952630@axl.seasidesoftware.co.za>
Date: Thu, 16 Aug 2001 11:03:50 +0200

On Wed, 15 Aug 2001 19:24:30 EST, "Scot W. Hetzel" wrote:

> With the latest changes in 4.4-PRERELEASE, rc, rc.conf have options to setup
> the server for outbound only mode:
>
> sendmail_enable="YES"           # Run the sendmail inbound daemon (or NO).
> sendmail_flags="-bd -q30m"      # Flags to sendmail (as a server)
> sendmail_outbound_enable="NO"   # Dequeue stuck mail (or YES).
> sendmail_outbound_flags="-q30m" # Flags to sendmail (outbound only)

*sigh* Yet another change merged onto the stable branch without
appropriate documentation.
I'll commit something to rc.conf(5) shortly, but this has got to stop.

Ciao,
Sheldon.

From owner-freebsd-security Thu Aug 16 02:33:05 2001
From: Matthew Seaman
To: security@FreeBSD.ORG
Date: Thu, 16 Aug 2001 10:32:58 +0100
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <3B7B934A.67B39698@tornadogroup.com>
References: <200108151940.f7FJepc73604@hak.lan.Awfulhak.org> <20010815170217.F14206@pir.net>

Peter Radcliffe wrote:
>
> Garance A Drosihn probably said:
> > "cron'd events", such as if you add your own cron jobs, cron will
> > email you if the process fails, or output from the process when
> > it succeeds (depending on how you have the job setup). Cron itself
> > expects it can send mail. So does lpd (if a user does 'lpr -m',
> > for instance).
>
> So why can't we run sendmail by default, just with no '-bd' option
> so it doesn't listen on port 25. Local mail will get delivered,
> it's not a remote security problem ...

Much of the time you don't even need to do that. You can run quite happily
and send e-mail without any sort of long-lived sendmail process running.
Most processes that want to send mail will invoke /usr/sbin/sendmail
directly to pipe the message into --- it's only if immediate delivery
fails (*) that the message will end up in the queue where it will languish
until `sendmail -q' gets run.

Matthew

(*) or you've altered the sendmail config to queue everything by default,
in which case I'll suppose that you know what you're doing...

--
Matthew Seaman
Tel: 01628 498661
Certe, Toto, sentio nos in Kansate non iam adesse.

From owner-freebsd-security Thu Aug 16 03:43:56 2001
From: Ceri
To: Robert Watson
Cc: Gavin Grabias, security@FreeBSD.ORG
Date: Thu, 16 Aug 2001 11:44:27 +0100
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010816114427.D9234@cartman.techsupport.co.uk>

On Wed, Aug 15, 2001 at 03:32:57PM -0400, Robert Watson said:
> On Wed, 15 Aug 2001, Gavin Grabias wrote:
>
> > > Good point, but that's a little different. Warning those who care
> > > (subscribers of the list) about security advisories is MUCH different
> > > than making the OS mute because a percentage of the installers can't
> > > figure out (or don't know that they SHOULD figure out) how to turn off
> > > sendmail, telnet, etc. It just won't save the experienced users any
> > > time to have them disabled, and it won't stop the 'clueless' from being
> > > just that.
> >
> > Security is starting to sound like a bug instead of a feature for
> > FreeBSD. We are arguing about whether users can use a text editor to
> > edit their inetd.conf. The secure approach would be to disable all
> > services by default. If the user wants "features" make him/her read
> > about them and educate themselves. Then they can make the decision as
> > to whether they want the service enabled.
>
> This is what FreeBSD 4.4 does with the inetd network services. There's an
> on-going debate about how best to handle this WRT sendmail, as local mail
> delivery is required for some internal base system functionality (vi
> recovery files, cron'd events, etc).

Would there be any mileage in doing things the NetBSD way? From NetBSD's
rc.conf(5):

     rc_configured  If this is not set to `YES' then the system will drop
                    into single-user mode during boot.

This makes pretty damn sure that if you haven't configured your system it's
not on the network. Might be a bit tougher for the first time user, but
something like OpenBSD's afterboot(8) might help there.

Just an idea,

Ceri

--
I probably wouldn't like you. Really. I really probably wouldn't like you.
From owner-freebsd-security Thu Aug 16 05:54:12 2001
From: Roman Zabolotnikov
To: freebsd-security@freebsd.org
Date: Thu, 16 Aug 2001 19:53:59 +0700
Subject: RE: Quick IPFW Rule Question

> Hi,
>
> What would be the best rule to allow all incoming traffic from one specific
> I.P. address? (for a machine with 2 I.P.s bound to the NIC...)

I guess it'd be like this.

/sbin/ipfw add allow all from 123.123.123.123 to any via fxp0
/sbin/ipfw add reject all from any to any via fxp0

You should change "fxp0" from my example to your external interface name.

> Also, what would be the best rule to allow all outgoing traffic from my
> local machine?

The same way.

/sbin/ipfw add allow all from 132.132.132.132 to any via fxp0
/sbin/ipfw add reject all from any to any via fxp0

But be careful with the "reject all" rule. It should be the last line in your
firewall rules.
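The rules in Roman's answer, Ryan's follow-up later in this thread about the hard-wired rule 65535 and the rule 65000 that an "OPEN" firewall adds, and the host-bit zeroing Crist demonstrates in the "Easy IPFW question" thread below all come down to how ipfw walks its rule list. The following Python model is an added example, not code from the thread or from FreeBSD: it is a toy first-match evaluator for the "ACTION [all|ip] from SRC to DST [via IFACE]" subset of the syntax used in these messages (ipaddress's strict=False stands in for ipfw's host-bit normalisation), and the rulesets and packets it checks are constructed for illustration.

```python
"""Toy model of ipfw(8) rule evaluation (added example, not FreeBSD code).

Modelled behaviours: first match wins in ascending rule-number order; rule
65535 "deny ip from any to any" is always present and firewall_type="OPEN"
adds 65000 "allow ip from any to any"; host bits in a CIDR address are
zeroed on entry (192.168.0.1/16 is stored as 192.168.0.0/16).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "allow", "deny" or "reject"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    iface: Optional[str] = None   # from a "via IFACE" clause; None = any interface


def parse_addr(text: str) -> ipaddress.IPv4Network:
    """'any' or addr[/prefix]; strict=False zeroes host bits the way ipfw does."""
    if text == "any":
        return ANY
    return ipaddress.ip_network(text, strict=False)


def parse_rule(number: int, body: str) -> Rule:
    """Parse the subset 'ACTION [log] [all|ip] from SRC to DST [via IFACE]'."""
    tokens = body.split()
    action = tokens[0]
    if action not in ("allow", "deny", "reject"):
        raise ValueError(f"unsupported action: {action!r}")
    src = parse_addr(tokens[tokens.index("from") + 1])
    dst = parse_addr(tokens[tokens.index("to") + 1])
    iface = tokens[tokens.index("via") + 1] if "via" in tokens else None
    return Rule(number, action, src, dst, iface)


class Ruleset:
    def __init__(self, open_firewall: bool = False) -> None:
        self.rules: List[Rule] = []
        if open_firewall:
            self.add(65000, "allow ip from any to any")  # what firewall_type="OPEN" installs
        self.add(65535, "deny ip from any to any")       # hard-wired default rule

    def add(self, number: int, body: str) -> Rule:
        rule = parse_rule(number, body)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)          # evaluation order = rule number
        return rule

    def evaluate(self, src: str, dst: str, iface: str) -> Tuple[int, str]:
        """Return (rule number, action) of the first rule that matches the packet."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.iface is not None and rule.iface != iface:
                continue
            if s in rule.src and d in rule.dst:
                return rule.number, rule.action
        raise AssertionError("rule 65535 matches everything")

    def show(self) -> List[str]:
        """Render the list roughly as 'ipfw show' prints it (without counters)."""
        def fmt(net: ipaddress.IPv4Network) -> str:
            if net == ANY:
                return "any"
            return str(net.network_address) if net.prefixlen == 32 else str(net)
        return [f"{r.number:05d} {r.action} ip from {fmt(r.src)} to {fmt(r.dst)}"
                + (f" via {r.iface}" if r.iface else "") for r in self.rules]


def demo() -> Dict[str, object]:
    """Walk constructed packets through the rulesets discussed in the thread."""
    out: Dict[str, object] = {}
    # Jordan's first attempt: the deny sits below a rule that already allows everything.
    wrong = Ruleset()
    wrong.add(100, "allow ip from any to any")
    wrong.add(200, "deny log all from 192.168.0.1/16 to any via ed0")
    out["deny_below_allow"] = wrong.evaluate("192.168.5.7", "10.0.0.1", "ed0")
    # Same rules with the deny numbered first; 'show' also confirms the host bits were zeroed.
    right = Ruleset()
    right.add(100, "deny log all from 192.168.0.1/16 to any via ed0")
    right.add(200, "allow ip from any to any")
    out["deny_above_allow"] = right.evaluate("192.168.5.7", "10.0.0.1", "ed0")
    out["shown"] = right.show()[0]
    # Roman's allow rule without his trailing reject: everything else still
    # falls through to the built-in 65535 deny ...
    roman = Ruleset()
    roman.add(100, "allow all from 123.123.123.123 to any via fxp0")
    out["peer_allowed"] = roman.evaluate("123.123.123.123", "198.51.100.1", "fxp0")
    out["other_denied"] = roman.evaluate("10.1.1.1", "198.51.100.1", "fxp0")
    # ... unless rc.conf installed the OPEN catch-all at 65000 (Ryan's caveat).
    opened = Ruleset(open_firewall=True)
    opened.add(100, "allow all from 123.123.123.123 to any via fxp0")
    out["other_allowed_when_open"] = opened.evaluate("10.1.1.1", "198.51.100.1", "fxp0")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "other_allowed_when_open" result is the case to watch for on a box whose rc.conf still says firewall_type="OPEN": a narrow allow rule at a low number looks fine in isolation, but rule 65000 lets everything else through before the default deny is ever reached.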
From owner-freebsd-security Thu Aug 16 06:24:48 2001
From: "Carroll, D. (Danny)"
Date: Thu, 16 Aug 2001 15:27:50 +0200
Subject: IPFW and dynamic rules.
Message-ID: <98829DC07ECECD47893074C4D525EFC31176AD@citsnl007.europe.intranet>

After struggling for a few days, I came across a rule to allow active FTP out
from my firewalled and masq'd clients.

# FTP - Allow access from our LAN to External FTP servers
# first is for the command channel
${fwcmd} add pass tcp from any to any 21 setup
# second is for the data channel...
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

Basically (if I understand it right) the ftp server must send back the data
from its port 20... Which is how the protocol works. But I think it means
that anyone writing a program that binds to (their) local port 20 can access
my hosts.... Think it's too open? I do...
A better way (for me) to go would be if the firewall watched the FTP outgoing
traffic then added a dynamic rule for the data channel back in... I heard
about the punch_fw option and that sounds great. But I want it for more than
just FTP and IRC DCC.

Is it possible to set up a rule that works a little like this:

internal host A connects to external host B
ipfw or natd then makes a dynamic rule that allows any traffic (or traffic
from specific ports) from host B back into the network.
After 5 minutes of inactivity, the rule is discarded.

Taking it one step further, I could even define different rules for different
situations.

FTP: watch outgoing some.host:21 and allow incoming some.host:20
mypc.home:1024 <> mypc.home:65535 until the activity finishes.

Quake: watch outgoing some.host:25970 and allow incoming mypc.home:25000 <>
mypc.home:29000 until the activity finishes.

ICQ (for file transfers): Watch outgoing some.host:X and allow incoming
mypc.home:Y <> mypc.home:Z until the activity finishes.

I know this is a little more overhead, but for my little home network I would
like the idea of being able to add this type of customized filtering.

Can it be done?
From owner-freebsd-security Thu Aug 16 07:43:27 2001
From: Robert Watson
To: David_May@allsolutions.com.au
Cc: freebsd-security@freebsd.org
Date: Thu, 16 Aug 2001 10:43:08 -0400 (EDT)
Subject: Re: Distributions of security patches.

On Thu, 16 Aug 2001 David_May@allsolutions.com.au wrote:

> I have just been through a process of attempting to streamline the
> installation of security patches to our FreeBSD machines. There has to
> be a better way.
>
> Here, we install our systems from FreeBSD RELEASE CD-ROMS that we
> purchase.
> Given that so much effort has gone in to making FreeBSD
> releases easy to install it is a shame that it is not easy to install
> patches to the base system in the same way.
>
> Is there a good reason occasional BINARY patches containing ESSENTIAL
> UPDATES to FreeBSD releases are be made available for download from
> FreeBSD.ORG?
>
> It seems a bit silly that at www.freebsd.org there is an IMPORTANT
> NOTICE about a telnet daemon exploit but no link for DOWNLOAD BINARY
> PATCH FROM HERE!
>
> Personally, I would even be happy to pay a bit more for my FreeBSD CDs
> for the privilege of avoiding all the CVSUPing or CTMing and
> re-compiling the ENTIRE SYSTEM just to ensure I have not missed a
> security patch to telnetd or whatever.

As of FreeBSD 4.3-RELEASE, the FreeBSD project has provided binary updates
for significant security problems, as well as the ability to pick up and
apply automatically all security patches against the release using CVS or
cvsup. Information on the binary patch available is included with each
advisory, including instructions on how to download and install the binary
patch.

To pick up all the security patches (and no other changes), you can use the
"release branch" with cvs or cvsup. In the case of 4.3-RELEASE, the branch
name is RELENG_4_3; once 4.4-RELEASE goes out the door, patches will be
applied to RELENG_4_4. This is the same version control mechanism used to
generate the patches, so should contain everything you need so you can build
precisely once, if that's what you'd like to do. Or you can track -STABLE
(RELENG_4) and get the new features as well as security fixes, but that may
be less appealing to production users.

Take a look at the advisories, and if you have any questions or concerns
about them, feel free to post to this mailing list. Obviously, we'd like to
keep improving the system, but it does sound like most of your concerns are
addressed by what's currently in place.
One idea I've been looking at is making the packages available via a special
package collection that sysinstall can point itself at, as well as providing
a magic "all_security.tgz" package that has dependencies against all current
binary updates, but that doesn't register itself, so that repeated
pkg_add -r's pick up any new changes each time they run.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Thu Aug 16 09:34:55 2001
From: "Steven Ames"
To: "Robert Watson"
Cc: "Igor Roshchin"
Date: Thu, 16 Aug 2001 11:31:10 -0500
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <005101c12670$dc57d1a0$28d90c42@eservoffice.com>

On Wed, 15 Aug 2001, Robert Watson wrote:
>
> One of the problems with this solution is that sites frequently modify
> their inetd.conf to add services, such as pop or imap, and that if they
> ran sysinstall to select a template, they would risk squashing their
> current install.

Absolutely. I was only suggesting a selection of fixed configurations for
initial install. For the "out of the box" approach. Anything past initial
install I get iffy letting a script make decisions for me :)

> I agree with your thoughts on a menu-driven editor, but doing that
> properly relies on having a machine-parsable file format that supports
> in-band disabling of services.

Sort of. As others have pointed out, changing our inetd.conf file makes us
different than other UNIX and that's bad from a learning curve/standards
type of position. OTOH, I see two possible ways around this objection:

1. The radical approach. Add an option to inetd that tells it to use a
machine readable file instead of inetd.conf (maybe inetd.db or some such).
My feeling was that our current file. This doesn't really violate POLA as
it's something readily apparent and the admin goes into it with his eyes
open.

2. Make use of the existing inetd.conf format with some special handling of
comments. Assume that anything starting with '#OFF#' is a usable option that
is currently turned off. Anything else starting with '#' is just a comment.
While this won't work with a lot of existing inetd.conf files out there it
won't barf on them either. It just means that instead of being able to just
click the "ON" button for a disabled option you'll have to use the inetd
editor to ADD a new service. No biggie. Any comments read in, get
regurgitated back out in the order they appear in. Clicking the "OFF" button
for an active service will cause it to be commented out with the "#OFF#"
syntax.

> format didn't lend itself to that, and as such I went with the current
> "spit the user a text editor" over implementing one before 4.4-RELEASE.
> If someone would like to write an editor that understands the syntax and
> semantics of inetd.conf, they should feel free.
> However, it needs to
> handle the cases where users have custom comments (etc) properly, and be
> able to handle the full scope of valid inetd.conf files, not just the set
> of files it could possibly generate.

Agreed in all regards.

-Steve

From owner-freebsd-security Thu Aug 16 10:31:55 2001
From: "Crist J. Clark"
To: "Carroll, D. (Danny)"
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 16 Aug 2001 09:58:53 -0700
Subject: Re: IPFW and dynamic rules.
Message-ID: <20010816095853.D4232@blossom.cjclark.org>
In-Reply-To: <98829DC07ECECD47893074C4D525EFC31176AD@citsnl007.europe.intranet>

On Thu, Aug 16, 2001 at 03:27:50PM +0200, Carroll, D. (Danny) wrote:
[snip]
> Is it possible to set up a rule that works a little like this:
>
> internal host A connects to external host B
> ipfw or natd then makes a dynamic rule that allows any traffic (or
> traffic from specific ports) from host B back into the network.
> After 5 minutes of inactivity, the rule is discarded.
[snip]
> Can it be done?

Yes. Patches welcome.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Thu Aug 16 10:32:51 2001
From: "Crist J. Clark"
To: Nate Williams
Cc: Peter Pentchev, default - Subscriptions, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Date: Thu, 16 Aug 2001 09:56:15 -0700
Subject: Re: Easy IPFW question...
Message-ID: <20010816095615.C4232@blossom.cjclark.org>
References: <20010813165603.B1119@ringworld.oblivion.bg> <15224.895.861427.828038@nomad.yogotech.com>

On Mon, Aug 13, 2001 at 10:42:39AM -0600, Nate Williams wrote:
> > > I'm kinda new to IPFW, and I was unable to figure this out by myself...
> > >
> > > I want to block an I.P. range, say 192.168.0.1, with a netmask of
> > > 255.255.0.0 ...
> > >
> > > The rule I tried was this:
> > > ipfw add deny log all from 192.168.0.1/16 to any via ed0
> >
> > Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be
> > also zeroed in the address.
>
> If so, then the ipfw parser is borken. :(
>
> It *shouldn't* matter what the last two bytes in this case are, as it
> doesn't matter to any of the other routing protocols.

I cannot reproduce this. On a 4.4-PRERELEASE system,

vegeta# ipfw add 1000 count ip from 192.168.0.1/16 to any
01000 count ip from 192.168.0.0/16 to any
vegeta# ipfw add 1001 count ip from 192.168.0.0/16 to any
01001 count ip from 192.168.0.0/16 to any
vegeta# ipfw sh
01000      12     1268 count ip from 192.168.0.0/16 to any
01001      12     1268 count ip from 192.168.0.0/16 to any
65000   17743  4318556 allow ip from any to any
65535       0        0 deny ip from any to any

The host bits are automatically zeroed in my first ipfw(8) command. What
version is the original poster using? What do the rules look like when he
does a 'show?' This might not be his problem at all.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Thu Aug 16 11:33:20 2001
From: "default - Subscriptions"
Date: Thu, 16 Aug 2001 13:33:04 -0500
Subject: Re: Easy IPFW question...
References: <20010813165603.B1119@ringworld.oblivion.bg> <15224.895.861427.828038@nomad.yogotech.com> <20010816095615.C4232@blossom.cjclark.org>

Hi,

Thanks for the help y'all. I got this fixed, I think what the deal was was I
had the rule placed below some other rules that allowed traffic... stupid
mistake... The rule I ended up keeping was this:

ipfw add deny log all from 192.168.0.1/16 to any via ed0

I tested this using another machine on my network, and it worked great.

Thanks!

Jordan
From owner-freebsd-security Thu Aug 16 11:49:44 2001
From: Ryan Thompson
To: default - Subscriptions
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 16 Aug 2001 12:49:30 -0600 (CST)
Subject: Re: Quick IPFW Rule Question
Organization: SaskNow Technologies [www.sasknow.com]

This is most appropriate for the -questions forum. Reply sent to
freebsd-questions@freebsd.org, BCC security.

default - Subscriptions wrote to freebsd-security@FreeBSD.ORG and...:

> Hi,
>
> What would be the best rule to allow all incoming traffic from one
> specific I.P. address? (for a machine with 2 I.P.s bound to the
> NIC...)

If you mean "allow incoming traffic for an IP address bound to a NIC", this
is implicitly allowed by default. Otherwise, to allow any incoming traffic
from, say, 172.16.0.1:

ipfw add 1000 allow ip from 172.16.0.1 to any

You also need an explicit outgoing rule, if you do not allow all outgoing
traffic. That rule would be:

ipfw add 1010 allow ip from any to 172.16.0.1

To be more specific/secure, replace "any" in the above two rules with your
IP or network address.

> Also, what would be the best rule to allow all outgoing traffic from
> my local machine?
Repeat for each IP address you have bound to your NIC. The basic syntax is:

ipfw add #### allow ip from 10.0.0.1 to any

Where #### is a unique rule number.

Or, you can allow subnets, if appropriate in your setup:

ipfw add 3000 allow ip from 10.0.0.0/24 to any

> Thanks,
>
> Jordan

--
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Thu Aug 16 11:53:24 2001
From: Ryan Thompson
To: Roman Zabolotnikov
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 16 Aug 2001 12:53:13 -0600 (CST)
Subject: RE: Quick IPFW Rule Question
Organization: SaskNow Technologies [www.sasknow.com]

Roman Zabolotnikov wrote to freebsd-security@FreeBSD.ORG:

> > Hi,
> >
> > What would be the best rule to allow all incoming traffic from one specific
> > I.P. address? (for a machine with 2 I.P.s bound to the NIC...)
>
> I guess it'd be like this.
>
> /sbin/ipfw add allow all from 123.123.123.123 to any via fxp0
> /sbin/ipfw add reject all from any to any via fxp0
>
> You should change "fxp0" from my example to your external interface name.
>
> > Also, what would be the best rule to allow all outgoing traffic from my
> > local machine?
>
> The same way.
>
> /sbin/ipfw add allow all from 132.132.132.132 to any via fxp0
> /sbin/ipfw add reject all from any to any via fxp0
>
> But be careful with the "reject all" rule. It should be the last line in your
> firewall rules.

It is normally not required to specify the "reject all" rule. It is
hardwired as rule 65535 in ipfw. The thing to watch, in this case, is if the
user has an "OPEN" firewall thanks to rc.conf--in which case rule 65000 will
be added which allows everything.

As always, order and numbering are important. Rules are passed/rejected based
on the order of numerical rule numbers. The correct rule in the wrong order
may not work at all.

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com

From owner-freebsd-security Thu Aug 16 18:46:37 2001
From: Dragos Ruiu
Organization: kyx.net
To: security@freebsd.org
Date: Thu, 16 Aug 2001 18:40:47 -0700
Subject: does the fetchmail ssl remote vuln apply to freebsd?
Message-Id: <0108161841280S.33176@smp.kyx.net>

http://lwn.net/alerts/EnGarde/ESA-20010816-01.php3

--
Dragos Ruiu
dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

From owner-freebsd-security Thu Aug 16 19:00:22 2001
From: Kris Kennaway
To: Dragos Ruiu
Cc: security@FreeBSD.ORG
Date: Thu, 16 Aug 2001 19:00:18 -0700
Subject: Re: does the fetchmail ssl remote vuln apply to freebsd?
Message-ID: <20010816190018.A81586@xor.obsecurity.org> References: <0108161841280S.33176@smp.kyx.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <0108161841280S.33176@smp.kyx.net>; from dr@kyx.net on Thu, Aug 16, 2001 at 06:40:47PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --DocE+STaALJfprDB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Aug 16, 2001 at 06:40:47PM -0700, Dragos Ruiu wrote: > http://lwn.net/alerts/EnGarde/ESA-20010816-01.php3 I'm not certain; it's usually really hard to figure out details of vulnerabilities from those Linnex advisories. They usually don't bother to mention what versions are affected: sometimes they don't even mention what the problem is, although this one at least mentions the nature of the bug, if not the effect. There was something which sounds similar fixed in fetchmail 5.8.17, for which we hope to have an advisory out before too long. I'm a bit snowed under at the moment. 
Kris --DocE+STaALJfprDB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7fHqyWry0BWjoQKURAk9nAKDlvkJysyFcTre46dZT/c6C3/IgAACfavEf MKVx9OV0khRkenVkpU2oWIM= =rniq -----END PGP SIGNATURE----- --DocE+STaALJfprDB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 20:57:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from phoenix.tricom.com.ph (phoenix.tricom.com.ph [203.167.87.58]) by hub.freebsd.org (Postfix) with SMTP id A870137B40C for ; Thu, 16 Aug 2001 20:57:32 -0700 (PDT) (envelope-from jimmy@tricom.com.ph) Received: (qmail 41913 invoked by uid 89); 17 Aug 2001 04:00:38 -0000 Message-ID: <20010817040038.41912.qmail@phoenix.tricom.com.ph> From: "Jimmy Lim" To: security@freebsd.org Subject: multiple default route Date: Fri, 17 Aug 2001 04:00:38 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry guys for this Off-topic. Is it possible for freebsd to have 2 or more default route? 
Thanks in advance Jimmy Lim Operation & Support Team Leader Tricom To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 23: 2: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from pit.lv (www.pit.lv [159.148.96.253]) by hub.freebsd.org (Postfix) with ESMTP id 2C26937B403 for ; Thu, 16 Aug 2001 23:01:58 -0700 (PDT) (envelope-from matiss@bkc.lv) Received: from ysdh45 ([159.148.83.150]) by pit.lv (8.10.2/8.11.2) with SMTP id f7H64Uc10758; Fri, 17 Aug 2001 09:04:30 +0300 Message-ID: <005101c12735$f1087da0$9653949f@lv> From: =?windows-1257?Q?Mat=EEss_Elsbergs?= To: , Subject: Re: multiple default route Date: Fri, 17 Aug 2001 09:01:35 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1257" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Is it possible for freebsd to have 2 or more default route? It is not possible for one network interface. TCP/IP interface can have only one default gateway. If several netcards are installed, you can have as many gateways as you like. 
Rgds,
Mathis Elsberg
Technical Director
Astranet IS

From owner-freebsd-security Thu Aug 16 23:31:12 2001
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@FreeBSD.org
Subject: FreeBSD Security Advisory FreeBSD-SA-01:40.fts [REVISED]
Date: Thu, 16 Aug 2001 23:30:56 -0700 (PDT)

=============================================================================
FreeBSD-SA-01:40                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          fts(3) routines contain race condition [REVISED]

Category:       core
Module:         libc
Announced:      2001-06-04
Revised:        2001-08-16
Credits:        Nick Cleaton
                Todd Miller helped to develop the patch.
Affects:        FreeBSD 4.3-RELEASE, 4.3-STABLE prior to the correction date.
Corrected:      2001-06-01
FreeBSD only:   NO

0.   Revision History

2001-06-04  v1.0  Initial release
2001-08-16  v1.1  Corrected typo in recompilation instructions

I.   Background

The standard C library (libc) contains a set of routines known as fts
which allow an application to recursively traverse a filesystem.

II.  Problem Description

The fts routines are vulnerable to a race condition when ascending a file
hierarchy, which allows an attacker who has control over part of the
hierarchy into which fts is descending to cause the application to ascend
beyond the starting point of the file traversal, and enter other parts of
the filesystem.

If the fts routines are being used by an application to perform operations
on the filesystem hierarchy, such as find(1) with a keyword such as -exec
or -delete, or rm(1) with the -r flag, these operations can be incorrectly
applied to files outside the intended hierarchy, which may result in system
damage or compromise.

All versions of FreeBSD prior to the correction date including 4.3-RELEASE
are vulnerable to this problem.

III. Impact

Local users may be able to remove or modify files on the local system which
are owned or writable by a user running a command that uses the FTS
routines in a vulnerable way.

If the system administrator has enabled the daily_clean_tmps_enable
variable in /etc/periodic.conf, the find -delete command is run once per
day, allowing unauthorised removal of files on the system. This option is
not enabled by default.

IV.  Workaround

None appropriate for the general vulnerability. The instance exposed by the
daily_clean_tmps_enable setting can be prevented by disabling this switch
in /etc/periodic.conf, if it has been enabled.

V.   Solution

One of the following:

1) As of FreeBSD 4.3-RELEASE, we have introduced a new ``security fix CVS
branch'' which contains security fixes only, which can be tracked using the
standard FreeBSD tools (cvsup/CVS/etc). The branch name is ``RELENG_4_3''.
Upgrade your vulnerable FreeBSD system to the RELENG_4_3 branch after the
correction date.

2) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
correction dates.

3) To patch your present system: download the relevant patch from the below
location, and execute the following commands as root:

[FreeBSD 4.3 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/lib/libc
# patch -p < /path/to/patch
# make depend && make all install
# cd /usr/src/lib/libc_r
# make depend && make all install
# cd /usr/src/bin/chmod
# make depend && make all install
# cd /usr/src/bin/cp
# make depend && make all install
# cd /usr/src/bin/ls
# make depend && make all install
# cd /usr/src/bin/pax
# make depend && make all install
# cd /usr/src/bin/rm
# make depend && make all install
# cd /usr/src/usr.bin/chflags
# make depend && make all install
# cd /usr/src/usr.bin/du
# make depend && make all install
# cd /usr/src/usr.bin/find
# make depend && make all install
# cd /usr/src/libexec/ftpd
# make depend && make all install
# cd /usr/src/usr.sbin/chown
# make depend && make all install
# cd /usr/src/usr.sbin/ckdist
# make depend && make all install
# cd /usr/src/usr.sbin/ctm
# make depend && make all install
# cd /usr/src/usr.sbin/mtree
# make depend && make all install
# cd /usr/src/usr.sbin/pkg_install
# make depend && make all install

This patch has been verified to apply to FreeBSD 4.3-RELEASE and
4.2-RELEASE; it may or may not apply to older, unsupported versions of
FreeBSD.

4) An experimental upgrade package is available for adventurous users who
wish to provide testing and feedback on the binary upgrade process. This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical or
convenient.

Since this is the first binary upgrade package produced for the FreeBSD
base system, it is not recommended that this be used on production systems
without first being tested on a scratch machine; since the package replaces
critical system files, a failed upgrade can leave a system in an unusable
state.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be reinstalled
if the package is removed, reverting the system to a pre-patch state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz.asc

Verify the detached PGP signature using your PGP utility.

Bring the system down to single-user mode; this package should not be
installed from multi-user mode. If it is desired to remove the package at a
later date, you should again do so from single-user mode.

# shutdown now
# pkg_add security-patch-fts-01.40

Follow the directions given after the installation of the package to
complete the system upgrade.

To bring the system back up to multi-user mode, type the following command:

# exit

From owner-freebsd-security Thu Aug 16 23:33:43 2001
From: "alexus"
To: Matîss Elsbergs
Subject: Re: multiple default route
Date: Fri, 17 Aug 2001 02:36:29 -0400

can you implement some sort of fail over with this? if one nic went bad,
it'd use second nic w/ second gateway

----- Original Message -----
From: "Matîss Elsbergs"
Sent: Friday, August 17, 2001 12:01 PM
Subject: Re: multiple default route

> > Is it possible for freebsd to have 2 or more default route?
> > It is not possible for one network interface. TCP/IP interface can have only > one default gateway. > > If several netcards are installed, you can have as many gateways as you > like. > > Rgds, > Mathis Elsberg > Technical Director > Astranet IS > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 23:35: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe41.law12.hotmail.com [64.4.18.98]) by hub.freebsd.org (Postfix) with ESMTP id E41C537B408 for ; Thu, 16 Aug 2001 23:35:01 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 16 Aug 2001 23:35:01 -0700 X-Originating-IP: [24.14.93.185] Reply-To: "default - Subscriptions" From: "default - Subscriptions" To: Subject: Silly crackers... NT is for kids... Date: Fri, 17 Aug 2001 01:34:48 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: X-OriginalArrivalTime: 17 Aug 2001 06:35:01.0691 (UTC) FILETIME=[BE1BC8B0:01C126E6] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Recently hundreds of I.P. addresses have been attempting to use an NT exploit on my FreeBSD web server as if it were an NT server... 
Apache logs the attack like this: ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-" Here's what security tracker has to say about it: http://securitytracker.com/alerts/2001/Jun/1001788.html Apparently this exploits the indexing service in IIS allowing the cracker to gain SYSTEM access... Now, this does absolutely nothing to my server, as it is a FreeBSD machine which I believe is decently secure even if the attacks were exploits that worked on FreeBSD (which they do not). I have been receiving so many of these lately, that I must almost assume that it is one person orchestrating the whole attack in a pathetic attempt to gain access to my machine. Really all it does is pester me by sucking up a small percentage of my bandwidth, and system resources... My question is: Is this a common attack that script kiddies are using right now? Are lots of people getting attacked in a similar manner? If so, does anyone know a place where I could get the binary and source code so that I can take a look at how it works? And what are the rest of you guys doing about this if anything? I have notified the ISPs of the attackers I.P. ranges (mostly AT&T@Home) but they have done nothing, and have not even replied to my complaints. I have resorted to running a cron that blocks these I.P. addresses when they first show their ugly faces... I know that's kindof anal, but I feel that it is a good precaution because even if it really is hundreds of people, a couple of them are bound to get wise eventually and try something smarter... 
Anyway, its really starting to bug me, it has been going on for a couple of weeks now, and I am nearing a total of 300 I.P. addresses as the sources... most of which are low security NT servers on a commercial network such as AT&T@Home, and RoadRunner... Thanks, Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 23:44:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by hub.freebsd.org (Postfix) with ESMTP id 6C17D37B40A; Thu, 16 Aug 2001 23:44:30 -0700 (PDT) (envelope-from eugen@svzserv.kemerovo.su) Received: from svzserv.kemerovo.su (kost [213.184.65.82]) by www.svzserv.kemerovo.su (8.9.3/8.9.3) with ESMTP id OAA50391; Fri, 17 Aug 2001 14:44:27 +0800 (KRAST) (envelope-from eugen@svzserv.kemerovo.su) Message-ID: <3B7CBD47.1EA32FED@svzserv.kemerovo.su> Date: Fri, 17 Aug 2001 14:44:23 +0800 From: Eugene Grosbein Organization: SVZServ X-Mailer: Mozilla 4.76 [en] (Win95; U) X-Accept-Language: ru,en MIME-Version: 1.0 To: security@FreeBSD.ORG Cc: imp@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:40.fts [REVISED] References: <200108170630.f7H6UuU68762@freefall.freebsd.org> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-01:40 Security Advisory > FreeBSD, Inc.> > Topic: fts(3) routines contain race condition [REVISED] > > Category: core > Module: libc > Announced: 2001-06-04 > Revised: 2001-08-16 > Credits: Nick Cleaton > Todd Miller helped to develop the > patch. > Affects: FreeBSD 4.3-RELEASE, 4.3-STABLE prior to the correction > date. 
> Corrected: 2001-06-01 > FreeBSD only: NO Now this is the only Advisory that is actual for FreeBSD 3.5-STABLE (e.g. that does not provide fix). Even later FreeBSD-SA-01:42 does provide a patch. However, http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27922 suggests patch for RELENG_3. My system runs with it for more than 2 months. Please consider this PR. Eugene Grosbein To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 23:45:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id D050237B403; Thu, 16 Aug 2001 23:45:40 -0700 (PDT) (envelope-from root@ns.morning.ru) Received: (from root@localhost) by ns.morning.ru (8.11.5/8.11.5) id f7H6jaT64891; Fri, 17 Aug 2001 14:45:36 +0800 (KRAST) Date: Fri, 17 Aug 2001 14:45:36 +0800 From: Hostmaster To: =?koi8-r?Q?Mat=EEss_Elsbergs?= Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: multiple default route Message-ID: <20010817144536.A64780@ns.morning.ru> References: <005101c12735$f1087da0$9653949f@lv> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <005101c12735$f1087da0$9653949f@lv>; from matiss@bkc.lv on Fri, Aug 17, 2001 at 09:01:35AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Aug 17, 2001 at 09:01:35AM -0700, Matîss Elsbergs wrote: > > Is it possible for freebsd to have 2 or more default route? > > It is not possible for one network interface. TCP/IP interface can have only > one default gateway. man ipfw, then look for fwd... > > If several netcards are installed, you can have as many gateways as you > like. 
> > Rgds, > Mathis Elsberg > Technical Director > Astranet IS > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Igor M Podlesny Morning Network hostmaster http://good.morning.ru phone: +7 3912 296962 mailto:hostmaster@morning.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 23:46:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 527E137B401 for ; Thu, 16 Aug 2001 23:46:38 -0700 (PDT) (envelope-from cfaber@fpsn.net) Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id AAA06668 for ; Fri, 17 Aug 2001 00:46:30 -0600 (MDT) (envelope-from cfaber@fpsn.net) Message-ID: <3B7CBD46.F814B3C7@fpsn.net> Date: Fri, 17 Aug 2001 00:44:22 -0600 From: Colin Faber Reply-To: cfaber@fpsn.net Organization: fpsn.net, Inc. X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 Cc: freebsd-security@FreeBSD.ORG Subject: Re: Silly crackers... NT is for kids... References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Can't get one past you ;-) default - Subscriptions wrote: > > Hi, > > Recently hundreds of I.P. addresses have been attempting to use an NT > exploit on my FreeBSD web server as if it were an NT server... 
Apache logs > the attack like this: > ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET > /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a > HTTP/1.0" 404 276 "-" "-" > > Here's what security tracker has to say about it: > http://securitytracker.com/alerts/2001/Jun/1001788.html > > Apparently this exploits the indexing service in IIS allowing the cracker to > gain SYSTEM access... > > Now, this does absolutely nothing to my server, as it is a FreeBSD machine > which I believe is decently secure even if the attacks were exploits that > worked on FreeBSD (which they do not). > > I have been receiving so many of these lately, that I must almost assume > that it is one person orchestrating the whole attack in a pathetic attempt > to gain access to my machine. Really all it does is pester me by sucking up > a small percentage of my bandwidth, and system resources... > > My question is: Is this a common attack that script kiddies are using right > now? Are lots of people getting attacked in a similar manner? If so, does > anyone know a place where I could get the binary and source code so that I > can take a look at how it works? And what are the rest of you guys doing > about this if anything? > > I have notified the ISPs of the attackers I.P. ranges (mostly AT&T@Home) but > they have done nothing, and have not even replied to my complaints. I have > resorted to running a cron that blocks these I.P. addresses when they first > show their ugly faces... 
I know that's kindof anal, but I feel that it is a > good precaution because even if it really is hundreds of people, a couple of > them are bound to get wise eventually and try something smarter... > > Anyway, its really starting to bug me, it has been going on for a couple of > weeks now, and I am nearing a total of 300 I.P. addresses as the sources... > most of which are low security NT servers on a commercial network such as > AT&T@Home, and RoadRunner... > > Thanks, > > Jordan > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 23:47:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta03.mail.mel.aone.net.au (mta03.mail.au.uu.net [203.2.192.83]) by hub.freebsd.org (Postfix) with ESMTP id 8D2E137B40D for ; Thu, 16 Aug 2001 23:46:59 -0700 (PDT) (envelope-from ferni@shafted.com.au) Received: from fernilaptop ([63.34.220.228]) by mta03.mail.mel.aone.net.au with SMTP id <20010817064657.XHXZ23992.mta03.mail.mel.aone.net.au@fernilaptop> for ; Fri, 17 Aug 2001 16:46:57 +1000 Message-ID: <004701c126e8$38d006b0$240aa8c0@fernilaptop> Reply-To: "Andrew Dean" From: "Andrew Dean" To: References: Subject: Re: Silly crackers... NT is for kids... Date: Fri, 17 Aug 2001 16:45:36 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Isn't that the code red worm? 
*feels dumb* ----- Original Message ----- From: "default - Subscriptions" To: Sent: Friday, August 17, 2001 4:34 PM Subject: Silly crackers... NT is for kids... > Hi, > > Recently hundreds of I.P. addresses have been attempting to use an NT > exploit on my FreeBSD web server as if it were an NT server... Apache logs > the attack like this: > ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET > /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a > HTTP/1.0" 404 276 "-" "-" > > Here's what security tracker has to say about it: > http://securitytracker.com/alerts/2001/Jun/1001788.html > > Apparently this exploits the indexing service in IIS allowing the cracker to > gain SYSTEM access... > > Now, this does absolutely nothing to my server, as it is a FreeBSD machine > which I believe is decently secure even if the attacks were exploits that > worked on FreeBSD (which they do not). > > I have been receiving so many of these lately, that I must almost assume > that it is one person orchestrating the whole attack in a pathetic attempt > to gain access to my machine. Really all it does is pester me by sucking up > a small percentage of my bandwidth, and system resources... > > My question is: Is this a common attack that script kiddies are using right > now? Are lots of people getting attacked in a similar manner? If so, does > anyone know a place where I could get the binary and source code so that I > can take a look at how it works? And what are the rest of you guys doing > about this if anything? > > I have notified the ISPs of the attackers I.P. 
ranges (mostly AT&T@Home) but > they have done nothing, and have not even replied to my complaints. I have > resorted to running a cron that blocks these I.P. addresses when they first > show their ugly faces... I know that's kindof anal, but I feel that it is a > good precaution because even if it really is hundreds of people, a couple of > them are bound to get wise eventually and try something smarter... > > Anyway, its really starting to bug me, it has been going on for a couple of > weeks now, and I am nearing a total of 300 I.P. addresses as the sources... > most of which are low security NT servers on a commercial network such as > AT&T@Home, and RoadRunner... > > Thanks, > > Jordan > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 16 23:47:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe66.law12.hotmail.com [64.4.18.201]) by hub.freebsd.org (Postfix) with ESMTP id 454CC37B40F for ; Thu, 16 Aug 2001 23:47:19 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 16 Aug 2001 23:47:18 -0700 X-Originating-IP: [24.14.93.185] Reply-To: "default - Subscriptions" From: "default - Subscriptions" To: Subject: Fw: Silly crackers... NT is for kids... - DOH! 
Date: Fri, 17 Aug 2001 01:47:05 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: X-OriginalArrivalTime: 17 Aug 2001 06:47:18.0494 (UTC) FILETIME=[7546FFE0:01C126E8] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Whoops! As it turns out, I did a bit more research at http://www.eeye.com , and found that this is the CODE RED worm! Wow! This is one mean wormy, well... guess I can at least be relieved that there aren't 5 billion crackers on my I.P. block :) Thanks! Jordan Oh, P.S. If anyone else wants to read up on this, here is what I found: http://www.eeye.com/html/Research/Advisories/AL20010717.html ----- Original Message ----- From: "default - Subscriptions" To: Sent: Friday, August 17, 2001 1:34 AM Subject: Silly crackers... NT is for kids... > Hi, > > Recently hundreds of I.P. addresses have been attempting to use an NT > exploit on my FreeBSD web server as if it were an NT server... Apache logs > the attack like this: > ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET > /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a > HTTP/1.0" 404 276 "-" "-" > > Here's what security tracker has to say about it: > http://securitytracker.com/alerts/2001/Jun/1001788.html > > Apparently this exploits the indexing service in IIS allowing the cracker to > gain SYSTEM access... 
>
> Now, this does absolutely nothing to my server, as it is a FreeBSD machine
> which I believe is decently secure even if the attacks were exploits that
> worked on FreeBSD (which they do not).
>
> I have been receiving so many of these lately, that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic attempt
> to gain access to my machine. Really all it does is pester me by sucking up
> a small percentage of my bandwidth, and system resources...
>
> My question is: Is this a common attack that script kiddies are using right
> now? Are lots of people getting attacked in a similar manner? If so, does
> anyone know a place where I could get the binary and source code so that I
> can take a look at how it works? And what are the rest of you guys doing
> about this if anything?
>
> I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but
> they have done nothing, and have not even replied to my complaints. I have
> resorted to running a cron that blocks these I.P. addresses when they first
> show their ugly faces... I know that's kind of anal, but I feel that it is a
> good precaution because even if it really is hundreds of people, a couple of
> them are bound to get wise eventually and try something smarter...
>
> Anyway, it's really starting to bug me, it has been going on for a couple of
> weeks now, and I am nearing a total of 300 I.P. addresses as the sources...
> most of which are low security NT servers on a commercial network such as
> AT&T@Home, and RoadRunner...
>
> Thanks,
>
> Jordan

From owner-freebsd-security Thu Aug 16 23:47:32 2001
From: "Shevland, Joseph (AU - Hobart)"
To: 'default - Subscriptions', "'freebsd-security@FreeBSD.ORG'"
Date: Fri, 17 Aug 2001 16:47:16 +1000
Subject: RE: Silly crackers... NT is for kids...

It's the CodeRed (II) virus, but there's no sinister Evil Dude/s picking on
you; these compromised IIS servers randomly try and infect any other
IP/server they can connect to port 80 on... it's a bit of a DoS for some
people, hopefully the IIS weenies will patch their servers as soon as
possible so these things stop.

Cheers,

Joe

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of default -
> Subscriptions
> Sent: Friday, 17 August 2001 4:35 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Silly crackers... NT is for kids...
>
>
> Hi,
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT
> server...
> Apache logs
> the attack like this:
>
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909
> 0%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0
> 000%u00=a
> HTTP/1.0" 404 276 "-" "-"
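The probe quoted in the two messages above has a fixed shape in an Apache access log (a GET for /default.ida? followed by long X padding and a run of %uXXXX escapes), so it can be counted per source host instead of eyeballed. The following parser and counter is an added example, not code from this thread; the hostnames and log lines in it are constructed stand-ins.

```python
import re
from collections import Counter

# Apache common/combined log line, as quoted in the message above:
# host ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it
    does not have the expected shape."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_codered_probe(entry):
    """True when a parsed entry has the shape of the probe in the thread:
    GET /default.ida? + a long run of X (or N) padding + several %uXXXX
    escapes. Only the shape is matched, not any particular payload bytes."""
    if entry is None or entry['method'] != 'GET':
        return False
    path = entry['path']
    if not re.match(r'/default\.ida\?[XN]{20,}', path, re.I):
        return False
    return len(re.findall(r'%u[0-9a-f]{4}', path, re.I)) >= 4


def summarize(lines):
    """Return (total probe count, Counter of probes per source host)."""
    sources = Counter()
    total = 0
    for line in lines:
        entry = parse_line(line)
        if is_codered_probe(entry):
            sources[entry['host']] += 1
            total += 1
    return total, sources


def hosts_to_block(sources, min_hits=1):
    """Sorted list of hosts that sent at least min_hits probes; this is the
    list a cron job like the one described in the thread would act on."""
    return sorted(h for h, n in sources.items() if n >= min_hits)


# Constructed sample log: the padding and escape sequence keep the shape of
# the quoted request; hostnames are made up.
PADDING = 'X' * 224
ESCAPES = '%u9090%u6858%ucbd3%u7801' * 3 + '%u9090%u9090'
SAMPLE_LOG = [
    f'probe-a.example.net - - [17/Aug/2001:00:53:16 -0500] '
    f'"GET /default.ida?{PADDING}{ESCAPES}=a HTTP/1.0" 404 276 "-" "-"',
    f'probe-a.example.net - - [17/Aug/2001:00:58:02 -0500] '
    f'"GET /default.ida?{PADDING}{ESCAPES}=a HTTP/1.0" 404 276 "-" "-"',
    f'probe-b.example.org - - [17/Aug/2001:01:02:40 -0500] '
    f'"GET /default.ida?{PADDING}{ESCAPES}=a HTTP/1.0" 404 276 "-" "-"',
    'client.example.com - - [17/Aug/2001:01:03:11 -0500] '
    '"GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.76"',
]

if __name__ == '__main__':
    total, sources = summarize(SAMPLE_LOG)
    print(f'{total} probes from {len(sources)} hosts')
    for host in hosts_to_block(sources):
        print(f'{host}: {sources[host]}')
```

As the reply above notes, the sources are infected IIS hosts rather than a single attacker, so a per-host block list mainly saves log noise and bandwidth; the 404 already shows the request does nothing on this server.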
From owner-freebsd-security Thu Aug 16 23:51:26 2001
From: Kris Kennaway
To: Eugene Grosbein
Cc: security@FreeBSD.ORG, imp@FreeBSD.ORG
Date: Thu, 16 Aug 2001 23:51:22 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:40.fts [REVISED]

On Fri, Aug 17, 2001 at 02:44:23PM +0800, Eugene Grosbein wrote:
> FreeBSD Security Advisories wrote:
>
> > =============================================================================
> > FreeBSD-SA-01:40                                           Security Advisory
> >                                                                 FreeBSD, Inc.
> >
> > Topic:          fts(3) routines contain race condition [REVISED]
> >
> > Category:       core
> > Module:         libc
> > Announced:      2001-06-04
> > Revised:        2001-08-16
> > Credits:        Nick Cleaton
> >                 Todd Miller helped to develop the patch.
> > Affects:        FreeBSD 4.3-RELEASE, 4.3-STABLE prior to the correction date.
> > Corrected:      2001-06-01
> > FreeBSD only:   NO
>
> Now this is the only Advisory that is actual for FreeBSD 3.5-STABLE
> (e.g. that does not provide fix).

FreeBSD 3.x is no longer officially supported for local security
vulnerabilities. You'll have to find another committer to test and
commit that patch.

Kris

From owner-freebsd-security Fri Aug 17 00:02:08 2001
From: Eugene Grosbein
To: Kris Kennaway
Cc: security@FreeBSD.ORG, imp@FreeBSD.ORG
Date: Fri, 17 Aug 2001 15:01:51 +0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:40.fts [REVISED]
Kris Kennaway wrote:
>
> > > FreeBSD-SA-01:40                                    Security Advisory
> > Now this is the only Advisory that is actual for FreeBSD 3.5-STABLE
> > (e.g. that does not provide fix).
>
> FreeBSD 3.x is no longer officially supported for local security
> vulnerabilities. You'll have to find another committer to test and
> commit that patch.

Will the PR remain open forever if nobody will commit this?

Eugene Grosbein

From owner-freebsd-security Fri Aug 17 00:03:58 2001
From: Warner Losh
To: Eugene Grosbein
Cc: Kris Kennaway, security@FreeBSD.ORG
Date: Fri, 17 Aug 2001 01:03:52 -0600
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:40.fts [REVISED]
In message <3B7CC15F.1A7DF48B@svzserv.kemerovo.su> Eugene Grosbein writes:
: Kris Kennaway wrote:
:
: > > > FreeBSD-SA-01:40                                    Security Advisory
: > > Now this is the only Advisory that is actual for FreeBSD 3.5-STABLE
: > > (e.g. that does not provide fix).
: >
: > FreeBSD 3.x is no longer officially supported for local security
: > vulnerabilities. You'll have to find another committer to test and
: > commit that patch.
:
: Will the PR remain open forever if nobody will commit this?

Yes.

However, I plan on committing it.

Warner

From owner-freebsd-security Fri Aug 17 00:05:57 2001
From: Kris Kennaway
To: Eugene Grosbein
Cc: Kris Kennaway, security@FreeBSD.ORG, imp@FreeBSD.ORG
Date: Fri, 17 Aug 2001 00:05:42 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:40.fts [REVISED]
On Fri, Aug 17, 2001 at 03:01:51PM +0800, Eugene Grosbein wrote:
> Kris Kennaway wrote:
>
> > > > FreeBSD-SA-01:40                                    Security Advisory
> > > Now this is the only Advisory that is actual for FreeBSD 3.5-STABLE
> > > (e.g. that does not provide fix).
> >
> > FreeBSD 3.x is no longer officially supported for local security
> > vulnerabilities. You'll have to find another committer to test and
> > commit that patch.
>
> Will the PR remain open forever if nobody will commit this?

Not forever, I imagine it would be timed out at some point. Probably if
no committers volunteer to do the honours as a result of this thread it
would be a safe bet to assume none are interested, and we could close it
then.
Kris

From owner-freebsd-security Fri Aug 17 00:13:00 2001
From: Michael Robinson
To: default - Subscriptions
Cc: security@freebsd.org
Date: Fri, 17 Aug 2001 15:13:16 +0800
Subject: Re: Fw: Silly crackers... NT is for kids... - DOH!

On Fri, Aug 17, 2001 at 01:47:05AM -0500, default - Subscriptions wrote:
> As it turns out, I did a bit more research at http://www.eeye.com , and
> found that this is the CODE RED worm!
> Wow! This is one mean wormy, well...
> guess I can at least be relieved that
> there aren't 5 billion crackers on my I.P. block :)

Since you seem to be somewhat clue challenged, I thought it might be
worthwhile to point out that a couple months ago a bug was discovered in
the FreeBSD telnetd service that allows any random person on the Internet
to walk in and get root access to your server. Just in case you have
telnetd running and hadn't heard about this. There's a big notice at the
top of http://www.freebsd.org to get you started.

-Michael Robinson

From owner-freebsd-security Fri Aug 17 00:22:41 2001
From: Eugene Grosbein
To: security@FreeBSD.ORG
Date: Fri, 17 Aug 2001 15:22:26 +0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:40.fts [REVISED]

Warner Losh wrote:

> : Will the PR remain
> : open forever if nobody will commit this?
>
> Yes.
>
> However, I plan on committing it.

Thank you very much! This, at least, will make it possible to do
'make release' for 3.5-STABLE and use the snapshot for old machines.
RELENG_4 is still not usable for some old hardware, basically hard disks.

Eugene Grosbein

From owner-freebsd-security Fri Aug 17 00:32:59 2001
From: Mark Murray
To: Dan Larsson
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 16 Aug 2001 21:18:44 +0100
Subject: Re: OpenBSD enc device for FreeBSD

> Will FreeBSD merge this very excellent solution into
> the source tree or does FreeBSD have a similar device
> doing the same thing?

Yes - as soon as my stuff arrives. Say a week or 2.
M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-security Fri Aug 17 00:33:44 2001
From: Mark Murray
To: itojun@iijlab.net
Cc: Brooks Davis, Dan Larsson, freebsd-security@FreeBSD.ORG
Date: Thu, 16 Aug 2001 21:20:49 +0100
Subject: Re: OpenBSD enc device for FreeBSD

> >It looks interesting, I'll take a look at it. No promises on delivery
> >date though.
>
> don't play with rcvif. it will break IPv6 scoped address architecture
> support.

I have converted OpenBSD's kernel crypto library into a FreeBSD module,
and I have a device driver for a HiFn hardware crypto device.

Interested?
M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-security Fri Aug 17 00:39:50 2001
From: Dan Larsson
To: Mark Murray
Cc: itojun@iijlab.net, Brooks Davis, freebsd-security@FreeBSD.ORG
Date: Fri, 17 Aug 2001 09:39:45 +0200 (CEST)
Subject: Re: OpenBSD enc device for FreeBSD

On Thu, 16 Aug 2001, Mark Murray wrote:

| > >It looks interesting, I'll take a look at it. No promises on delivery
| > >date though.
| >
| > don't play with rcvif. it will break IPv6 scoped address architecture
| > support.
|
| I have converted OpenBSD's kernel crypto library into a FreeBSD module,
| and I have a device driver for a HiFn hardware crypto device.
|
| Interested?

Great!
Yes, very much so :)

Regards
+------
Dan Larsson                   | Tel: +46 8 550 120 21
Tyfon Svenska AB              | Fax: +46 8 550 120 02
GPG and PGP keys              | finger dl@hq1.tyfon.net

From owner-freebsd-security Fri Aug 17 01:31:15 2001
From: "Crist J. Clark"
To: Matîss Elsbergs
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Date: Fri, 17 Aug 2001 01:30:54 -0700
Subject: Re: multiple default route

On Fri, Aug 17, 2001 at 09:01:35AM -0700, Matîss Elsbergs wrote:
> > Is it possible for freebsd to have 2 or more default route?
>
> It is not possible for one network interface. TCP/IP interface can have only
> one default gateway.
If you are saying that having one default route is a limitation of
TCP/IP, you are incorrect. Actually, RFC1122 says,

    When there is no route cache entry for the destination host address
    (and the destination is not on the connected network), the IP layer
    MUST pick a gateway from its list of "default" gateways. The IP
    layer MUST support multiple default gateways.

Note the last sentence. This is one of the few places where I've seen
FreeBSD to be non-compliant with STD RFCs.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Fri Aug 17 01:40:22 2001
From: itojun@iijlab.net
To: cjclark@alum.mit.edu
Cc: Matîss Elsbergs, freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Date: Fri, 17 Aug 2001 17:40:13 +0900
Subject: Re: multiple default route

>> > Is it possible for freebsd to have 2 or more default route?

KAME/NetBSD has an experimental support for multipath FIB. you can have
multiple default routes.
it would be a bit hard to port, and it needs some more stabilization.
ftp://ftp.kame.net/pub/kame/snap/

itojun

From owner-freebsd-security Fri Aug 17 02:16:35 2001
From: "Andrew R. Reiter"
To: freebsd-security@freebsd.org
Date: Fri, 17 Aug 2001 05:16:31 -0400 (EDT)
Subject: fetchmail fix -- Deleted other thread :-(

To answer the question, kkenn updated the fetchmail package to get the
non-vulnerable version. If you check the cvs log:

revision 1.127
date: 2001/08/09 21:35:36;  author: kris;  state: Exp;  lines: +2 -2
Upgrade to 5.8.17 ("Another victory for Open Source!"). This fixes a
remotely exploitable buffer overflow when connecting to a malicious
server.

So, update your ports.

Andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N.
|   Whitehead

From owner-freebsd-security Fri Aug 17 03:20:18 2001
From: "Roger Chien"
To: freebsd-security@FreeBSD.ORG
Date: Fri, 17 Aug 2001 14:50:21 +0800
Subject: Re: Silly crackers... NT is for kids...

Don't you know the effect of a Code Red infected machine?
Most of them are innocent.

BTW, your FreeBSD isn't absolutely secure; applied the telnet-AYT patch
already?

>Subject: Silly crackers... NT is for kids...
>
>
>Hi,
>
>Recently hundreds of I.P. addresses have been attempting to use an NT
>exploit on my FreeBSD web server as if it were an NT server...
>Apache logs
>the attack like this:
>
>ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXX
>XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
>58%ucbd3%
>u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>HTTP/1.0" 404 276 "-" "-"
>
>Here's what security tracker has to say about it:
>http://securitytracker.com/alerts/2001/Jun/1001788.html
>
>Apparently this exploits the indexing service in IIS allowing the
>cracker to
>gain SYSTEM access...
>
>Now, this does absolutely nothing to my server, as it is a FreeBSD machine
>which I believe is decently secure even if the attacks were exploits that
>worked on FreeBSD (which they do not).
>Anyway, it's really starting to bug me, it has been going on for a couple of
>weeks now, and I am nearing a total of 300 I.P. addresses as the sources...
>most of which are low security NT servers on a commercial network such as
>AT&T@Home, and RoadRunner...
>
>Thanks,
>
>Jordan

From owner-freebsd-security Fri Aug 17 03:55:09 2001
From: Mikhail Aronov
To: freebsd-security@FreeBSD.ORG
Date: Fri, 17 Aug 2001 14:54:14 +0400 (MSD)
Subject: Re: Silly crackers... NT is for kids...

On Aug 17, 2001, Roger Chien wrote:

>Don't you know that the effect of Code Red infected machine?
>Most of them are innocent.
>
>BTW, your FreeBSD isn't absolutely secure, apply telnet-AYT patch
>already?

I was sure telnet died about 20 years ago together with passwordless
logins etc. Unencrypted session == broadcast session, isn't it?
Mikhail Aronov aronov@parkline.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 17 4:57:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from guard.ing.nl (guard.ing.nl [194.178.239.66]) by hub.freebsd.org (Postfix) with ESMTP id 80CA237B40B for ; Fri, 17 Aug 2001 04:57:13 -0700 (PDT) (envelope-from Danny.Carroll@mail.ing.nl) Received: by ING-mailhub; id NAA29587; Fri, 17 Aug 2001 13:59:06 +0200 (MET DST) Received: from somewhere by smtpxd content-class: urn:content-classes:message Subject: RE: Silly crackers... NT is for kids... Date: Fri, 17 Aug 2001 14:00:26 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Message-ID: <98829DC07ECECD47893074C4D525EFC311561E@citsnl007.europe.intranet> X-MS-Has-Attach: X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-MS-TNEF-Correlator: Thread-Topic: Silly crackers... NT is for kids... Thread-Index: AcEnC55Aygb796FoTK2ff3o9fqhmhgACHmVg From: "Carroll, D. (Danny)" To: Importance: normal X-OriginalArrivalTime: 17 Aug 2001 12:00:31.0390 (UTC) FILETIME=[36B75BE0:01C12714] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Agreed As far as I am concerned, anything less than SSH is asking for trouble. -----Original Message----- From: Mikhail Aronov [mailto:aronov@parkline.ru] Sent: Friday, August 17, 2001 12:54 PM To: freebsd-security@FreeBSD.ORG Subject: Re: Silly crackers... NT is for kids... On Aug 17, 2001, Roger Chien wrote: >Don't you know that the effect of Code Red infected machine? >Most of them are innocent. > >BTW, your FreeBSD isn't absolutely secure, apply telnet-AYT patch >already? I was sure telnet died about 20 years ago together with passwordless logins etc. 
Unencrypted session == broadcast session, isn't it?

Mikhail Aronov
aronov@parkline.ru

-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------

From owner-freebsd-security Fri Aug 17 05:09:25 2001
Date: Fri, 17 Aug 2001 15:07:49 +0300
From: Peter Pentchev
To: "Carroll, D. (Danny)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...
Message-ID: <20010817150749.F724@ringworld.oblivion.bg>
References: <98829DC07ECECD47893074C4D525EFC311561E@citsnl007.europe.intranet>
In-Reply-To: <98829DC07ECECD47893074C4D525EFC311561E@citsnl007.europe.intranet>; from Danny.Carroll@mail.ing.nl on Fri, Aug 17, 2001 at 02:00:26PM +0200

OK, let's not go through this yet one more time.. alright?

For most cases, anything less than SSH is asking for trouble.
There *are* some cases, though, when telnet is acceptable
(properly protected LAN's), and there are even some cases when telnet
is the only really acceptable way - and yes, I've heard about all kinds
of SSH clients, including Java ones, web-based ones, etc.. but still,
there are cases when one simply has to use telnet, period.

G'luck,
Peter

-- 
You have, of course, just begun reading the sentence that you have just finished reading.

On Fri, Aug 17, 2001 at 02:00:26PM +0200, Carroll, D. (Danny) wrote:
> Agreed
> As far as I am concerned, anything less than SSH is asking for trouble.
> 
> -----Original Message-----
> From: Mikhail Aronov [mailto:aronov@parkline.ru]
> Sent: Friday, August 17, 2001 12:54 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: Silly crackers... NT is for kids...
> 
> 
> On Aug 17, 2001, Roger Chien wrote:
> 
> >Don't you know that the effect of Code Red infected machine?
> >Most of them are innocent.
> >
> >BTW, your FreeBSD isn't absolutely secure, apply telnet-AYT patch
> >already?
> I was sure telnet died about 20 years ago together with passwordless
> logins etc. Unencrypted session == broadcast session, isn't it?
From owner-freebsd-security Fri Aug 17 05:21:57 2001
Date: Fri, 17 Aug 2001 14:25:01 +0200
From: "Carroll, D. (Danny)"
Subject: RE: Silly crackers... NT is for kids...
Message-ID: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet>

Even for authentication?

I can understand using a telnet client to manually test SMTP servers or
other protocols, but I cannot understand why you *need* telnet.
Mind you I am against using pop3 as well, unless it's encrypted.

-D

-----Original Message-----
From: Peter Pentchev [mailto:roam@ringlet.net]
Sent: Friday, August 17, 2001 2:08 PM
To: Carroll, D. (Danny)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...

OK, let's not go through this yet one more time.. alright?

For most cases, anything less than SSH is asking for trouble.
There *are* some cases, though, when telnet is acceptable
(properly protected LAN's), and there are even some cases when telnet
is the only really acceptable way - and yes, I've heard about all kinds
of SSH clients, including Java ones, web-based ones, etc.. but still,
there are cases when one simply has to use telnet, period.

G'luck,
Peter

-- 
You have, of course, just begun reading the sentence that you have just finished reading.

From owner-freebsd-security Fri Aug 17 05:25:40 2001
Date: Fri, 17 Aug 2001 16:24:51 +0400 (MSD)
From: Mikhail Aronov
Subject: Re: Silly crackers... NT is for kids...
In-Reply-To: <20010817150749.F724@ringworld.oblivion.bg>
Message-ID: <20010817161920.O893-100000@ami.gpt.ru>

On Aug 17, 2001, Peter Pentchev wrote:
>OK, let's not go through this yet one more time.. alright?
>
>For most cases, anything less than SSH is asking for trouble.
>There *are* some cases, though, when telnet is acceptable
>(properly protected LAN's), and there are even some cases when telnet
>is the only really acceptable way - and yes, I've heard about all kinds
>of SSH clients, including Java ones, web-based ones, etc.. but still,
>there are cases when one simply has to use telnet, period.
>
>G'luck,
>Peter

I can add some more examples when telnet is the only way, but you're
right - quite enough.

Yours,
Mikhail Aronov
aronov@parkline.ru

From owner-freebsd-security Fri Aug 17 06:25:53 2001
Date: Fri, 17 Aug 2001 09:25:42 -0400 (EDT)
From: "Andrew R. Reiter"
To: audit@freebsd.org, security@freebsd.org
Subject: login_cap

Hey,

I'm wondering if there's any real interest for patches to be made for
some services so that they do login class, etc. authentication? Such an
example would be for atrun.c in libexec/atrun/. In my opinion, it is
probably worth doing and getting committed, but if no one would commit
the patches, I don't see a point in doing them :-)

btw, if you're unfamiliar with login caps, check out login_cap(3) and
login_class(3).

Andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|    to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Fri Aug 17 08:26:28 2001
Date: Fri, 17 Aug 2001 08:26:15 -0700
From: randall ehren
Reply-To: randall@isber.ucsb.edu
Organization: isber.ucsb.edu
To: freebsd-security@freebsd.org
Cc: Steve McGhee
Subject: Re: [Fwd: Silly crackers... NT is for kids...]
Message-ID: <3B7D3797.ED5ED033@isber.ucsb.edu>
References: <3B7D33B0.E584E835@lmri.ucsb.edu>

hey,
i have several freebsd web servers getting attacked all day long. they
are basically hitting anything with port 80 open (hp jet admin boxes as
well)

it may not be the most polite thing, and i have yet to test it, but
there are a few people making little scripts to "get back" at them...
http://members.shaw.ca/jobeus/codered.htm is one example. there was a
post on slashdot.org a few days back with another version...
http://www.dasbistro.com/default_ida_info.html

the article was:
http://slashdot.org/article.pl?sid=01/08/11/1420207&mode=nested

-- 
- randall s. ehren -=- 805 893-5632
system administrator -=- isber.ucsb.edu
institute for social, behavioral, and economic research
randall.cell@isber.ucsb.edu

freebsd-security@freebsd.org
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache
> logs the attack like this:
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 276 "-" "-"
>
>
> I have been receiving so many of these lately, that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic
> attempt to gain access to my machine. Really all it does is pester me by
> sucking up a small percentage of my bandwidth, and system resources...
>
> My question is: Is this a common attack that script kiddies are using
> right now? Are lots of people getting attacked in a similar manner? If so,
> does anyone know a place where I could get the binary and source code so
> that I can take a look at how it works? And what are the rest of you guys
> doing about this if anything?
>
> I have notified the ISPs of the attackers I.P. ranges (mostly AT&T@Home)
> but they have done nothing, and have not even replied to my complaints. I
> have resorted to running a cron that blocks these I.P. addresses when
> they first show their ugly faces... I know that's kind of anal, but I feel
> that it is a good precaution because even if it really is hundreds of
> people, a couple of them are bound to get wise eventually and try
> something smarter...

From owner-freebsd-security Fri Aug 17 08:32:16 2001
Date: Fri, 17 Aug 2001 07:27:33 -0700 (PDT)
From: David Kirchner
To: randall ehren
Cc: Steve McGhee
Subject: Re: [Fwd: Silly crackers... NT is for kids...]
In-Reply-To: <3B7D3797.ED5ED033@isber.ucsb.edu>
Message-ID: <20010817072502.A38221-100000@localhost>

Automated responses to the queries are a Very Bad Thing (tm). All it will
do is clog up the Internet further, filling sysadmin mailboxes. To put it
into perspective, consider that a server I am on is hit by Code Red
15-20,000 times a day for the past month. That's a hell of a lot of e-mail
going out just to remind people that they should keep up on security.

You're probably better off just ignoring them.

On Fri, 17 Aug 2001, randall ehren wrote:
> hey,
> i have several freebsd web servers getting attacked all day long. they
> are basically hitting anything with port 80 open (hp jet admin boxes as
> well)
>
> it may not be the most polite thing, and i have yet to test it, but
> there are a few people making little scripts to "get back" at them...
> http://members.shaw.ca/jobeus/codered.htm is one example. there was a
> post on slashdot.org a few days back with another version...
> http://www.dasbistro.com/default_ida_info.html
>
> the article was:
> http://slashdot.org/article.pl?sid=01/08/11/1420207&mode=nested

From owner-freebsd-security Fri Aug 17 09:30:53 2001
Date: Sat, 18 Aug 2001 02:30:30 +1000 (EST)
From: Ian Smith
To: default - Subscriptions
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...

On Fri, 17 Aug 2001, default - Subscriptions wrote:

I see you've now been brought up to speed, but you can do little things!

[.. cut to bits ..]

> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache logs

Hundreds of thousands, some say. Still quite a few pumping away ..

> HTTP/1.0" 404 276 "-" "-"

note 276 byte response; you can save some on that .. or send 'em more!

> to gain access to my machine. Really all it does is pester me by sucking up
> a small percentage of my bandwidth, and system resources...
I'd added an ipfw rule, after allowing access to the valid webserver IPs
within our public subnet but before mass denial for protected and unused
IPs, just to get an idea of the scope of it:

# ipfw add 62612 deny log tcp from any to ${us}/26 80 in recv ${oif} setup

After about a fortnight, just the requests to 50-odd non-webserving IPs:

# ipfw -t show | grep 62612
62612 180299 8675060 Sat Aug 18 01:08:59 2001 [deny as above ..]

and we're just a little crew on a permanent 56k modem connection. we're
up for a couple of dollars for that lot, but it's not worth suing ..

> can take a look at how it works? And what are the rest of you guys doing
> about this if anything?

I got bored with various httpd-error.log rolling over daily instead of
more often monthly, so decided to feed the ravaging monster something:

# pwd
/usr/local/www/data
# ll *ida; cat *ida
-rw-r--r--  1 root  wheel  64 Aug  8 07:47 default.ida
Bad luck using that costly, broken, closed-source m$ webserver!

and now have back useful error.logs, and have reduced outbound traffic,
not that that costs us, by about 75% of the 404 response, no big deal.
Didn't even bother giving .ida a MIME type, it just went .. now get:

203.75.142.254 - - [18/Aug/2001:00:21:04 +1000] "GET /default.ida?X [..] HTTP/1.0" 200 64 "-" "-"

Still have to grep these out or exclude 'em from log analysis, boring ..

> I have notified the ISPs of the attackers I.P. ranges (mostly AT&T@Home) but
> they have done nothing, and have not even replied to my complaints. I have

Happy hunting!

:-)
Ian

From owner-freebsd-security Fri Aug 17 10:12:33 2001
Date: Fri, 17 Aug 2001 19:12:18 +0200
From: Alexander Langer
To: David Kirchner
Cc: randall ehren, freebsd-security@FreeBSD.ORG, Steve McGhee
Subject: Re: [Fwd: Silly crackers... NT is for kids...]
Message-ID: <20010817191218.A41441@fump.kawo2.rwth-aachen.de>
References: <3B7D3797.ED5ED033@isber.ucsb.edu> <20010817072502.A38221-100000@localhost>
In-Reply-To: <20010817072502.A38221-100000@localhost>; from davidk@accretivetg.com on Fri, Aug 17, 2001 at 07:27:33AM -0700

Thus spake David Kirchner (davidk@accretivetg.com):
> To put it in to perspective, consider that a server I am on is hit by Code
> Red 15-20,000 times a day for the past month. That's a hell of a lot of

15-20,000 times a day?
Code Red 1 and 2 use IP numbers for scans. I have gotten approx. 200 hits
per IP since the beginning.

Why is yours hit that often?

Alex

From owner-freebsd-security Fri Aug 17 10:14:12 2001
Date: Fri, 17 Aug 2001 09:09:16 -0700 (PDT)
From: David Kirchner
To: Alexander Langer
Cc: randall ehren, Steve McGhee
Subject: Re: [Fwd: Silly crackers... NT is for kids...]
In-Reply-To: <20010817191218.A41441@fump.kawo2.rwth-aachen.de>
Message-ID: <20010817090853.E38221-100000@localhost>

On Fri, 17 Aug 2001, Alexander Langer wrote:
> Thus spake David Kirchner (davidk@accretivetg.com):
> 
> > To put it in to perspective, consider that a server I am on is hit by Code
> > Red 15-20,000 times a day for the past month. That's a hell of a lot of
> 
> 15-20,000 times a day?
> Code Red 1 and 2 use IP numbers for scans. I have gotten approx.
> 200 hits per IP since the beginning.
> 
> Why is yours hit that often?

The servers I'm accessing to check these stats have a huge footprint on
the 'net - 2000 or so IPs each.
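Ian's log trimming and the per-host hit counts that Alexander and David compare above both come down to picking the Code Red probes out of the Apache access log. Here is an added example in Python, not code from anyone in the thread, that does that over a few constructed log lines: it assumes Apache common/combined log format, uses documentation IP addresses, and reports hits per source, the filler-letter variant mix, and what Ian's 64-byte default.ida saves over the stock 404.

```python
"""Pick the Code Red probes out of Apache access-log lines.

Added example, not code from the thread.  It does programmatically what the
posters do by hand: recognise the "GET /default.ida?XXXX...%u9090..." probe,
count hits per source and distinct sources, split the probes off so the rest
of the log can be analysed normally, and work out what serving a tiny
default.ida saves over the stock 404.  Assumes Apache common/combined log
format; every address and log line below is constructed.
"""
import re
from collections import Counter

# host ident authuser [time] "request" status bytes ... (tail of line ignored)
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# A long run of one filler letter followed by %uXXXX escapes, as in the
# thread's log excerpt.  Author's note (not from the thread): the original
# worm padded with N, Code Red II with X, so the filler tells them apart.
PROBE_RE = re.compile(
    r'^GET /default\.ida\?(?P<filler>[NX])(?P=filler){15,}.*?%u[0-9a-fA-F]{4}'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not CLF."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def probe_filler(request):
    """Filler letter of a Code Red probe, or None for any other request."""
    m = PROBE_RE.match(request)
    return m.group("filler") if m else None


def split_probes(lines):
    """Separate the probes from the rest of the log (Ian's 'grep these out')."""
    probes, others = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a log line; skip rather than guess
        (probes if probe_filler(rec["request"]) else others).append(rec)
    return probes, others


def summarize(probes):
    """Hits, distinct sources, per-source counts, variant mix, bytes sent back."""
    by_host = Counter(r["host"] for r in probes)
    variants = Counter(probe_filler(r["request"]) for r in probes)
    return {
        "hits": len(probes),
        "distinct_sources": len(by_host),
        "by_host": dict(by_host),
        "variants": dict(variants),
        "bytes_out": sum(r["bytes"] for r in probes),
    }


def savings_if_served(probes, reply_bytes):
    """Bytes saved, and the fraction of the logged responses that is, if each
    probe had received a fixed reply_bytes reply (Ian's 64-byte default.ida)."""
    before = sum(r["bytes"] for r in probes)
    saved = before - reply_bytes * len(probes)
    return saved, (saved / before if before else 0.0)


# Constructed sample: documentation addresses, filler runs shortened to 40.
FILL_X, FILL_N = "X" * 40, "N" * 40
UESC = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = [
    f'192.0.2.10 - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?{FILL_X}{UESC} HTTP/1.0" 404 276 "-" "-"',
    f'192.0.2.10 - - [17/Aug/2001:01:02:44 -0500] "GET /default.ida?{FILL_X}{UESC} HTTP/1.0" 404 276 "-" "-"',
    f'198.51.100.7 - - [17/Aug/2001:01:10:09 -0500] "GET /default.ida?{FILL_N}{UESC} HTTP/1.0" 404 276 "-" "-"',
    f'192.0.2.55 - - [17/Aug/2001:01:11:30 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.77"',
    f'203.0.113.9 - - [18/Aug/2001:00:21:04 +1000] "GET /default.ida?{FILL_X}{UESC} HTTP/1.0" 200 64 "-" "-"',
    "not a log line at all",
]

if __name__ == "__main__":
    probes, others = split_probes(SAMPLE_LOG)
    print(summarize(probes))                  # 4 hits from 3 sources
    still_404 = [p for p in probes if p["status"] == 404]
    print(savings_if_served(still_404, 64))   # (636, 0.768...) -> "about 75%"
```

Run against a real access log, feed the file's lines to split_probes() and analyse only the "others" list; the probes list is what Jordan's cron and Ian's ipfw counter were measuring.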
From owner-freebsd-security Fri Aug 17 12:00:13 2001
Date: Fri, 17 Aug 2001 20:59:54 +0200
From: "Dave"
Subject: IDS
Message-ID: <001f01c1274e$cdc8b620$3400a8c0@mandy>

Hello,
I have been using snort for some time now and I stumbled across a
program named Hogwash (http://hogwash.sourceforge.org) which uses the snort
base to detect possible intrusion, but then DROPS the packet if it matches a
ruleset. E.g. Code red can just be dropped instead of blocking port 80.

This seems like a very good idea to me, however hogwash is a linux program.
Can anyone perhaps recommend another program and/or method to do this.

Thanks in advance,
--Dave.

From owner-freebsd-security Fri Aug 17 12:21:25 2001
Date: Fri, 17 Aug 2001 15:21:15 -0400 (EDT)
From: "H. Wade Minter"
Subject: RE: Silly crackers... NT is for kids...
Message-ID: <26359.63.167.1.26.998076075.squirrel@webmail.skiltech.com>
In-Reply-To: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet>
References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet>

On Aug 17, 2001, "Carroll, D. (Danny)" wrote:
> Even for authentication?
>
> I can understand using a telnet client to manually test SMTP servers or
> other protocols, but I cannot understand why you *need* telnet.
> Mind you I am against using pop3 as well, unless it's encrypted.

Well, there could be a case where the Powers That Be with the corporate
firewall allow telnet out, but refuse to allow SSH out, and no amount of
rational argument will convince them to do otherwise.

Not that I'm currently living that, no.
--Wade

-- 
Do your part in the fight against injustice.
Free Dmitry Sklyarov! http://www.freesklyarov.org/
Fight the DMCA! http://www.anti-dmca.org/

From owner-freebsd-security Fri Aug 17 12:31:35 2001
Date: Fri, 17 Aug 2001 15:29:03 -0400
From: "MoS"
Subject: RE: [Fwd: Silly crackers... NT is for kids...]
In-Reply-To: <3B7D3797.ED5ED033@isber.ucsb.edu>

Side note: You might want to read the various advisories regarding
enabling (er, not DISabling) web jetadmin on those jetdirect cards/boxes.
Tends to make telnetting password-free (not that password protecting
telnet helps much).

Incidentally, jetdirect happens to be a case of telnet-only (along with
Cabletron/Riverstone gear, sadly enough). When will equipment vendors get
it?!?

-Jeff

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of randall ehren
Sent: Friday, August 17, 2001 11:26 AM

hey,
i have several freebsd web servers getting attacked all day long.
they are basically hitting anything with port 80 open (hp jet admin boxes as
well)

From owner-freebsd-security Fri Aug 17 12:33:53 2001
Date: Fri, 17 Aug 2001 15:32:58 -0400 (EDT)
From: Joe Clarke
To: Dave
Subject: Re: IDS
In-Reply-To: <001f01c1274e$cdc8b620$3400a8c0@mandy>
Message-ID: <20010817153110.U59726-100000@shumai.marcuscom.com>

You can certainly get hogwash to compile on FreeBSD. I just did it. Let
me know if you have questions on the build.

Joe Clarke

On Fri, 17 Aug 2001, Dave wrote:
> Hello,
> I have been using snort for some time now and I stumbled across a
> program named Hogwash (http://hogwash.sourceforge.org) which uses the snort
> base to detect possible intrusion, but then DROPS the packet if it matches a
> ruleset. E.g. Code red can just be dropped instead of blocking port 80.
>
> This seems like a very good idea to me however hogwash is a linux program.
> Can anyone perhaps recommend another program and/or method to do this.
>
> Thanks in advance,
> --Dave.
From owner-freebsd-security Fri Aug 17 12:39:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from nebula-bsd.dyndns.org (ptldme-cmt2-c3-66-30-32-135.maine.rr.com [66.30.32.135]) by hub.freebsd.org (Postfix) with ESMTP id DEC7037B403 for ; Fri, 17 Aug 2001 12:39:55 -0700 (PDT) (envelope-from richard@nebula-bsd.dyndns.org) Received: from localhost (richard@localhost) by nebula-bsd.dyndns.org (8.11.1/8.11.1) with ESMTP id f7HJdle03604 for ; Fri, 17 Aug 2001 15:39:47 -0400 (EDT) (envelope-from richard@nebula-bsd.dyndns.org) Date: Fri, 17 Aug 2001 15:39:46 -0400 (EDT) From: Richard Stanaford X-Sender: richard@localhost To: freebsd-security@FreeBSD.ORG Subject: RE: [Fwd: Silly crackers... NT is for kids...] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org And certain DSL routers. The worm has been giving Qwest Communications fits upon fits. I am sitting here right now watching one to five attempts to propagate the worm to my box every five minutes. The log just keeps scrollin' and I wonder when it will dawn on those infected that they are contributing to a nuisance and to apply the very readily available patch. -R On Fri, 17 Aug 2001, MoS wrote: > i have several freebsd web servers getting attacked all day long.
they > are basically hitting anything with port 80 open (hp jet admin boxes as > well) > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 17 13:56:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from virtual-voodoo.com (bdsl.66.12.217.106.gte.net [66.12.217.106]) by hub.freebsd.org (Postfix) with ESMTP id D0A7E37B40A; Fri, 17 Aug 2001 13:56:39 -0700 (PDT) (envelope-from steve@virtual-voodoo.com) Received: from inlafrec (bdsl.66.12.217.40.gte.net [66.12.217.40]) (authenticated) by virtual-voodoo.com (8.11.5/8.11.5) with ESMTP id f7HKuc452329; Fri, 17 Aug 2001 15:56:38 -0500 (EST) (envelope-from steve@virtual-voodoo.com) Message-ID: <021401c1275e$99119540$28d90c42@eservoffice.com> From: "Steven Ames" To: "Steven Ames" , "Robert Watson" Cc: "Igor Roshchin" , References: <005101c12670$dc57d1a0$28d90c42@eservoffice.com> Subject: Re: cvs commit: src/etc inetd.conf Date: Fri, 17 Aug 2001 15:52:57 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org So... not having heard any feedback... is it worth spending time on it to produce patches to inetd (to handle Option #1) and a command line tool to modify the configuration using either #1 or #2 (below)? Both are pretty straight forward... > On Wed, 15 Aug 2001, Robert Watson wrote: > > > > One of the problems with this solution is that sites frequently modify > > their inetd.conf to add services, such as pop or imap, and that if they > > ran sysinstall to select a template, they would risk squashing their > > current install. > > Absolutely. 
I was only suggesting a selection of fixed configurations > for initial install. For the "out of the box" approach. Anything past > initial install I get iffy letting a script make decisions for me :) > > > I agree with your thoughts on a menu-driven editor, but doing that > > properly relies on having a machine-parsable file format that supports > > in-band disabling of services. > > Sort of. As others have pointed out, changing our inetd.conf file makes > us different than other UNIX and that's bad from a learning curve/standards > type of position. OTOH, I see two possible ways around this objection: > > 1. The radical approach. Add an option to inetd that tells it to use a > machine > readable file instead of inetd.conf (maybe inetd.db or some such). > My feeling was that our current file. This doesn't really violate POLA as > it's > something readily apparent and the admin goes into it with his eyes open. > > 2. Make use of the existing inetd.conf format with some special handling of > comments. Assume that anything starting with '#OFF#' is a usable option > that is currently turned off. Anything else starting with '#' is just a > comment. > While this won't work with a lot of existing inetd.conf files out there it > won't > barf on them either. It just means that instead of being able to just click > the > "ON" button for a disabled option you'll have to use the inetd editor to ADD > a new service. No biggie. Any comments read in get regurgitated back out > in the order they appear in. Clicking the "OFF" button for an active service > will cause it to be commented out with the "#OFF#" syntax. > > > format didn't lend itself to that, and as such I went with the current > > "spit the user a text editor" over implementing one before 4.4-RELEASE. > > If someone would like to write an editor that understands the syntax and > > semantics of inetd.conf, they should feel free.
However, it needs to > > handle the cases where users have custom comments (etc) properly, and be > > able to handle the full scope of valid inetd.conf files, not just the set > > of files it could possibly generate. > > Agreed in all regards. > > -Steve > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 17 14: 4:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-24-169-175-136.stny.rr.com [24.169.175.136]) by hub.freebsd.org (Postfix) with ESMTP id 1ACAA37B406 for ; Fri, 17 Aug 2001 14:04:21 -0700 (PDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.4/8.11.4) with ESMTP id f7HL45T05034; Fri, 17 Aug 2001 17:04:05 -0400 (EDT) (envelope-from piechota@argolis.org) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Fri, 17 Aug 2001 17:04:04 -0400 (EDT) From: Matt Piechota To: "Carroll, D. (Danny)" Cc: Subject: RE: Silly crackers... NT is for kids... In-Reply-To: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet> Message-ID: <20010817165323.F4969-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 17 Aug 2001, Carroll, D. (Danny) wrote: > Even for authentication? > > I can understand using a telnet client to manually test SMTP servers or > other protocols, but I cannot understand why you *need* telnet. > Mind you I am against using pop3 as well, unless it's encrypted. 
Example 1: You're on an internal heavily firewalled corporate LAN, where none of your information is hidden between employees. So you don't care, and you don't have to worry about installing ssh on every PC's desktop, and teaching cluon-deprived people to use it. Example 2: You're running realtime applications, or applications that need all available processing power for performance reasons. The extra overhead of encrypting and decrypting the ssh traffic may drop your performance. Let's not forget that until the recently done work of the OpenSSH team, you couldn't use SSH in a commercial environment without paying for it. And besides, sniffing passwords isn't that terribly easy if you're using switched Ethernet anyways. As an experiment, I've tried to sniff passwords here (falls under Example 1: we telnet everywhere, and even allow root to telnet and ftp in); I've never gotten one unless it was from the box I was running the sniffer from. I'll agree that these aren't all that typical, but they do exist. -- Matt Piechota Finger piechota@emailempire.com for PGP key AOL IM: cithaeron From owner-freebsd-security Fri Aug 17 14:11:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id 28D2F37B407 for ; Fri, 17 Aug 2001 14:11:21 -0700 (PDT) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 15Xqta-0000uo-00 for freebsd-security@FreeBSD.ORG; Fri, 17 Aug 2001 17:11:10 -0400 Date: Fri, 17 Aug 2001 17:11:09 -0400 From: Peter Radcliffe To: freebsd-security@FreeBSD.ORG Subject: Re: Silly crackers... NT is for kids...
Message-ID: <20010817171109.F28291@pir.net> Reply-To: freebsd-security@freebsd.org Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet> <20010817165323.F4969-100000@cithaeron.argolis.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010817165323.F4969-100000@cithaeron.argolis.org>; from piechota@argolis.org on Fri, Aug 17, 2001 at 05:04:04PM -0400 X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matt Piechota probably said: > And besides, sniffing passwords isn't that terribly easy if you're using > switched Ethernet anyways. As an experiment, I've tried to sniff > passwords here (Falls under Example 1: we telnet everywhere, and even > allow root to telnet and ftp in), I've never gotten one unless it was from > the box I was running the sniffer from. http://naughty.monkey.org/~dugsong/dsniff/ http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml P. 
-- pir pir@pir.net pir@net.tufts.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 17 14:11:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id E2B8937B412 for ; Fri, 17 Aug 2001 14:11:52 -0700 (PDT) (envelope-from nate@yogotech.com) Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id PAA15144; Fri, 17 Aug 2001 15:11:47 -0600 (MDT) (envelope-from nate@nomad.yogotech.com) Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id PAA15505; Fri, 17 Aug 2001 15:11:47 -0600 (MDT) (envelope-from nate) From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15229.34962.653064.226276@nomad.yogotech.com> Date: Fri, 17 Aug 2001 15:11:46 -0600 To: Matt Piechota Cc: "Carroll, D. (Danny)" , Subject: RE: Silly crackers... NT is for kids... In-Reply-To: <20010817165323.F4969-100000@cithaeron.argolis.org> References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet> <20010817165323.F4969-100000@cithaeron.argolis.org> X-Mailer: VM 6.95 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid Reply-To: nate@yogotech.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > Even for authentication? > > > > I can understand using a telnet client to manually test SMTP servers or > > other protocols, but I cannot understand why you *need* telnet. > > Mind you I am against using pop3 as well, unless it's encrypted. > > Example 1: > You're on an internal heavily firewalled corporate LAN, where none of your > information is hidden between employees. 
So you don't care, and you don't > have to worry about installing ssh on every PC's desktop, and teaching > cluon-deprived people to use it. Agreed, but given the recent telnetd exploit, I'm not sure you want it on by default. Even in our heavily-firewalled environment, we don't want *ALL* of the users to have root access on our FreeBSD boxes. :) Having the users enable it by default makes them more aware of what's going on. (Although, one could argue that all the folks who are still infected with CodeRed initially enabled it, and have done nothing since...) > Example 2: You're running realtime applications, or applications that > need all available processing power for performance reasons. The > extra overhead of encrypting and decrypting the ssh traffic may drop > your performance. Then don't telnet into the box. If you need to monitor a box over an insecure network, then encryption/decryption is a necessity, IMHO. > Let's not forget that until the recently done work of the OpenSSH team, > you couldn't use SSH in a commercial environment without paying for it. > And besides, sniffing passwords isn't that terribly easy if you're using > switched Ethernet anyways. Actually, it is. See the archives of how easy it is to blow the switch out of the water. :) Nate From owner-freebsd-security Fri Aug 17 14:22:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from nyc.rr.com (nycsmtp1fb.rdc-nyc.rr.com [24.29.99.76]) by hub.freebsd.org (Postfix) with ESMTP id 64F6737B403; Fri, 17 Aug 2001 14:22:38 -0700 (PDT) (envelope-from jslivko@4evermail.com) Received: (apparently) from equinox ([24.168.44.136]) by nyc.rr.com with Microsoft SMTPSVC(5.5.1877.357.35); Fri, 17 Aug 2001 17:22:23 -0400 Message-ID: <007901c12762$d3ac7ea0$8701a8c0@equinox> From: "Jonathan M. Slivko" To: "Nate Williams" , "Matt Piechota" Cc: "Carroll, D.
(Danny)" , , References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet><20010817165323.F4969-100000@cithaeron.argolis.org> <15229.34962.653064.226276@nomad.yogotech.com> Subject: Re: Silly crackers... NT is for kids... Date: Fri, 17 Aug 2001 17:23:13 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Which just brings me to another point, why not just turn ssh on by default and turn telnetd off by default, given the latest exploit. Thanks for bringing up a point that I wanted to bring to the security team for a while. -- Jonathan M. Slivko 4EverMail Hosting Services http://www.4evermail.com "Are YOU ready for the new Internet?" -- ----- Original Message ----- From: "Nate Williams" To: "Matt Piechota" Cc: "Carroll, D. (Danny)" ; Sent: Friday, August 17, 2001 5:11 PM Subject: RE: Silly crackers... NT is for kids... > > Even for authentication? > > > > I can understand using a telnet client to manually test SMTP servers or > > other protocols, but I cannot understand why you *need* telnet. > > Mind you I am against using pop3 as well, unless it's encrypted. > > Example 1: > You're on an internal heavily firewalled corporate LAN, where none of your > information is hidden between employees. So you don't care, and you don't > have to worry about installing ssh on every PC's desktop, and teaching > cluon-deprived people to use it. Agreed, but given the recent telnetd exploit, I'm not sure you want it on by default. Even in our heavily-firewalled environment, we don't want *ALL* of the users to have root access on our FreeBSD boxes.
:) Having the users enable it by default makes them more aware of what's going on. (Although, one could argue that all the folks who are still infected with CodeRed initially enabled it, and have done nothing since...) > Example 2: You're running realtime applications, or applications that > need all available processing power for performance reasons. The > extra overhead of encrypting and decrypting the ssh traffic may drop > your performance. Then don't telnet into the box. If you need to monitor a box over an insecure network, then encryption/decryption is a necessity, IMHO. > Let's not forget that until the recently done work of the OpenSSH team, > you couldn't use SSH in a commercial environment without paying for it. > And besides, sniffing passwords isn't that terribly easy if you're using > switched Ethernet anyways. Actually, it is. See the archives of how easy it is to blow the switch out of the water. :) Nate From owner-freebsd-security Fri Aug 17 14:34:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id 4632C37B40F; Fri, 17 Aug 2001 14:34:09 -0700 (PDT) (envelope-from fbsd-secure@ursine.com) Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f7HLXwT73320; Fri, 17 Aug 2001 14:33:59 -0700 (PDT) (envelope-from fbsd-secure@ursine.com) Message-ID: <3B7D8DC6.A0B600AA@ursine.com> Date: Fri, 17 Aug 2001 14:33:58 -0700 From: Michael Bryan X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: Silly crackers... NT is for kids...
References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet><20010817165323.F4969-100000@cithaeron.argolis.org> <15229.34962.653064.226276@nomad.yogotech.com> <007901c12762$d3ac7ea0$8701a8c0@equinox> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Jonathan M. Slivko" wrote: > > Which just brings me to another point, why not just turn ssh on by default > and turn telnetd off by default, given the latest exploit. Umm, because the -next- exploitable bug might be in sshd, not telnetd? There are lots of good reasons to run ssh and not telnet by default, but the fact that telnetd had a recent exploitable bug is not one of those reasons. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 17 14:37:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail32.sdc1.sfba.home.com (femail32.sdc1.sfba.home.com [24.254.60.22]) by hub.freebsd.org (Postfix) with ESMTP id 1EF4E37B409; Fri, 17 Aug 2001 14:37:52 -0700 (PDT) (envelope-from bmah@employees.org) Received: from intruder.bmah.org ([24.176.204.87]) by femail32.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010817213726.JDPL1756.femail32.sdc1.sfba.home.com@intruder.bmah.org>; Fri, 17 Aug 2001 14:37:26 -0700 Received: (from bmah@localhost) by intruder.bmah.org (8.11.5/8.11.3) id f7HLbPT12574; Fri, 17 Aug 2001 14:37:25 -0700 (PDT) (envelope-from bmah) Message-Id: <200108172137.f7HLbPT12574@intruder.bmah.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: "Jonathan M. Slivko" Cc: "Nate Williams" , "Matt Piechota" , "Carroll, D. (Danny)" , freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: Silly crackers... NT is for kids... 
In-Reply-To: <007901c12762$d3ac7ea0$8701a8c0@equinox> References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet><20010817165323.F4969-100000@cithaeron.argolis.org> <15229.34962.653064.226276@nomad.yogotech.com> <007901c12762$d3ac7ea0$8701a8c0@equinox> Comments: In-reply-to "Jonathan M. Slivko" message dated "Fri, 17 Aug 2001 17:23:13 -0400." From: "Bruce A. Mah" Reply-To: bmah@FreeBSD.ORG X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_1009623041P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Fri, 17 Aug 2001 14:37:25 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --==_Exmh_1009623041P Content-Type: text/plain; charset=us-ascii If memory serves me right, "Jonathan M. Slivko" wrote: > Which just brings me to another point, why not just turn ssh on by default > and turn telnetd off by default, given the latest exploit. Thanks for > bringing up a point that I wanted to bring to the security team for awhile. From the release notes for -CURRENT and 4-STABLE: All services in inetd.conf are now disabled by default for new installations. sysinstall(8) gives the option of enabling or disabling inetd(8) on new installations, as well as editing inetd.conf. Bruce. 
--==_Exmh_1009623041P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: Exmh version 2.3.1+ 05/14/2001

iD8DBQE7fY6V2MoxcVugUsMRAjWFAKD3ma6yZ79564ihsDgvJZcVBth3RgCeIbZo
XsPMaAgvD+VzSd/dTPa6lI4=
=ozkt
-----END PGP SIGNATURE-----

--==_Exmh_1009623041P--

From owner-freebsd-security Fri Aug 17 14:39: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 014FA37B40A; Fri, 17 Aug 2001 14:39:00 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7HLcGs33275; Fri, 17 Aug 2001 14:38:16 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Fri, 17 Aug 2001 14:38:16 -0700 (PDT) Message-Id: <200108172138.f7HLcGs33275@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:53.ipfw Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:53                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          ipfw `me' on P2P interfaces matches remote address

Category:       core
Module:         ipfw
Announced:      2001-08-17
Credits:        Igor M Podlesny
Affects:        FreeBSD 4-STABLE after February 20, 2001 and prior to the
                correction date
                FreeBSD 4.3-RELEASE
Corrected:      2001-07-17 10:50:01 UTC (FreeBSD 4.3-STABLE)
                2001-07-18 06:56:23 UTC (RELENG_4_3)
FreeBSD only:   YES

I.   Background

ipfw is a system facility which allows IP packet filtering, redirecting,
and traffic accounting.  ipfw `me' rules are filter rules that specify a
source or destination address of `me', intended to match any IP address
configured on a local interface.

II.  Problem Description

A flaw in the implementation of the ipfw `me' rules when used in
conjunction with point-to-point interfaces results in filter rules which
match the remote IP address of the point-to-point interface in addition
to the intended local IP address.

III. Impact

IP datagrams with a source or destination IP address of a remote
point-to-point link may be handled in a way unintended by the system
administrator.  For example, given an interface such as

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 1.1.1.1 --> 2.2.2.2 netmask 0xff000000

and this ipfw rule:

00010 allow ip from me to any

packets with a source address of 2.2.2.2 would be allowed to pass when
the administrator may have reasonably expected it not to match this rule.

IV.  Workaround

Do not use ipfw `me' rules.  Rewrite any existing `me' rules to use
explicit IP addresses.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3
security branch after the respective correction dates.

2) FreeBSD 4.x systems prior to the correction date:

The following patches have been verified to apply to FreeBSD 4.3-RELEASE
and 4-STABLE dated prior to the correction date.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:53/ipfw.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:53/ipfw.patch.asc

# cd /usr/src
# patch -p < /path/to/patch
# install -c -m 0444 -o root -g wheel /usr/src/sys/netinet/in_var.h /usr/include/netinet/
# cd /usr/src/sbin/ipfw
# make depend && make all install

The following steps will be different depending upon whether your system
has ipfw compiled into the kernel or is using the ipfw KLD.  If the
output of `kldstat' includes `ipfw.ko', then you are using the KLD and
should follow the directions listed in (2a) below.  Otherwise, if your
kernel configuration file contains the line `options IPFIREWALL', you
should follow the directions listed in (2b) below.

2a) Execute the following commands as root:

# cd /usr/src/sys/modules/ipfw
# make depend && make all install

2b) Rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html

In either case 2a) or 2b), you must reboot your system to load the new
module or kernel.

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process.  This package
may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for
use on systems for which source patching is not practical or convenient.
If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the process
for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package.  These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:53/security-patch-ipfw-01.53.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:53/security-patch-ipfw-01.53.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-ipfw-01.53.tgz

Restart your system after applying the patch.

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each file
that was corrected, for the supported branches of FreeBSD.  The $FreeBSD$
revision of installed sources can be examined using the ident(1) command.

[FreeBSD 4.3-STABLE]

Revision  Path
1.33.4.1  src/sys/netinet/in_var.h

[RELENG_4_3]

Revision  Path
1.33.2.2  src/sys/netinet/in_var.h

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO32OK1UuHi5z0oilAQGFaAQAoeOYBYHehpMs28K1K4BKneLF4/KBfel/
NGmGslQVe4DHxiIfV2WWyQw1KjH/N8NSOiBsri8+pMZkFaOyBw1Q41vUCd+2pZW1
97qYWj6aWjIlpNm9/zOPnWN6smge4OZ7UCqX1+VsP6nf8VBrEfOYl44hl82oCMk9
S9NvqSOqDsI=
=HqMM
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Aug 17 14:40:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from nyc.rr.com (nycsmtp2fb.rdc-nyc.rr.com [24.29.99.78]) by hub.freebsd.org (Postfix) with ESMTP id 79E6737B405; Fri, 17 Aug 2001 14:39:57 -0700 (PDT) (envelope-from jslivko@4evermail.com) Received: from equinox ([24.168.44.136]) by nyc.rr.com with Microsoft SMTPSVC(5.5.1877.357.35); Fri, 17 Aug 2001 17:39:16 -0400 Message-ID: <00a801c12765$2f83c6f0$8701a8c0@equinox> From: "Jonathan M. Slivko" To: Cc: "Nate Williams" , "Matt Piechota" , "Carroll, D. (Danny)" , , References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet><20010817165323.F4969-100000@cithaeron.argolis.org> <15229.34962.653064.226276@nomad.yogotech.com> <007901c12762$d3ac7ea0$8701a8c0@equinox> <200108172137.f7HLbPT12574@intruder.bmah.org> Subject: Re: Silly crackers... NT is for kids...
Date: Fri, 17 Aug 2001 17:40:08 -0400

I'm saying without any intervention of any kind.

-- Jonathan

--
Jonathan M. Slivko
4EverMail Hosting Services
http://www.4evermail.com
"Are YOU ready for the new Internet?"
--

----- Original Message -----
From: "Bruce A. Mah"
To: "Jonathan M. Slivko"
Cc: "Nate Williams"; "Matt Piechota"; "Carroll, D. (Danny)"
Sent: Friday, August 17, 2001 5:37 PM
Subject: Re: Silly crackers... NT is for kids...

From owner-freebsd-security Fri Aug 17 14:57:06 2001
Date: Fri, 17 Aug 2001 16:54:45 -0500
From: Chris Costello
Reply-To: chris@calldei.com
To: "Jonathan M. Slivko"
Cc: bmah@FreeBSD.ORG, Nate Williams, Matt Piechota, "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...
Message-ID: <20010817165445.A16395@holly.calldei.com>
In-Reply-To: <00a801c12765$2f83c6f0$8701a8c0@equinox>; from jslivko@4evermail.com on Fri, Aug 17, 2001 at 05:40:08PM -0400
References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet> <20010817165323.F4969-100000@cithaeron.argolis.org> <15229.34962.653064.226276@nomad.yogotech.com> <007901c12762$d3ac7ea0$8701a8c0@equinox> <200108172137.f7HLbPT12574@intruder.bmah.org> <00a801c12765$2f83c6f0$8701a8c0@equinox>

On Friday, August 17, 2001, Jonathan M. Slivko wrote:
> I'm saying without any intervention of any kind. -- Jonathan

Hence the part about "By default". If the person installing FreeBSD
does nothing when asked about inetd.conf, no inetd services are
enabled. This means telnetd, too.

--
+-------------------+--------------------------------------------+
| Chris Costello    | Wasting time is an important part of life. |
| chris@calldei.com |                                            |
+-------------------+--------------------------------------------+

From owner-freebsd-security Fri Aug 17 15:28:23 2001
Date: Fri, 17 Aug 2001 15:42:38 -0600
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: "Jonathan M. Slivko"
Cc: "Nate Williams", "Matt Piechota", "Carroll, D. (Danny)"
Subject: Re: Silly crackers... NT is for kids...
Message-ID: <15229.36814.232456.549513@nomad.yogotech.com>
In-Reply-To: <007901c12762$d3ac7ea0$8701a8c0@equinox>
References: <98829DC07ECECD47893074C4D525EFC311561F@citsnl007.europe.intranet> <20010817165323.F4969-100000@cithaeron.argolis.org> <15229.34962.653064.226276@nomad.yogotech.com> <007901c12762$d3ac7ea0$8701a8c0@equinox>

> Which just brings me to another point, why not just turn ssh on by default
> and turn telnetd off by default, given the latest exploit.

As Bruce already mentioned, this is the new default in 4.4.
Nate

From owner-freebsd-security Fri Aug 17 16:13:50 2001
Date: Sat, 18 Aug 2001 01:13:44 +0200
From: Ivan Krstic
To: Etienne de Bruin
Cc: freebsd-security@freebsd.org
Subject: Re: Separate firewall or not...OOPS no subject sorry!
Message-ID: <20010818011344.A7870@gnjilux.cc.fer.hr>
In-Reply-To: <9D4A4E19244ED4119BE90050DAD5DD47BC5608@mail.quidel.com>
References: <9D4A4E19244ED4119BE90050DAD5DD47BC5608@mail.quidel.com>

On Fri, Aug 17, 2001 at 04:06:46PM -0700, Etienne de Bruin wrote:
> Hi Ivan, please will you keep me posted on when you will complete this
> article - I would be interested in reading it as well.
> Thanks
>
> eT
>
> > -----Original Message-----
> > From: Ivan Krstic [mailto:ike@gnjilux.srk.fer.hr]
> > Sent: Thursday, August 09, 2001 6:15 PM
> >
> > I'm currently in the process of writing a brief
> > locking-down-FreeBSD paper, and
> > I'll be sure to post its address here once it's completed

To Whom It May Concern,

daemonnews.org has two quite decent articles about locking down a
FreeBSD machine - one by Matt Dillon and one by Aeon Flux. The URLs are:

http://www.daemonnews.org/200108/security_overview.html
http://www.daemonnews.org/200108/security-howto.html

I believe these papers cover most of the topics I intended to write a
paper about myself, and I've hence given this up.

Best regards,

--
Ivan Krstic - ike

" life is the road beneath my feet, love is the girl I wait to meet,
and art is everything I create, rob me of any and I will hate,
you, my God, my devil, my fate "

From owner-freebsd-security Fri Aug 17 17:21:48 2001
Date: Fri, 17 Aug 2001 06:52:28 -0700 (PDT)
From: Laurence Berland
To: "Carroll, D. (Danny)"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Silly crackers... NT is for kids...
In-Reply-To: <98829DC07ECECD47893074C4D525EFC311561E@citsnl007.europe.intranet>

In a corporate environment, telnet should be long dead. Unfortunately,
when your user base is the various and random members of a program at a
University, it's not so easy. I took telnet down on a Linux server until
I had a patch. It was down for three days. My replies to their emails
included a free ssh client for windows, but alas, start->run->"telnet" is
what they want to do, and taking telnet down only makes them mad.

L:

On Fri, 17 Aug 2001, Carroll, D. (Danny) wrote:

> Agreed
> As far as I am concerned, anything less than SSH is asking for trouble.
>
> -----Original Message-----
> From: Mikhail Aronov [mailto:aronov@parkline.ru]
> Sent: Friday, August 17, 2001 12:54 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: Silly crackers... NT is for kids...
>
> On Aug 17, 2001, Roger Chien wrote:
>
> >Don't you know that the effect of Code Red infected machine?
> >Most of them are innocent.
> >
> >BTW, your FreeBSD isn't absolutely secure, apply telnet-AYT patch
> >already?
> I was sure telnet died about 20 years ago together with passwordless
> logins etc. Unencrypted session == broadcast session, isn't it?
>
> Mikhail Aronov
> aronov@parkline.ru
> -----------------------------------------------------------------
> ATTENTION:
> The information in this electronic mail message is private and
> confidential, and only intended for the addressee. Should you
> receive this message by mistake, you are hereby notified that
> any disclosure, reproduction, distribution or use of this
> message is strictly prohibited. Please inform the sender by
> reply transmission and delete the message without copying or
> opening it.
>
> Messages and attachments are scanned for all viruses known.
> If this message contains password-protected attachments, the
> files have NOT been scanned for viruses by the ING mail domain.
> Always scan attachments before opening them.
> -----------------------------------------------------------------

Laurence Berland
http://www.isp.northwestern.edu

From owner-freebsd-security Fri Aug 17 17:30:48 2001
Date: Fri, 17 Aug 2001 20:30:41 -0400
From: Patrick Li
To: freebsd-security@FreeBSD.ORG
Subject: [Fwd:] Re: Silly crackers... NT is for kids...
Message-ID: <20010817203041.A10116@databits.net>

----- Forwarded message from Patrick Li -----

| Date: Fri, 17 Aug 2001 20:29:03 -0400
| From: Patrick Li
| To: Laurence Berland
| Subject: Re: Silly crackers... NT is for kids...
| User-Agent: Mutt/1.2.5i
|
| Fact #1: Old stuff dies hard. SIGH
|
| -pat
| ++ 17/08/01 06:52 -0700 - Laurence Berland:
| | In a corporate environment, telnet should be long dead. Unfortunately,
| | when your user base is the various and random members of a program at a
| | University, it's not so easy. I took telnet down on a Linux server until
| | I had a patch. It was down for three days. My replies to their emails
| | included a free ssh client for windows, but alas, start->run->"telnet" is
| | what they want to do, and taking telnet down only makes them mad.
| |
| | L:
| |
| | On Fri, 17 Aug 2001, Carroll, D. (Danny) wrote:
| |
| | > Agreed
| | > As far as I am concerned, anything less than SSH is asking for trouble.
| | > [...]
| |
| | Laurence Berland
| | http://www.isp.northwestern.edu

----- End forwarded message -----

From owner-freebsd-security Fri Aug 17 21:51:26 2001
Date: Sat, 18 Aug 2001 00:51:32 -0400 (EDT)
From: Mikhail Kruk
To: Laurence Berland
Cc: "Carroll, D. (Danny)"
Subject: RE: Silly crackers... NT is for kids...

In a corporate environment (as it was mentioned here before) telnet is
useful. Users of Unix boxes in big companies tend to be programmers, not
system administrators and hackers. The best environment for development
is when any service is enabled and all users have blank passwords so that
anyone can use anyone's machine. But of course disabling telnet for
accessing from the outside world is a problem because people do want to
use start, run, telnet, not some weird ssh program.
But there exists a way to make people stop using telnet. First of all
tell them about ssh clients. Putty is absolutely the best for Win32:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
Install the MindTerm applet on your server so that people will be able to
access it without any downloads. And finally set up your telnetd so that
it will print a message saying "telnet is insecure. please use ssh" etc.
It will display this message, sleep for 60 seconds and then run the normal
telnetd. Most people will just sit there and wait for 60 seconds, then
use telnet. After one or two months of this torture disable telnetd for
good (keep the message, but don't run telnetd). People will download ssh
and think "Thank God, I don't have to wait for 60 seconds now! I love
that SSH thing!"
That's what our sysadmin did (shell server used by some 4000 undergrads)
and it worked.

On Fri, 17 Aug 2001, Laurence Berland wrote:

> In a corporate environment, telnet should be long dead. Unfortunately,
> when your user base is the various and random members of a program at a
> University, it's not so easy. I took telnet down on a Linux server until
> I had a patch. It was down for three days. My replies to their emails
> included a free ssh client for windows, but alas, start->run->"telnet" is
> what they want to do, and taking telnet down only makes them mad.
>
> L:
>
> On Fri, 17 Aug 2001, Carroll, D. (Danny) wrote:
>
> > Agreed
> > As far as I am concerned, anything less than SSH is asking for trouble.
> > [...]
>
> Laurence Berland
> http://www.isp.northwestern.edu

From owner-freebsd-security Fri Aug 17 22:18:27 2001
Date: Fri, 17 Aug 2001 23:17:36 -0600 (MDT)
From: John Galt
To: Joe Clarke
Cc: Dave
Subject: Re: IDS
In-Reply-To: <20010817153110.U59726-100000@shumai.marcuscom.com>
Mail-Followup-To: galt@inconnu.isu.edu

We DO have a -users list, and we ARE trying to go with the BSD setup, it's
just our main author is more comfortable with Linux. However, I believe
that we should have a FreeBSD test box RSN (4.3R), as we have two people
working on getting one up: one'll be up within a week. Pity :( I was
waiting until FreeBSD 4.4 came out to get the box in question up: looks
like a cvsup/make world...

On Fri, 17 Aug 2001, Joe Clarke wrote:

>You can certainly get hogwash to compile on FreeBSD. I just did it. Let
>me know if you have questions on the build.
>
>Joe Clarke
>
>On Fri, 17 Aug 2001, Dave wrote:
>
>> Hello,
>> I have been using snort for some time now and I stumbled across a
>> program named Hogwash (http://hogwash.sourceforge.org) which uses the snort
>> base to detect possible intrusion, but then DROPS the packet if it matches a
>> ruleset. E.g. Code red can just be dropped instead of blocking port 80.
>>
>> This seems like a very good idea to me however hogwash is a linux program.
>> Can anyone perhaps recommend another program and/or method to do this.
>>
>> Thanks in advance,
>> --Dave.

--
The Internet must be a medium for it is neither Rare nor Well done!
John Galt

From owner-freebsd-security Fri Aug 17 22:46:26 2001
Date: Sat, 18 Aug 2001 00:45:55 -0500 (CDT)
From: Technical Support
Message-ID: <20010818004524.D92438-100000@awww.jeah.net>

Aug 18 00:41:39 server02 /kernel: pid 92100 (ftpd), uid 1004: exited on signal 11

Today I downloaded and applied the patch successfully, in regards to the
recent FTP/libc vuln. Now you can't connect to the box via FTP, and the
ftpd that opens when a user connects signal 11s. Ideas?
From owner-freebsd-security Fri Aug 17 23:57:41 2001
Date: Sat, 18 Aug 2001 02:57:31 -0400 (EDT)
From: Mitch Collinsworth
To: Mikhail Kruk
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Silly crackers... NT is for kids...

On Sat, 18 Aug 2001, Mikhail Kruk wrote:

> The best environment for development is
> when any service is enabled and all users have blank passwords so that
> anyone can use anyone's machine.

That's crazy. There's no audit trail. If nothing else, one disgruntled
employee can wreak havoc without anyone even knowing who it was.

> Putty is absolutely the best for Win32:

Putty is great. I use it and love it, but with no X11 forwarding it
is NOT the absolute best.

> And finally set up your telnetd so that it will print a message saying
> "telnet is insecure. please use ssh" etc. It will display this message,
> sleep for 60 seconds and then run normal telnetd. Most people will just
> sit there and wait for 60 seconds, then use telnet. After one or two months
> of this torture disable telnetd for good (keep the message, but don't run
> telnetd). People will download ssh and think "Thank God, I don't have to
> wait for 60 seconds now! I love that SSH thing!"
> That's what our sysadmin did (shell server used by some 4000 undergrads)
> and it worked.

Now this is a great idea! I think I'll give it a try. Thanks for
passing it on.

-Mitch

From owner-freebsd-security Sat Aug 18 00:10:35 2001
Date: Sat, 18 Aug 2001 03:10:27 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
Subject: RE: Silly crackers... NT is for kids...

On Sat, 18 Aug 2001, Mitch Collinsworth wrote:

> On Sat, 18 Aug 2001, Mikhail Kruk wrote:
>
> > The best environment for development is
> > when any service is enabled and all users have blank passwords so that
> > anyone can use anyone's machine.
>
> That's crazy. There's no audit trail. If nothing else, one disgruntled
> employee can wreak havoc without anyone even knowing who it was.
>
> > Putty is absolutely the best for Win32:
>
> Putty is great. I use it and love it, but with no X11 forwarding it
> is NOT the absolute best.

From the same site: plink -ssh -X

> [...snip fantastic idea to train (l)users away from using telnet...]

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Sat Aug 18 01:05:15 2001
Date: Sat, 18 Aug 2001 03:05:08 -0500
From: Alfred Perlstein
To: John Galt
Cc: Joe Clarke, Dave, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, hogwash-users@lists.sourceforge.net
Subject: Re: IDS
Message-ID: <20010818030508.V38066@elvis.mu.org>
References: <20010817153110.U59726-100000@shumai.marcuscom.com>
In-Reply-To: ; from galt@inconnu.isu.edu on Fri, Aug 17, 2001 at 11:17:36PM -0600

* John Galt [010818 00:18] wrote:
>
> We DO have a -users list, and we ARE trying to go with the BSD setup, it's
> just our main author is more comfortable with Linux. However, I believe
> that we should have a FreeBSD test box RSN (4.3R), as we have two people
> working on getting one up: one'll be up within a week.
> Pity :( I was
> waiting until FreeBSD 4.4 came out to get the box in question up: looks
> like a cvsup/make world...

Please trim emails. :)

go to:
ftp://releng4.freebsd.org/pub/FreeBSD/snapshots/i386/4.3-20010817-STABLE/
for a snapshot of a recent freebsd.

--
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?

From owner-freebsd-security Sat Aug 18 11:33:10 2001
Date: Sat, 18 Aug 2001 14:32:41 -0400 (EDT)
From: Joe Clarke
To: John Galt
Cc: Dave
Subject: Re: IDS
Message-ID: <20010818143216.F67826-100000@shumai.marcuscom.com>

I would be happy to put a FreeBSD port together if people want it. I
think this would be a useful application.

Joe Clarke

On Fri, 17 Aug 2001, John Galt wrote:

>
> We DO have a -users list, and we ARE trying to go with the BSD setup, it's
> just our main author is more comfortable with Linux. However, I believe
> that we should have a FreeBSD test box RSN (4.3R), as we have two people
> working on getting one up: one'll be up within a week. Pity :( I was
> waiting until FreeBSD 4.4 came out to get the box in question up: looks
> like a cvsup/make world...
>
> On Fri, 17 Aug 2001, Joe Clarke wrote:
>
> >You can certainly get hogwash to compile on FreeBSD. I just did it. Let
> >me know if you have questions on the build.
> > [...]
>
> --
> The Internet must be a medium for it is neither Rare nor Well done!
> John Galt

From owner-freebsd-security Sat Aug 18 11:47:58 2001
Date: Sat, 18 Aug 2001 14:47:42 -0400 (EDT)
From: Matt Piechota
To: "H. Wade Minter"
Subject: RE: Silly crackers... NT is for kids...
In-Reply-To: <26359.63.167.1.26.998076075.squirrel@webmail.skiltech.com>
Message-ID: <20010818144512.P4969-100000@cithaeron.argolis.org>

On Fri, 17 Aug 2001, H. Wade Minter wrote:

> Well, there could be a case where the Powers That Be with the corporate
> firewall allow telnet out, but refuse to allow SSH out, and no amount of
> rational argument will convince them to do otherwise.
>
> Not that I'm currently living that, no.

I feel your pain, brother. The best thing I've been able to figure out is
to use SSLTelnet. I've been meaning to try running ssh on port 23, but I
haven't gotten around to it yet.
-- Matt Piechota Finger piechota@emailempire.com for PGP key AOL IM: cithaeron To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Aug 18 11:59:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-24-169-175-136.stny.rr.com [24.169.175.136]) by hub.freebsd.org (Postfix) with ESMTP id 1F28D37B40B for ; Sat, 18 Aug 2001 11:59:24 -0700 (PDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.4/8.11.4) with ESMTP id f7IIx8U11112; Sat, 18 Aug 2001 14:59:08 -0400 (EDT) (envelope-from piechota@argolis.org) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Sat, 18 Aug 2001 14:59:08 -0400 (EDT) From: Matt Piechota To: Mikhail Kruk Cc: Laurence Berland , "Carroll, D. (Danny)" , Subject: RE: Silly crackers... NT is for kids... In-Reply-To: Message-ID: <20010818145557.H4969-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 18 Aug 2001, Mikhail Kruk wrote: > And finally setup your telnetd so that it will print a message saying > "telnet is insecure. please use ssh" etc. It will display this message, > sleep for 60 seconds and then run normal telnetd. Most people will just > sit there and wait for 60 seconds, then use telnet. After one or two month > of this torture disable telnetd for good (keep the message, but don't run > telnetd). People will download ssh and think "Thank God, I don't have to > wait for 60 seconds now! I love that SSH thing!" > That's what our sysadmin did (shell server used by some 4000 undergrads) > and it worked. 
While not a bad idea in the .edu universe, if I tried to pull that on our
development servers, I'd have a torrent of angry email not only from
developers but their managers. Being accountable sucks. :)

-- 
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Sat Aug 18 12:05:19 2001
From: Matt Piechota
To: Nate Williams
Cc: "Carroll, D. (Danny)"
Subject: RE: Silly crackers... NT is for kids...
Date: Sat, 18 Aug 2001 15:05:05 -0400 (EDT)
In-Reply-To: <15229.34962.653064.226276@nomad.yogotech.com>
Message-ID: <20010818150053.C4969-100000@cithaeron.argolis.org>

On Fri, 17 Aug 2001, Nate Williams wrote:

> Agreed, but given the recent telnetd exploit, I'm not sure you want it
> on by default. Even in our heavily-firewalled environment, we don't
> want *ALL* of the users to have root access on our FreeBSD boxes. :)

I must have misspoken. There's only 4 of us that have the root password on
our machines, but we 4 telnet everywhere as root. And just to horrify
everyone, my lead actually runs X as root, as did I for a while.
> Having the users enable it by default makes them more aware of what's
> going on. (Although, one could argue that all the folks who are still
> infected with CodeRed initially enabled it, and have done nothing
> since...)

I completely agree. I like the way RedHat 7.1 disables almost everything on
install. One could argue that they shouldn't even install sshd, since they
may well have a bug in it as well.

> Actually, it is. See the archives of how easy it is to blow the switch
> out of the water. :)

Fair enough.

-- 
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Sat Aug 18 12:34:06 2001
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Joe Clarke", "John Galt"
Cc: "Dave"
Subject: RE: IDS
Date: Sat, 18 Aug 2001 12:33:21 -0700
In-Reply-To: <20010818143216.F67826-100000@shumai.marcuscom.com>
Message-ID: <002d01c1281c$a3baacc0$1401a8c0@tedm.placo.com>

While it would be great if you wanted to put a port of this together, unless
you want to be responsible for this for a long period of time - years that is
- then please consider this carefully. We already have many ports in FreeBSD
that have been abandoned by their maintainers and cause a lot of trouble for
users.

A much better solution for those that aren't committed to this is to go
through the code of the package and make sure that it cleanly compiles under
FreeBSD without a string of compiler warnings, and get the changes fed back to
the package distribution maintainers. In particular pay attention to:

http://www.freebsd.org/porters-handbook/porting-versions.html
http://www.freebsd.org/porters-handbook/porting-prefix.html
http://www.freebsd.org/porters-handbook/x1895.html
http://www.freebsd.org/porters-handbook/x1947.html

The problems covered by these links are really portability issues. It becomes
a lot harder when packages that people write make a bunch of assumptions about
hard coding directory names, stomping on variables, and putting wrong ifdefs in
the code. That just forces the port maintainer to create huge sets of patch
files to be applied to the package and greatly increases the maintenance
requirements. It's much better if these suggestions can be fed back to the
package developers so they get included in their source, without having to be
patched in later. If this is done then even an inexperienced person can create
a port of the package and add that into the FreeBSD ports section later on.

I agree with Dave that this is a great idea; let's make sure that the things
get done to it now so that it doesn't become a maintenance problem for us
later on.
Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Joe Clarke
>Sent: Saturday, August 18, 2001 11:33 AM
>To: John Galt
>Cc: Dave; freebsd-security@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG;
>hogwash-users@lists.sourceforge.net
>Subject: Re: IDS
>
>
>I would be happy to put a FreeBSD port together if people want it. I
>think this would be a useful application.
>
>Joe Clarke
>
>On Fri, 17 Aug 2001, John Galt wrote:
>
>>
>> We DO have a -users list, and we ARE trying to go with the BSD setup, it's
>> just our main author is more comfortable with Linux. However, I believe
>> that we should have a FreeBSD test box RSN (4.3R), as we have two people
>> working on getting one up: one'll be up within a week. Pity :( I was
>> waiting until FreeBSD 4.4 came out to get the box in question up: looks
>> like a cvsup/make world...
>>
>> On Fri, 17 Aug 2001, Joe Clarke wrote:
>>
>> >You can certainly get hogwash to compile on FreeBSD. I just did it. Let
>> >me know if you have questions on the build.
>> >
>> >Joe Clarke
>> >
>> >On Fri, 17 Aug 2001, Dave wrote:
>> >
>> >> Hello,
>> >> I have been using snort for some time now and I stumbled across a
>> >> program named Hogwash (http://hogwash.sourceforge.org) which uses the
>> >> snort base to detect possible intrusion, but then DROPS the packet if
>> >> it matches a ruleset. E.g. Code red can just be dropped instead of
>> >> blocking port 80.
>> >>
>> >> This seems like a very good idea to me however hogwash is a linux
>> >> program. Can anyone perhaps recommend another program and/or method
>> >> to do this.
>> >>
>> >> Thanks in advance,
>> >> --Dave.
>> >>
>> --
>> The Internet must be a medium for it is neither Rare nor Well done!
>> John Galt

From owner-freebsd-security Sat Aug 18 18:43:41 2001
From: "Wade Majors"
Subject: RE: Silly crackers... NT is for kids...
Date: Sat, 18 Aug 2001 21:43:06 -0400
In-Reply-To: <20010818150053.C4969-100000@cithaeron.argolis.org>

> > Agreed, but given the recent telnetd exploit, I'm not sure you want it
> > on by default. Even in our heavily-firewalled environment, we don't
> > want *ALL* of the users to have root access on our FreeBSD boxes. :)
>
> I must have misspoken. There's only 4 of us that have the root password on
> our machines, but we 4 telnet everywhere as root. And just to horrify
> everyone, my lead actually runs X as root, as did I for a while.
>

I believe he was referring to the recent telnetd root exploit. A disgruntled,
bored, and/or curious employee can be just as dangerous as someone on the
outside.

-Wade

From owner-freebsd-security Sat Aug 18 21:30:30 2001
From: Jim Durham
Subject: Code Red is from default setup
Date: Sun, 19 Aug 2001 00:30:50 -0400 (EDT)

My friends who have to deal with M$ server things tell me that the default
setup for Win2k server is that the IIS server is installed. This means that a
clueless person installing Win2k server is probably not going to uncheck the
little box that says to install it. So, there is this lovely little IIS server
sitting there just waiting to be infected by Code Red.
I have tried doing an HTTP connect to perhaps 20 IP addresses collected from
"Code Red" attempts on my web server and they *all* report "This page under
construction". I believe these are web servers that are running unknown to
their owners. If this is the case, then they are *not* going to patch their
IIS servers because they probably don't know they have them, and this
silliness is going to keep right on going 8-(.

One downside of this is that ISPs are starting to block port 80 in an attempt
to kill the bug and those of us who have had the ability to run web service on
our home DSL or cable services are probably going to lose that ability.

Thanks, Bill....

-Jim Durham

From owner-freebsd-security Sat Aug 18 22:07:37 2001
From: "Adam Tuttle"
Subject: Rooted
Date: Sun, 19 Aug 2001 01:09:17 -0400
Message-ID: <000f01c1286d$18df05a0$a38de440@Tracey>
My box recently got rooted by a user on mIRC, they said it was because telnet
was too old, where can I get a new version of telnet? Also where can I find
patches for security on my box.

Thanks

Adam Tuttle
From owner-freebsd-security Sat Aug 18 22:24:07 2001
From: Spades
To: "Adam Tuttle"
Cc: freebsd-security@freebsd.org
Subject: Re: Rooted
Date: Sun, 19 Aug 2001 13:40:34 +0800
Message-Id: <3.0.32.20010819134033.0287f5cc@smtp.magix.com.sg>

You probably didn't update your source lately, you may like to cvsup as quite
a few vulnerabilities appeared during the last 3-4 weeks.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/libexec/telnetd
# make depend && make all install

Spades

At 01:09 AM 8/19/01 -0400, you wrote:
> My box recently got rooted by a user on mIRC, they said it was because
> telnet was too old, where can I get a new version of telnet? Also where
> can I find patches for security on my box.
>
> Thanks
>
> Adam Tuttle

From owner-freebsd-security Sat Aug 18 22:37:35 2001
From: David Kirchner
To: Spades
Cc: Adam Tuttle
Subject: Re: Rooted
Date: Sat, 18 Aug 2001 21:26:27 -0700 (PDT)
In-Reply-To: <3.0.32.20010819134033.0287f5cc@smtp.magix.com.sg>
Message-ID: <20010818212540.W38221-100000@localhost>

You may also be backdoored; if you weren't running something like tripwire to
catch changes in your system files, you may want to go ahead and re-install
FreeBSD entirely. May not be necessary, but it shouldn't hurt.

On Sun, 19 Aug 2001, Spades wrote:

> You probably didn't update your source lately, you may like to cvsup
> as quite a few vulnerabilities appeared during the last 3-4 weeks.
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch.asc
>
> # cd /usr/src/
> # patch -p < /path/to/patch
> # cd /usr/src/libexec/telnetd
> # make depend && make all install
>
> Spades
>
> At 01:09 AM 8/19/01 -0400, you wrote:
> > My box recently got rooted by a user on mIRC, they said
> > it was because telnet was too old, where can I get a new version of
> > telnet? Also where can I find patches for security on my
> > box. Thanks
> >
> > Adam Tuttle
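David's point above is that without a tripwire-style baseline of system files there is no way to tell what an intruder changed, which is why a reinstall is the safe answer. The following is an added example, not from the thread and not tripwire's own code: a minimal baseline-and-compare in Python, run over a constructed temporary directory, with hypothetical helper names (build_baseline, compare_baselines, demo).

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example with hypothetical helper names. A baseline maps each regular
# file (path relative to the root) to the attributes a trojaned replacement
# would change: content hash, permission bits (e.g. a new setuid bit), size.

def fingerprint(path: Path) -> dict:
    """Return the attributes compared for one regular file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}

def build_baseline(root: str) -> dict:
    """Walk root and fingerprint every regular file. Symlinks are skipped, so
    a binary swapped for a symlink shows up as removed rather than unchanged."""
    baseline = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root_path))] = fingerprint(p)
    return baseline

def compare_baselines(old: dict, new: dict) -> dict:
    """Report files added, removed, or modified between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a fake libexec directory, then simulate
    what a post-compromise check would see and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        libexec = Path(root) / "libexec"
        libexec.mkdir()
        for name in ("telnetd", "ftpd", "getty"):
            (libexec / name).write_bytes(b"original " + name.encode() + b"\n")
            os.chmod(libexec / name, 0o755)
        before = build_baseline(root)
        # Constructed changes standing in for intruder activity (no real malware).
        (libexec / "telnetd").write_bytes(b"replaced telnetd\n")  # content change
        os.chmod(libexec / "ftpd", 0o4755)                        # setuid bit added
        (libexec / "extra").write_bytes(b"new file\n")            # file added
        (libexec / "getty").unlink()                              # file removed
        after = build_baseline(root)
        return compare_baselines(before, after)

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it was taken before the compromise and kept where root on the box cannot rewrite it (read-only media or another host), since an intruder with root can otherwise update the baseline along with the files.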