From owner-freebsd-security Sun Nov 25 3:15:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id 8527837B405 for ; Sun, 25 Nov 2001 03:15:42 -0800 (PST)
Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id WAA12744; Sun, 25 Nov 2001 22:15:05 +1100
Date: Sun, 25 Nov 2001 22:13:44 +1100 (EST)
From: Bruce Evans
Subject: Re: fts_print bug?
In-Reply-To: <20011123015505.A5165@c7.campus.utcluj.ro>
Message-ID: <20011125220611.U5577-100000@delplex.bde.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, 23 Nov 2001 veedee@c7.campus.utcluj.ro wrote:

> Does anyone know anything about this?
>
> It didn't work on my box (4.3-RELEASE), but it did make some directories
> which I can't erase anymore...
>
> [#] rm -r 4965/
> rm: fts_read: File name too long
> ...
> Sorry for the messy output. A friend of mine found the "exploit" (see
> attachment) on BUGTRAQ.

I think the security holes in fts were fixed soon after they turned up
(this is an old exploit). I fixed the bug in rm (rm was using FTS_NOCHDIR,
which prevents fts handling deep directories). The fix is in 4.3. It still
works for me.

cp, pax and pkg_install are the only applications in /usr/src that use
FTS_NOCHDIR. It breaks at least cp in the same way as it breaks rm.
Bruce

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 25 4:17:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id BCE8F37B405 for ; Sun, 25 Nov 2001 04:17:51 -0800 (PST)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id XAA15978; Sun, 25 Nov 2001 23:17:24 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sun, 25 Nov 2001 23:17:24 +1100 (EST)
From: Ian Smith
To: Brett Glass
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: Security zone
In-Reply-To: <4.3.2.7.2.20011124162959.04085de0@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 24 Nov 2001, Brett Glass wrote:

> At 04:11 PM 11/24/2001, Kris Kennaway wrote:
>
> >It's basically a lie; you can do all this and more under FreeBSD.
>
> FreeBSD doesn't have per-application control of ports and sockets,
> which is what ZoneAlarm *tries* to provide. It'd be nice to add this
> as built-in feature, either in the base OS or in ipfw.

Yeah, Windows security 'features' for FreeBSD, just what we lack! :)

Can't you do 'per-app' stuff in ipfw with users and/or groups? Frankly
I'm more contented relying on having port access control in rc.firewall.
Cheers, Ian

From owner-freebsd-security Sun Nov 25 11:52:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tomts17-srv.bellnexxia.net (tomts17.bellnexxia.net [209.226.175.71]) by hub.freebsd.org (Postfix) with ESMTP id A91EF37B416 for ; Sun, 25 Nov 2001 11:52:40 -0800 (PST)
Received: from khan.anarcat.dyndns.org ([65.94.177.56]) by tomts17-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011125195240.XPVV16532.tomts17-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Sun, 25 Nov 2001 14:52:40 -0500
Received: from anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id D04C31A1F; Sun, 25 Nov 2001 14:54:52 -0500 (EST)
Message-ID: <3C014C5B.9765067F@anarcat.dyndns.org>
Date: Sun, 25 Nov 2001 14:54:03 -0500
From: The Anarcat
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: fr-CA,fr,en
MIME-Version: 1.0
To: Ian Smith
Cc: Brett Glass, Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: Security zone
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Ian Smith wrote:
>
> On Sat, 24 Nov 2001, Brett Glass wrote:
>
> > At 04:11 PM 11/24/2001, Kris Kennaway wrote:
> >
> > >It's basically a lie; you can do all this and more under FreeBSD.
> >
> > FreeBSD doesn't have per-application control of ports and sockets,
> > which is what ZoneAlarm *tries* to provide. It'd be nice to add this
> > as built-in feature, either in the base OS or in ipfw.
>
> Yeah, Windows security 'features' for FreeBSD, just what we lack! :)
>
> Can't you do 'per-app' stuff in ipfw with users and/or groups?
> Frankly
> I'm more contented relying on having port access control in rc.firewall.

You can't do "per-app" stuff. You can control on the local user or group
id, but that is about it.

Anyways, I can't figure out how one can pretend to have that level of
control over the stack (per-app) and why one would want to have it
anyways.

"apps" are installed/deinstalled, modified, upgraded, etc. It would be
impossible and simply useless to have that kind of control.

a.

From owner-freebsd-security Sun Nov 25 12: 0:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail9.wlv.netzero.net (mail9.wlv.netzero.net [209.247.163.66]) by hub.freebsd.org (Postfix) with SMTP id 2944F37B41A for ; Sun, 25 Nov 2001 12:00:39 -0800 (PST)
Received: (qmail 13143 invoked from network); 25 Nov 2001 20:00:37 -0000
Received: from ppp-65-91-243-213.mclass.broadwing.net (HELO musicstudio) (65.91.243.213) by mail9.wlv.netzero.net with SMTP; 25 Nov 2001 20:00:37 -0000
Message-ID: <03e501c175ec$19332b40$d5f35b41@musicstudio>
From: "Kevin & Anita Kinsey"
Subject: analysis of attack ??
Date: Sun, 25 Nov 2001 14:02:21 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_03E2_01C175B9.CD39C780"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

A hobbyist (me) recently set up a FreeBSD box for a friend's SOHO.
It serves as MTA, WWW, and FTP (for webpage upload) server, and sits
behind a NAT-ting router, which passes ftp/www/smtp traffic to
appropriate ports (under 'ideal' conditions, anyway).

During a recent visit [after too long an absence] I discovered his
bandwidth was totally eaten up (ping>2 seconds to upstream server) and
the cause was this box. Unusually named files appeared in
/var/ftp/pub/pub, and /etc/group showed that guest had root privileges.
I removed the machine from the net promptly and began wiping the disk
for a reinstall.

Questions:

*Does the fact that the files were in the public ftp directory mean that
Mr. Badguy came in via anonymous FTP, or did he sniff a user password
floating unencrypted over the 'Net?

*What should I do if/when (God forbid) this happens again to give me
(you?) more to analyze.....?

*Is there a better way [than FTP] to have his 'webmaster' (page
designer) upload pages to the site?

*I realize I'm probably a total idiot who doesn't deserve a root pw, but
please don't hit me too hard, the last 'friend' he had gave him no mail
service at all and had anonymous FTP login default to /wwwroot on his
IIS server. (Thanks, Nimda....)

Kevin Kinsey
From owner-freebsd-security Sun Nov 25 12:20:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 635E737B405 for ; Sun, 25 Nov 2001 12:20:11 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192) id EE86A81D2D; Sun, 25 Nov 2001 14:20:05 -0600 (CST)
Date: Sun, 25 Nov 2001 14:20:05 -0600
From: Alfred Perlstein
To: Kevin & Anita Kinsey
Cc: freebsd-security@freebsd.org
Subject: Re: analysis of attack ??
Message-ID: <20011125142005.D13393@elvis.mu.org>
References: <03e501c175ec$19332b40$d5f35b41@musicstudio>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <03e501c175ec$19332b40$d5f35b41@musicstudio>; from k_a_kinsey@netzero.net on Sun, Nov 25, 2001 at 02:02:21PM -0600

* Kevin & Anita Kinsey [011125 14:00] wrote:
>
> Questions:
> *Does the fact that the files were in the public ftp directory
> mean that Mr. Badguy came in via anonymous FTP, or did he sniff a
> user password floating unencrypted over the 'Net?

That's really not possible to determine for sure, even if your ftp
site configuration data was available.

> *What should I do if/when (God forbid) this happens again to give
> me (you?) more to analyze.....?

Keeping better logfiles would be good, setting them immutable or
having them sent to a completely separate machine or even to a
printer could work and hopefully keep the log entries from being
altered.

> *Is there a better way [than FTP] to have his 'webmaster' (page
> designer) upload pages to the site?

Actually I recently saw that _finally_ they came out with a
client that does ftp over ssh. I think DataFellows has such a client
you should check it out.

> *I realize I'm probably a total idiot who doesn't deserve a root
> pw, but please don't hit me too hard, the last 'friend' he had gave
> him no mail service at all and had anonymous FTP login default to
> /wwwroot on his IIS server. (Thanks, Nimda....)
Being proactive and knowing when to ask for help speaks a lot for you,
however it would probably make sense for you to hire a decent
consultant, take a look at the commercial consultants available on
www.freebsd.org or www.bsdmall.com (they offer training last I checked).

best of luck,
-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3

From owner-freebsd-security Sun Nov 25 12:24:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pcwin002.win.tue.nl (pcwin002.win.tue.nl [131.155.71.72]) by hub.freebsd.org (Postfix) with ESMTP id B9E1337B417 for ; Sun, 25 Nov 2001 12:24:30 -0800 (PST)
Received: (from stijn@localhost) by pcwin002.win.tue.nl (8.11.6/8.11.4) id fAPKNpd33754; Sun, 25 Nov 2001 21:23:51 +0100 (CET) (envelope-from stijn)
Date: Sun, 25 Nov 2001 21:23:51 +0100
From: Stijn Hoop
To: Alfred Perlstein
Cc: freebsd-security@freebsd.org
Subject: Re: analysis of attack ??
Message-ID: <20011125212351.A32145@pcwin002.win.tue.nl>
References: <03e501c175ec$19332b40$d5f35b41@musicstudio> <20011125142005.D13393@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011125142005.D13393@elvis.mu.org>; from bright@mu.org on Sun, Nov 25, 2001 at 02:20:05PM -0600
X-Bright-Idea: Let's abolish HTML mail!

[slightly offtopic]

On Sun, Nov 25, 2001 at 02:20:05PM -0600, Alfred Perlstein wrote:
> Actually I recently saw that _finally_ they came out with a
> client that does ftp over ssh. I think DataFellows has such a client
> you should check it out.

Ehm, sftp(1)?

ssh.com has a nice windows GUI client available [1], which should work
with recent -STABLE servers (after OpenSSH upgrade at least). Or install
openssh-portable.

--Stijn

[1] For a fee of course.

-- 
Nostalgia ain't what it used to be.
From owner-freebsd-security Sun Nov 25 12:53:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mrtwig.citlink.net (mrtwig.citlink.net [207.173.229.137]) by hub.freebsd.org (Postfix) with ESMTP id F1C5B37B416 for ; Sun, 25 Nov 2001 12:53:34 -0800 (PST)
Received: from blacklamb.mykitchentable.net ([207.173.255.209]) by mrtwig.citlink.net (InterMail vK.4.03.04.00 201-232-130 license a3e2d54ac3b1df4217e834deb9d77e31) with ESMTP id <20011125205810.MNKO136188.mrtwig@blacklamb.mykitchentable.net> for ; Sun, 25 Nov 2001 14:58:10 -0600
Received: from tagalong (unknown [192.168.1.11]) by blacklamb.mykitchentable.net (Postfix) with SMTP id 18D69EE547 for ; Sun, 25 Nov 2001 07:09:50 -0800 (PST)
Message-ID: <003001c175c3$0c81a4e0$0b01a8c0@lc.ca.gov>
From: "Drew Tomlinson"
Subject: Port 1214 - Is It Used For A Specific Purpose?
Date: Sun, 25 Nov 2001 07:08:33 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I was looking over my firewall logs this morning and noticed that there
are many attempts to connect to TCP port 1214 from different addresses.
I've searched the web but found no specific mention of any standard
purpose for this port. I suppose this is some sort of scan but was just
wondering if anyone knows exactly what this is?

I included a snip of my log from two complete attempts. It's probably
more than is needed but I thought maybe someone might see a pattern that
I'm missing.

Thanks,

Drew

P.S. 192.168.10.2 is my outside interface to my firewall. I know it is a
private address but it's OK as my ADSL modem/router gets a public address
from my ISP via DHCP and performs NAT for the rest of my machines.
> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1

From owner-freebsd-security Sun Nov 25 12:58:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 8E9DD37B405 for ; Sun, 25 Nov 2001 12:58:20 -0800 (PST)
Received: from tarmap.schulte.org (tarmap.schulte.org [209.134.156.198]) by poontang.schulte.org (Postfix) with ESMTP id 6322ED1598; Sun, 25 Nov 2001 14:58:19 -0600 (CST)
Message-Id: <5.1.0.14.0.20011125145704.02da3748@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sun, 25 Nov 2001 14:58:18 -0600
To: "Drew Tomlinson",
From: Christopher Schulte
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
In-Reply-To: <003001c175c3$0c81a4e0$0b01a8c0@lc.ca.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

http://www.incidents.org/archives/intrusions/msg01930.html

came up when I did a little searching.

At 07:08 AM 11/25/2001 -0800, Drew Tomlinson wrote:
>I was looking over my firewall logs this morning and noticed that there
>are many attempts to connect to TCP port 1214 from different addresses.
>I've searched the web but found no specific mention of any standard
>purpose for this port. I suppose this is some sort of scan but was just
>wondering if anyone knows exactly what this is?
>
>I included a snip of my log from two complete attempts. It's probably
>more than is needed but I thought maybe someone might see a pattern that
>I'm missing.
>
>Thanks,
>
>Drew

-- 
Christopher Schulte
christopher@schulte.org
http://noc.schulte.org/

From owner-freebsd-security Sun Nov 25 13: 0:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id D4A4737B405 for ; Sun, 25 Nov 2001 13:00:18 -0800 (PST)
Received: by peitho.fxp.org (Postfix, from userid 1501) id DA28813652; Sun, 25 Nov 2001 16:00:17 -0500 (EST)
Date: Sun, 25 Nov 2001 16:00:17 -0500
From: Chris Faulhaber
To: Drew Tomlinson
Cc: freebsd-security@freebsd.org
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
Message-ID: <20011125160017.A70820@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber, Drew Tomlinson, freebsd-security@freebsd.org
References: <003001c175c3$0c81a4e0$0b01a8c0@lc.ca.gov>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="CE+1k2dSO48ffgeK"
Content-Disposition: inline
In-Reply-To: <003001c175c3$0c81a4e0$0b01a8c0@lc.ca.gov>
User-Agent: Mutt/1.3.20i

On Sun, Nov 25, 2001 at 07:08:33AM -0800, Drew Tomlinson wrote:
> I was looking over my firewall logs this morning and noticed that there
> are many attempts to connect to TCP port 1214 from different addresses.
> I've searched the web but found no specific mention of any standard
> purpose for this port. I suppose this is some sort of scan but was just
> wondering if anyone knows exactly what this is?
>

Probably KaZaa, a file-sharing network. See
http://www.securityfocus.com/archive/75/241439 for a possible
explanation.

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjwBW+EACgkQObaG4P6BelC7SgCfctqsS6G13irxknrAz93BhV7t
1CYAnipFepSjuqkHgy9o6z6z+AJlSc8e
=FSp9
-----END PGP SIGNATURE-----

From owner-freebsd-security Sun Nov 25 13: 7:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mrtwig.citlink.net (mrtwig.citlink.net [207.173.229.137]) by hub.freebsd.org (Postfix) with ESMTP id 952B737B419 for ; Sun, 25 Nov 2001 13:07:29 -0800 (PST)
Received: from blacklamb.mykitchentable.net ([207.173.255.209]) by mrtwig.citlink.net (InterMail vK.4.03.04.00 201-232-130 license a3e2d54ac3b1df4217e834deb9d77e31) with ESMTP id <20011125211159.MVUM136188.mrtwig@blacklamb.mykitchentable.net>; Sun, 25 Nov 2001 15:11:59 -0600
Received: from bigdaddy (bigdaddy [192.168.1.3]) by blacklamb.mykitchentable.net (Postfix) with SMTP id D45D8EE547; Sun, 25 Nov 2001 13:08:38 -0800 (PST)
Message-ID: <008901c175f5$2c9b5820$0301a8c0@bigdaddy>
From: "Drew Tomlinson"
To: "Chris Faulhaber", "Christopher Schulte"
References: <003001c175c3$0c81a4e0$0b01a8c0@lc.ca.gov> <20011125160017.A70820@peitho.fxp.org>
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
Date: Sun, 25 Nov 2001 13:07:21 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

----- Original Message -----
From: "Chris Faulhaber"
To: "Drew Tomlinson"
Sent: Sunday, November 25, 2001 1:00 PM
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?

> Probably KaZaa, a file-sharing network. See
> http://www.securityfocus.com/archive/75/241439 for a possible
> explanation.

----- Original Message -----
From: "Christopher Schulte"
To: "Drew Tomlinson" ;
Sent: Sunday, November 25, 2001 12:58 PM
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?

> http://www.incidents.org/archives/intrusions/msg01930.html
>
> came up when I did a little searching.

Thank you both. That clears up the mystery.

Drew

From owner-freebsd-security Sun Nov 25 17: 3:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id 57AA237B41B for ; Sun, 25 Nov 2001 17:03:50 -0800 (PST)
Received: from user-33qtmct.dialup.mindspring.com ([199.174.217.157] helo=gohan.cjclark.org) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 168ABT-0006J5-00; Sun, 25 Nov 2001 17:03:45 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAP6a4j00325; Sat, 24 Nov 2001 22:36:04 -0800 (PST) (envelope-from cjc)
Date: Sat, 24 Nov 2001 22:36:03 -0800
From: "Crist J. Clark"
To: Krzysztof Zaraska
Cc: security@FreeBSD.ORG
Subject: Re: Firewall design [was: Re: Best security topology for FreeBSD]
Message-ID: <20011124223603.A228@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011122031739.A226@gohan.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Thu, Nov 22, 2001 at 08:55:30PM +0100
X-URL: http://people.freebsd.org/~cjc/

On Thu, Nov 22, 2001 at 08:55:30PM +0100, Krzysztof Zaraska wrote:
> On Thu, 22 Nov 2001, Crist J. Clark wrote:
>
> > It is sad to see this poor design,
> >
> >   Internet
> >      |
> >      |
> >   Firewall--"DMZ"
> >      |
> >      |
> >   Internal
> >
> > Used so very, very much these days (I think thanks to several firewall
> > vendors pushing this as a standard design).
> >
> > A much better design, is
> >
> >   Internet
> >      |
> >      |
> >   Firewall1
> >      |
> >      |
> >   DMZ
> >      |
> >      |
> >   Firewall2
> >      |
> >      |
> >   Internal
> >
> > (This design is actually where the term "DMZ" comes from since it
> > actually looks like one here.)
>
> Could you please explain why the second design is better?

The fundamental security concept: defense in depth. In the first
design, there is only a single layer of security between any of your
networks and the hostile network. In the second, you have an additional
layer of security for internal network.
-- 
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Sun Nov 25 17: 5: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id 68A2437B416 for ; Sun, 25 Nov 2001 17:04:53 -0800 (PST)
Received: from user-33qtmct.dialup.mindspring.com ([199.174.217.157] helo=gohan.cjclark.org) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 168ACV-0006J5-00; Sun, 25 Nov 2001 17:04:50 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAP6mwb00339; Sat, 24 Nov 2001 22:48:58 -0800 (PST) (envelope-from cjc)
Date: Sat, 24 Nov 2001 22:48:58 -0800
From: "Crist J. Clark"
To: Cy Schubert - ITSD Open Systems Group
Cc: Fernando Germano, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011124224858.B228@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011122031739.A226@gohan.cjclark.org> <200111231250.fANCoha19105@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111231250.fANCoha19105@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Fri, Nov 23, 2001 at 04:49:46AM -0800
X-URL: http://people.freebsd.org/~cjc/

On Fri, Nov 23, 2001 at 04:49:46AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> In message <20011122031739.A226@gohan.cjclark.org>, "Crist J. Clark" writes:
> > It is sad to see this poor design,
> >
> >   Internet
> >      |
> >      |
> >   Firewall--"DMZ"
> >      |
> >      |
> >   Internal
> >
> > Used so very, very much these days (I think thanks to several firewall
> > vendors pushing this as a standard design).
> >
> > A much better design, is
> >
> >   Internet
> >      |
> >      |
> >   Firewall1
> >      |
> >      |
> >   DMZ
> >      |
> >      |
> >   Firewall2
> >      |
> >      |
> >   Internal
> >
> > (This design is actually where the term "DMZ" comes from since it
> > actually looks like one here.)
>
> Given the capability of today's firewalls, packet filtering software
> and packet filtering capabilities within routers, I don't see what
> the advantage of the second design would be in 2001.

Defense in depth. Examples: A glitch/security breach in Firewall1's
ruleset/software does not necessarily expose the internal network. Any
vulnerabilities in Firewall2 are harder to exploit when protected by
Firewall1.

> Actually today (2001), the second design is quite dangerous.
> Sure it
> protects your internal network, however it is more difficult to
> contain compromised systems from being used as a launching point to
> elsewhere on the Internet.

I don't see why this is true.

> If you want the additional protection of security through depth, try
> this:
>
>   Internet
>      |
>      |
>   Firewall1 -- DMZ
>      |
>      |
>   Firewall2
>      |
>      |
>   Internal
>
> What does this give you? Well, your DMZ can be easily configured to
> protect not only you but make it difficult to launch attacks from your
> DMZ. The second firewall is a redundant firewall. If you see any
> messages in the second firewall's logs, you might want to investigate
> a possible compromise of your first firewall. Many organisations do
> this. For example, firewall 1 could be a packet filtering router while
> firewall 2 could be firewall with various proxy services, e.g. IP
> Filter's FTP proxy, or a firewall with NAT capability. Of course all
> of this depends on what you're trying to protect and how much you're
> willing to spend to protect whatever you're trying to protect. For
> many applications one firewall should be enough.

This is not as good, IMHO. One typically allows special access between
DMZ hosts and the internal network. Putting these rules on Firewall1,
which also faces the hostile network, potentially weakens security.

> Also, one could set up other firewalls within an internal network to
> control which hosts within your internal network have access to your
> most sensitive data, e.g. your financial records.

Yep, access controls between different "areas" (for a business:
finance, HR, marketing, engineering, etc., for a university: student
housing, public machines, academic departments, the registrar, other
administrative groups, etc.) of your internal networks are always a good
idea when the security benefits balance against the costs.
-- 
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Sun Nov 25 17:59:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shadow.booms.net (shadow.booms.net [204.188.101.238]) by hub.freebsd.org (Postfix) with ESMTP id A9ADF37B419 for ; Sun, 25 Nov 2001 17:59:25 -0800 (PST)
Received: from cortsen (c1735868-a.arvada1.co.home.com [65.7.159.215]) by shadow.booms.net (8.11.1/8.11.1) with SMTP id fAQ26fw49129 for ; Sun, 25 Nov 2001 19:06:41 -0700 (MST) (envelope-from lists-inet@booms.net)
From: "Brandon Harper" To: Subject: RE: Security zone Date: Sun, 25 Nov 2001 18:59:27 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: <3C014C5B.9765067F@anarcat.dyndns.org> Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Anyways, I can't figure out how one can pretend to have that level of
> control over the stack (per-app) and why one would want to have it
> anyways.
>
> "apps" are installed/deinstall, modified, upgraded, etc. It would be
> impossible and simply useless to have that kind of control.

I for one use ZoneAlarm Pro on my *cough* XP Pro workstation even though there is another box which serves as my firewall/gateway. Why? Well, although it's not a 100% solid solution, it lets me know what other programs are trying to access the internet, such as spyware or the possible backdoor (such as Back Orifice, etc). No, I don't think it's the best or most secure thing in the world as programs are able to access the internet without my knowledge via IE DLLs anyhow, but every extra layer helps. It's also nice to know when the version numbers of programs change. Very rarely do I change software on my machine because I do development work on it, and it's interesting to see if applications decide to update themselves, etc.

YMMV,
- Brandon

From owner-freebsd-security Sun Nov 25 19:39: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 6392437B405 for ; Sun, 25 Nov 2001 19:38:58 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1192) id 2099181D2D; Sun, 25 Nov 2001 21:38:53 -0600 (CST) Date: Sun, 25 Nov 2001 21:38:53 -0600
From: Alfred Perlstein To: Stijn Hoop Cc: freebsd-security@freebsd.org Subject: Re: analysis of attack ?? Message-ID: <20011125213853.E13393@elvis.mu.org> References: <03e501c175ec$19332b40$d5f35b41@musicstudio> <20011125142005.D13393@elvis.mu.org> <20011125212351.A32145@pcwin002.win.tue.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011125212351.A32145@pcwin002.win.tue.nl>; from stijn@win.tue.nl on Sun, Nov 25, 2001 at 09:23:51PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Stijn Hoop [011125 14:24] wrote:
> [slightly offtopic]
>
> On Sun, Nov 25, 2001 at 02:20:05PM -0600, Alfred Perlstein wrote:
> > Actually I recently saw that _finally_ they came out with a
> > client that does ftp over ssh. I think DataFellows has such a client
> > you should check it out.
>
> Ehm, sftp(1)? ssh.com has a nice windows GUI client available [1], which
> should work with recent -STABLE servers (after OpenSSH upgrade at least).
> Or install openssh-portable.

Yes, this is what I meant to refer to. I only rarely have to cater to crippled windows boxes; the last time I had to (almost a year ago) I think it was the software which you are pointing at that I deployed.

> [1] For a fee of course.

Yes, both a monetary and karma fee apply. :)

-- 
-Alfred Perlstein [alfred@freebsd.org]

From owner-freebsd-security Mon Nov 26 1:24:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from relay.pair.com (relay1.pair.com [209.68.1.20]) by hub.freebsd.org (Postfix) with SMTP id 9FEB837B405 for ; Mon, 26 Nov 2001 01:24:46 -0800 (PST) Received: (qmail 37978 invoked from network); 26 Nov 2001 09:24:45 -0000 Received: from pd9005891.dip.t-dialin.net (HELO laptop) (217.0.88.145) by relay1.pair.com with SMTP; 26 Nov 2001 09:24:45 -0000 X-pair-Authenticated: 217.0.88.145 Message-ID: <001f01c1765c$3ccfba80$0901a8c0@system>
From: "Tom Beer" To: Subject: Amanda - inetd Date: Mon, 26 Nov 2001 10:25:05 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

I'm planning to install amanda (remote backup solution) on a freebsd box as a client. Unfortunately amanda needs inetd, which I don't want to start for security reasons. Not even tcpwrapped. Is there a way to bring my ppp dialup connection down, start inetd, start amanda, end inetd after the backup and start my ppp connection again? Or is there a better solution?

Greets Tom

From owner-freebsd-security Mon Nov 26 2:44: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.interbgc.com (mail.interbgc.com [217.9.224.3]) by hub.freebsd.org (Postfix) with SMTP id 67A8137B405 for ; Mon, 26 Nov 2001 02:44:01 -0800 (PST) Received: (qmail 92493 invoked by uid 1005); 26 Nov 2001 10:43:55 -0000 Received: from borislav.nikolov@interbgc.com by keeper.interbgc.com with qmail-scanner-1.01 (uvscan: v4.0.50/v4168. . Clean. Processed in 0.426979 secs); 26 Nov 2001 10:43:55 -0000 Received: from mail.interbgc.com (HELO keeper.interbgc.com) (217.9.224.3) by mail.interbgc.com with SMTP; 26 Nov 2001 10:43:54 -0000 Date: Mon, 26 Nov 2001 12:43:54 +0200 (EET)
From: X-X-Sender: To: Tom Beer Cc: Subject: Re: Amanda - inetd In-Reply-To: <001f01c1765c$3ccfba80$0901a8c0@system> Message-ID: <20011126123643.K63543-100000@keeper.interbgc.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, 26 Nov 2001, Tom Beer wrote:

> Hi,
>
> I'm planning to install amanda (remote backup
> solution) on a freebsd box as a client. Unfortunately
> amanda needs inetd, which I don't want to start
> for security reasons. Not even tcpwrapped.
> Is there a way to bring my ppp dialup connection
> down, start inetd, start amanda, end inetd after
> the backup and start my ppp connection
> again? Or is there a better solution?

just use tcpserv OR you can write a simple shell script.

    #!/bin/bash
    killall pppd
    sleep 3                        # wait for pppd to handle the TERM (15) signal
    iface=`ifconfig ppp0 | wc -l`
    if [ $iface -gt 1 ]; then
        echo "error there is ppp connection alive"
        exit 2
    fi
    path/to/inetd -a 127.0.0.1     # (paranoia)
    # here start the amanda (if it can be run in the foreground), else put one
    # sleep 606060 (i do not know the time for backupping)
    # wait
    killall inetd
    pppd connect 'chat -f /etc/ppp/dial-conf' /dev/cuaaX speed
    # end

or something like this :)

> Greets Tom

#! small bobi
# mail to : borislav.nikolov@interbgc.com
# www page: http://web.interbgc.com/~noun
# icq uin : 8912353

From owner-freebsd-security Mon Nov 26 3: 7: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id 4C0BE37B405 for ; Mon, 26 Nov 2001 03:06:57 -0800 (PST) Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id LAA04776; Mon, 26 Nov 2001 11:06:53 GMT Date: Mon, 26 Nov 2001 11:06:53 +0000 (GMT)
From: freebsd-security@rikrose.net X-Sender: rik@pkl.net To: Stijn Hoop Cc: Alfred Perlstein , freebsd-security@FreeBSD.ORG Subject: Re: analysis of attack ?? In-Reply-To: <20011125212351.A32145@pcwin002.win.tue.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sun, 25 Nov 2001, Stijn Hoop wrote:

> On Sun, Nov 25, 2001 at 02:20:05PM -0600, Alfred Perlstein wrote:
> > client that does ftp over ssh. I think DataFellows has such a client
>
> Ehm, sftp(1)? ssh.com has a nice windows GUI client available [1], which

CuteFTP Pro also does SSH 1 and 2 connections. It looked good, but my free trial timed out. There may also have been allegations of "spyware" floating around, but if you buy a nice legitimate copy, then you've got nothing to worry about anyway.

-- 
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Mon Nov 26 3:47:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from highland.isltd.insignia.com (highland.isltd.insignia.com [195.74.141.1]) by hub.freebsd.org (Postfix) with ESMTP id E046E37B41B for ; Mon, 26 Nov 2001 03:47:20 -0800 (PST) Received: from wolf.isltd.insignia.com (wolf.isltd.insignia.com [172.16.1.3]) by highland.isltd.insignia.com (8.11.3/8.11.3/check_local4.2) with ESMTP id fAQBlDg00838 for ; Mon, 26 Nov 2001 11:47:13 GMT Received: (from news@localhost) by wolf.isltd.insignia.com (8.9.3/8.9.3) id LAA24355 for freebsd-security@freebsd.org; Mon, 26 Nov 2001 11:47:13 GMT
From: freebsd-security-local@insignia.com To: freebsd-security@freebsd.org Subject: Re: KAME IPSec <->Redcreek Date: Mon, 26 Nov 2001 11:47:12 +0000 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, 22 Nov 2001 15:36:13 +0900, sakane@kame.net (Shoichi Sakane) wrote:

>> I wonder anyone has had success talking to a RedCreek Ravlin
>> VPN gateway. I have some colleagues who are successfully using
>> freeswan, but I'm having none at all with racoon.
>>
>> A packet trace shows the initial packet going to port 500 of
>> the Ravlin, but no response. Unfortunately the Ravlin doesn't
>> syslog anything at all in this situation, so it's kind of
>> hard to debug!
>
>did you compare between the ravlin's configuration and racoon's one ?
>if there was a mismatch, the negotiation would fail. during the phase1
>negotiation, sometime the node would discard silently.
>
>there is a possibility that the ravlin requires the main mode of IKE.
>but according to your explanation, the packet might not reach the port
>500 of the ravlin because there might be a packet filtering.

Yes, I believe I am using the same settings. I don't think there is any packet filtering in place. I plan to wait until the latest snapshot appears in the FreeBSD ports system and try again.

Jim

From owner-freebsd-security Mon Nov 26 5:20: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from mout0.freenet.de (mout0.freenet.de [194.97.50.131]) by hub.freebsd.org (Postfix) with ESMTP id 83E2237B416 for ; Mon, 26 Nov 2001 05:20:02 -0800 (PST) Received: from [194.97.50.138] (helo=mx0.freenet.de) by mout0.freenet.de with esmtp (Exim 3.33 #3) id 168Lg1-0006O2-00; Mon, 26 Nov 2001 14:20:01 +0100 Received: from aabb4.pppool.de ([213.6.171.180] helo=Magelan.Leidinger.net) by mx0.freenet.de with esmtp (Exim 3.33 #3) id 168Lg0-00073O-00; Mon, 26 Nov 2001 14:20:00 +0100 Received: from Leidinger.net (netchild@localhost [127.0.0.1]) by Magelan.Leidinger.net (8.11.6/8.11.6) with ESMTP id fAQCDkK02743; Mon, 26 Nov 2001 13:13:47 +0100 (CET) (envelope-from netchild@Leidinger.net) Message-Id: <200111261213.fAQCDkK02743@Magelan.Leidinger.net> Date: Mon, 26 Nov 2001 13:13:44 +0100 (CET)
From: Alexander Leidinger Subject: Re: analysis of attack ?? To: k_a_kinsey@netzero.net Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <03e501c175ec$19332b40$d5f35b41@musicstudio> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On 25 Nov, Kevin & Anita Kinsey wrote:

> Questions:
> *Does the fact that the files were in the public ftp directory mean
> that Mr. Badguy came in via anonymous FTP, or did he sniff a user
> password floating unencrypted over the 'Net?

Any chance the box also allowed telnet access (depending on which version of FreeBSD you had running on it, they may have used an exploit for it)? Which FTP server software are you using (proftpd and wu-ftpd are known to have had a lot of exploitable bugs; if your friend can live with the base ftpd you had better switch to it)?

> *What should I do if/when (God forbid) this happens again to give me
> (you?) more to analyze.....?

You should also tell us the names and versions of used software.

> *Is there a better way [than FTP] to have his 'webmaster' (page
> designer) upload pages to the site?

This depends on his webmaster; if he doesn't fear the command line and you are able to find the programs for the platform he uses: rsync (/usr/ports/net/rsync) over ssh.

Bye,
Alexander.

-- 
The best things in life are free, but the expensive ones are still worth a look.

http://www.Leidinger.net Alexander @ Leidinger.net GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

From owner-freebsd-security Mon Nov 26 5:34: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from star.rila.bg (star.rila.bg [194.141.1.32]) by hub.freebsd.org (Postfix) with ESMTP id 3274B37B405; Mon, 26 Nov 2001 05:34:05 -0800 (PST) Received: from star.rila.bg (vlady@localhost [127.0.0.1]) by star.rila.bg (8.11.4/8.11.4) with ESMTP id fAQDY4c95306; Mon, 26 Nov 2001 15:34:04 +0200 (EET) (envelope-from vlady@star.rila.bg) Message-Id: <200111261334.fAQDY4c95306@star.rila.bg> X-Mailer: exmh version 2.4 05/15/2001 with nmh-1.0.3 To: freebsd-hackers@freebsd.org Cc: freebsd-security@freebsd.org
From: "Vladimir Terziev" Subject: Strange FTPD behavior Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 26 Nov 2001 15:34:04 +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I run a FreeBSD 4.3-STABLE machine. I use ftpd for the ftp server daemon. It has very strange behavior with one of the user accounts on my machine. Every user account on my machine can access it via ftp, except this account, let's call it ttt. The ttt is not in the /etc/ftpusers file and it can access the machine via ssh and telnet, but with ftp it can't! The ftpd says "530 User ttt access denied", as a reply to the command "user ttt". I saw in the rfc that the 530 reply code means "Not logged in", but the ftpd doesn't allow ttt to supply its credentials.

My ftpd is not chroot-ed, if this is important!

Any ideas?

Vladimir

From owner-freebsd-security Mon Nov 26 5:44: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from star.rila.bg (star.rila.bg [194.141.1.32]) by hub.freebsd.org (Postfix) with ESMTP id 1EFC237B41A for ; Mon, 26 Nov 2001 05:43:52 -0800 (PST) Received: from star.rila.bg (vlady@localhost [127.0.0.1]) by star.rila.bg (8.11.4/8.11.4) with ESMTP id fAQDhqc95440 for ; Mon, 26 Nov 2001 15:43:52 +0200 (EET) (envelope-from vlady@star.rila.bg) Message-Id: <200111261343.fAQDhqc95440@star.rila.bg> X-Mailer: exmh version 2.4 05/15/2001 with nmh-1.0.3 To: security@freebsd.org
From: "Vladimir Terziev" Subject: Strange FTPD behavior Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 26 Nov 2001 15:43:52 +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I run a FreeBSD 4.3-STABLE machine. I use ftpd for the ftp server daemon. It has very strange behavior with one of the user accounts on my machine. Every user account on my machine can access it via ftp, except this account, let's call it ttt. The ttt is not in the /etc/ftpusers file and it can access the machine via ssh and telnet, but with ftp it can't! The ftpd says "530 User ttt access denied", as a reply to the command "user ttt". I saw in the rfc that the 530 reply code means "Not logged in", but the ftpd doesn't allow ttt to supply its credentials.

My ftpd is not chroot-ed, if this is important!

Any ideas?

Vladimir

From owner-freebsd-security Mon Nov 26 5:44:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 5513637B437; Mon, 26 Nov 2001 05:44:20 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id fAQDi9W87538; Mon, 26 Nov 2001 08:44:09 -0500 (EST) Date: Mon, 26 Nov 2001 08:44:09 -0500 (EST)
From: Ralph Huntington To: Vladimir Terziev Cc: , Subject: Re: Strange FTPD behavior In-Reply-To: <200111261334.fAQDY4c95306@star.rila.bg> Message-ID: <20011126084254.I54163-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Is the user's shell listed in /etc/shells? It must be there for ftpd to let them in.

On Mon, 26 Nov 2001, Vladimir Terziev wrote:

>
> I run a FreeBSD 4.3-STABLE machine. I use ftpd for the ftp server daemon. It has
> very strange behavior with one of the user accounts on my machine. Every user
> account on my machine can access it via ftp, except this account, let's call it
> ttt. The ttt is not in the /etc/ftpusers file and it can access the machine via
> ssh and telnet, but with ftp it can't! The ftpd says "530 User ttt access
> denied", as a reply to the command "user ttt". I saw in the rfc that the 530 reply
> code means "Not logged in", but the ftpd doesn't allow ttt to supply its
> credentials.
> My ftpd is not chroot-ed, if this is important!
>
> Any ideas?
>
> Vladimir

From owner-freebsd-security Mon Nov 26 6: 3: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id CC99737B416 for ; Mon, 26 Nov 2001 06:02:39 -0800 (PST) Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id JAA18429; Mon, 26 Nov 2001 09:03:46 -0500 Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id JAA18876; Mon, 26 Nov 2001 09:02:36 -0500 X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs Date: Mon, 26 Nov 2001 09:02:36 -0500 (EST)
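Ralph's /etc/shells answer above, as an added example written for this digest (not code from the thread or from FreeBSD's ftpd): a script that reproduces the two pre-password checks behind a "530 User X access denied." so the cause can be traced offline against copies of the files. It is a simplified model: plain user names in ftpusers only (no @group entries), no /etc/ftpchroot or account expiry, and /etc/shells assumed to exist; the file paths and sample users in the demo are constructed, not from any real host.

```shell
#!/bin/sh
# Added example; models FreeBSD ftpd's login gate, not ftpd's own code.
# Usage: ftpd_user_allowed USER PASSWD_FILE FTPUSERS_FILE SHELLS_FILE
# Prints the verdict and returns 0 (login would proceed) or 1 (530 denied).
ftpd_user_allowed() {
    user=$1; passwd=$2; ftpusers=$3; shells=$4

    # Check 1: any non-comment line of ftpusers naming the user denies them.
    if ftpusers_lists "$user" "$ftpusers"; then
        echo "denied: $user is listed in $ftpusers"
        return 1
    fi

    # Look the account up. The "found:" prefix keeps an empty shell field
    # (which ftpd treats as /bin/sh) distinct from a missing account.
    entry=$(awk -F: -v u="$user" '$1 == u { print "found:" $7; exit }' "$passwd")
    case $entry in
        found:*) shell=${entry#found:} ;;
        *)       echo "denied: $user has no entry in $passwd"; return 1 ;;
    esac
    [ -n "$shell" ] || shell=/bin/sh

    # Check 2: the login shell must appear, exactly, in /etc/shells.
    # This is the check a user who can ssh in but not ftp in usually fails.
    if ! grep -qxF "$shell" "$shells"; then
        echo "denied: shell $shell of $user is not listed in $shells"
        return 1
    fi

    echo "allowed: $user may log in (shell $shell)"
    return 0
}

# True if USER appears as an entry in FTPUSERS. Blank lines and lines whose
# first field starts with '#' are ignored; surrounding whitespace is not.
ftpusers_lists() {
    awk -v u="$1" '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == u              { found = 1; exit }
        END                  { exit !found }
    ' "$2"
}

# Self-contained demonstration on constructed files (not real system files).
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/ftpdchk.XXXXXX") || return 1
    printf '%s\n' \
        'root:*:0:0:Charlie &:/root:/bin/csh' \
        'ttt:*:1005:1005:Test User:/home/ttt:/usr/local/bin/zsh' \
        'bob:*:1006:1006:Bob:/home/bob:/bin/sh' \
        'carol:*:1007:1007:Carol:/home/carol:' > "$d/passwd"
    printf '%s\n' '# users refused by ftpd' 'root' '  bob  ' > "$d/ftpusers"
    printf '%s\n' '/bin/sh' '/bin/csh' > "$d/shells"
    for u in ttt bob carol nobody; do
        ftpd_user_allowed "$u" "$d/passwd" "$d/ftpusers" "$d/shells"
    done
    rm -rf "$d"
}

case ${1:-} in
    demo) demo ;;
esac
```

Run it as `sh ftpdchk.sh demo`; the ttt line in the demo output shows the case from this thread, a shell that is not in /etc/shells.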
From: Mitch Collinsworth X-Sender: mitch@ruby.ccmr.cornell.edu To: Tom Beer Cc: security@FreeBSD.ORG Subject: Re: Amanda - inetd In-Reply-To: <001f01c1765c$3ccfba80$0901a8c0@system> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

You'll find more folks with amanda experience on the amanda-users list than on freebsd-security. See www.amanda.org for info.

The question you're asking resolves into 'I want to run a network service on this machine without using inetd.' The typical solution to this is to write a long-running daemon, a la named or dhcpd, but amandad is not written that way. It expects to be called from inetd. The shell script outline someone else offered does not work because it fails to recognize the whole point of your question, that amandad wants to be started from inetd.

What you're asking to do is probably possible to accomplish, though it seems excessively paranoid IMHO. If this is a firewall box you could run inetd with just the amandad entry and locked to only allow access from the amanda server. Ruling that out, the easiest answer is to put a tape drive directly on this box and run its backups directly to local tape.

If you really want to go the way you're asking about then you need to figure out how long the backup window is, and use a cron job to kill pppd and start inetd for the duration of your backup window, and then kill inetd and re-start pppd afterward. The actual duration of the backup run will vary from one day to the next depending on what else the amanda server is doing, and whether this machine is getting a level 0 or a higher level dump run. But you pretty much have to use inetd since the amanda server will contact the backup client several times for various functions over the course of a single day's backup run, even if you're only backing up a single filesystem.

-Mitch

On Mon, 26 Nov 2001, Tom Beer wrote:

> Hi,
>
> I'm planning to install amanda (remote backup
> solution) on a freebsd box as a client. Unfortunately
> amanda needs inetd, which I don't want to start
> for security reasons. Not even tcpwrapped.
> Is there a way to bring my ppp dialup connection
> down, start inetd, start amanda, end inetd after
> the backup and start my ppp connection
> again? Or is there a better solution?
>
> Greets Tom

From owner-freebsd-security Mon Nov 26 7:20:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from bsas1i.audiotel.com.ar (host030038.prima.com.ar [200.42.30.38]) by hub.freebsd.org (Postfix) with ESMTP id 9378437B416 for ; Mon, 26 Nov 2001 07:20:34 -0800 (PST) Received: from audi2k (audi2k.audiotel.com.ar [192.168.100.237]) (authenticated) by bsas1i.audiotel.com.ar (8.11.6/8.11.6) with ESMTP id fAQFKJj05393; Mon, 26 Nov 2001 12:20:28 -0300 (ART)
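Mitch's cron-driven backup window above, together with the outline bobi posted earlier in the thread, as one added example written for this digest (not code from either poster, from Amanda or from FreeBSD): ppp is taken down, an inetd that knows only amandad is started on the LAN address with ipfw admitting the backup server alone, the window is slept through, then inetd is stopped and ppp redialled from a trap so an error mid-window does not leave the link down. Every value in it is an assumption: server 192.0.2.10 (documentation address), LAN address 192.168.1.2, the amandad path, userland ppp(8) profile "isp", ipfw rule numbers 1000 and 1001 being free, and the 10080/udp amanda port.

```shell
#!/bin/sh
# Added example; not from the thread, Amanda or FreeBSD. All values are
# assumptions to be replaced for a real host.
AMANDA_SERVER=${AMANDA_SERVER:-192.0.2.10}   # the amanda server (assumed)
LAN_ADDR=${LAN_ADDR:-192.168.1.2}            # this client's LAN address (assumed)
AMANDAD=${AMANDAD:-/usr/local/libexec/amanda/amandad}   # assumed path
PPP_PROFILE=${PPP_PROFILE:-isp}              # userland ppp(8) profile (assumed)
WINDOW_SECS=${WINDOW_SECS:-7200}             # length of the backup window
WINDOW_CONF=${WINDOW_CONF:-/var/run/inetd.amanda.conf}
WINDOW_RULES=${WINDOW_RULES:-/var/run/ipfw.amanda.rules}

# The entire inetd.conf for the window: one dgram/udp service, nothing else.
# Fields: service socktype proto wait/nowait user program arguments.
amanda_inetd_conf() {
    printf 'amanda\tdgram\tudp\twait\toperator\t%s\tamandad\n' "$AMANDAD"
}

# ipfw rules in the file syntax ipfw(8) reads: amanda's UDP port is reachable
# from the backup server only and explicitly refused to everyone else.
amanda_ipfw_rules() {
    printf 'add 1000 allow udp from %s to %s 10080\n' "$AMANDA_SERVER" "$LAN_ADDR"
    printf 'add 1001 deny udp from any to %s 10080\n' "$LAN_ADDR"
}

# Tear the window down: stop the private inetd, drop the rules, redial.
# Clears the EXIT trap first so a signal does not run this twice.
close_window() {
    trap - EXIT
    killall inetd 2>/dev/null
    ipfw -q delete 1000 2>/dev/null
    ipfw -q delete 1001 2>/dev/null
    rm -f "$WINDOW_CONF" "$WINDOW_RULES"
    ppp -background "$PPP_PROFILE"
}

# Open the window: link down, rules in, inetd up, wait; close_window then
# runs via the trap on normal exit as well as on SIGINT/SIGTERM.
open_window() {
    trap close_window EXIT INT TERM
    killall ppp 2>/dev/null               # userland ppp hangs up on SIGTERM
    sleep 3
    amanda_inetd_conf > "$WINDOW_CONF"
    amanda_ipfw_rules > "$WINDOW_RULES"
    ipfw -q "$WINDOW_RULES"
    inetd -a "$LAN_ADDR" "$WINDOW_CONF"   # -a: listen on the LAN address only
    sleep "$WINDOW_SECS"                  # inetd spawns amandad on each server contact
}

# crontab entry (assumed install path): 0 2 * * * /usr/local/sbin/amanda-window open
case ${1:-} in
    open) open_window ;;
esac
```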
From: "Fernando Germano" To: "Mike Silbersack" Cc: Subject: RE: What's this? Date: Mon, 26 Nov 2001 12:20:53 -0300 Message-ID: <009301c1768d$f0685440$ed64a8c0@audi2k> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal In-Reply-To: <20011123161855.U13774-100000@achilles.silby.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Actually we're on it, we're testing 4.4 ;) -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mike Silbersack Sent: Friday, 23 November 2001 07:21 p.m. To: Fernando Germano Cc: security@FreeBSD.ORG Subject: Re: What's this?

On Fri, 23 Nov 2001, Fernando Germano wrote:

> I've found many of these, are these the result of a portscan or something
> like that???, how do you read this line???
>
> Nov 23 11:11:50 server /kernel: icmp-response bandwidth limit 187/100 pps
> Nov 23 11:11:51 server /kernel: icmp-response bandwidth limit 264/100 pps
>
> Thank you
> Fernando

It's probably just a portscan. Do not worry about it. Instead, worry about the fact that you're running an old release, and consider upgrading to 4.4 for the zillion other (legitimate) security issues that have been fixed.

Mike "Silby" Silbersack

From owner-freebsd-security Mon Nov 26 7:32: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (law2-f68.hotmail.com [216.32.181.68]) by hub.freebsd.org (Postfix) with ESMTP id 668DF37B416 for ; Mon, 26 Nov 2001 07:32:05 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 26 Nov 2001 07:32:05 -0800 Received: from 213.84.199.53 by lw2fd.hotmail.msn.com with HTTP; Mon, 26 Nov 2001 15:32:05 GMT X-Originating-IP: [213.84.199.53]
From: "Danny Carroll" To: security@freebsd.org Subject: IPFW, natd and an internal FTP server. Date: Mon, 26 Nov 2001 15:32:05 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 26 Nov 2001 15:32:05.0106 (UTC) FILETIME=[807B7520:01C1768F] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello,

I know this question has been covered before in many different ways, but I can't seem to find the solution I am looking for.

Here is my situation.

machine guard is the firewall / natd server on a dedicated internet line.
machine app is the web/ftp server, let's say it runs win2k. This machine is on an internal (192.168) network and the firewall's natd diverts web/ftp stuff almost brilliantly.

The firewall works fine for active FTP (server initiated data connections).

If I configure my FTP server to use passive ports in a limited range and allow those ports specifically then all is well.

But I want to be a little more secure. So I tried using punch_fw to add the rules dynamically. I figured if it works for active clients, it must work for passive servers? Am I wrong in this assumption or have I screwed something up?

Also, will I see the rules inserted into the ipfw list or are they hidden for some reason?

Thanks in advance.

-D

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

From owner-freebsd-security Mon Nov 26 7:46:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from purgatory.unfix.org (purgatory.xs4all.nl [194.109.237.229]) by hub.freebsd.org (Postfix) with ESMTP id 61E3A37B41E for ; Mon, 26 Nov 2001 07:46:24 -0800 (PST) Received: from HELL (hell.unfix.org [::ffff:10.100.13.66]) by purgatory.unfix.org (Postfix) with ESMTP id 64992335F; Mon, 26 Nov 2001 16:46:21 +0100 (CET)
From: "Jeroen Massar" To: "'Stijn Hoop'" , "'Alfred Perlstein'" Cc: Subject: RE: analysis of attack ?? Date: Mon, 26 Nov 2001 16:43:41 +0100 Organization: Unfix Message-ID: <006001c17691$1fad4870$420d640a@HELL> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: <20011125212351.A32145@pcwin002.win.tue.nl> Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Stijn Hoop wrote:

> [slightly offtopic]
>
> On Sun, Nov 25, 2001 at 02:20:05PM -0600, Alfred Perlstein wrote:
> > Actually I recently saw that _finally_ they came out with a
> > client that does ftp over ssh. I think DataFellows has such a client
> > you should check it out.
>
> Ehm, sftp(1)? ssh.com has a nice windows GUI client available
> [1], which should work with recent -STABLE servers (after OpenSSH
> upgrade at least). Or install openssh-portable.
> [1] For a fee of course.

http://www.chiark.greenend.org.uk/~sgtatham/putty/ <-- PuTTY has an sftp command line client too ;)

PS: For free and with source ;)

From owner-freebsd-security Mon Nov 26 8:51:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id D79BC37B416 for ; Mon, 26 Nov 2001 08:51:39 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fAQGpOg27827; Mon, 26 Nov 2001 18:51:24 +0200 (EET) (envelope-from ru) Date: Mon, 26 Nov 2001 18:51:24 +0200
From: Ruslan Ermilov To: Danny Carroll Cc: security@FreeBSD.ORG Subject: Re: IPFW, natd and an internal FTP server. Message-ID: <20011126185124.A27588@sunbay.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.23i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Nov 26, 2001 at 03:32:05PM +0000, Danny Carroll wrote:
> Hello,
>
> I know this question has been covered before in many different ways, but I
> can't seem to find the solution I am looking for.
>
> Here is my situation.
>
> machine guard is the firewall / natd server on a dedicated internet line.
> machine app is the web/ftp server let's say it runs win2k. This machine is
> on an internal (192.168) network and the firewall's natd diverts web/ftp
> stuff almost brilliantly.
>
> The firewall works fine for active FTP (server initiated data connections).
>
> If I configure my FTP server to use passive ports in a limited range and
> allow those ports specifically then all is well.
>
> But I want to be a little more secure. So I tried using punch_fw to add the
> rules dynamically. I figured if it works for active clients, it must work
> for passive servers?
>
Yes.

> Am I wrong in this assumption or have I screwed something up?
>
So, you tried it and it did not work? What's the FreeBSD version?

> Also, will I see the rules inserted into the ipfw list or are they hidden
> for some reason?
>
Yes.

Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Mon Nov 26 9: 2:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (law2-f79.hotmail.com [216.32.181.79]) by hub.freebsd.org (Postfix) with ESMTP id E30BE37B416; Mon, 26 Nov 2001 09:02:27 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 26 Nov 2001 09:02:27 -0800 Received: from 213.84.199.53 by lw2fd.hotmail.msn.com with HTTP; Mon, 26 Nov 2001 17:02:27 GMT X-Originating-IP: [213.84.199.53]
From: "Danny Carroll"
To: ru@FreeBSD.ORG
Cc: security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Date: Mon, 26 Nov 2001 17:02:27 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 26 Nov 2001 17:02:27.0874 (UTC) FILETIME=[20B43020:01C1769C]

>>rules dynamically. I figured if it works for active clients, it must work
>>for passive servers?
>>
>Yes.

No.... At least it doesn't for me.

>> Am I wrong in this assumption or have I screwed something up?
>So, you tried it and it did not work? What's the FreeBSD version?
>

Yes, I tried it and it failed... But I then tried active FTP out and I
could clearly see two wonderful new rules created right where I wanted them.

I'm using FreeBSD 4.4-RELEASE straight from the ISO.

I can send the firewall rules but since punch_fw is working as an active
client, there is nothing there that would affect it. I mean it's making
the control connection fine...

-D

From owner-freebsd-security Mon Nov 26 9:39:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mrtwig.citlink.net (mrtwig.citlink.net [207.173.229.137]) by hub.freebsd.org (Postfix) with ESMTP id 17B0C37B430 for ; Mon, 26 Nov 2001 09:38:43 -0800 (PST)
Received: from blacklamb.mykitchentable.net ([207.173.248.249]) by mrtwig.citlink.net (InterMail vK.4.03.04.00 201-232-130 license a3e2d54ac3b1df4217e834deb9d77e31) with ESMTP id <20011126174319.DPLM60244.mrtwig@blacklamb.mykitchentable.net>; Mon, 26 Nov 2001 11:43:19 -0600
Received: from tagalong (unknown [165.107.42.150]) by blacklamb.mykitchentable.net (Postfix) with SMTP id 79542EE653; Mon, 26 Nov 2001 09:39:59 -0800 (PST)
Message-ID: <005a01c176a1$2fe31cf0$962a6ba5@lc.ca.gov>
From: "Drew Tomlinson"
To: "Ian Smith"
Cc:
References:
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
Date: Mon, 26 Nov 2001 09:38:40 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

----- Original Message -----
From: "Ian Smith"
To: "Drew Tomlinson"
Cc:
Sent: Monday, November 26, 2001 6:49 AM
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?

> On Sun, 25 Nov 2001, Drew Tomlinson wrote:
>
> > I was looking over my firewall logs this morning and noticed that there
> > are many attempts to connect to TCP port 1214 from different addresses.
>
> Good replies re the specific gadget, but you'll be seeing similar scans
> for any number of mystery ports to every accessible address in your net.
>
> [..]
>
> > P.S. 192.168.10.2 is my outside interface to my firewall. I know it is
> > a private address but it's OK as my ADSL modem/router gets a public
> > address from my ISP via DHCP and performs NAT for the rest of my
> > machines.
> >
> > > ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> [..]
> > > ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
>
> I don't understand why a firewall, upstream on ed1 as you describe it,
> would be passing TCP setup for this port on to you in the first place,
> unless it's a service that's been specifically allowed?
>
> Perhaps I misunderstand the topology - is this your local ipfw logging?

My network setup is like this:

ISP
 |
 | IP is DHCP (RFC 1918 & draft-manning nets
 | inbound blocked here)
 |
ADSL Modem/Router (provides DNS & NAT)
 |192.168.10.1 (RFC 1918 & draft-manning nets
 | outbound blocked here)
 |
 |192.168.10.2 (ed1)
 |
Firewall (FBSD/IPFW Box)
 |
 |192.168.1.2 (ed0)
 |
Internal Network 192.168.1.0/24

The ADSL modem/router (3Com OCR 812) is set to forward all packets to the
FBSD box. The modem/router has limited filtering capabilities unless I can
figure out how to write what the manual terms as "generic packet filters"
where one actually calculates the offset and examines the next "n" bytes
(bits?). But irregardless of the type of filter, there is no logging as far
as I can tell. I set up the FBSD box as a firewall for finer control and so
that I could see what's happening via log files.

In other words, the modem/router is mostly a modem. Because I have been
unsuccessful in setting it up as a bridge (which is what I think I really
want), I left NAT running on the router as there's no reason to NAT twice.

Ultimately, I would like the modem/router to be a modem only and pass
*everything* (isn't this what a bridge does?) to ed1 on my FBSD box so I
may filter it there. When I originally signed up for DSL, the modem my
telco offered would only work with Windows as there was no "dial-up"
software for PPPoA. Thus I went for the router as it does the "dial-up"
internally.

I've fiddled with my setup several times and this is the best I could come
up with. However I'm always open to suggestions.

Thanks,

Drew

From owner-freebsd-security Mon Nov 26 9:42:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 71C5C37B416 for ; Mon, 26 Nov 2001 09:42:21 -0800 (PST)
Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id fAQHgFf22245; Mon, 26 Nov 2001 11:42:15 -0600 (CST)
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id LAA11967; Mon, 26 Nov 2001 11:42:17 -0600 (CST)
Message-ID: <3C027EE3.42197913@centtech.com>
Date: Mon, 26 Nov 2001 11:41:55 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Drew Tomlinson
Cc: Ian Smith, freebsd-security@freebsd.org
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
References: <005a01c176a1$2fe31cf0$962a6ba5@lc.ca.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

The only time I have seen mass 1214 port probes is when running mp3 p2p
clients, like Morpheus or Kazaa.

Eric

(Sorry if someone mentioned this already, I missed a chunk of mail)

Drew Tomlinson wrote:
>
> ----- Original Message -----
> From: "Ian Smith"
> To: "Drew Tomlinson"
> Cc:
> Sent: Monday, November 26, 2001 6:49 AM
> Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
>
> > On Sun, 25 Nov 2001, Drew Tomlinson wrote:
> >
> > > I was looking over my firewall logs this morning and noticed that there
> > > are many attempts to connect to TCP port 1214 from different addresses.
> >
> > Good replies re the specific gadget, but you'll be seeing similar scans
> > for any number of mystery ports to every accessible address in your net.
> >
> > [..]
> >
> > > P.S. 192.168.10.2 is my outside interface to my firewall. I know it is
> > > a private address but it's OK as my ADSL modem/router gets a public
> > > address from my ISP via DHCP and performs NAT for the rest of my
> > > machines.
> > >
> > > > ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> > [..]
> > > > ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> >
> > I don't understand why a firewall, upstream on ed1 as you describe it,
> > would be passing TCP setup for this port on to you in the first place,
> > unless it's a service that's been specifically allowed?
> >
> > Perhaps I misunderstand the topology - is this your local ipfw logging?
>
> My network setup is like this:
>
> ISP
>  |
>  | IP is DHCP (RFC 1918 & draft-manning nets
>  | inbound blocked here)
>  |
> ADSL Modem/Router (provides DNS & NAT)
>  |192.168.10.1 (RFC 1918 & draft-manning nets
>  | outbound blocked here)
>  |
>  |192.168.10.2 (ed1)
>  |
> Firewall (FBSD/IPFW Box)
>  |
>  |192.168.1.2 (ed0)
>  |
> Internal Network 192.168.1.0/24
>
> The ADSL modem/router (3Com OCR 812) is set to forward all packets to
> the FBSD box. The modem/router has limited filtering capabilities
> unless I can figure out how to write what the manual terms as "generic
> packet filters" where one actually calculates the offset and examines
> the next "n" bytes (bits?). But irregardless of the type of filter,
> there is no logging as far as I can tell. I set up the FBSD box as a
> firewall for finer control and so that I could see what's happening via
> log files. In other words, the modem/router is mostly a modem. Because
> I have been unsuccessful in setting it up as a bridge (which is what I
> think I really want), I left NAT running on the router as there's no
> reason to NAT twice.
>
> Ultimately, I would like the modem/router to be a modem only and pass
> *everything* (isn't this what a bridge does?) to ed1 on my FBSD box so I
> may filter it there. When I originally signed up for DSL, the modem my
> telco offered would only work with Windows as there was no "dial-up"
> software for PPPoA. Thus I went for the router as it does the "dial-up"
> internally.
>
> I've fiddled with my setup several times and this is the best I could
> come up with. However I'm always open to suggestions.
>
> Thanks,
>
> Drew

--
-------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------

From owner-freebsd-security Mon Nov 26 10:20:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by hub.freebsd.org (Postfix) with ESMTP id DC2F137B417 for ; Mon, 26 Nov 2001 10:20:06 -0800 (PST)
Received: from user-38lc2nf.dialup.mindspring.com ([209.86.10.239] helo=gohan.cjclark.org) by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 168QMN-0002Py-00; Mon, 26 Nov 2001 10:20:04 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAQ83ID00332; Mon, 26 Nov 2001 00:03:18 -0800 (PST) (envelope-from cjc)
Date: Mon, 26 Nov 2001 00:03:18 -0800
From: "Crist J. Clark"
To: G Brehm
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126000318.B222@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011122031739.A226@gohan.cjclark.org> <20011125013812.9839.qmail@web10106.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011125013812.9839.qmail@web10106.mail.yahoo.com>; from gbbrehm@yahoo.com on Sat, Nov 24, 2001 at 05:38:12PM -0800
X-URL: http://people.freebsd.org/~cjc/

On Sat, Nov 24, 2001 at 05:38:12PM -0800, G Brehm wrote:
[snip]
> I am confused by your bias.
> You'd think if it was firewall OEM pushing one design
> it would go for your preferred, (twice the $).

There _is_ competition in the business. The market share gained by, "We
can protect all of your networks with one machine!" is more important to
firewall retailers than the possibility of selling multiple units to a
single site.

Most corporations underspend on information security. The one machine,
many-interface firewall caters to this group.
--
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Mon Nov 26 10:20:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by hub.freebsd.org (Postfix) with ESMTP id ABE9D37B416 for ; Mon, 26 Nov 2001 10:20:23 -0800 (PST)
Received: from user-38lc2nf.dialup.mindspring.com ([209.86.10.239] helo=gohan.cjclark.org) by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 168QMd-0002Py-00; Mon, 26 Nov 2001 10:20:21 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAQ8JVQ00357; Mon, 26 Nov 2001 00:19:31 -0800 (PST) (envelope-from cjc)
Date: Mon, 26 Nov 2001 00:19:31 -0800
From: "Crist J. Clark"
To: Andre Hall
Cc: myraq@mgm51.com, G Brehm, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126001931.D222@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com> <002801c17564$1b5e2a60$060aa8c0@pcgameauthority.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <002801c17564$1b5e2a60$060aa8c0@pcgameauthority.com>; from ahall@pcgameauthority.com on Sat, Nov 24, 2001 at 07:48:55PM -0800
X-URL: http://people.freebsd.org/~cjc/

On Sat, Nov 24, 2001 at 07:48:55PM -0800, Andre Hall wrote:
[snip]
> There is a reason why most security industry has
> stuck with the approach,

Because it is cheaper and easier to do as a "drop in" solution.

> it is practical

It is actually harder to properly configure. However, the fact many
vendors cater to the market has made the "knowledge base" on the
design fairly deep.

> and a fool proof

It is far, far from fool proof. Security is never fool proof.

> way of guarding
> internal assets while provided the necessary exposures to services others
> need to access.

I do agree that for small sites it may not make sense to devote the
resources to the stronger, layered design. Security is never
absolute. It is always balanced against cost.
--
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Mon Nov 26 10:20:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by hub.freebsd.org (Postfix) with ESMTP id 8DE6A37B417 for ; Mon, 26 Nov 2001 10:20:29 -0800 (PST)
Received: from user-38lc2nf.dialup.mindspring.com ([209.86.10.239] helo=gohan.cjclark.org) by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 168QMk-0002Py-00; Mon, 26 Nov 2001 10:20:28 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAQ89fU00343; Mon, 26 Nov 2001 00:09:41 -0800 (PST) (envelope-from cjc)
Date: Mon, 26 Nov 2001 00:09:41 -0800
From: "Crist J. Clark"
To: MikeM
Cc: G Brehm, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126000941.C222@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111242124560932.023F3386@home.24cl.com>; from MyRaQ@mgm51.com on Sat, Nov 24, 2001 at 09:24:56PM -0500
X-URL: http://people.freebsd.org/~cjc/

On Sat, Nov 24, 2001 at 09:24:56PM -0500, MikeM wrote:
[snip]
> I'm not sure I agree with your comments. Yes, your architecture is more
> akin to the origin of the term "DMZ", but is that the real functionality
> that we want to provide? Should we be more concerned with staying within
> the strict definition of the military term "DMZ" or should our firewalls
> provide the needed function?

The needed function is maintaining defense from the hostile
network. A layered approach is a good way to do this.

> In my "DMZ", the server only sees port 80 traffic. *only port 80* I
> cannot possibly provide that functionality with your strict
> interpretation of a DMZ firewall. Given the options of tossing aside
> your strict definition of DMZ or re-architecting my firewall, I think
> I'd vote for tossing aside your definition.

Why can it not only see such traffic? On the external firewall (and
from the internal network to the server too if you'd like), you only
pass port 80 to and from the server. No other traffic is allowed to
the server. I don't understand why you claim I cannot do this.
--
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Mon Nov 26 10:23:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 9962537B417 for ; Mon, 26 Nov 2001 10:22:37 -0800 (PST)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fAQIMPc39767; Mon, 26 Nov 2001 20:22:25 +0200 (EET) (envelope-from ru)
Date: Mon, 26 Nov 2001 20:22:25 +0200
From: Ruslan Ermilov
To: Danny Carroll
Cc: security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Message-ID: <20011126202225.A38902@sunbay.com>
References:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="KsGdsel6WgEHnImy"
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.23i

--KsGdsel6WgEHnImy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Nov 26, 2001 at 05:02:27PM +0000, Danny Carroll wrote:
> >>rules dynamically. I figured if it works for active clients, it must work
> >>for passive servers?
> >>
> >Yes.
>
> No.... At least it doesn't for me.
>
> >> Am I wrong in this assumption or have I screwed something up?
> >So, you tried it and it did not work? What's the FreeBSD version?
> >
>
> Yes, I tried it and it failed... But I then tried active FTP out and I
> could clearly see two wonderful new rules created right where I wanted them.
>
> I'm using FreeBSD 4.4-RELEASE straight from the ISO.
>
> I can send the firewall rules but since punch_fw is working as an active
> client, there is nothing there that would affect it. I mean it's making
> the control connection fine...
>
Doh, you're right! We don't currently punch firewall holes for 227/229
FTP server replies, for no apparent reason. Could you please try the
attached patch? It worked for me, both for the PASV and EPSV modes
with an FTP server running on a NAT box. You'll have to recompile both
lib/libalias and sbin/natd, in that order.
Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --KsGdsel6WgEHnImy Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: alias_ftp.c =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias_ftp.c,v retrieving revision 1.16 diff -u -p -r1.16 alias_ftp.c --- alias_ftp.c 2001/11/03 11:34:09 1.16 +++ alias_ftp.c 2001/11/26 18:18:59 @@ -483,11 +483,8 @@ NewFtpMessage(struct ip *pip, struct tcphdr *tc; #ifndef NO_FW_PUNCH - if (ftp_message_type == FTP_PORT_COMMAND || - ftp_message_type == FTP_EPRT_COMMAND) { - /* Punch hole in firewall */ - PunchFWHole(ftp_link); - } + /* Punch hole in firewall */ + PunchFWHole(ftp_link); #endif /* Calculate data length of TCP packet */ --KsGdsel6WgEHnImy-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 26 10:52:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (law2-f106.hotmail.com [216.32.181.106]) by hub.freebsd.org (Postfix) with ESMTP id 9C12C37B405; Mon, 26 Nov 2001 10:52:23 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 26 Nov 2001 10:52:23 -0800 Received: from 213.84.199.53 by lw2fd.hotmail.msn.com with HTTP; Mon, 26 Nov 2001 18:52:23 GMT X-Originating-IP: [213.84.199.53] 
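Review bot: with the PORT/EPRT test removed, PunchFWHole(ftp_link) now runs for every ftp_message_type that reaches this point in NewFtpMessage, so what gets punched is decided entirely by what the earlier parsing stored in ftp_link; that code is not in the hunk, so it is worth confirming that a 227 reply whose address differs from the server's own address, or one that did not parse cleanly, cannot reach this call, because the hole is now opened on the strength of a server reply and would otherwise point at whatever address the reply named. The replacement comment "/* Punch hole in firewall */" could also state that server PASV/EPSV replies are covered as well as client PORT/EPRT commands, so the next reader of the NO_FW_PUNCH block knows the old asymmetry was removed deliberately.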
From: "Danny Carroll"
To: ru@FreeBSD.ORG
Cc: security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Date: Mon, 26 Nov 2001 18:52:23 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 26 Nov 2001 18:52:23.0579 (UTC) FILETIME=[7C0CE6B0:01C176AB]

Ruslan,

Works like an absolute charm... You are a legend.

Can anyone see any reason why someone should not do this?

-D

>Doh, you're right! We don't currently punch firewall holes for 227/229
>FTP server replies, for no apparent reason. Could you please try the
>attached patch? It worked for me, both for the PASV and EPSV modes
>with an FTP server running on a NAT box. You'll have to recompile both
>lib/libalias and sbin/natd, in that order.

From owner-freebsd-security Mon Nov 26 10:54:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by hub.freebsd.org (Postfix) with ESMTP id EBDD237B405 for ; Mon, 26 Nov 2001 10:54:40 -0800 (PST)
Received: from randy by rip.psg.com with local (Exim 3.33 #1) id 168Qts-000Bj5-00 for freebsd-security@freebsd.org; Mon, 26 Nov 2001 10:54:40 -0800
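The 227 and 229 replies that Ruslan's patch now acts on carry the address and port of the server's data socket, and that is exactly what a translator has to extract before it can open a matching hole. The following is an added example, not code from the thread and not libalias's own alias_ftp.c: it parses both reply forms from constructed sample strings and applies two sanity checks a defender would want before a hole is opened, namely that the port is not a privileged one and that a PASV reply points back at the server that sent it. The function names, the MIN_DATA_PORT policy, the struct layout and the sample replies are all my own assumptions, not a description of what natd does.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where the server says its data socket is, as extracted from a 227 or
 * 229 reply. EPSV (229) carries only a port: has_addr is 0 and the data
 * connection goes to the same host as the control connection. */
struct ftp_data_ep {
    int has_addr;    /* 1 for PASV (address present), 0 for EPSV */
    uint32_t addr;   /* IPv4 address, host byte order (PASV only) */
    uint16_t port;   /* TCP data port */
};

/* Hypothetical policy: never open a hole toward a privileged port. */
#define MIN_DATA_PORT 1024

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959).
 * Returns 1 and fills *out on success, 0 for anything malformed or for a
 * port the policy refuses. Strict: the parenthesised form is required. */
int parse_pasv_reply(const char *line, struct ftp_data_ep *out)
{
    unsigned v[6];
    const char *p;

    if (strncmp(line, "227", 3) != 0)
        return 0;
    p = strchr(line, '(');
    if (p == NULL)
        return 0;
    if (sscanf(p + 1, "%u,%u,%u,%u,%u,%u",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)              /* every field is a single octet */
            return 0;
    unsigned port = v[4] * 256 + v[5];
    if (port < MIN_DATA_PORT)
        return 0;
    out->has_addr = 1;
    out->addr = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    out->port = (uint16_t)port;
    return 1;
}

/* Parse "229 Entering Extended Passive Mode (|||port|)" (RFC 2428). The
 * delimiter is any printable ASCII character, three times before the port
 * and once after it; only the port is carried. */
int parse_epsv_reply(const char *line, struct ftp_data_ep *out)
{
    const char *p;
    unsigned char d;
    unsigned long port = 0;
    int digits = 0;

    if (strncmp(line, "229", 3) != 0)
        return 0;
    p = strchr(line, '(');
    if (p == NULL)
        return 0;
    d = (unsigned char)p[1];
    if (d < 33 || d > 126)           /* delimiter must be printable ASCII */
        return 0;
    if ((unsigned char)p[2] != d || (unsigned char)p[3] != d)
        return 0;
    p += 4;
    while (isdigit((unsigned char)*p)) {
        port = port * 10 + (unsigned)(*p - '0');
        if (port > 65535)            /* reject out-of-range before overflow */
            return 0;
        p++;
        digits++;
    }
    if (digits == 0 || (unsigned char)*p != d || p[1] != ')')
        return 0;
    if (port < MIN_DATA_PORT)
        return 0;
    out->has_addr = 0;
    out->addr = 0;
    out->port = (uint16_t)port;
    return 1;
}

/* Hypothetical pre-punch check: a PASV reply must name the server that
 * sent it (server_addr in host byte order); an EPSV reply implicitly
 * does. Returns 1 if a hole toward ep may be opened. */
int data_ep_acceptable(const struct ftp_data_ep *ep, uint32_t server_addr)
{
    if (!ep->has_addr)
        return 1;
    return ep->addr == server_addr;
}

int main(void)
{
    /* Constructed replies, as a passive-mode server behind NAT might send. */
    const char *pasv = "227 Entering Passive Mode (192,168,1,10,195,80)\r\n";
    const char *epsv = "229 Entering Extended Passive Mode (|||50000|)\r\n";
    const uint32_t server = 0xC0A8010AU;    /* 192.168.1.10 */
    struct ftp_data_ep ep;

    if (parse_pasv_reply(pasv, &ep))
        printf("PASV: port %u acceptable=%d\n", ep.port, data_ep_acceptable(&ep, server));
    if (parse_epsv_reply(epsv, &ep))
        printf("EPSV: port %u acceptable=%d\n", ep.port, data_ep_acceptable(&ep, server));
    return 0;
}
```

The address check matters once server replies can open holes: a reply naming some other address would otherwise turn the translator into a way of opening the firewall toward a host that never asked for it, which is why the check belongs before, not after, the hole is punched.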
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: freebsd-security@freebsd.org
Subject: crypted remote backup
Message-Id:
Date: Mon, 26 Nov 2001 10:54:40 -0800

i want to back up some large files over the net, like 40gb. i want to do
something like rsync. but i want the data crypted not only as it passes
over the net (rsync over ssh), but also as it resides on the remote disk.
any recommended practice on this?

randy

From owner-freebsd-security Mon Nov 26 11:12:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from athena.comsats.net.pk (athena.comsats.net.pk [210.56.4.8]) by hub.freebsd.org (Postfix) with ESMTP id 4E08B37B405 for ; Mon, 26 Nov 2001 11:12:19 -0800 (PST)
Received: from khi.comsats.net.pk (localhost.localdomain [127.0.0.1]) by athena.comsats.net.pk (8.11.2/8.11.2) with ESMTP id fAQJIGG10274 for ; Tue, 27 Nov 2001 00:18:16 +0500
Received: from ahsanalikh (ppp7-144khi.comsats.net.pk [210.56.7.144] (may be forged)) by khi.comsats.net.pk (8.11.4/8.11.4) with SMTP id fAQJAhi28469 for ; Tue, 27 Nov 2001 00:10:44 +0500 (PKT)
Message-ID: <001901c057dc$c69b9300$0100a8c0@ahsanalikh>
From: "Ahsan Ali"
To:
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com> <002801c17564$1b5e2a60$060aa8c0@pcgameauthority.com> <20011126001931.D222@gohan.cjclark.org>
Subject: Re: Best security topology for FreeBSD
Date: Mon, 27 Nov 2000 00:12:06 +0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

What would the ideal security model for an ISP with a lot of sites and
services hosted be? Clients coming in through access servers and additional
routers/router interfaces. I'd look at number two but apart from the main
authentication servers, there isn't much that goes at the extreme backend,
is there?

-Ahsan

----- Original Message -----
From: "Crist J. Clark"
To: "Andre Hall"
Cc: ; "G Brehm" ;
Sent: Monday, November 26, 2001 1:19 PM
Subject: Re: Best security topology for FreeBSD

> On Sat, Nov 24, 2001 at 07:48:55PM -0800, Andre Hall wrote:
> [snip]
>
> > There is a reason why most security industry has
> > stuck with the approach,
>
> Because it is cheaper and easier to do as a "drop in" solution.
>
> > it is practical
>
> It is actually harder to properly configure. However, the fact many
> vendors cater to the market has made the "knowledge base" on the
> design fairly deep.
>
> > and a fool proof
>
> It is far, far from fool proof. Security is never fool proof.
>
> > way of guarding
> > internal assets while provided the necessary exposures to services others
> > need to access.
>
> I do agree that for small sites it may not make sense to devote the
> resources to the stronger, layered design. Security is never
> absolute. It is always balanced against cost.
> --
> Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Mon Nov 26 11:48:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dg.net.ua (dg.net.ua [213.186.192.10]) by hub.freebsd.org (Postfix) with ESMTP id B043337B405 for ; Mon, 26 Nov 2001 11:48:27 -0800 (PST)
Received: (from hunter@localhost) by dg.net.ua (Latest/Secure) id fAQJm8c04157; Mon, 26 Nov 2001 21:48:08 +0200 (EET)
Message-Id: <200111261948.fAQJm8c04157@dg.net.ua>
Subject: Re: crypted remote backup
In-Reply-To: from Randy Bush at "Nov 26, 2001 10:54:40 am"
To: Randy Bush
Date: Mon, 26 Nov 2001 21:48:08 +0200 (EET)
Cc: freebsd-security@FreeBSD.ORG
From: Sergey Smitienko
X-Mailer: elm
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hello Randy Bush!

> i want to back up some large files over the net, like 40gb. i want to do
> something like rsync. but i want the data crypted not only as it passes
> over the net (rsync over ssh), but also as it resides on the remote disk.
> any recommended practice on this?

cat file | some_encryption_software -with_parameters | ssh -i id.key remotehost "cat > the_big_encrypted_file"

--
The Emperor wants to control the outer space, Yoda wants to explore the inner
space. That's the fundamental difference between the good and the bad sides
of the Force.

From owner-freebsd-security Mon Nov 26 12:20:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id 1A84937B416 for ; Mon, 26 Nov 2001 12:20:40 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id A95F166B27; Mon, 26 Nov 2001 12:20:39 -0800 (PST)
Date: Mon, 26 Nov 2001 12:20:39 -0800
From: Kris Kennaway
To: Randy Bush
Cc: freebsd-security@freebsd.org
Subject: Re: crypted remote backup
Message-ID: <20011126122039.C13902@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="3siQDZowHQqNOShm"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from randy@psg.com on Mon, Nov 26, 2001 at 10:54:40AM -0800

--3siQDZowHQqNOShm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Nov 26, 2001 at 10:54:40AM -0800, Randy Bush wrote:
> i want to back up some large files over the net, like 40gb. i want to do
> something like rsync. but i want the data crypted not only as it passes
> over the net (rsync over ssh), but also as it resides on the remote disk.
> any recommended practice on this?

Break it into chunks on the local system (e.g. tar -L), encrypt them
with openssl(1) and then send that to the remote system over an
authenticated link (e.g. ssh)

Kris

--3siQDZowHQqNOShm
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8AqQWWry0BWjoQKURAo4tAJ0ZdncggWuVqVgDAJ9QLgUeRAWkZgCg2hyU
KE2EiGWWkz0wxoVI0PJ6h5U=
=jn+s
-----END PGP SIGNATURE-----

--3siQDZowHQqNOShm--

From owner-freebsd-security Mon Nov 26 15:06:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rfnj.org (rfnj.org [216.239.237.194]) by hub.freebsd.org (Postfix) with ESMTP id 3483F37B419 for ; Mon, 26 Nov 2001 15:05:52 -0800 (PST)
Received: from megalomaniac.biosys.net (megalomaniac.rfnj.org [216.239.237.200]) by rfnj.org (Postfix) with ESMTP id 7F622136F3 for ; Mon, 26 Nov 2001 18:09:54 -0500 (EST)
Message-Id: <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
X-Sender: asym@rfnj.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 26 Nov 2001 18:07:21 -0500
To: freebsd-security@freebsd.org
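Sergey's one-liner and Kris's chunk-then-encrypt advice describe the same pipeline: encrypt locally, so the remote disk only ever holds ciphertext, and let ssh protect the transfer. The script below is an added example, not code from either message: it splits a constructed input into pieces, encrypts each with openssl(1), writes a manifest so a restore can be checked piece by piece, and verifies the round trip. The function names, the 1 MiB piece size, the key-file layout and the use of a local directory copy in place of the ssh transfer are my own choices so that it runs offline.

```sh
#!/bin/sh
# Added example (not from the thread): chunk, encrypt, manifest, verify.
# Assumed layout: KEYFILE holds the passphrase; pieces are named chunk.aa,
# chunk.ab, ... by split(1); the ssh hop is stood in for by cp -R.
set -eu

CHUNK_BYTES=1048576   # 1 MiB per piece; a real backup would use far larger

# encrypt_chunks SRC OUTDIR KEYFILE
# Splits SRC into pieces, encrypts each with AES-256-CBC (key derived from
# the passphrase in KEYFILE by PBKDF2, fresh random salt per piece), and
# records "<piece> <sha256 of the ciphertext>" in OUTDIR/manifest.
encrypt_chunks() {
    src=$1; out=$2; keyfile=$3
    mkdir -p "$out"
    work=$(mktemp -d)
    split -b "$CHUNK_BYTES" "$src" "$work/chunk."
    : > "$out/manifest"
    for piece in "$work"/chunk.*; do          # lexical order is file order
        name=$(basename "$piece")
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" \
            -in "$piece" -out "$out/$name.enc" < /dev/null
        digest=$(openssl dgst -sha256 -r "$out/$name.enc" | cut -d' ' -f1)
        printf '%s %s\n' "$name" "$digest" >> "$out/manifest"
    done
    rm -rf "$work"
}

# decrypt_chunks INDIR KEYFILE DEST
# Checks each piece's ciphertext digest against the manifest, decrypts it,
# and appends it to DEST. Returns non-zero on a damaged piece or a bad key.
decrypt_chunks() {
    in=$1; keyfile=$2; dest=$3
    : > "$dest"
    while read -r name digest; do
        got=$(openssl dgst -sha256 -r "$in/$name.enc" | cut -d' ' -f1)
        if [ "$got" != "$digest" ]; then
            echo "digest mismatch in $name" >&2
            return 1
        fi
        openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" \
            -in "$in/$name.enc" < /dev/null >> "$dest"
    done < "$in/manifest"
}

# roundtrip_demo: constructed 2.5 MiB input, encrypt, "ship" (a copy standing
# in for rsync/scp over ssh), restore from the copy, compare. Prints "ok".
roundtrip_demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/big.bin" bs=524288 count=5 2>/dev/null
    openssl rand -hex 32 > "$d/backup.key"        # passphrase never leaves here
    encrypt_chunks "$d/big.bin" "$d/staging" "$d/backup.key"
    cp -R "$d/staging" "$d/remote"
    decrypt_chunks "$d/remote" "$d/backup.key" "$d/restored.bin"
    if cmp -s "$d/big.bin" "$d/restored.bin"; then echo ok; else echo FAIL; fi
    rm -rf "$d"
}

roundtrip_demo
```

Two design points worth noting. The manifest digests the ciphertext, not the plaintext: a plaintext digest stored beside the backup would let whoever holds the remote disk confirm guesses about what the backup contains. And a digest only catches corruption in transit or at rest; CBC itself has no integrity protection, so against a remote that could rewrite both the pieces and the manifest the manifest needs to be signed or keyed (an HMAC with a second key kept local), with the key material never stored alongside the data.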
From: Allen Landsidel
Subject: Re: Best security topology for FreeBSD
In-Reply-To: <20011124224858.B228@gohan.cjclark.org>
References: <200111231250.fANCoha19105@cwsys.cwsent.com> <20011122031739.A226@gohan.cjclark.org> <200111231250.fANCoha19105@cwsys.cwsent.com>

>Defense in depth. Examples: A glitch/security breach in Firewall1's
>ruleset/software does not necessarily expose the internal network.
>Any vulnerabilities in Firewall2 are harder to exploit when protected
>by Firewall1.

I have to say.. I've been biting my tongue on this topic, but I feel like speaking up now.

The above paragraph is well and good for actual firewalls (like you find in vehicles) and actual DMZ's (like you find in a warzone) because depth means that many more layers of opposing force you have to fight your way through.

It seems pretty meaningless however when applied to a network.(*)

Chances are if an attacker can compromise "Firewall1" then they can use an identical exploit/hole/vulnerability to exploit "Firewall2." In war, there are such exploits, and they're called bullets. They are not however, magic bullets, that always hit their targets and disable them in such a way that they immediately talk when captured. In the IT definition, they are exactly that.

It would be best if we just stick to the terminology as it's been adopted, but try and not carry the metaphor too far.. it just falls down.

The only case where the second example may prove more secure in protecting the inside network is if the machines in the DMZ are the ones compromised, and not the firewalls themselves.

Consider this, however: The DMZ is used to contain normally "insecure" services such as web, ftp and mail servers.
The area past the firewall(s) would ideally contain machines to which no incoming connections are allowed to be initiated. The flip side of this is that the machines furthest to the inside are those that are most often operated by unclued users who are historically very good at running trojans, viruses, and other malicious code on their machines without proper investigation. In any event, the first configuration, with the DMZ hanging off the firewall (or more likely, off the same switch/hub that the firewall is connected to) is likely more secure than the two firewall option with the DMZ in the middle.

If you run your DMZ servers with only things listening on the port that you configured to listen on the port, and there are vulnerabilities in said servers, then they will be accessible no matter which side of the firewall(s) the server is on; If not, what's the point in the service? So, the question is, would you rather have a machine compromised inside one of your firewalls, or outside of it? Personally, I'd rather have it on the outside, where the chances of a compromise affecting the security of the other machines in the DMZ is negligible, and the chance of compromising the security of machines inside the firewall is no higher than it was before the attack took place.

(*) I'm assuming that while the configuration may be different, the firewalls are virtually identical when it comes to the OS and Firewall itself; The same vulnerability is more than likely to exist in both, if it exists in either. If you have two different firewalls, not only in name and configuration but in OS and firewall software (ipfw/ipf/whatever) as well, then you've got a 50/50 chance of either strengthening or weakening the net security to the inside of both.
From owner-freebsd-security Mon Nov 26 15:52:16 2001
To: randy@psg.com (Randy Bush)
Cc: freebsd-security@freebsd.org
Subject: Re: crypted remote backup
From: aditya@grot.org (R.P. Aditya)
In-Reply-To: (randy@psg.com's message of "Mon, 26 Nov 2001 18:54:54 +0000 (UTC)")
Date: 26 Nov 2001 15:52:12 -0800

Randy,

> i want to back up some large files over the net, like 40gb. i want to
> do something like rsync. but i want the data crypted not only as it
> passes over the net (rsync over ssh), but also as it resides on the
> remote disk. any recommended practice on this?

If you want rsync to only copy the updated/modified stuff you'll have to do the encryption on the "source" server and keep it in a separate "tree"...and using PGP/GPG to do the encryption is the easiest way I've found to do it.

Adi

From owner-freebsd-security Mon Nov 26 15:57:32 2001
Date: Mon, 26 Nov 2001 18:58:33 -0500
From: The Anarcat
To: Allen Landsidel
Cc: freebsd-security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126235832.GB1281@shall.anarcat.dyndns.org>
References: <200111231250.fANCoha19105@cwsys.cwsent.com> <20011122031739.A226@gohan.cjclark.org> <200111231250.fANCoha19105@cwsys.cwsent.com> <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
In-Reply-To: <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>

On Mon Nov 26, 2001 at 06:07:21PM -0500, Allen Landsidel wrote:
>
> >Defense in depth. Examples: A glitch/security breach in Firewall1's
> >ruleset/software does not necessarily expose the internal network.
> >Any vulnerabilities in Firewall2 are harder to exploit when protected
> >by Firewall1.
>
> I have to say.. I've been biting my tongue on this topic, but I feel like
> speaking up now.
>
> The above paragraph is well and good for actual firewalls (like you find in
> vehicles) and actual DMZ's (like you find in a warzone) because depth means
> that many more layers of opposing force you have to fight your way through.
>
> It seems pretty meaningless however when applied to a network.(*)
>
> (*) I'm assuming that while the configuration may be different, the
> firewalls are virtually identical when it comes to the OS and Firewall
> itself; The same vulnerability is more than likely to exist in both, if it
> exists in either.

Agreed.
But even then, you might put different software and OS on each machine. :)

> If you have two different firewalls, not only in name
> and configuration but in OS and firewall software (ipfw/ipf/whatever) as
> well, then you've got a 50/50 chance of either strengthening or weakening the
> net security to the inside of both.

No. You have a 50/50 chance of strengthening your network. I don't think you can *weaken* (sp?) it since the machines are placed in series, not in parallel. The alternative to the dual config is to put a single machine, right? How can you weaken your network by putting another gate, even if it is breakable as much as the first one? You might not strengthen, but you sure do not weaken.

> The only case where the second example may prove more secure in protecting
> the inside network is if the machines in the DMZ are the ones compromised,
> and not the firewalls themselves.

So we here have a case where the network is actually strengthened and no case where it is weaker.

> Consider this, however: The DMZ is used to contain normally "insecure"
> services such as web, ftp and mail servers. The area past the firewall(s)
> would ideally contain machines to which no incoming connections are allowed
> to be initiated. The flip side of this is that the machines furthest to
> the inside are those that are most often operated by unclued users who are
> historically very good at running trojans, viruses, and other malicious
> code on their machines without proper investigation. In any event, the
> first configuration, with the DMZ hanging off the firewall (or more likely,
> off the same switch/hub that the firewall is connected to) is likely more
> secure than the two firewall option with the DMZ in the middle.

Why?
> If you run your DMZ servers with only things listening on the port that you
> configured to listen on the port, and there are vulnerabilities in said
> servers, then they will be accessible no matter which side of the
> firewall(s) the server is on; If not, what's the point in the service?

Not. Some services are internal, some are external. And the firewall should control that, not the server.

> So,
> the question is, would you rather have a machine compromised inside one of
> your firewalls, or outside of it?

Er... You're going to put this machine where then? Outside your firewall? I'm not following you.

> Personally, I'd rather have it on the
> outside, where the chances of a compromise affecting the security of the
> other machines in the DMZ is negligible, and the chance of compromising the
> security of machines inside the firewall is no higher than it was before
> the attack took place.

You'll have to define your "firewall"'s definition, I guess, because it is imprecise. Whether you have the single or dual configuration, you always have the machine "inside the firewall"...

Having a dual firewall setup is easier to set up, IMHO. Another advantage I see: if a machine is broken or DOS'd, you pull the plug and cut off only a *part* of the services. In other words, you don't have performance penalties for outside and inside services. :)

The 2 firewalls are still independent services and an attack that affects the first one *might* affect the second one, but not necessarily. And in order to do this, it must get to it in the first place, which means breaking into it. If you have a single firewall, it can be DOS attacked and the 2 functionalities (services) are affected.

a.
From owner-freebsd-security Mon Nov 26 17:12:45 2001
From: Randy Bush
To: aditya@grot.org (R.P. Aditya)
Cc: freebsd-security@freebsd.org
Subject: Re: crypted remote backup
Date: Mon, 26 Nov 2001 17:12:41 -0800

> If you want rsync to only copy the updated/modified stuff you'll have
> to do the encryption on the "source" server and keep it in a separate
> "tree"

so i have been thinking

> and using PGP/GPG to do the encryption is the easiest way I've found to
> do it.

is this feasible for 2GB files?

randy

From owner-freebsd-security Mon Nov 26 17:17:36 2001
Message-ID: <009c01c176e1$9025f390$6e00a8c0@kushkush>
From: "Bara Zani"
Subject: freebsd 4.4 finger tips ?
Date: Mon, 26 Nov 2001 20:19:29 -0500

Hi,
I am running freebsd 4.4 release and ipfilter as a dsl gateway to a home network. ipfilter is configured to allow only ssh and https in from tun0. nevertheless nmap will identify the os as freebsd 4.something. how can i erase the finger tips?

barazani

From owner-freebsd-security Mon Nov 26 17:47:21 2001
Date: Mon, 26 Nov 2001 20:47:13 -0500 (EST)
From: "Stephen T. Shipley"
Message-Id: <200111270147.fAR1lDk16602@e-shipley.com>
To: freebsd-security@FreeBSD.ORG, randy@psg.com
Subject: Re: crypted remote backup

Configure rsync.conf on source server (with 40g file) and run as a daemon. Provide a net name like "www" for alias to path. And possibly run from one of the /etc/periodic/daily scripts like this (on destination box).

/usr/local/bin/rsync -e /usr/bin/ssh -avz ::www /usr/local/www/data/home_something_destination && rc=0||rc=3

Updates quickly and only what has changed. If I'm mistaken please let me know if I'm open on this one.

--Steve

From owner-freebsd-security Mon Nov 26 17:53:24 2001
Date: Mon, 26 Nov 2001 17:53:20 -0800
From: Kris Kennaway
To: Randy Bush
Cc: "R.P. Aditya", freebsd-security@freebsd.org
Subject: Re: crypted remote backup
Message-ID: <20011126175320.C20635@xor.obsecurity.org>
In-Reply-To: ; from randy@psg.com on Mon, Nov 26, 2001 at 05:12:41PM -0800

On Mon, Nov 26, 2001 at 05:12:41PM -0800, Randy Bush wrote:
> > If you want rsync to only copy the updated/modified stuff you'll have
> > to do the encryption on the "source" server and keep it in a separate
> > "tree"
>
> so i have been thinking
>
> > and using PGP/GPG to do the encryption is the easiest way I've found to
> > do it.
>
> is this feasible for 2GB files?

I wouldn't recommend using it on all 2GB..a single bit error will render your backup useless. That's why I suggested breaking the file into chunks in my earlier mail. I wouldn't recommend using PGP either; you probably don't need it, and it will be slower than alternatives. Just use OpenSSL..e.g. an appropriate symmetric cipher and passphrase.
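Added example, not code from any message in this thread: a POSIX shell script that builds the encrypted chunk tree Kris and Adi describe (split the file into chunks, encrypt each with openssl(1) symmetric encryption, rsync the tree over ssh). It keeps a local-only index of plaintext chunk digests so unchanged chunks are not re-encrypted (openssl's fresh salt per run would otherwise rewrite every ciphertext and defeat rsync's delta copying), and a ciphertext manifest so one damaged chunk is detected and re-sent on its own instead of ruining the whole backup. Function names, the manifest layout and the sample data are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): incremental encrypted chunk tree for
# rsync. Assumed tools: openssl(1), split(1), and sha256sum(1) (Linux),
# sha256(1) (FreeBSD) or shasum(1). Names and layout are my own choices.
set -eu

# Plaintext chunk size in bytes. 64 KiB is a constructed demo value; for
# 40 GB of backups something like 100 MiB per chunk is more sensible.
CHUNK_BYTES=${CHUNK_BYTES:-65536}

# Portable SHA-256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# encrypt_tree SRC OUT STATE PASSFILE
#   SRC       plaintext file to back up (e.g. a tar archive)
#   OUT       tree of encrypted chunks plus OUT/SHA256 (digests of the
#             ciphertext); this is the directory you rsync to the remote host
#   STATE     local-only index "<sha256 of plaintext chunk> <chunk name>";
#             it never leaves this machine, so the remote end learns
#             nothing about the plaintext from it
#   PASSFILE  file holding the passphrase (keep it mode 0600)
# Each chunk is encrypted independently (AES-256-CBC, key derived from the
# passphrase with PBKDF2), so a bit error costs one chunk, not the backup.
# A chunk is re-encrypted only when its plaintext digest changed, because
# "openssl enc -salt" picks a fresh salt every run and re-encrypting all
# chunks would make rsync copy the whole tree again.
# Prints the number of chunks (re)encrypted.
encrypt_tree() {
    src=$1; out=$2; state=$3; passfile=$4
    work=$(mktemp -d)
    mkdir -p "$out"
    touch "$state"
    split -b "$CHUNK_BYTES" -a 5 "$src" "$work/chunk."
    changed=0
    : > "$state.new"
    : > "$out/SHA256.new"
    for plain in "$work"/chunk.*; do
        name=$(basename "$plain")
        pdigest=$(sha256_of "$plain")
        old=$(grep " $name\$" "$state" | cut -d' ' -f1 || true)
        if [ "$old" != "$pdigest" ] || [ ! -f "$out/$name.enc" ]; then
            openssl enc -aes-256-cbc -pbkdf2 -salt \
                -pass "file:$passfile" -in "$plain" -out "$out/$name.enc"
            changed=$((changed + 1))
        fi
        echo "$pdigest $name" >> "$state.new"
        echo "$(sha256_of "$out/$name.enc") $name.enc" >> "$out/SHA256.new"
    done
    mv "$state.new" "$state"
    mv "$out/SHA256.new" "$out/SHA256"
    # Drop ciphertext chunks that a now-shorter source no longer has.
    for enc in "$out"/chunk.*.enc; do
        [ -f "$enc" ] || continue
        grep -q " $(basename "$enc")\$" "$out/SHA256" || rm -f "$enc"
    done
    rm -rf "$work"
    echo "$changed"
}

# decrypt_tree OUT PASSFILE DEST
# Checks every ciphertext chunk against OUT/SHA256 before decrypting, so a
# damaged chunk is reported by name (and can be re-synced on its own)
# instead of silently turning into garbage; the intact chunks are
# concatenated into DEST in manifest order. Prints the number of damaged
# chunks.
decrypt_tree() {
    out=$1; passfile=$2; dest=$3
    bad=0
    : > "$dest"
    while read -r digest name; do
        if [ "$(sha256_of "$out/$name")" != "$digest" ]; then
            echo "damaged chunk: $name" >&2
            bad=$((bad + 1))
            continue
        fi
        openssl enc -d -aes-256-cbc -pbkdf2 \
            -pass "file:$passfile" -in "$out/$name" >> "$dest"
    done < "$out/SHA256"
    echo "$bad"
}

# Shipping the tree (not run here): only changed chunks and the manifest
# cross the wire, inside ssh, and only ciphertext lands on the remote disk.
#   rsync -av --delete -e ssh /path/to/out/ backuphost:/backups/tree/
```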
Kris

From owner-freebsd-security Mon Nov 26 17:54:19 2001
Date: Mon, 26 Nov 2001 17:54:10 -0800
From: Kris Kennaway
To: Bara Zani
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd 4.4 finger tips ?
Message-ID: <20011126175410.D20635@xor.obsecurity.org>
In-Reply-To: <009c01c176e1$9025f390$6e00a8c0@kushkush>; from bara_zani@yahoo.com on Mon, Nov 26, 2001 at 08:19:29PM -0500

On Mon, Nov 26, 2001 at 08:19:29PM -0500, Bara Zani wrote:
> Hi,
> I am running freebsd 4.4 release and ipfilter as a dsl gateway to a home
> network.
> ipfilter is configured to allow only ssh and https in from tun0.
> nevertheless nmap will identify the os as freebsd 4.something.
> how can i erase the finger tips?

Don't send or receive any traffic to or from the internet. This may conflict with your intended uses for the system.
Kris

From owner-freebsd-security Mon Nov 26 17:58:38 2001
Message-Id: <5.1.0.14.0.20011126205442.043d1fe0@192.168.0.12>
Date: Mon, 26 Nov 2001 20:58:17 -0500
To: Kris Kennaway
From: Mike Tancsa
Subject: Re: crypted remote backup
Cc: freebsd-security@freebsd.org
In-Reply-To: <20011126175320.C20635@xor.obsecurity.org>

What is password security like in programs like RAR? The warez traders seem to like to use it for posting to newsgroups because you can add extra recovery information into each of the parts/volumes. There is also a built in encryption option. Do you think it is sufficiently safe?

---Mike

At 05:53 PM 11/26/2001 -0800, Kris Kennaway wrote:
>On Mon, Nov 26, 2001 at 05:12:41PM -0800, Randy Bush wrote:
> > > If you want rsync to only copy the updated/modified stuff you'll have
> > > to do the encryption on the "source" server and keep it in a separate
> > > "tree"
> >
> > so i have been thinking
> >
> > > and using PGP/GPG to do the encryption is the easiest way I've found to
> > > do it.
> >
> > is this feasible for 2GB files?
>
>I wouldn't recommend using it on all 2GB..a single bit error will
>render your backup useless. That's why I suggested breaking the file
>into chunks in my earlier mail. I wouldn't recommend using PGP
>either; you probably don't need it, and it will be slower than
>alternatives. Just use OpenSSL..e.g. an appropriate symmetric cipher
>and passphrase.
>
>Kris

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Mon Nov 26 18:09:15 2001
Date: Mon, 26 Nov 2001 18:09:11 -0800
From: Kris Kennaway
To: Mike Tancsa
Cc: Kris Kennaway, freebsd-security@freebsd.org
Subject: Re: crypted remote backup
Message-ID: <20011126180911.B21006@xor.obsecurity.org>
References: <20011126175320.C20635@xor.obsecurity.org> <5.1.0.14.0.20011126205442.043d1fe0@192.168.0.12>
In-Reply-To: <5.1.0.14.0.20011126205442.043d1fe0@192.168.0.12>; from mike@sentex.net on Mon, Nov 26, 2001 at 08:58:17PM -0500

On Mon, Nov 26, 2001 at 08:58:17PM -0500, Mike Tancsa wrote:
>
> What is password security like in programs like RAR? The warez traders
> seem to like to use it for posting to newsgroups because you can add extra
> recovery information into each of the parts/volumes. There is also a built
> in encryption option. Do you think it is sufficiently safe?

I don't know enough about it to evaluate it. It all depends on what encryption algorithm they use.
Kris

From owner-freebsd-security Mon Nov 26 18:27:15 2001
Date: Mon, 26 Nov 2001 21:27:03 -0500 (EST)
From: Matt Piechota
Subject: Re: crypted remote backup
In-Reply-To: <5.1.0.14.0.20011126205442.043d1fe0@192.168.0.12>
Message-ID: <20011126212255.M25710-100000@cithaeron.argolis.org>

On Mon, 26 Nov 2001, Mike Tancsa wrote:
>
> What is password security like in programs like RAR? The warez traders
> seem to like to use it for posting to newsgroups because you can add extra
> recovery information into each of the parts/volumes. There is also a built
> in encryption option. Do you think it is sufficiently safe?

While you're at it, you might want to look at http://sourceforge.net/projects/parchive/ It's a utility to recreate parts of split files that become damaged or lost. It's basically RAID for files. I haven't used it myself on BSD, but I tried it on a Windows box, and it did as advertised.

--
Matt Piechota

From owner-freebsd-security Mon Nov 26 20:36:53 2001
Message-Id: <5.1.0.14.0.20011126232315.00a8fce0@rfnj.org>
Date: Mon, 26 Nov 2001 23:38:01 -0500
To: freebsd-security@freebsd.org
From: Allen Landsidel
Subject: Re: Best security topology for FreeBSD

At 06:58 PM 11/26/2001 -0500, The Anarcat wrote:
>No. You have a 50/50 chance of strengthening your network. I don't think
>you can *weaken* (sp?) it since the machines are placed in series, not in

Spelling is correct, conclusion incorrect. Imagine :

You have Firewall_A letting packet X through. Firewall_B is also letting packet X through, because X matches the rules on both that say the packet is safe. Uh-oh, X was actually a malicious packet that (pardon a contrived example) crashes Firewall_B after running some code that it inserted before smashing the stack.

Now Firewall_B is open, and Firewall_A may as well be, because any packets that Firewall_A would have blocked can simply be tunneled through a connection to compromised Firewall_B.

>So we here have a case where the network is actually strengthened and no
>case where it is weaker.

--snip--

No reply here. Read above.

> > Consider this, however: The DMZ is used to contain normally "insecure"
> > services such as web, ftp and mail servers. The area past the firewall(s)
> > would ideally contain machines to which no incoming connections are
> allowed
> > to be initiated. The flip side of this is that the machines furthest to
> > the inside are those that are most often operated by unclued users who are
> > historically very good at running trojans, viruses, and other malicious
> > code on their machines without proper investigation. In any event, the
> > first configuration, with the DMZ hanging off the firewall (or more
> likely,
> > off the same switch/hub that the firewall is connected to) is likely more
> > secure than the two firewall option with the DMZ in the middle.
>
>Why?
Because traffic will be exposed that normally wouldn't be; In a one firewall suggestion with the DMZ being just some ethernet ports hanging off the same device that the firewall plugs into, you'll be forced to assume that everything going on outside the firewall is fair game for sniffing, spoofing, whatever. A two machine system gives you a false sense of security inside the DMZ.

>Not. Some services are internal, some are external. And the firewall
>should control that, not the server.

So your answer is to leave every insecure piece of junk server listening on all the machines, and just block them with the firewall. Pardon me while I fire you.

> > So,
> > the question is, would you rather have a machine compromised inside one of
> > your firewalls, or outside of it?
>
>Er... You're going to put this machine where then? Outside your
>firewall? I'm not following you.

Now I'm not following you.. put what machine? The compromised machine? Assuming one does get compromised, would you rather have it :

A) Inside one of your firewalls you thought was secure.

or

B) Outside your firewall, where even if it -is- compromised, the security of the interior is not breached along with it.

> > Personally, I'd rather have it on the
> > outside, where the chances of a compromise affecting the security of the
> > other machines in the DMZ is negligible, and the chance of compromising
> the
> > security of machines inside the firewall is no higher than it was before
> > the attack took place.
>
>You'll have to define your "firewall"'s definition, I guess, because it
>is imprecise. Whether you have the single or dual configuration, you
>always have the machine "inside the firewall"...

No, in the single-firewall method there is only one firewall, and all the untrusted servers hang off the DMZ on the outside.

>Having a dual firewall setup is easier to set up, IMHO. Another advantage I
>see: if a machine is broken or DOS'd, you pull the plug and cut off only
>a *part* of the services.
In other words, you don't have performances >penalties for oustide and inside services. :) I don't follow this logic at all. Let N = Number of machines you currently have, and W = Work required to set up and maintain. your network; L = Labor required to set up just one machine. Most of us know pretty much that W = N * L. Are you saying that with N + 1, W is suddenly not only less than (2 * N * L), but also less than the original N * L? The "performance penalties" part of it was utter gibberish to me. >The 2 firewalls are still independant services and an attack that >affects the first one *might* affect the second one, but not necessarly. >And in order to do this, it must get to it in the first place, which >means breaking into it. If you have a single firewall, it can be DOS >attacked and the 2 functionalities (services) are affected. You missed the point. Say you do (what most people will do when setting up this configuration) is buy two identical machines, install the identical OS onto them, and set up identical services.. minimal as they may be for a firewall. At this point, the differences enter, entirely in the firewall rulesets. If someone can compromise the first firewall through some bug or vulnerability, chances are near 100% that they can compromise the second one the exact same way. How would the packets reach the second one you say? Well.. um.. they've already circumvented the first one, so what's stopping them? 
From owner-freebsd-security Mon Nov 26 20:40:48 2001
From: guru@optymalni.com
Message-ID: <1006817941@MARCIN_XP>
Date: Mon, 26 Nov 2001 23:39:01 -0500
Subject: messanger and file sharing
To: freebsd-security@FreeBSD.ORG
Reply-To: guru@optymalni.com

I saw you participating in a security newsgroup. I'm evaluating a new product available at www.cryptoheaven.com (with source) and would like your opinion and evaluation of the user experience as well as its security features. I find the folder sharing features quite useful and unique. Any feedback is welcome, thanks in advance. You can contact me at the cryptoheaven network when you log in, my user id is 1293.

Guru

From owner-freebsd-security Mon Nov 26 20:49:18 2001
From: guru@optymalni.com
Message-ID: <1006818452@MARCIN_XP>
Date: Mon, 26 Nov 2001 23:47:31 -0500
Subject: messanger and file sharing
To: security@FreeBSD.ORG
Reply-To: guru@optymalni.com

I saw you participating in a security newsgroup. I'm evaluating a new product available at www.cryptoheaven.com (with source) and would like your opinion and evaluation of the user experience as well as its security features. I find the folder sharing features quite useful and unique. Any feedback is welcome, thanks in advance. You can contact me at the cryptoheaven network when you log in, my user id is 1293.

Guru

From owner-freebsd-security Mon Nov 26 21:39:15 2001
Date: Tue, 27 Nov 2001 00:40:31 -0500
From: The Anarcat
To: Allen Landsidel
Cc: freebsd-security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011127054030.GB5828@shall.anarcat.dyndns.org>
References: <5.1.0.14.0.20011126232315.00a8fce0@rfnj.org>
In-Reply-To: <5.1.0.14.0.20011126232315.00a8fce0@rfnj.org>

On Mon Nov 26, 2001 at 11:38:01PM -0500, Allen Landsidel wrote:
> At 06:58 PM 11/26/2001 -0500, The Anarcat wrote:
>
>
> >No. You have a 50/50 chance of strengthening your network. I don't think
> >you can *weaken* (sp?) it since the machines are placed in series, not in
>
> Spelling is correct, conclusion incorrect.
>
> Imagine: You have Firewall_A letting packet X through. Firewall_B is also
> letting packet X through, because X matches the rules on both that say the
> packet is safe. Uh-oh, X was actually a malicious packet that (pardon a
> contrived example) crashes Firewall_B after running some code that it
> inserted before smashing the stack.
>
> Now Firewall_B is open, and Firewall_A may as well be, because any packets
> that Firewall_A would have blocked can simply be tunneled through a
> connection to compromised Firewall_B.

Yes. But a single firewall design is also vulnerable to this attack. The same way.

> >So we here have a case where the network is actually strengthened and no
> >case where it is weaker.
>
> No reply here. Read above.

Same here. ;)

> >> Consider this, however: The DMZ is used to contain normally "insecure"
> >> services such as web, ftp and mail servers. The area past the
> >firewall(s)
> >> would ideally contain machines to which no incoming connections are
> >allowed
> >> to be initiated. The flip side of this is that the machines furthest to
> >> the inside are those that are most often operated by unclued users who
> >are
> >> historically very good at running trojans, viruses, and other malicious
> >> code on their machines without proper investigation. In any event, the
> >> first configuration, with the DMZ hanging off the firewall (or more
> >likely,
> >> off the same switch/hub that the firewall is connected to) is likely more
> >> secure than the two firewall option with the DMZ in the middle.
> >
> >Why?
>
> Because traffic will be exposed that normally wouldn't be; in a one
> firewall suggestion with the DMZ being just some ethernet ports hanging off
> the same device that the firewall plugs into, you'll be forced to assume
> that everything going on outside the firewall is fair game for sniffing,
> spoofing, whatever. A two machine system gives you a false sense of
> security inside the DMZ.

So you say it is more secure because it doesn't give you a false sense of security? Interesting. I guess it's a good point.

> >Not. Some services are internal, some are external. And the firewall
> >should control that, not the server.
>
> So your answer is to leave every insecure piece of junk server listening on
> all the machines, and just block them with the firewall. Pardon me while I
> fire you.

No. You misunderstood. And you snipped the context of my answer.. This was the context:

> If you run your DMZ servers with only things listening on the port that you
> configured to listen on the port, and there are vulnerabilities in said
> servers, then they will be accessible no matter which side of the
> firewall(s) the server is on; If not, what's the point in the service?

I say, no. They will not be accessible all-round, first because they have host-restrictions algorithms such as host.access and second because the firewall will block some traffic accessing illegitimate port/address combinations.

> >> So,
> >> the question is, would you rather have a machine compromised inside one
> >of
> >> your firewalls, or outside of it?
> >
> >Er... You're going to put this machine where then? Outside your
> >firewall? I'm not following you.
>
> Now I'm not following you.. put what machine? The compromised
> machine?

Yes.

> Assuming one does get compromised, would you rather have it:
> A) Inside one of your firewalls you thought was secure.
> or
> B) Outside your firewall, where even if it -is- compromised, the
> security of the interior is not breached along with it.

I am confused here. If it is in the DMZ, it is still "in" the firewall, no? Whether the design of the firewall is single or dual, the DMZ is still "in" the firewall.

> >> Personally, I'd rather have it on the
> >> outside, where the chances of a compromise affecting the security of the
> >> other machines in the DMZ is negligible, and the chance of compromising
> >the
> >> security of machines inside the firewall is no higher than it was before
> >> the attack took place.
> >
> >You'll have to define your "firewall"'s definition, I guess, because it
> >is imprecise. Whether you have the single or dual configuration, you
> >always have the machine "inside the firewall"...
>
> No, in the single-firewall method there is only one firewall, and all the
> untrusted servers hang off the DMZ on the outside.

Then we have a definition problem. I consider a firewall as not a single piece of soft/hardware, but as a set of it.

It's basically an implementation detail to choose a single or dual firewall setup. I'm just saying that one does not weaken the system's security, apart from the "false sense of security" you mentioned that I consider solvable with proper education. :)

The firewall, whether it is single or dual, has the same functionality, in the presence of a DMZ:

(2 designs of dual fw):              (and a single fw design):

  out        out                          out
   |          |                            |
  fw1        fw1----+                      |
   |          |     |                      |
  dmz        dmz    |                 fw ---- dmz
   |          |     |                      |
  fw2        fw2----+                      |
   |          |                            |
  in         in                           in

In the second one, you setup a private line between the 2 fws to have direct traffic let through unsniffable directly by the dmz. That is, even if you let direct traffic, where you might prefer having proxies somewhere to avoid direct traffic.

From my point of view, the "firewall" in these drawings, is composed of fw1 and fw2 in the dual design, and just fw in the second one.

So the dmz is always "within" the firewall, since the single fw design wraps the functionality of fw1 and fw2 within itself to allow access to the dmz:

   out
    |
  +---+
  |fw1|---+
  +---+   dmz
  |fw2|---+
  +---+
    |
   in

> >Having a dual firewall setup is easier to setup, IMHO. Another advantage I
> >see: if a machine is broke or DOS'd, you pull the plug and cut off only
> >a *part* of the services. In other words, you don't have performance
> >penalties for outside and inside services. :)
>
> I don't follow this logic at all. Let N = Number of machines you currently
> have, and W = Work required to set up and maintain your network; L =
> Labor required to set up just one machine. Most of us know pretty much
> that W = N * L. Are you saying that with N + 1, W is suddenly not only
> less than (2 * N * L), but also less than the original N * L?

If you want to get into this...

Could I modify the equation to say: W = N * L * C where C is a variable measuring the similarity between the machines? :)

Given that,

L:  labor to setup single firewall in single-firewall-design
L': labor to setup a single fw machine in a dual-firewall-design
W:  work to maintain the single firewall network
W': work to maintain the dual firewall network

In single setup:

W = 1 * L

In dual setup:

W' = c * 2 * L'

where c is a variable measuring the similarity of the 2 firewalls. If the 2 firewalls are completely different, c == 1. If they are the same, c approaches 0.5, so maintaining the 2 firewalls approaches the cost of maintaining a single one because they are similar.

A single firewall handling everything is (arguably) harder to setup than 2 more simple firewalls. So L >= L'. Is L >= 2 * L'? Arguable.

In other words, you have a few variables you missed. Mainly, the fact that L is not uniform.

> The "performance penalties" part of it was utter gibberish to me.

Too bad then.

> >The 2 firewalls are still independent services and an attack that
> >affects the first one *might* affect the second one, but not necessarily.
> >And in order to do this, it must get to it in the first place, which
> >means breaking into it. If you have a single firewall, it can be DOS
> >attacked and the 2 functionalities (services) are affected.
>
> You missed the point. Say you do (what most people will do when setting up
> this configuration) and buy two identical machines, install the identical OS
> onto them, and set up identical services.. minimal as they may be for a
> firewall. At this point, the differences enter, entirely in the firewall
> rulesets.

Agreed.

> If someone can compromise the first firewall through some bug or
> vulnerability, chances are near 100% that they can compromise the second
> one the exact same way. How would the packets reach the second one you
> say? Well.. um.. they've already circumvented the first one, so what's
> stopping them?

Hmm.. Agreed. But I still maintain this doesn't make the dual firewall design *weaker*. Comparable with the other one, yes.

Let's not kill each other over this. ;)

A.

From owner-freebsd-security Mon Nov 26 23:58:49 2001
Date: Mon, 26 Nov 2001 17:05:04 -0800
From: "Crist J. Clark"
To: Ahsan Ali
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126170503.C418@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com> <002801c17564$1b5e2a60$060aa8c0@pcgameauthority.com> <20011126001931.D222@gohan.cjclark.org> <001901c057dc$c69b9300$0100a8c0@ahsanalikh>
In-Reply-To: <001901c057dc$c69b9300$0100a8c0@ahsanalikh>; from ahsan@khi.comsats.net.pk on Mon, Nov 27, 2000 at 12:12:06AM +0500
X-URL: http://people.freebsd.org/~cjc/

On Mon, Nov 27, 2000 at 12:12:06AM +0500, Ahsan Ali wrote:
> What would the ideal security model for an ISP with a lot of sites and
> services hosted be?

A traditional ISP does (and should do) almost no filtering between its peer points and its clients. An ISP should protect its administrative network (accounting, marketing, etc.) and external service servers (SMTP, POP, HTTP, Radius, etc.) pretty much like any other large business. Some of these, like a Radius server, are not really seen in many other businesses and have different requirements (it is accepting requests from ISP owned machines on ISP owned network, but the network must be considered hostile since the customers have "raw" access to it). In an ISP environment, you have to depend on hardening hosts a lot more since many are required to operate in very insecure environments.

And you might want to fix that clock of yours. Or you seem to be existing in some kind of time warp.

--
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Tue Nov 27 1:50:43 2001
From: annuaire@annuairefrancais.com
Message-Id: <200111270953.KAA00658@argyre.fr.uu.net>
Date: Tue, 27 Nov 2001 10:46:04 +0100
To: FreeBSD-security@FreeBSD.org
Subject: Info: The French Directory by Department makes your searches easier

Hello,

The French Directory by department, http://www.annuairefrancais.com, now includes a search engine to refine your searches on the web.

Registration remains free and validation is still manual. The registration address is now http://inscrip.annuairefrancais.com

For any suggestions, contact us by e-mail:
management: laurent@annuairefrancais.com
validation: validation@annuairefrancais.com
advertising: publicite@annuairefrancais.com
partnerships: partenariat@annuairefrancais.com

INFORMATION: removal from our info list: http://supressinfo.annuairefrancais.com (The French Directory sends 2 info mailings per year)

L'annuaire Francais
119 Rue des Pyrenees
75020 PARIS
+33 (0)1 43 67 00 74

From owner-freebsd-security Tue Nov 27 2:53:23 2001
Date: Tue, 27 Nov 2001 12:51:34 +0200
From: Ruslan Ermilov
To: Danny Carroll
Cc: security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Message-ID: <20011127125134.C34943@sunbay.com>

On Mon, Nov 26, 2001 at 06:52:23PM +0000, Danny Carroll wrote:
> Ruslan,
>
> Works like an absolute charm... You are a legend.
> Can anyone see any reason why someone should not do this?
>
> -D
>
> >Doh, you're right! We don't currently punch firewall holes for 227/229
> >FTP server replies, for no apparent reason. Could you please try the
> >attached patch? It worked for me, both for the PASV and EPSV modes
> >with an FTP server running on a NAT box. You'll have to recompile both
> >lib/libalias and sbin/natd, in that order.
>
Committed to 5.0-CURRENT, will MFC in 1 week. Thanks!

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA
ru@sunbay.com           Sunbay Software AG
ru@FreeBSD.org          FreeBSD committer
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Tue Nov 27 3:04:46 2001
Message-ID: <007e01c17733$64bc8b40$9201a8c0@home.net>
From: "edwin chen"
To: "Danny Carroll", security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Date: Tue, 27 Nov 2001 19:05:10 +0800

hi, could you send me a piece of your firewall rules that shows me how punch hole works? I don't understand this function, and I am not a programmer, so I don't understand source code either. thanks.

edwin chen

----- Original Message -----
From: "Danny Carroll"
Sent: Tuesday, November 27, 2001 2:52 AM
Subject: Re: IPFW, natd and an internal FTP server.

> Ruslan,
>
> Works like an absolute charm... You are a legend.
> Can anyone see any reason why someone should not do this?
>
> -D
>
> >Doh, you're right! We don't currently punch firewall holes for 227/229
> >FTP server replies, for no apparent reason. Could you please try the
> >attached patch? It worked for me, both for the PASV and EPSV modes
> >with an FTP server running on a NAT box. You'll have to recompile both
> >lib/libalias and sbin/natd, in that order.
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

From owner-freebsd-security Tue Nov 27 3:17:23 2001
Date: Tue, 27 Nov 2001 13:16:39 +0200
From: Ruslan Ermilov
To: edwin chen
Cc: Danny Carroll, security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Message-ID: <20011127131639.E34943@sunbay.com>
References: <007e01c17733$64bc8b40$9201a8c0@home.net>
In-Reply-To: <007e01c17733$64bc8b40$9201a8c0@home.net>

On Tue, Nov 27, 2001 at 07:05:10PM +0800, edwin chen wrote:
> hi, could you send me a piece of your firewall rules that shows me how
> punch hole works? I don't understand this function, and I am not a
> programmer, so I don't understand source code either. thanks.
>
This works like this:

# natd -n rl0 -punch_fw 12345:100
# ipfw list
00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
# ftp -a 192.168.4.71
ftp> deb
Debugging on (debug=1).
ftp> dir
---> PORT 192,168,4,115,192,5
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for /bin/ls.
[...]
226 Transfer complete.
# ipfw list
00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
12346 allow tcp from 192.168.4.115 49157 to 192.168.4.71 20
12346 allow tcp from 192.168.4.71 20 to 192.168.4.115 49157
65000 allow ip from any to any
65535 deny ip from any to any

Imagine what would happen without -punch_fw if the 65000 rule would be "allow ip from any to any out via rl0".

> ----- Original Message -----
> From: "Danny Carroll"
> Sent: Tuesday, November 27, 2001 2:52 AM
> Subject: Re: IPFW, natd and an internal FTP server.
>
> > Ruslan,
> >
> > Works like an absolute charm... You are a legend.
> > Can anyone see any reason why someone should not do this?
> >
> > -D
> >
> > >Doh, you're right! We don't currently punch firewall holes for 227/229
> > >FTP server replies, for no apparent reason. Could you please try the
> > >attached patch? It worked for me, both for the PASV and EPSV modes
> > >with an FTP server running on a NAT box. You'll have to recompile both
> > >lib/libalias and sbin/natd, in that order.

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA
ru@sunbay.com           Sunbay Software AG
ru@FreeBSD.org          FreeBSD committer
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Tue Nov 27 4:22:40 2001
Subject: RE: IPFW, natd and an internal FTP server.
Date: Tue, 27 Nov 2001 13:22:09 +0100
Message-ID: <98829DC07ECECD47893074C4D525EFC321EA16@citsnl007b.europe.intranet>
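An added example, my own code rather than anything posted in this thread or FreeBSD's libalias/natd: it decodes the FTP PORT, 227 and 229 announcements that -punch_fw acts on, models the rule pair natd opens in a base:count window (here the 12345:100 from the session above), and audits an `ipfw list` output for punched holes. The 227/229 sample lines, the client/server addresses used for the model, and the sequential rule numbering are assumptions, not libalias behaviour.

```python
"""Model of natd -punch_fw for FTP data connections (added example)."""
import re

# Constructed FTP control-channel lines. The PORT line is the one from the
# posted ftp transcript; the 227/229 replies are made up for illustration.
SAMPLE_LINES = [
    "PORT 192,168,4,115,192,5",
    "227 Entering Passive Mode (192,168,4,71,195,80)",
    "229 Entering Extended Passive Mode (|||50000|)",
]

# The second `ipfw list` output posted above, used by the audit helper.
POSTED_LISTING = """00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
12346 allow tcp from 192.168.4.115 49157 to 192.168.4.71 20
12346 allow tcp from 192.168.4.71 20 to 192.168.4.115 49157
65000 allow ip from any to any
65535 deny ip from any to any"""

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\s.*\(\|\|\|(\d+)\|\)")


def _host_port(groups):
    """Decode h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2); None if any
    field exceeds 255, so a malformed announcement never opens a hole."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_data_endpoint(line, peer_ip):
    """Return (host, port, side) for the announced data connection: side is
    'client' for PORT (active mode), 'server' for 227/229 (passive mode).
    EPSV carries only a port, so the host is the control-channel peer."""
    m = PORT_RE.match(line)
    if m:
        hp = _host_port(m.groups())
        return (hp[0], hp[1], "client") if hp else None
    m = PASV_RE.match(line)
    if m:
        hp = _host_port(m.groups())
        return (hp[0], hp[1], "server") if hp else None
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (peer_ip, port, "server") if 0 < port < 65536 else None
    return None


class PunchFwModel:
    """Assumed model of the -punch_fw base:count window: one rule number per
    data connection, handed out sequentially from base. The posted listing
    shows the pair as rule 12346; libalias' real numbering is not reproduced."""

    def __init__(self, base, count):
        self.base, self.count, self.used = base, count, 0
        self.rules = []

    def punch(self, line, client_ip, server_ip):
        ep = parse_data_endpoint(line, server_ip)
        if ep is None:
            return []                 # nothing announced, nothing opened
        host, port, side = ep
        if side == "client":
            # active mode: the server connects from port 20 to the client port
            a, b = f"{host} {port}", f"{server_ip} 20"
        else:
            # passive mode: the client connects from any port to the server port
            a, b = f"{client_ip}", f"{host} {port}"
        if self.used >= self.count:
            raise RuntimeError("punch_fw window exhausted")
        num = self.base + self.used
        self.used += 1
        pair = [f"{num:05d} allow tcp from {a} to {b}",
                f"{num:05d} allow tcp from {b} to {a}"]
        self.rules.extend(pair)
        return pair


def punched_rules(ipfw_listing, base, count):
    """Audit helper: lines of an `ipfw list` output whose rule number lies in
    the punch_fw window, i.e. the holes natd has opened right now."""
    out = []
    for ln in ipfw_listing.splitlines():
        m = re.match(r"^\s*(\d+)\s", ln)
        if m and base <= int(m.group(1)) < base + count:
            out.append(ln.strip())
    return out


if __name__ == "__main__":
    model = PunchFwModel(12345, 100)
    for line in SAMPLE_LINES:
        for rule in model.punch(line, "192.168.4.115", "192.168.4.71"):
            print(rule)
    print("rule slots used:", model.used, "of", model.count)
    for rule in punched_rules(POSTED_LISTING, 12345, 100):
        print("punched:", rule)
```

Each data connection consumes one slot of the count, so the window size is the answer to "how many rules should I allow": with a 100-slot window, the 101st simultaneous data connection in this model raises an error instead of being opened.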
From: "Carroll, D. (Danny)"
To: "Ruslan Ermilov"
Cc: security@FreeBSD.ORG

:From: Ruslan Ermilov [mailto:ru@FreeBSD.ORG]
:On Mon, Nov 26, 2001 at 06:52:23PM +0000, Danny Carroll wrote:
:>
:Committed to 5.0-CURRENT, will MFC in 1 week. Thanks!
:

Cooley... Is there a rule of thumb as to how many rules you should allow for punch_fw? I mean if I had 100 ftp sessions would a ruleset of 300 be enough?

I imagine it would start to slow down rather quickly as the ipfw rules get larger.

-D

From owner-freebsd-security Tue Nov 27 4:26:54 2001
Message-Id: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>
Date: Tue, 27 Nov 2001 07:27:59 -0500
To: freebsd-security@freebsd.org
From: Allen Landsidel Subject: Re: Best security topology for FreeBSD Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:40 AM 11/27/2001 -0500, you wrote: > > Now Firewall_B is open, and Firewall_A may as well be, because any packets > > that Firewall_A would have blocked can simply be tunneled through a > > connection to compromised Firewall_B. > >Yes. But a single firewall design is also vulnerable to this attack. The >same way. After reading your response from front to back.. I see we have a fundamental disagreement or misunderstanding on how to set up the single firewall system.. I'll get to it in a minute. >I say, no. They will not be accessible all-round, first because they >have host-restrictions algorithms such as host.access and second because >the firewall will block some traffic accessing illegitimate port/address >combinations. Still.. I don't follow this with regard to what you previously said. In any event, I think it's best if you lock down each machine as much as possible, and do your best not to run public-access services alongside private-access services on a single machine. If the machine is compromised, you'll suffer headaches and nausea on a greater scale than you should. ;) >I am confused here. If it is in the DMZ, it is still "in" the firewall, >no? Wether the design of the firewall is single or dual, the DMZ is >still "in" the firewall. OK here is where I think the confusion comes in. In my personal experience, if you do as I indicated above with regard to securing every box, then a "normal" configuration is not so much a three-interface firewall. You would just set up a normal two-interface firewall.. one of the ports on the firewall goes to the "black" side, which represents the hub/switch that your T1 or whatever goes into. 
The "red" side represents the interior of the firewalled network, after filtering. The DMZ can exist as machines plugged into the same ethernet hub/switch as the black side of the firewall... you follow? Nothing in the DMZ is firewalled, and perhaps "sacrificial host" is a more appropriate description of the machines in that area, but if you're making backups as you should, then all the machines could be considered sacrificial. ;)

This ties into my point about not running services willy-nilly on the machine and doing your best to secure each and every box. If you have a webserver say, it should only be listening on port 80. If it's going to be inside the firewall you have to punch a hole allowing that traffic through, so everything there is going to hit the webserver and possibly compromise it. Thus, if you keep it on the outside of the firewall, damage to the rest of the network after the compromise will be minimal.

> It's basically an implementation detail to choose a single or dual
> firewall setup. I'm just saying that one does not weaken the system's
> security, apart from the "false sense of security" you mentioned that
> I consider solvable with proper education. :)

Well there is more to it than just that. The simple fact is it opens up two points of attack, unless the outer firewall is blocking all traffic, in which case, you don't need two. Either you build two similar machines, with the same OS and firewall software, and thus identical exploits.. or you build two dissimilar machines, with perhaps a different OS and firewall, and thus different (and twice as many total) exploits. Do you follow?

> So the dmz is always "within" the firewall, since the single fw design
> wraps the functionality of fw1 and fw2 within itself to allow access to
> the dmz:

I snipped all this due to my explanation above. I see it :

    out
     |
    wan
     |
  switch --- dmz
     |
    fw
     |
  switch
     |
    lan

> If you want to get into this...
>
> Could I modify the equation to say:

Again..
see my own personal above description of "single" firewall design.. perhaps we weren't talking about the same thing.. I'm sure we weren't.

> Hmm.. Agreed. But I still maintain this doesn't make the dual firewall
> design *weaker*. Comparable with the other one, yes.

See above. It can and will.

> Let's not kill each other over this. ;)

Hmm.. lemme think about that. Deal. ;)

From owner-freebsd-security Tue Nov 27 4:30: 4 2001
Date: Tue, 27 Nov 2001 14:28:53 +0200 (EET)
From: Ruslan Ermilov
To: "Carroll, D. (Danny)"
Cc: security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Message-ID: <20011127142853.A58633@sunbay.com>
In-Reply-To: <98829DC07ECECD47893074C4D525EFC321EA16@citsnl007b.europe.intranet>

On Tue, Nov 27, 2001 at 01:22:09PM +0100, Carroll, D. (Danny) wrote:
>
> :From: Ruslan Ermilov [mailto:ru@FreeBSD.ORG]
> :On Mon, Nov 26, 2001 at 06:52:23PM +0000, Danny Carroll wrote:
> :>
> :Committed to 5.0-CURRENT, will MFC in 1 week. Thanks!
> :
>
> Cooley...
> Is there a rule of thumb as to how many rules you should allow for
> punch_fw
>
> I mean if I had 100 ftp sessions would a ruleset of 300 be enough?
> I imagine it would start to slow down rather quickly as the ipfw rules
> get larger.
>
Ruleset of precisely 200 would be enough.
Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Tue Nov 27 6:31:44 2001
From: "WebSec WebSec"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Date: Tue, 27 Nov 2001 14:31:38 +0000

See below

#######################################################################
To: all@biosys.net
cc: freebsd-security@FreeBSD.ORG
Date: 11/27/2001 12:40 AM
From: owner-freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD

> Imagine : You have Firewall_A letting packet X through. Firewall_B is also
> letting packet X through, because X matches the rules on both that say the
> packet is safe. Uh-oh, X was actually a malicious packet that (pardon a
> contrived example) crashes Firewall_B after running some code that it
> inserted before smashing the stack.
>

Can someone show me an example of "a packet" that can execute arbitrary code on a firewall that only does filtering... :)

Clearly, either I am too far behind or someone is too far ahead.... If you are implying a compromise of a proxy server, this same proxy should not be moving "outbound" traffic and the filtering firewall should be configured as such. This would prevent someone getting a shell access, at least immediately. Note that you created "one" more hop and, therefore, have extra time for your IDS to detect the attack. Mission accomplished!

In case you have a single firewall..... you did not get that extra time.

To make it even more interesting, a "triple" firewall set-up helps to mitigate many of the risks. It is, however, an overkill in many-many-many cases except where security really matters. :)

Now, a quad system will probably not be practical or at least I have not seen a situation where it would be practical :)

>> Yes. But a single firewall design is also vulnerable to this attack.
>> The
>> same way.

No it is not if it is properly configured and is not doing proxying...

>>> Consider this, however: The DMZ is used to contain normally "insecure"
>>> services such as web, ftp and mail servers. The area past the firewall(s)
>>> would ideally contain machines to which no incoming connections are allowed
>>> to be initiated.
>>> The flip side of this is that the machines furthest to
>>> the inside are those that are most often operated by unclued users who are
>>> historically very good at running trojans, viruses, and other malicious
>>> code on their machines without proper investigation. In any event, the
>>> first configuration, with the DMZ hanging off the firewall (or more likely,
>>> off the same switch/hub that the firewall is connected to) is likely more
>>> secure than the two firewall option with the DMZ in the middle.
>

Whoever put this together has not ever set up web - sql architecture... Your web server should be on "DMZ".. but what do you do with SQL if it does not accept connections...? :) Keep it on DMZ also?

In other words, dual firewalls are "a lot" better in many (NOT ALL) cases (if one uses different products). But you do need to match products carefully.

AND DO PUT THAT IDS ......

From owner-freebsd-security Tue Nov 27 8:42:52 2001
Date: Tue, 27 Nov 2001 11:42:41 -0500 (EST)
From: Garrett Wollman
Message-Id: <200111271642.fARGgfU32312@khavrinen.lcs.mit.edu>
To: Allen Landsidel
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
In-Reply-To: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>

< said:

>     out
>      |
>     wan
>      |
>   switch --- dmz
>      |
>     fw
>      |
>   switch
>      |
>     lan

I think the more traditional version (of the ``two-firewall'' implementation) is not much different from this:

big-bad-Internet --- packet-filtering-router --- DMZ-switch --- DMZ-hosts
                                                     |
                                internal-network --- firewall

The point being that the first layer of defense protects both DMZ-hosts and internal-network (not to mention the DMZ-switch and firewall themselves, which is necessary for some commercial ``firewall'' products); an additional layer of defense protects internal-network from both big-bad-Internet and any potentially-compromised DMZ-hosts. In addition, the policy for traversal of the firewall can be made much stricter than the rules on the packet-filtering router, since all of the systems which are normally visible from the outside are outside the firewall. This also helps to isolate the various segments of the network from faults in other segments, which is just good design practice.
-GAWollman

From owner-freebsd-security Tue Nov 27 10:18:29 2001
Message-ID: <3C03D8EF.58AF9BF9@algroup.co.uk>
Date: Tue, 27 Nov 2001 18:18:23 +0000
From: Adam Laurie
Organization: A.L. Group plc
To: Tom Beer
Cc: security@FreeBSD.ORG
Subject: Re: Amanda - inetd
References: <001f01c1765c$3ccfba80$0901a8c0@system>

Tom Beer wrote:
>
> Hi,
>
> I'm planning to install amanda (remote backup
> solution) on a freebsd box as a client. Unfortunately
> amanda needs inetd, which I don't want to start
> for security reasons. Even not tcpwrapped.
> Is there a way to bring my ppp dialup connection
> down, start inetd, start amanda, ending inetd after
> the backup and starting my ppp connection
> again? Or is there a better solution?

use xinetd and bind amanda's service only to loopback. oh, and make sure your loopback is protected against remote routing. ipfw in "open" mode will do this if you're not already running a firewall anyway.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
                              Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Tue Nov 27 10:47:50 2001
Date: Tue, 27 Nov 2001 13:47:42 -0500 (EST)
From: Mitch Collinsworth
To: Adam Laurie
Cc: Tom Beer, security@FreeBSD.ORG
Subject: Re: Amanda - inetd
In-Reply-To: <3C03D8EF.58AF9BF9@algroup.co.uk>

On Tue, 27 Nov 2001, Adam Laurie wrote:

> Tom Beer wrote:
> >
> > I'm planning to install amanda (remote backup
> > solution) on a freebsd box as a client. Unfortunately
> > amanda needs inetd, which I don't want to start
> > for security reasons. Even not tcpwrapped.
> > Is there a way to bring my ppp dialup connection
> > down, start inetd, start amanda, ending inetd after
> > the backup and starting my ppp connection
> > again? Or is there a better solution?
>
> use xinetd and bind amanda's service only to loopback. oh, and make sure
> your loopback is protected against remote routing. ipfw in "open" mode
> will do this if you're not already running a firewall anyway.

He said amanda client. This means an amanda server will come calling to initiate the client's backups. This means the amanda port on the client needs to be accessible to the amanda server.

Your solution is not 'better', it's 'nonsense'.

-Mitch

From owner-freebsd-security Tue Nov 27 11: 7: 7 2001
Message-ID: <3C03E456.6BD7FB3E@algroup.co.uk>
Date: Tue, 27 Nov 2001 19:07:02 +0000
From: Adam Laurie
Organization: A.L. Group plc
To: security@FreeBSD.ORG
Cc: "Michael M. Butler"
Subject: Re: some shit to see
References: <200111230926.fAN9Qw630403@peony.ezo.net> <3BFF9D53.CBB692E2@comp-lib.org>

"Michael M. Butler" wrote:
>
> Nuke this turkey, won't you? Thanks! :)
>
> jflowers@ezo.net wrote:
> >
> > peace
> >
> >     Name: whatever.exe
> >     whatever.exe   Type: WAV Audio (audio/x-wav)
> >     Encoding: base64

unfortunately it seems a little more intelligent than a turkey as it can bypass some security scanners such as qmail-scanner (http://qmail-scanner.sourceforge.net/) - i guess there's a bug relating to the mime type, since we have this rule:

  .exe    0   Executable attachment (not allowed)

which should block all .exe attachments, but this one gets through... i will forward this to the qmail list as well instead of cross-posting, but thought you might like to be aware in case your scanner is also at risk...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
                              Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Tue Nov 27 11:13:12 2001
Message-ID: <3C03E5C0.395B5BC@algroup.co.uk>
Date: Tue, 27 Nov 2001 19:13:04 +0000
From: Adam Laurie
Organization: A.L. Group plc
To: Mitch Collinsworth
Cc: Tom Beer, security@FreeBSD.ORG
Subject: Re: Amanda - inetd

Mitch Collinsworth wrote:
>
> On Tue, 27 Nov 2001, Adam Laurie wrote:
>
> > Tom Beer wrote:
> > >
> > > I'm planning to install amanda (remote backup
> > > solution) on a freebsd box as a client. Unfortunately
> > > amanda needs inetd, which I don't want to start
> > > for security reasons. Even not tcpwrapped.
> > > Is there a way to bring my ppp dialup connection
> > > down, start inetd, start amanda, ending inetd after
> > > the backup and starting my ppp connection
> > > again? Or is there a better solution?
> >
> > use xinetd and bind amanda's service only to loopback. oh, and make sure
> > your loopback is protected against remote routing. ipfw in "open" mode
> > will do this if you're not already running a firewall anyway.
>
> He said amanda client. This means an amanda server will come
> calling to initiate the client's backups. This means the amanda
> port on the client needs to be accessible to the amanda server.

doh! misread his mail!

> Your solution is not 'better', it's 'nonsense'.

ah... thank you for pointing out that extra detail... i have such respect for those that are willing to go the extra mile... :)

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
                              Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Tue Nov 27 11:14: 9 2001
Message-Id: <4.3.2.7.2.20011127121153.056cdd10@localhost>
Date: Tue, 27 Nov 2001 12:13:00 -0700
To: Adam Laurie, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: some shit to see
Cc: "Michael M. Butler"
In-Reply-To: <3C03E456.6BD7FB3E@algroup.co.uk>
References: <200111230926.fAN9Qw630403@peony.ezo.net> <3BFF9D53.CBB692E2@comp-lib.org>

At 12:07 PM 11/27/2001, Adam Laurie wrote:

> unfortunately it seems a little more intelligent than a turkey as it can
> bypass some security scanners such as qmail-scanner
> (http://qmail-scanner.sourceforge.net/) - i guess there's a bug relating
> to the mime type, since we have this rule:
>
>   .exe    0   Executable attachment (not allowed)
>
> which should block all .exe attachments, but this one gets through... i
> will forward this to the qmail list as well instead of cross-posting,
> but thought you might like to be aware in case your scanner is also at
> risk...

See the paper I presented at BSDCon (and then updated for OSCon 2001) for information on scanners that will catch it.
http://www.brettglass.com/spam/paper.html

--Brett

From owner-freebsd-security Tue Nov 27 12:14:10 2001
Date: Tue, 27 Nov 2001 15:14:07 -0500 (EST)
From: Mitch Collinsworth
To: Adam Laurie
Cc: Tom Beer, security@FreeBSD.ORG
Subject: Re: Amanda - inetd
In-Reply-To: <3C03E5C0.395B5BC@algroup.co.uk>

On Tue, 27 Nov 2001, Adam Laurie wrote:

> ah... thank you for pointing out that extra detail... i have such
> respect for those that are willing to go the extra mile... :)

Sorry. That was unnecessary. I apologize.

-Mitch

From owner-freebsd-security Tue Nov 27 13: 4:32 2001
Date: Tue, 27 Nov 2001 16:04:04 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
Subject: Re: Best security topology for FreeBSD
In-Reply-To: <20011127054030.GB5828@shall.anarcat.dyndns.org>
Message-ID: <20011127160049.N57709-100000@topperwein.dyndns.org>

On Tue, 27 Nov 2001, The Anarcat wrote:

> The firewall, whether it is single or dual, has the same functionality,
> in the presence of a DMZ:
>
> (2 designs of dual fw):        (and a single fw design):
>
>    out         out              out
>     |           |                |
>    fw1         fw1----+          |
>     |           |     |          |
>    dmz          |    dmz        fw ---- dmz
>     |           |     |          |
>    fw2         fw2----+          |
>     |           |                |
>    in          in               in
>
> In the second one, you setup a private line between the 2 fws to have
> direct traffic let through unsniffable directly by the dmz. That is,
                             ^^^^^^^^^^^
> even if you let direct traffic, where you might prefer having proxies
> somewhere to avoid direct traffic.

No, not unsniffable. If an attacker manages to install arp-spoof software on the DMZ, then he can easily mount a man-in-the-middle attack and reroute all the traffic between fw1 and fw2 through the DMZ. Even routers can be overcome. There's a good discussion about this kind of thing on the dsniff website.

--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
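The redirection Chris describes is visible on the wire as ARP replies claiming fw1's and fw2's addresses with some other host's MAC, and this is the arpwatch-style check I would run on a span of the DMZ switch to catch it. This is an added example, not code from the thread or from dsniff; the firewall addresses, the MACs and the capture lines are all constructed.

```python
"""ARP-spoof detection for the fw1/fw2 transit segment discussed above.

Added example; not code from this thread or from dsniff. Every ARP reply
seen on the segment is compared with a static table of the MACs the two
firewalls are known to own; every other host is tracked so that a
flip-flop (one IP answered by two MACs) is reported as well. Addresses,
MACs and capture lines are constructed (00:00:5e:00:53:xx is the IANA
documentation MAC range, 192.0.2.0/24 is TEST-NET-1).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: str
    ip: str   # protocol address the reply advertises
    mac: str  # hardware address it claims for that IP


def parse_arp_line(line: str) -> ArpReply:
    """Parse one line of the constructed capture format:
    '<hh:mm:ss> ARP reply <ip> is-at <mac>'."""
    fields = line.split()
    if len(fields) != 6 or fields[1:3] != ["ARP", "reply"] or fields[4] != "is-at":
        raise ValueError(f"not an ARP reply line: {line!r}")
    return ArpReply(ts=fields[0], ip=fields[3], mac=fields[5].lower())


class ArpMonitor:
    def __init__(self, known: Dict[str, str]) -> None:
        # IP -> MAC for hosts whose hardware address is fixed and known
        # to the defender (the two firewalls on this segment).
        self.known = {ip: mac.lower() for ip, mac in known.items()}
        # Learned IP -> MAC for every other host seen on the segment.
        self.learned: Dict[str, str] = {}
        self.alerts: List[Tuple[str, str, str]] = []

    def observe(self, r: ArpReply) -> None:
        expected = self.known.get(r.ip)
        if expected is not None:
            # A reply for a firewall address must carry the firewall's own MAC.
            if r.mac != expected:
                self.alerts.append((r.ts, "spoofed",
                                    f"{r.ip} claimed by {r.mac}, owner is {expected}"))
            return
        previous = self.learned.setdefault(r.ip, r.mac)
        if previous != r.mac:
            # Same IP now answered by a different MAC: the classic flip-flop.
            self.alerts.append((r.ts, "flip-flop",
                                f"{r.ip} moved from {previous} to {r.mac}"))
            self.learned[r.ip] = r.mac


def scan(lines: Iterable[str], known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Run every capture line through the monitor and return the alerts."""
    monitor = ArpMonitor(known)
    for line in lines:
        if line.strip():
            monitor.observe(parse_arp_line(line))
    return monitor.alerts


# Constructed: fw1 and fw2 addresses on the transit segment and their MACs.
KNOWN_FIREWALLS = {
    "192.0.2.1": "00:00:5e:00:53:01",  # fw1
    "192.0.2.2": "00:00:5e:00:53:02",  # fw2
}

# Constructed capture: a DMZ host (MAC ending :10) first answers for its own
# address, then starts answering for both firewalls, which is what a
# man-in-the-middle between fw1 and fw2 looks like on the wire.
SAMPLE_CAPTURE = [
    "10:00:01 ARP reply 192.0.2.1 is-at 00:00:5e:00:53:01",
    "10:00:02 ARP reply 192.0.2.10 is-at 00:00:5e:00:53:10",
    "10:00:05 ARP reply 192.0.2.2 is-at 00:00:5e:00:53:10",
    "10:00:06 ARP reply 192.0.2.1 is-at 00:00:5e:00:53:10",
    "10:00:07 ARP reply 192.0.2.11 is-at 00:00:5e:00:53:11",
    "10:00:08 ARP reply 192.0.2.11 is-at 00:00:5e:00:53:12",
    "10:00:09 ARP reply 192.0.2.10 is-at 00:00:5e:00:53:10",
]

if __name__ == "__main__":
    for ts, kind, detail in scan(SAMPLE_CAPTURE, KNOWN_FIREWALLS):
        print(f"{ts} {kind}: {detail}")
```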
From owner-freebsd-security Tue Nov 27 16:15:27 2001
Message-Id: <5.1.0.14.0.20011127185418.00af0828@rfnj.org>
Date: Tue, 27 Nov 2001 19:16:48 -0500
To: freebsd-security@freebsd.org
From: Allen Landsidel
Subject: Re: Best security topology for FreeBSD

At 02:31 PM 11/27/2001 +0000, you wrote:

> Can someone show me an example of "a packet" that can execute arbitrary
> code on a firewall that only does filtering... :)

I don't imagine they can. If they could, chances are it would be patched before you ever even heard of it. So what you're saying is security based on "I haven't seen such a thing, so I'm safe from it?"

> Clearly, either I am too far behind or someone is too far ahead.... If you
> are implying a compromise of a proxy server, this same proxy should not be
> moving "outbound" traffic and the filtering firewall should be configured
> as such. This would prevent someone getting a shell access, at least
> immediately. Note that you created "one" more hop and, therefore, have
> extra time for your IDS to detect the attack. Mission accomplished!

You figure a less than one ms hop (that has already taken place) gives your IDS "more time" to respond? Please. Any IDS worth its salt is going to get the packets, examine them, and then pass them on. I'm talking wrappers or firewall type stuff here, not something like snort that just puts the thing in promiscuous mode and listens to traffic that it can't stop.

> In case you have a single firewall..... you did not get that extra time.

It doesn't matter anyway, the "extra time" is a silly concept. It's not going to matter. Even a 486 has the processing power and bandwidth to handle a T1 and a reasonable set of firewall rules.. it's getting out there into the really expensive part of the bandwidth world where even a mediocre machine can't keep up.
> To make it even more interesting, a "triple" firewall set-up helps to
> mitigate many of the risks. It is, however, an overkill in many-many-many
> cases except where security really matters. :)
>
> Now, a quad system will probably not be practical or at least I have not
> seen a situation where it would be practical :)

Now, you're just talking out of, for lack of a better term, your ass. Maybe we should imagine ourselves up a network where there is a double firewall system like has been discussed here, and then another one on each and every port for each and every hub and switch! Wouldn't that bad boy sure be secure!!

>>> Yes. But a single firewall design is also vulnerable to this
>>> attack.
>> The same way.
>
> No it is not if it is properly configured and is not doing proxying...

This is a reply to something someone else said, so I'll let them respond to it.

> Whoever put this together has not ever set up web - sql architecture...
> Your web server should be on "DMZ".. but what do you do with SQL if it
> does not accept connections...? :) Keep it on DMZ also?

You have a SQL that doesn't accept connections? Doesn't sound like any firewall configuration is going to affect that piece of junk in any way, shape or form. FYI, I have set up SQL backends for webservers in a DMZ exactly as described above, and there are plenty of ways to enhance their security. The most basic is an encrypted VPN connection between the webserver and the SQL server.

In reality however, this sort of thing isn't really needed. If your router is set up to stop as many spoofed packets as it can detect (*) which it should be no matter what your goals are, then your only real problem here is something flawed I see implied in your design : You code your database passwords into the web frontend for access to the DB.
If your DB data is critical enough that you can't risk bogus records being inserted, and sensitive enough that you can't risk the wrong person on the outside seeing it, at the very least it should be https access only, and use a user supplied password. In reality, it probably shouldn't be a webserver at all.

(*) Basically this is only three rules.
#1 deny all packets from inside your network that don't come from your netblock(s),
#2 deny all packets from outside your network that do come from your netblock(s),
#3 deny all packets that have a source or destination address on a private IP subnet, with very specific allow rules only if you really need them.

> In other words, dual firewalls are "a lot" better in many (NOT ALL) cases
> (if one uses different products). But you do need to match products carefully.

You didn't make an argument to this point; Nothing constructive was offered that bolsters the credibility of a two firewall design. I'll cover the simple facts once again.

1. One firewall can easily do the job of the two described if the rulesets are merged.

2. Two firewalls do not for the most part provide two "layers" for an attacker to work through; it simply provides two different targets for an attacker to attempt to compromise.

I am not against the previous definition of a single firewall with three interfaces; one for outside, one for inside, and one for the dmz.. but it's usually not required.
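The three anti-spoofing rules in Allen's footnote, turned into an executable filter model so the first-match behaviour (including the "very specific allow rules" carve-out for private space) can be checked against sample traffic. This is an added example, not code from the thread; the netblock 203.0.113.0/24, the interface names fxp0/fxp1 and the packets are constructed, and the ipfw renderings in the comments are my own assumption of how the same rules would be written, not text from the thread.

```python
"""Allen's three anti-spoofing rules as a first-match packet filter model.

Added example, not code from this thread. Rule 1 is egress filtering
(packets arriving from the inside must carry one of our addresses),
rule 2 is ingress filtering (packets arriving from the outside must not
carry one of our addresses), rule 3 drops RFC 1918 space in either
direction unless a specific allow covers it. Netblocks, interfaces and
packets below are constructed; the ipfw lines in comments are assumed
renderings of the same rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# RFC 1918 space that rule 3 denies as source or destination.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet was seen on
    direction: str  # "in" (arriving on iface) or "out" (leaving via iface)


class AntiSpoofFilter:
    """Evaluates the three rules in the order the text lists them; first match wins."""

    def __init__(self, netblocks: Sequence[str], outside_if: str, inside_if: str,
                 allow_private: Sequence[str] = ()) -> None:
        self.nets = [ipaddress.ip_network(n) for n in netblocks]
        self.outside_if = outside_if
        self.inside_if = inside_if
        # The "very specific allow rules only if you really need them".
        self.allow_private = [ipaddress.ip_network(n) for n in allow_private]

    @staticmethod
    def _in_any(addr: str, nets) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    def verdict(self, p: Packet) -> str:
        # Rule 1: packets arriving from the inside whose source is not ours.
        # assumed ipfw: deny ip from not <ournet> to any in via <inside_if>
        if p.direction == "in" and p.iface == self.inside_if \
                and not self._in_any(p.src, self.nets):
            return "deny rule1 inside-source-not-ours"
        # Rule 2: packets arriving from the outside that claim our source.
        # assumed ipfw: deny ip from <ournet> to any in via <outside_if>
        if p.direction == "in" and p.iface == self.outside_if \
                and self._in_any(p.src, self.nets):
            return "deny rule2 outside-source-is-ours"
        # Rule 3: private space as source or destination, except explicit allows.
        # assumed ipfw: deny ip from 10.0.0.0/8 to any / deny ip from any to 10.0.0.0/8, etc.
        for addr in (p.src, p.dst):
            if self._in_any(addr, PRIVATE_NETS) and not self._in_any(addr, self.allow_private):
                return "deny rule3 private-address"
        return "allow"

    def run(self, packets: Iterable[Packet]) -> List[str]:
        return [self.verdict(p) for p in packets]


def demo() -> List[str]:
    """Constructed traffic for a site that owns 203.0.113.0/24, with fxp0 facing
    the Internet, fxp1 facing the LAN, and one private subnet explicitly allowed."""
    fw = AntiSpoofFilter(["203.0.113.0/24"], outside_if="fxp0", inside_if="fxp1",
                         allow_private=["192.168.100.0/24"])
    sample = [
        Packet("198.51.100.7", "203.0.113.80", "fxp0", "in"),  # ordinary inbound: allow
        Packet("203.0.113.5", "198.51.100.7", "fxp0", "in"),   # our address from outside: rule 2
        Packet("203.0.113.5", "198.51.100.7", "fxp1", "in"),   # legitimate outbound: allow
        Packet("198.51.100.7", "198.51.100.8", "fxp1", "in"),  # foreign source from inside: rule 1
        Packet("10.9.8.7", "203.0.113.80", "fxp0", "in"),      # private source from outside: rule 3
        Packet("203.0.113.5", "172.16.4.4", "fxp1", "in"),     # private destination: rule 3
        Packet("203.0.113.5", "192.168.100.2", "fxp1", "in"),  # private but explicitly allowed
    ]
    return fw.run(sample)


if __name__ == "__main__":
    for v in demo():
        print(v)
```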
From owner-freebsd-security Tue Nov 27 16:18:22 2001
Message-Id: <5.1.0.14.0.20011127191737.00ae1bd0@rfnj.org>
Date: Tue, 27 Nov 2001 19:19:54 -0500
To: freebsd-security@freebsd.org
From: Allen Landsidel
Subject: Re: Best security topology for FreeBSD
In-Reply-To: <200111271642.fARGgfU32312@khavrinen.lcs.mit.edu>
References: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>

At 11:42 AM 11/27/2001 -0500, you wrote:

> I think the more traditional version (of the ``two-firewall''
> implementation) is not much different from this:

...

I hadn't really thought of the packet-filtering router as a firewall, but I suppose it does fit the definition. I always took it as a given that everyone had some level of ACLs on their routers, and thus didn't include it as a "firewall" in the diagram. I would guess the original poster of the "two firewalls is better; a single one is a poor design" message was probably thinking the same thing.

If not, well, I guess we're all in agreement then, except for "Mr quad firewalls are cool" to whom I just responded.
;) From owner-freebsd-security Tue Nov 27 18: 2:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id AA48B37B405 for ; Tue, 27 Nov 2001 18:02:20 -0800 (PST) Received: (from root@localhost) by cage.simianscience.com (8.11.6/8.11.6) id fAS22Jf40654 for freebsd-security@freebsd.org; Tue, 27 Nov 2001 21:02:19 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp.sentex.net (fcage [192.168.0.2]) by cage.simianscience.com (8.11.6/8.11.6av) with ESMTP id fAS22F140646 for ; Tue, 27 Nov 2001 21:02:16 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 27 Nov 2001 21:02:13 -0500 To: freebsd-security@freebsd.org From: Mike Tancsa Subject: wu-ftpd ? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I guess the post below relates to what was on bugtraq last week about the mysterious new wu-ftpd vulnerability. I still don't see anything on wu-ftpd's site about it. Is this something specific to LINUX then ? Anyone have any info ? ---Mike
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id:
>List-Post:
>List-Help:
>List-Unsubscribe:
>List-Subscribe:
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Subject: [RHSA-2001:157-06] Updated wu-ftpd packages are available
>From: bugzilla@redhat.com
>Date: Tue, 27 Nov 2001 18:37 -0500
>To: redhat-watch-list@redhat.com
>Cc: bugtraq@securityfocus.com, linux-security@redhat.com
>X-Virus-Scanned: by AMaViS perl-10
>X-MIME-Autoconverted: from quoted-printable to 8bit by
>cage.simianscience.com id fAS1enD40368
>
>---------------------------------------------------------------------
> Red Hat, Inc. Red Hat Security Advisory
>
>Synopsis: Updated wu-ftpd packages are available
>Advisory ID: RHSA-2001:157-06
>Issue date: 2001-11-20
>Updated on: 2001-11-26
>Product: Red Hat Linux
>Keywords: wu-ftpd buffer overrun glob ftpglob
>Cross references:
>Obsoletes: RHSA-2000:039
>---------------------------------------------------------------------
>
>1. Topic:
>
>Updated wu-ftpd packages are available to fix an overflowable buffer.
>
>2. Relevant releases/architectures:
>
>Red Hat Linux 6.2 - alpha, i386, sparc
>
>Red Hat Linux 7.0 - alpha, i386
>
>Red Hat Linux 7.1 - alpha, i386, ia64
>
>Red Hat Linux 7.2 - i386
>
>3. Problem description:
>
>An overflowable buffer exists in earlier versions of wu-ftpd.
>An attacker could gain access to the machine by sending malicious
>commands.
>
>It is recommended that all users of wu-ftpd upgrade to the latest
>version.
>
>4. Solution:
>
>Before applying this update, make sure all previously released errata
>relevant to your system have been applied.
>
>To update all RPMs for your particular architecture, run:
>
>rpm -Fvh [filenames]
>
>where [filenames] is a list of the RPMs you wish to upgrade. Only those
>RPMs which are currently installed will be updated. Those RPMs which are
>not installed but included in the list will not be updated. Note that you
>can also use wildcards (*.rpm) if your current directory *only* contains the
>desired RPMs.
>
>Please note that this update is also available via Red Hat Network. Many
>people find this an easier way to apply updates.
>To use Red Hat Network,
>launch the Red Hat Update Agent with the following command:
>
>up2date
>
>This will start an interactive process that will result in the appropriate
>RPMs being upgraded on your system.
>
>5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
>
>
>6. RPMs required:
>
>Red Hat Linux 6.2:
>
>SRPMS:
>ftp://updates.redhat.com/6.2/en/os/SRPMS/wu-ftpd-2.6.1-0.6x.21.src.rpm
>
>alpha:
>ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm
>
>i386:
>ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm
>
>sparc:
>ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm
>
>Red Hat Linux 7.0:
>
>SRPMS:
>ftp://updates.redhat.com/7.0/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm
>
>alpha:
>ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
>
>i386:
>ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
>
>Red Hat Linux 7.1:
>
>SRPMS:
>ftp://updates.redhat.com/7.1/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm
>
>alpha:
>ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
>
>i386:
>ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
>
>ia64:
>ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm
>
>Red Hat Linux 7.2:
>
>SRPMS:
>ftp://updates.redhat.com/7.2/en/os/SRPMS/wu-ftpd-2.6.1-20.src.rpm
>
>i386:
>ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm
>
>
>
>7.
Verification:
>
>These packages are GPG signed by Red Hat, Inc. for security. Our key
>is available at:
> http://www.redhat.com/about/contact/pgpkey.html
>
>You can verify each package with the following command:
> rpm --checksig
>
>If you only wish to verify that each package has not been corrupted or
>tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg
>
>8. References:
>
>
>
>
>Copyright(c) 2000, 2001 Red Hat, Inc.
-------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 27 19:26:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id E134837B419 for ; Tue, 27 Nov 2001 19:26:26 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.195]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id fAS3Q2R14454; Wed, 28 Nov 2001 12:26:02 +0900 (JST) Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.196]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id fAS3Pqa16511; Wed, 28 Nov 2001 12:25:52 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id fAS3Pqi24235; Wed, 28 Nov 2001 12:25:52 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.1/8.12.1) with ESMTP id fAS3PqlC009970; Wed, 28 Nov 2001 12:25:52 +0900 (JST) Date: Wed, 28 Nov 2001 12:25:52 +0900 (JST) Message-Id: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> To: mike@sentex.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? 
From: Koga Youichirou In-Reply-To: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> X-Mailer: Mew version 3.0.50 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Mike Tancsa : > I guess the post below is relates to what was on bugtraq last week about > the mysterious new wu-ftpd vulnerability. I still dont see anything on > wu-ftpd's site about it. Is this something specific to LINUX then ? Anyone > have any info ? Following is RedHat's patch: --- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001 +++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001 @@ -309,7 +309,7 @@ if (lm >= restbufend) return (0); } - for (pe = ++p; *pe; pe++) + for (pe = ++p; *pe; pe++) { switch (*pe) { case '{': @@ -325,11 +325,19 @@ case '[': for (pe++; *pe && *pe != ']'; pe++) continue; + if (!*pe) { + globerr = "Missing ]"; + return (0); + } continue; } + } pend: - brclev = 0; - for (pl = pm = p; pm <= pe; pm++) + if (brclev || !*pe) { + globerr = "Missing }"; + return (0); + } + for (pl = pm = p; pm <= pe; pm++) { switch (*pm & (QUOTE | TRIM)) { case '{': @@ -365,19 +373,18 @@ return (1); sort(); pl = pm + 1; - if (brclev) - return (0); continue; case '[': for (pm++; *pm && *pm != ']'; pm++) continue; - if (!*pm) - pm--; + if (!*pm) { + globerr = "Missing ]"; + return (0); + } continue; } - if (brclev) - goto doit; + } return (0); } @@ -429,11 +436,10 @@ else if (scc == (lc = cc)) ok++; } - if (cc == 0) - if (ok) - p--; - else - return 0; + if (cc == 0) { + globerr = "Missing ]"; + return (0); + } continue; case '*': 
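Review bot: in the @@ -325,11 +325,19 @@ hunk the new `if (!*pe) { globerr = "Missing ]"; return (0); }` closes a read past the end of the pattern: before it, an unterminated `[` left the inner `for (pe++; *pe && *pe != ']'; pe++)` stopped on the NUL, the following `continue` ran the outer loop's `pe++`, and `*pe` was then tested one byte beyond the terminator. Replacing `brclev = 0;` at `pend:` with `if (brclev || !*pe)` turns a silently reset brace count into a "Missing }" error; note that the `{` opened in the first hunk's `for (pe = ++p; *pe; pe++) {` is only closed by the `+ }` added here, so the two hunks must be applied together.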
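Review bot: in the @@ -429,11 +436,10 @@ hunk, as at the other two new `globerr` sites, the error path is `return (0)`, the same value the routine returns for an ordinary non-match, so a caller can only tell a malformed pattern from a no-match by inspecting `globerr` afterwards; no caller is changed in this patch, so confirm that every caller of this routine checks `globerr` rather than the return value alone. The braces around the new `if (cc == 0)` body are also what the old code lacked: `if (cc == 0) if (ok) p--; else return 0;` bound the `else` to the inner `if (ok)`, which is easy to misread.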
@@ -486,67 +492,6 @@ } } -/* This function appears to be unused, so why waste time and space on it? */ -#if 0 == 1 -static int Gmatch(register char *s, register char *p) -{ - register int scc; - int ok, lc; - int c, cc; - - for (;;) { - scc = *s++ & TRIM; - switch (c = *p++) { - - case '[': - ok = 0; - lc = 077777; - while (cc = *p++) { - if (cc == ']') { - if (ok) - break; - return (0); - } - if (cc == '-') { - if (lc <= scc && scc <= *p++) - ok++; - } - else if (scc == (lc = cc)) - ok++; - } - if (cc == 0) - if (ok) - p--; - else - return 0; - continue; - - case '*': - if (!*p) - return (1); - for (s--; *s; s++) - if (Gmatch(s, p)) - return (1); - return (0); - - case 0: - return (scc == 0); - - default: - if ((c & TRIM) != scc) - return (0); - continue; - - case '?': - if (scc == 0) - return (0); - continue; - - } - } -} -#endif /* Gmatch exclusion */ - static void Gcat(register char *s1, register char *s2) { register size_t len = strlen(s1) + strlen(s2) + 1; -- Koga, Youichirou To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 27 20: 9:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 1A05137B405 for ; Tue, 27 Nov 2001 20:09:11 -0800 (PST) Received: (from root@localhost) by cage.simianscience.com (8.11.6/8.11.6) id fAS49A042164; Tue, 27 Nov 2001 23:09:10 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp.sentex.net (fcage [192.168.0.2]) by cage.simianscience.com (8.11.6/8.11.6av) with ESMTP id fAS496142156; Tue, 27 Nov 2001 23:09:06 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20011127230846.0392b000@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 27 Nov 2001 23:09:05 -0500 To: Koga Youichirou 
From: Mike Tancsa Subject: Re: wu-ftpd ? Cc: freebsd-security@freebsd.org In-Reply-To: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:25 PM 11/28/2001 +0900, Koga Youichirou wrote: >Mike Tancsa : > > I guess the post below is relates to what was on bugtraq last week about > > the mysterious new wu-ftpd vulnerability. I still dont see anything on > > wu-ftpd's site about it. Is this something specific to LINUX then ? > Anyone > > have any info ? > >Following is RedHat's patch: Thanks, http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html sheds some more light on it as well. ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 27 23: 1:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id C3C0937B405 for ; Tue, 27 Nov 2001 23:01:47 -0800 (PST) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 8FD0014C54; Wed, 28 Nov 2001 08:01:46 +0100 (CET) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Bara Zani" Cc: Subject: Re: freebsd 4.4 finger tips ? 
References: <009c01c176e1$9025f390$6e00a8c0@kushkush> From: Dag-Erling Smorgrav Date: 28 Nov 2001 08:01:46 +0100 In-Reply-To: <009c01c176e1$9025f390$6e00a8c0@kushkush> Message-ID: Lines: 11 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Bara Zani" writes: > ipfilter is configured to allow only ssh and https in from tun0 . > never the less nmap will identify the os as freebsd 4.something . > how can i erase the finger tips ? Try blocking TCP segments that have both the SYN and the FIN flags set. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 28 0:44:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 076C237B416 for ; Wed, 28 Nov 2001 00:44:43 -0800 (PST) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id fAS8iIQ32553; Wed, 28 Nov 2001 11:44:19 +0300 (MSK) (envelope-from ache) Date: Wed, 28 Nov 2001 11:44:17 +0300 
From: "Andrey A. Chernov" To: Koga Youichirou Cc: mike@sentex.net, freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? Message-ID: <20011128084416.GA32507@nagual.pp.ru> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> <20011128.122552.45455442.y-koga@jp.FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> User-Agent: Mutt/1.3.23.2i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Nov 28, 2001 at 12:25:52 +0900, Koga Youichirou wrote: > Mike Tancsa : > > I guess the post below is relates to what was on bugtraq last week about > > the mysterious new wu-ftpd vulnerability. I still dont see anything on > > wu-ftpd's site about it. Is this something specific to LINUX then ? Anyone > > have any info ? > > Following is RedHat's patch: > > --- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001 > +++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001 
> @@ -309,7 +309,7 @@ > if (lm >= restbufend) > return (0); > } It seems that this patch is over another patch and not for original 2.6.1 sources. Could you please provide a cumulative patch compared to the original sources? -- Andrey A. Chernov http://ache.pp.ru/ From owner-freebsd-security Wed Nov 28 1: 6:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id F05ED37B41C for ; Wed, 28 Nov 2001 01:06:05 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.195]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id fAS95GR16576; Wed, 28 Nov 2001 18:05:17 +0900 (JST) Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.190]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id fAS958a07642; Wed, 28 Nov 2001 18:05:09 +0900 (JST) Received: from siaew3.ksp.nis.nec.co.jp (siaew3.ksp.nis.nec.co.jp [10.57.25.208]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id fAS94ji16277; Wed, 28 Nov 2001 18:05:01 +0900 (JST) Received: by siaew3.ksp.nis.nec.co.jp (8.11.5/kajino-07/01/01) id fAS952G13031; Wed, 28 Nov 2001 18:05:02 +0900 (JST) Message-Id: <200111280905.fAS952G13031@SIS.ksp.nis.nec.co.jp> To: "Andrey A. Chernov" Cc: Koga Youichirou , mike@sentex.net, freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? In-reply-to: Your message of "Wed, 28 Nov 2001 11:44:17 JST." <20011128084416.GA32507@nagual.pp.ru> User-Agent: EMH/1.14.1 SEMI/1.14.3 (Ushinoya) FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=) APEL/10.3 Emacs/21.1 (sparc-sun-solaris2.8) MULE/5.0 (=?ISO-2022-JP?B?GyRCOC1MWhsoQg==?=) MIME-Version: 1.0 (generated by SEMI 1.14.3 - "Ushinoya") Content-Type: multipart/mixed; boundary="Multipart_Wed_Nov_28_18:05:02_2001-1" Date: Wed, 28 Nov 2001 18:05:02 +0900
From: =?ISO-2022-JP?B?IlMuS2FqaW5vLxskQjNhTG4/OBsoQiI=?= Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Multipart_Wed_Nov_28_18:05:02_2001-1 Content-Type: text/plain; charset=US-ASCII >>In Article <20011128084416.GA32507@nagual.pp.ru> > "Andrey A. Chernov" writes: >> Following is RedHat's patch: ; >It seems that this patch is over another patch and not for original 2.6.1 >sources. Could you please provide cumulative patch compared to original >sources? That's as follows. //////////////////////////////////////////////////////////////// NEC informatec systems Co.,ltd. TEL 044-812-8418 Shared Infrastructure and Service Div., 2nd SP Group. kajino@nis.nec.co.jp (S.Kajino) --Multipart_Wed_Nov_28_18:05:02_2001-1 Content-Type: text/plain; charset=US-ASCII diff -Naur wu-ftpd-2.6.1.orig/src/glob.c wu-ftpd-2.6.1/src/glob.c --- wu-ftpd-2.6.1.orig/src/glob.c Sun Jul 2 03:17:39 2000 +++ wu-ftpd-2.6.1/src/glob.c Wed Nov 28 14:10:55 2001 @@ -298,7 +298,7 @@ for (lm = restbuf; *p != '{'; *lm++ = *p++) continue; - for (pe = ++p; *pe; pe++) + for (pe = ++p; *pe; pe++) { switch (*pe) { case '{': @@ -314,11 +314,19 @@ case '[': for (pe++; *pe && *pe != ']'; pe++) continue; + if (!*pe) { + globerr = "Missing ]"; + return (0); + } continue; } + } pend: - brclev = 0; - for (pl = pm = p; pm <= pe; pm++) + if (brclev || !*pe) { + globerr = "Missing }"; + return (0); + } + for (pl = pm = p; pm <= pe; pm++) { switch (*pm & (QUOTE | TRIM)) { case '{': @@ -352,19 +360,18 @@ return (1); sort(); pl = pm + 1; - if (brclev) - return (0); continue; case '[': for (pm++; *pm && *pm != ']'; pm++) continue; - if (!*pm) - pm--; + if (!*pm) { + globerr = "Missing ]"; + return (0); + } continue; } - if (brclev) - goto doit; + } return (0); } 
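Review bot: the @@ -298,7 +298,7 @@ hunk only opens a block (`for (pe = ++p; *pe; pe++) {`); the matching `+ }` is in the next hunk just before `pend:`, so this hunk cannot be applied or backed out on its own without leaving an unbalanced brace. Compared with the Red Hat version quoted earlier in the thread, only the hunk offsets differ (-298 here versus -309 there); the `+`/`-` lines are identical, which is what makes this the patch against unmodified 2.6.1 sources that was asked for.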
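Review bot: the @@ -352,19 +360,18 @@ hunk drops `if (brclev) goto doit;` but does not touch the `doit:` label it jumped to; if this was the label's only user it is now unreferenced and the compiler will warn about an unused label, so either remove the label in the same change or note where it is still used. The hunk also replaces `if (!*pm) pm--;` with a "Missing ]" error: the old code backed `pm` up one so the outer loop's `pm++` landed on the terminating NUL again instead of stepping past it, i.e. an unterminated bracket was tolerated, while the new code rejects it, matching the check added to the first scan in the previous hunk.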
@@ -416,11 +423,10 @@ else if (scc == (lc = cc)) ok++; } - if (cc == 0) - if (ok) - p--; - else - return 0; + if (cc == 0) { + globerr = "Missing ]"; + return (0); + } continue; case '*': @@ -472,67 +478,6 @@ } } } - -/* This function appears to be unused, so why waste time and space on it? */ -#if 0 == 1 -static int Gmatch(register char *s, register char *p) -{ - register int scc; - int ok, lc; - int c, cc; - - for (;;) { - scc = *s++ & TRIM; - switch (c = *p++) { - - case '[': - ok = 0; - lc = 077777; - while (cc = *p++) { - if (cc == ']') { - if (ok) - break; - return (0); - } - if (cc == '-') { - if (lc <= scc && scc <= *p++) - ok++; - } - else if (scc == (lc = cc)) - ok++; - } - if (cc == 0) - if (ok) - p--; - else - return 0; - continue; - - case '*': - if (!*p) - return (1); - for (s--; *s; s++) - if (Gmatch(s, p)) - return (1); - return (0); - - case 0: - return (scc == 0); - - default: - if ((c & TRIM) != scc) - return (0); - continue; - - case '?': - if (scc == 0) - return (0); - continue; - - } - } -} -#endif /* Gmatch exclusion */ static void Gcat(register char *s1, register char *s2) { --Multipart_Wed_Nov_28_18:05:02_2001-1-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 28 1: 8:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from imfiko.bishkek.su (ns1.elcat.kg [212.42.96.1]) by hub.freebsd.org (Postfix) with ESMTP id E33D137B41A for ; Wed, 28 Nov 2001 01:08:10 -0800 (PST) Received: from moon.elcat.kg (moon.elcat.kg [212.42.96.3]) by imfiko.bishkek.su (8.8.8/Relcom-2A) with ESMTP id OAA67266 for ; Wed, 28 Nov 2001 14:08:00 +0500 (KGT) from zed@mail.kg X-Sender: zed@mail.kg X-Recipient: Message-ID: <3C04A96F.7734E2AF@mail.kg> Date: Wed, 28 Nov 2001 14:07:59 +0500 
From: Malik Abdugaliev Organization: 1609489566 X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: FreeBSD Security Subject: Free Antivirus Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello. Does anybody know a freeware antivirus program for sendmail? THX. --- Malik. From owner-freebsd-security Wed Nov 28 1:12:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from hq1.tyfon.net (hq1.tyfon.net [217.27.162.35]) by hub.freebsd.org (Postfix) with ESMTP id 21B0237B446 for ; Wed, 28 Nov 2001 01:12:25 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hq1.tyfon.net (Postfix) with ESMTP id EA8C01C7F6; Wed, 28 Nov 2001 10:12:21 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by hq1.tyfon.net (Postfix) with ESMTP id BA4921C7F5; Wed, 28 Nov 2001 10:12:17 +0100 (CET) Date: Wed, 28 Nov 2001 10:12:17 +0100 (CET)
From: Dan Larsson To: Malik Abdugaliev Cc: FreeBSD Security Subject: Re: Free Antivirus In-Reply-To: <3C04A96F.7734E2AF@mail.kg> Message-ID: <20011128101142.U82240-100000@hq1.tyfon.net> Organization: Tyfon Svenska AB X-NCC-NIC: DL1999-RIPE X-NCC-RegID: se.tyfon MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by hq1.tyfon.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 28 Nov 2001, Malik Abdugaliev wrote: | Hello. | Does anybody known freeware antivirus program for sendmail? | THX. Perhaps not all are free but it's a start: % cd /usr/ports ; make search key=antivirus | Regards +------ Dan Larsson -+- Tyfon Svenska AB -+- DL1999-RIPE 2AA5 90AE 5185 5924 1E0B 1A99 EC8A EA84 406B 06B9 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 28 1:16:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns2.megasoft.ru (gw.megasoft.ptci.ru [194.67.183.18]) by hub.freebsd.org (Postfix) with ESMTP id 3C3BF37B416 for ; Wed, 28 Nov 2001 01:16:23 -0800 (PST) Received: from drweb by ns2.megasoft.ru with drweb-scanned (Exim 3.33 #1) id 1690t6-00013f-00; Wed, 28 Nov 2001 12:20:16 +0300 Received: from dima.mipt.ru ([193.125.143.191] helo=wizard) by ns2.megasoft.ru with smtp (Exim 3.33 #1) id 1690t5-00013M-00; Wed, 28 Nov 2001 12:20:15 +0300 Message-ID: <03ce01c177ed$5644d2b0$1364a8c0@wizard> Reply-To: "Andrew Tyuckachev" 
From: "Andrew Tyuckachev" To: "Dan Larsson" Cc: References: <20011128101142.U82240-100000@hq1.tyfon.net> Subject: Re: Free Antivirus Date: Wed, 28 Nov 2001 12:16:17 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 X-Envelope-To: dl@tyfon.net, security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org try /usr/ports/security/drweb-sendmail ----- Original Message ----- 
From: "Dan Larsson" To: "Malik Abdugaliev" Cc: "FreeBSD Security" Sent: Wednesday, November 28, 2001 12:12 PM Subject: Re: Free Antivirus
> On Wed, 28 Nov 2001, Malik Abdugaliev wrote:
>
> | Hello.
> | Does anybody known freeware antivirus program for sendmail?
> | THX.
>
> Perhaps not all are free but it's a start:
>
> % cd /usr/ports ; make search key=antivirus
>
> |
>
>
> Regards
> +------
> Dan Larsson -+- Tyfon Svenska AB -+- DL1999-RIPE
> 2AA5 90AE 5185 5924 1E0B 1A99 EC8A EA84 406B 06B9
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>
From owner-freebsd-security Wed Nov 28 1:26:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from postoffice.aims.com.au (eth0.lnk.aims.com.au [203.31.73.253]) by hub.freebsd.org (Postfix) with ESMTP id 129BE37B419 for ; Wed, 28 Nov 2001 01:26:50 -0800 (PST) Received: from postoffice.aims.com.au (nts-ts1.aims.private [192.168.10.2]) by postoffice.aims.com.au with ESMTP id fAS9Qm184507 for ; Wed, 28 Nov 2001 20:26:49 +1100 (EST) (envelope-from chris@aims.com.au) Received: from ntsts1 by aims.com.au with SMTP (MDaemon.v3.5.3.R) for ; Wed, 28 Nov 2001 20:26:09 +1100 Reply-To:
From: "Chris Knight" To: Subject: Latest Outlook-borne Viruses and sendmail Date: Wed, 28 Nov 2001 20:26:07 +1100 Message-ID: <004201c177ee$b68a4000$020aa8c0@aims.private> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 X-Return-Path: chris@aims.com.au X-MDaemon-Deliver-To: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Howdy, If anyone's interested, I've found the following snippet useful for blocking the latest round of Outlook viruses using sendmail. Just remove the LOCAL_RULESETS and add it before the mailer definitions section in sendmail.cf if you're not using m4 config files. You'll need to fix the wordwrap of course. Naturally, use at your own risk, YMMV, etc... 
--->snip<---
LOCAL_RULESETS
HX-Unsent: $>CheckUnsent

SCheckUnsent
R1	$#error $@ 5.7.1 $: 550 X-Unsent header suggests e-mail virus; please remove virus then resend
--->snip<---
Regards, Chris Knight Systems Administrator AIMS Independent Computer Professionals Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795 Web: http://www.aims.com.au From owner-freebsd-security Wed Nov 28 1:30:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from TYO202.gate.nec.co.jp (TYO202.gate.nec.co.jp [202.247.6.41]) by hub.freebsd.org (Postfix) with ESMTP id 32F1D37B417 for ; Wed, 28 Nov 2001 01:30:19 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.193]) by TYO202.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id fAS9UIO19985; Wed, 28 Nov 2001 18:30:19 +0900 (JST) Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.196]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id fAS9UEU05121; Wed, 28 Nov 2001 18:30:14 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id fAS9UDi22126; Wed, 28 Nov 2001 18:30:13 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.1/8.12.1) with ESMTP id fAS9UClC053596; Wed, 28 Nov 2001 18:30:12 +0900 (JST) Date: Wed, 28 Nov 2001 18:30:12 +0900 (JST) Message-Id: <20011128.183012.26333334.y-koga@jp.FreeBSD.org> To: ache@nagual.pp.ru Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ?
From: Koga Youichirou In-Reply-To: <20011128084416.GA32507@nagual.pp.ru> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> <20011128.122552.45455442.y-koga@jp.FreeBSD.org> <20011128084416.GA32507@nagual.pp.ru> X-Mailer: Mew version 3.0.50 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Andrey A. Chernov" : > > Following is RedHat's patch: > > > > --- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001 > > +++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001 
> > @@ -309,7 +309,7 @@ > > if (lm >= restbufend) > > return (0); > > } > > It seems that this patch is over another patch and not for original 2.6.1 > sources. Could you please provide cumulative patch compared to original > sources? The patch I sent is included in RedHat's wu-ftpd source package. It includes wu-ftpd-2.7.0-20010531.tar.bz2, and the patch is for 2.7.0-20010531 (although it is named "wu-ftpd-2.6.1-sec.patch" ;). Kajino-san has sent a patch for original 2.6.1, and I think it works well. -- Koga, Youichirou PS Just FYI. CHANGES of wu-ftpd-2.7.0-20010531 since 2.6.1 are:
BEGIN-----------------------------------------------------
Changes in 2.7.0: Released
o Spurious home directory restrictions would occur if the user did not have permission to read their own home or one of its parent directories.
o Still MORE changes to ftpaccess parsing. All looping parses now continue past missing parameters instead of stopping unexpectedly.
o When using PAM, the anonymous user (ftp) can be authenticated but may not be known to the local system. If this occurs, try the "nobody" user. If neither exists, log a suitable message and kill the session. This should probably be done for other network-based authentication methods: patches would be very welcome.
o Treat ASCII CR (\r) as white space in the ftpaccess file. Done the Wrong Way but good enough to prevent most problems when a clueless admin uses Windows Notepad to edit the file instead of a real editor like emacs or vi.
o New ftpaccess clause "iptos" to allow management of IP Type Of Service for both control and data connections. Note: the default IPTOS changes; to use the same TOS as previous versions you must add the following to your ftpaccess:
  iptos control lowdelay
  iptos data throughput
  See the ftpaccess manpage for a full description of these options.
o Guestserver clause with no parameters hangs the control socket.
o New ftpaccess clauses "signoff" and "stat" work similar to "greeting".
Please read the ftpaccess man page for more information on these new options. o Log security issue on denied umask and chmod. o Properly log security issue if RMD is denied because deletes are not allowed for this user. o Restricted users should be allowed to use chmod and umask as well as SITE GROUP and SITE GPASS, but still cannot use SITE EXEC and SITE INDEX. o Make y/n for chmod, umask, chmod, delete, overwrite case-insensitive. o Correct chmod, umask, overwrite and rename to match documented operation. Namely, anonymous users cannot use them and all other can. o Avoid crashes on certain configuration problems by making parameters optional and choosing reasonable defaults. Effected clauses are: private (default is no) log commands (default is log commands for all users) log transfers (default to log all transfers) log security (default to log all issues) compress (default to allow compression/uncompression) tar (default to allow tar on-the-fly) Also, ignore without crashing on banner clause without a pathname. o In fixpath(), don't remove a trailing '.' at the end of the path. From John Simmons . o If using OPIE, don't accept regular passwords if OPIE tells us not to. From Ken Mort . o Added optional parameters to the upload clause. Newly created directories can now be given user/group ownership different than newly created files. o For autoconf, some systems define __SVR4 and not SVR4. So, in src/config.h.in, if we see __SVR4 and not SVR4, go ahead and define SVR4. Solaris is the most-cited culprit here, but there may be others. The old build configs specifically define SVR4 so they have no problems. o Add support for tcpwrappers in standalone daemon mode. Read the comments at the end of src/config.h.noac for instructions on how to enable them. o Add logging of restart point and actual byte count in the xferlog. Since this will break xferstats and other llog analyzers, it is disabled by default. o Add To: and Date: headers for upload notification emails. 
Note the Date: header is *always* in UTC. If someone wants to change it to local time with a correct UTC offset, send the patch along. o Update ftpaccess manpage to better describe lslong, lsshort and lsplain. o Fix passive ports, missing ntohl() call caused misinterpretation. o Document logfile ftpaccess option. Promote it to be usable in all configurations instead of just new-style virtual hosts (with /etc/ftphosts existing). o Fix crash following timeout on a data connection. o Add an option to track logins via the lastlog file. This option is enabled by default. o Add user= to work similarly to class=; this also fixes a long-standing problem with class=. Things should now work a bit more like we'd expect when you use class=. o Add throughput rate limiting to ASCII-mode file transfers. For some reason it was only applied to binary transfers. o Use mkstemp() and mktemp() for temp file creation in privatepw if those functions are available o Fix so virtual hosts work with the standalone daemon. o Add an option to define an alternate home directory to log real users into if we're doing strict_homedir checking or base_homedir checking and we fail either one of those. o Split up the PARANOID configuration option into individual options for finer control. o Add an option to check a user's home directory against a "base" directory and refuse the login if the former isn't below the latter. o Renamed support/ftw.h to support/wuftpd_ftw.h to ensure the system ftw.h is used when HAVE_FTW is defined. o Changed the way support headers are included to work with VPATH. o Added workarounds for stdio bugs, email on anonymous upload now works on Solaris and AIX. o Send a 502 reply instead of a 500 in disabled SITE commands. o Fixed command and transfer logging so -L, -i and -o work with -a. o Someone moved the call to get quota data earlier in the msg_massage function. This little optimization causes a segfault. 
Rather than reverse the change, just output "[unknown]" when quota information is desired and not yet available (for instance in the initial banner). o Added host-limit configuration which enables the limiting of the number of sessions from one IP. o Added NO_UTMP #ifdefs for systems that don't have a wtmp file. o Improved the error reporting in ftpshut, ftprestart and ftpcount. o Send a 502 reply instead of a 425 when PASV support is disabled. Send 502 instead of 500 when PORT is disabled. o Two PASV commands in the same second get the same port assigned. Add some salt to spice things up. o Host matching on the class clause and elsewhere used to allow [] ranges as well as wildcards. They are now allowed once more. o Off-by-one in wu_fnmatch caused problems parsing [] ranges. o Fix a segfault if there's a typo on pasv-allow. For instance, "pasv-allow all *" instead of "pasv-allow all 0.0.0.0/0". To be save, for NOMATCH result instead of allowing the PASV connection. o If using restricted-uid and the user's home includes symlinks, the PWD command can cause a crash. Run both paths through realpath to fix this. o guestserver should deny anonymous access with no parameters. o When using OPIE, don't require an OPIE reply if the user does not have an opie key. o Don't lose last character when STOU exceeds 9 probes to find a unique filename. o When using OPIE, don't allow normal passwords when OPIE is required. o On command-line -u option, don't allow non-octal digits. Doh. o Need HAVE_QUOTACTL on IRIX. o In src/extensions.c is a definition of snprintf. If needs to be protected by HAVE_SNPRINTF. o SunOS really doesn't have a working fchdir(). o NLST should not send the names of dangling symlinks since they can not be retrieved. o guestuser and guestgroup no longer make anonymous users into guests when matching wildcards and ranges. o Corrected an information leak when failing a MKD with restricted-uid. 
The pathname reported in the error needs to have the user's home stripped off the error reply. From Richard Mirch o AIX 4.1.x needs libbsd.a & libs.a. o Added definition for AIX's file system (JFS). o AIX 4.1.x has no has getrlimit() but no RLIMIT_NOFILE. It does have gettablesize(). o Fixed a problem with the order of the includes of sys/mnttab.h and sys/mntent.h. Solaris has them both but only defines struct mnttab. o IRIX has no NCARGS in the system's include files but defines it in the kernel ('systune ncargs' outputs: ncargs = 20480 (0x5000)). o Local quota updates can now be seen during the session. Two exceptions: 1) It wont work in a chroot() environment unless the quota DB can be accessed there. 2) WU-FTPD does not support displaying of files with cookies more than once. So the current solution is to display different files in different places (in example cd to other directories). o Fixed file descriptor and memory leaks in the email on anonymous upload code. o Michael Brennen has contributed the Guest HOWTO to the project. It is now located in the doc/HOWTO section and will be included in all future releases. o Provide a compile-time option to revert NLST to showing directories. o Somehow the fix for pasv-allow didn't actually make it into 2.6.1 o Off-by-one and missing step-increment in a couple routines for throughput limiting. o Fix another missing format string. This was in debugging code, so it's not considered serious enough to push a new release yet. 
END-------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 28 1:46:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id 8F93A37B433 for ; Wed, 28 Nov 2001 01:46:27 -0800 (PST)
Received: from mailgate4.nec.co.jp ([10.7.69.195]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id fAS9jwR10218; Wed, 28 Nov 2001 18:45:58 +0900 (JST)
Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.190]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id fAS9jsa12507; Wed, 28 Nov 2001 18:45:54 +0900 (JST)
Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id fAS9jsi11596; Wed, 28 Nov 2001 18:45:54 +0900 (JST)
Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.1/8.12.1) with ESMTP id fAS9jrlC053712; Wed, 28 Nov 2001 18:45:54 +0900 (JST)
Date: Wed, 28 Nov 2001 18:45:53 +0900 (JST)
Message-Id: <20011128.184553.116411455.y-koga@jp.FreeBSD.org>
To: ache@nagual.pp.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: wu-ftpd ?
From: Koga Youichirou In-Reply-To: <20011128.183012.26333334.y-koga@jp.FreeBSD.org> References: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> <20011128084416.GA32507@nagual.pp.ru> <20011128.183012.26333334.y-koga@jp.FreeBSD.org> X-Mailer: Mew version 3.0.50 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > The patch I sent is included in RedHat's wu-ftpd source package. > There includes wu-ftpd-2.7.0-20010531.tar.bz2 in it and > the patch is for 2.7.0-20010531 (although it is named as > "wu-ftpd-2.6.1-sec.patch" ;). and diff about src/glob.c from 2.6.1 to 2.7.0-20010531 (w/o wu-ftpd-2.6.1-sec.patch): --- ../wu-ftpd-2.6.1/src/glob.c Sun Jul 2 03:17:39 2000 +++ src/glob.c Thu May 31 16:30:36 2001 @@ -1,5 +1,5 @@ /**************************************************************************** - Copyright (c) 1999,2000 WU-FTPD Development Group. + Copyright (c) 1999,2000,2001 WU-FTPD Development Group. All rights reserved. Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 @@ -20,7 +20,7 @@ If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/license.html. - $Id: glob.c,v 1.14 2000/07/01 18:17:39 wuftpd Exp $ + $Id: glob.c,v 1.19 2001/05/30 12:59:07 wuftpd Exp $ ****************************************************************************/ /* @@ -41,6 +41,7 @@ #include #include #include +#include #include #include "proto.h" @@ -48,6 +49,11 @@ #define QUOTE 0200 #define TRIM 0177 #define eq(a,b) (strcmp(a, b)==0) + +#ifndef NCARGS +#define NCARGS 20480 /* at least on SGI IRIX */ +#endif + #define GAVSIZ (NCARGS/6) #define isdir(d) ((d.st_mode & S_IFMT) == S_IFDIR) 
@@ -174,19 +180,21 @@ sort(); } +static int +argcmp(const void *p1, const void *p2) +{ + char *s1 = *(char **) p1; + char *s2 = *(char **) p2; + + return (strcmp(s1, s2)); +} + static void sort(void) { - register char **p1, **p2, *c; char **Gvp = &gargv[gargc]; - p1 = sortbas; - while (p1 < Gvp - 1) { - p2 = p1; - while (++p2 < Gvp) - if (strcmp(*p1, *p2) > 0) - c = *p1, *p1 = *p2, *p2 = c; - p1++; - } + if (!globerr) + qsort(sortbas, Gvp - sortbas, sizeof (*sortbas), argcmp); sortbas = Gvp; } @@ -292,12 +300,15 @@ static int execbrc(char *p, char *s) { char restbuf[BUFSIZ + 2]; + char *restbufend = &restbuf[sizeof(restbuf)]; register char *pe, *pm, *pl; int brclev = 0; char *lm, savec, *sgpathp; - for (lm = restbuf; *p != '{'; *lm++ = *p++) - continue; + for (lm = restbuf; *p != '{'; *lm++ = *p++) { + if (lm >= restbufend) + return (0); + } for (pe = ++p; *pe; pe++) switch (*pe) { @@ -339,6 +350,8 @@ doit: savec = *pm; *pm = 0; + if (lm + strlen(pl) + strlen(pe + 1) >= restbufend) + return (0); (void) strcpy(lm, pl); (void) strcat(restbuf, pe + 1); *pm = savec; @@ -538,8 +551,12 @@ { register size_t len = strlen(s1) + strlen(s2) + 1; + if (globerr) + return; if (len >= gnleft || gargc >= GAVSIZ - 1) globerr = "Arguments too long"; + else if (len > MAXPATHLEN) + globerr = "Pathname too long"; else { gargc++; gnleft -= len; @@ -620,6 +637,7 @@ { register char **av = av0; + if (av) while (*av) free(*av++); } @@ -627,7 +645,7 @@ char *strspl(register char *cp, register char *dp) { register char *ep = - (char *) malloc((unsigned) (strlen(cp) + strlen(dp) + 1)); + (char *) malloc((unsigned) (strlen(cp) + strlen(dp) + 1)); if (ep == (char *) 0) fatal("Out of memory"); 
@@ -652,6 +670,7 @@ cp++; return (cp); } + /* * Extract a home directory from the password file * The argument points to a buffer where the name of the

-- 
Koga, Youichirou

From owner-freebsd-security Wed Nov 28 2:00:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sentry.granch.com (sentry.granch.com [212.109.197.55]) by hub.freebsd.org (Postfix) with ESMTP id 700F637B41A for ; Wed, 28 Nov 2001 02:00:12 -0800 (PST)
Received: (from shelton@localhost) by sentry.granch.com (8.11.6/8.11.6) id fAS9xeY91264; Wed, 28 Nov 2001 15:59:40 +0600 (NOVT) (envelope-from shelton)
Message-Id: <200111280959.fAS9xeY91264@sentry.granch.com>
Content-Type: text/plain; charset="koi8-r"
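Review bot: in the sort hunk (@@ -174,19 +180,21 @@), the new `if (!globerr)` guard means gargv is left unsorted whenever an earlier step recorded an error, so any caller that reads the array without first checking globerr would now see unsorted (and, per the later hunk, truncated) results; the invariant "callers must test globerr before using gargv" is not stated anywhere in the visible lines and deserves a one-line comment next to the qsort call. argcmp itself is right: it dereferences the `char **` elements and compares the strings, not the pointer values, which is the usual qsort mistake.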
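Review bot: the bound check added to the `for (lm = restbuf; *p != '{'; *lm++ = *p++)` loop in execbrc (@@ -292,12 +300,15 @@) is evaluated before each store, because the store sits in the increment clause and the test in the body, so with `restbufend = &restbuf[sizeof(restbuf)]` the last permitted write is to restbuf[BUFSIZ + 1], still inside the array. Two points for the comment block: the loop still relies on the caller guaranteeing a '{' before the terminating NUL of `p` (only the destination is bounded), and `return (0)` reports an over-long pattern as "no match" rather than as an error, so the caller cannot distinguish the two; if that silence is intended, say so at the return.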
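Review bot: `if (lm + strlen(pl) + strlen(pe + 1) >= restbufend) return (0);` in the second execbrc hunk (@@ -339,6 +350,8 @@) has the right arithmetic (it leaves room for the NUL that the following strcat writes), but it forms a pointer that may point past the end of restbuf before comparing it, which C leaves undefined and which some optimizers exploit. Comparing lengths rather than pointers avoids that: `if (strlen(pl) + strlen(pe + 1) >= (size_t)(restbufend - lm)) return (0);` gives the same decision without ever computing an out-of-range address.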
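Review bot: the early `if (globerr) return;` added in the @@ -538,8 +551,12 @@ hunk turns globerr into a sticky failure flag: once "Arguments too long" or the new "Pathname too long" has been set, every later match is silently dropped, which is consistent with the sort hunk skipping qsort on error but should be recorded in a comment at the top of the function. The new check is sound as written: `len` is computed as `strlen(s1) + strlen(s2) + 1`, so it counts the terminator, and `len > MAXPATHLEN` rejects exactly the strings that would not fit in a MAXPATHLEN-byte buffer.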
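Review bot: the strspl hunk (@@ -627,7 +645,7 @@) changes only whitespace as shown here, but the line it touches still reads `malloc((unsigned) (strlen(cp) + strlen(dp) + 1))`; the `(unsigned)` cast narrows a size_t to 32 bits on LP64 platforms and buys nothing, since malloc takes a size_t. Since the line is being rewritten anyway, dropping the cast (`malloc(strlen(cp) + strlen(dp) + 1)`) is the safer spelling.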
From: "Rashid N. Achilov"
Organization: Granch Ltd.
To: "Andrew Tyuckachev" , "Dan Larsson"
Subject: Re: Free Antivirus
Date: Wed, 28 Nov 2001 15:59:39 +0600
X-Mailer: KMail [version 1.3.1]
Cc:
References: <20011128101142.U82240-100000@hq1.tyfon.net> <03ce01c177ed$5644d2b0$1364a8c0@wizard>
In-Reply-To: <03ce01c177ed$5644d2b0$1364a8c0@wizard>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

On Wednesday 28 November 2001 15:16, Andrew Tyuckachev wrote:
> try /usr/ports/security/drweb-sendmail
>

Is it really free? :-) Or simply shareware with a 30-day eval?

-- 
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton
Granch Ltd. system administrator, e-mail: achilov@granch.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

From owner-freebsd-security Wed Nov 28 2:00:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id B047D37B419 for ; Wed, 28 Nov 2001 02:00:28 -0800 (PST)
Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id fASA0HT34191; Wed, 28 Nov 2001 13:00:18 +0300 (MSK) (envelope-from ache)
Date: Wed, 28 Nov 2001 13:00:14 +0300
From: "Andrey A. Chernov"
To: Koga Youichirou
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: wu-ftpd ?
Message-ID: <20011128100012.GB34069@nagual.pp.ru>
References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> <20011128.122552.45455442.y-koga@jp.FreeBSD.org> <20011128084416.GA32507@nagual.pp.ru> <20011128.183012.26333334.y-koga@jp.FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011128.183012.26333334.y-koga@jp.FreeBSD.org>
User-Agent: Mutt/1.3.23.2i

On Wed, Nov 28, 2001 at 18:30:12 +0900, Koga Youichirou wrote:
> Kajino-san has sent a patch for original 2.6.1,
> and I think it works well.

I don't think so. This patch does not add much sense to the 2.6.1 code; I mean it does not prevent the overflow.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Wed Nov 28 2:09:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id 6594737B416 for ; Wed, 28 Nov 2001 02:09:39 -0800 (PST)
Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 1691g0-0006jd-00; Wed, 28 Nov 2001 10:10:48 +0000
Date: Wed, 28 Nov 2001 10:10:48 +0000
From: Rasputin
To: "Stephen T. Shipley"
Cc: security@freebsd.org
Subject: Re: crypted remote backup
Message-ID: <20011128101048.A25860@shikima.mine.nu>
Reply-To: Rasputin
References: <200111270147.fAR1lDk16602@e-shipley.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111270147.fAR1lDk16602@e-shipley.com>; from steve@e-shipley.com on Mon, Nov 26, 2001 at 08:47:13PM -0500

* Stephen T. Shipley [011127 03:57]:
> Configure rsync.conf on source server (with 40g file) and run as a daemon. Provide a net name like "www" for alias to path.
> And possibly run from one of the /etc/periodic/daily scripts like this (on destination box).
>
> /usr/local/bin/rsync -e /usr/bin/ssh -avz ::www \

I think (though could be wrong) that the double colon here ^^
will cause rsync to use rsh as a transport, despite the fact that
you specified ssh as an *available* transport with '-e ssh' earlier.

And while we're on the subject, what's the safest way of doing this as root
(to preserve permissions, and have access to a whole fs tree;
I'm not too bothered about crypto at the destination directory)

Cheers.

> /usr/local/www/data/home_something_destination && rc=0||rc=3

-- 
Love and scandal are the best sweeteners of tea.
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Wed Nov 28 2:11:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns2.megasoft.ru (gw.megasoft.ptci.ru [194.67.183.18]) by hub.freebsd.org (Postfix) with ESMTP id 04CC337B405 for ; Wed, 28 Nov 2001 02:11:45 -0800 (PST)
Received: from drweb by ns2.megasoft.ru with drweb-scanned (Exim 3.33 #1) id 1691kh-0001ax-00; Wed, 28 Nov 2001 13:15:39 +0300
Received: from dima.mipt.ru ([193.125.143.191] helo=wizard) by ns2.megasoft.ru with smtp (Exim 3.33 #1) id 1691kg-0001ao-00; Wed, 28 Nov 2001 13:15:38 +0300
Message-ID: <04ea01c177f5$13008aa0$1364a8c0@wizard>
Reply-To: "Andrew Tyuckachev"
From: "Andrew Tyuckachev"
To: "Rashid N. Achilov"
Cc:
References: <20011128101142.U82240-100000@hq1.tyfon.net> <03ce01c177ed$5644d2b0$1364a8c0@wizard> <200111280959.fAS9xeY91264@sentry.granch.com>
Subject: Re: Free Antivirus
Date: Wed, 28 Nov 2001 13:11:40 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
X-Envelope-To: shelton@sentry.granch.ru, security@FreeBSD.ORG

cut from drweb README
...
Limitations

Both the scanner and the daemon do not test boot sectors and main memory.

If the evaluation key is used the following limitations are imposed: the scanner does not perform curing of infected objects, checking of the files placed into archives, into mail bases and packed by the programs for executable modules compression (DIET, PKLITE etc.). The same limitations are valid for the daemon except for working with mail bases.
....

Nothing about an evaluation period. Nevertheless, it blocks viruses very well (I use drweb with exim).

----- Original Message -----
From: "Rashid N. Achilov"
To: "Andrew Tyuckachev" ; "Dan Larsson"
Cc:
Sent: Wednesday, November 28, 2001 12:59 PM
Subject: Re: Free Antivirus

> On Wednesday 28 November 2001 15:16, Andrew Tyuckachev wrote:
> > try /usr/ports/security/drweb-sendmail
> >
>
> Is it really free? :-) Or simply shareware with a 30-day eval?
> --
> With Best Regards.
> Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton
> Granch Ltd. system administrator, e-mail: achilov@granch.ru
> PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

From owner-freebsd-security Wed Nov 28 2:51:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from luke.twenty4help.nu (ns1.twenty4help.nu [62.108.207.78]) by hub.freebsd.org (Postfix) with ESMTP id E047637B419 for ; Wed, 28 Nov 2001 02:51:11 -0800 (PST)
Received: from rambo.simx.org (malin.twenty4help.se [195.67.108.195]) (authenticated) by luke.twenty4help.nu (8.11.2/8.11.2) with ESMTP id fASAsuw37007; Wed, 28 Nov 2001 11:54:59 +0100 (CET) (envelope-from listsub@rambo.simx.org)
Message-ID: <3C04C180.7040601@rambo.simx.org>
Date: Wed, 28 Nov 2001 11:50:40 +0100
From: "Roger 'Rocky' Vetterberg"
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2
X-Accept-Language: en-us
MIME-Version: 1.0
To: Andrew Tyuckachev
Cc: Dan Larsson , security@FreeBSD.ORG
Subject: Re: Free Antivirus
References: <20011128101142.U82240-100000@hq1.tyfon.net> <03ce01c177ed$5644d2b0$1364a8c0@wizard>
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 7bit

Correct me if I'm wrong, but DrWeb does not seem to be free software.

-- 
R

Andrew Tyuckachev wrote:
>try /usr/ports/security/drweb-sendmail
>
>>On Wed, 28 Nov 2001, Malik Abdugaliev wrote:
>>
>>| Hello.
>>| Does anybody know a freeware antivirus program for sendmail?
>>| THX.
>>
>>[snip]
>>

From owner-freebsd-security Wed Nov 28 4:35:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay.pair.com (relay1.pair.com [209.68.1.20]) by hub.freebsd.org (Postfix) with SMTP id BA24137B419 for ; Wed, 28 Nov 2001 04:35:16 -0800 (PST)
Received: (qmail 30018 invoked from network); 28 Nov 2001 12:35:15 -0000
Received: from pd95029ca.dip.t-dialin.net (HELO laptop) (217.80.41.202) by relay1.pair.com with SMTP; 28 Nov 2001 12:35:15 -0000
X-pair-Authenticated: 217.80.41.202
Message-ID: <000901c17809$2f085ac0$0901a8c0@system>
From: "Tom Beer"
To:
Subject: Route entry
Date: Wed, 28 Nov 2001 13:35:36 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

Hi,

My box is connected to the net via a ppp dsl dialup line. Sometimes an additional route is created:

255.255.255.255 172.88.0.134 UHb 0 tun0

The gateway address is not on the local net. Is this a kind of a smurf attack, or why and how is the route created?

Greets Tom

From owner-freebsd-security Wed Nov 28 6:04:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 7C14837B416 for ; Wed, 28 Nov 2001 06:04:45 -0800 (PST)
Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id fASE4if18085; Wed, 28 Nov 2001 08:04:44 -0600 (CST)
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id IAA17931; Wed, 28 Nov 2001 08:04:43 -0600 (CST)
Message-ID: <3C04EEF9.D10C1B41@centtech.com>
Date: Wed, 28 Nov 2001 08:04:41 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Rasputin
Cc: "Stephen T. Shipley" , security@freebsd.org
Subject: Re: crypted remote backup
References: <200111270147.fAR1lDk16602@e-shipley.com> <20011128101048.A25860@shikima.mine.nu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

What I have been doing is croning a script (as root) that tarballs the right stuff, and then scp the file as another user ("backup" in my case) to another box. This way I'm not logging in as root to copy a file over the net, and I don't have to have sshd set up to allow root logins at all.

If you wanted to use rsync, there are a few ways to do it, but scp does a good job at recursively scp'ing files, although it will do ALL files every time.

You can also look into unison, it may have some better options for you.

Eric

Rasputin wrote:
> 
> * Stephen T. Shipley [011127 03:57]:
> > Configure rsync.conf on source server (with 40g file) and run as a daemon. Provide a net name like "www" for alias to path.
> > And possibly run from one of the /etc/periodic/daily scripts like this (on destination box).
> >
> > /usr/local/bin/rsync -e /usr/bin/ssh -avz ::www \
> 
> I think (though could be wrong) that the double colon here ^^
> will cause rsync to use rsh as a transport, despite the fact that
> you specified ssh as an *available* transport with '-e ssh' earlier.
> 
> And while we're on the subject, what's the safest way of doing this as root
> (to preserve permissions, and have access to a whole fs tree;
> I'm not too bothered about crypto at the destination directory)
> 
> Cheers.
> > /usr/local/www/data/home_something_destination && rc=0||rc=3
> 
> --
> Love and scandal are the best sweeteners of tea.
> Rasputin :: Jack of All Trades - Master of Nuns ::

-- 
-------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------

From owner-freebsd-security Wed Nov 28 6:07:09 2001
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-168.zoominternet.net [24.154.28.168]) by hub.freebsd.org (Postfix) with ESMTP id 15ADA37B405 for ; Wed, 28 Nov 2001 06:07:04 -0800 (PST)
Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id fASE6wN61198 for ; Wed, 28 Nov 2001 09:06:59 -0500 (EST) (envelope-from behanna@zbzoom.net)
Date: Wed, 28 Nov 2001 09:06:53 -0500 (EST)
From: Chris BeHanna
Reply-To:
To:
Subject: Re: crypted remote backup
In-Reply-To: <20011128101048.A25860@shikima.mine.nu>
Message-ID: <20011128085832.D61032-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Note: Reply-To set to freebsd-questions.

On Wed, 28 Nov 2001, Rasputin wrote:
> * Stephen T. Shipley [011127 03:57]:
> > Configure rsync.conf on source server (with 40g file) and run as a daemon. Provide a net name like "www" for alias to path.
> > And possibly run from one of the /etc/periodic/daily scripts like this (on destination box).
> >
> > /usr/local/bin/rsync -e /usr/bin/ssh -avz ::www \
>
> I think (though could be wrong) that the double colon here ^^
> will cause rsync to use rsh as a transport, despite the fact that
> you specified ssh as an *available* transport with '-e ssh' earlier.
>
> And while we're on the subject, what's the safest way of doing this as root
> (to preserve permissions, and have access to a whole fs tree;
> I'm not too bothered about crypto at the destination directory)

If you drop a "cookie" file at the end of each backup, you could do something like:

    find targetdir -newer cookiefile -type f -print | tar cf - -I - | \
        ssh user@backuphost dd of=incremental`date "+%Y%m%d-%H%M%S"`.tgz

Then, if you have to restore, you unpack the incremental tarball with tar xvpf (restoring file ownership and permission will require unpacking as root, but you can ship it to the archive host as another user).

This isn't really any longer security-related.

-- 
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
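The two replies above describe the same pattern from different ends: Eric Anderson's root cron job that builds an archive and ships it as an unprivileged "backup" user, and Chris BeHanna's cookie file that turns it into an incremental. The script below is an added example that writes that pattern out in full; it is not code from either post. The directory, cookie path, user and host names are placeholders passed as arguments, and it uses tar's `-T` (read member names from a file) option, which GNU tar and bsdtar both accept, in place of the `-I` in Chris's one-liner.

```shell
#!/bin/sh
# Cookie-based incremental backup pushed over ssh as an unprivileged user.
# Added example, not code from the mailing-list posts; "backup", the host
# name and the directory names are placeholders chosen by the caller.

# list_changed DIR COOKIE
#   Print every regular file under DIR whose mtime is newer than COOKIE.
#   On the first run (no cookie yet) every file is listed.
list_changed() {
    dir=$1; cookie=$2
    if [ -f "$cookie" ]; then
        find "$dir" -type f -newer "$cookie" -print
    else
        find "$dir" -type f -print
    fi
}

# build_incremental DIR COOKIE OUT
#   Write a tar archive of the changed files to OUT.
#   Returns 1 and leaves OUT untouched when no file has changed.
build_incremental() {
    dir=$1; cookie=$2; out=$3
    list=$(mktemp "${TMPDIR:-/tmp}/inc.XXXXXX") || return 2
    list_changed "$dir" "$cookie" > "$list"
    if [ ! -s "$list" ]; then
        rm -f "$list"
        return 1
    fi
    # -T reads the member list from a file (GNU tar and bsdtar), so the
    # names go straight from find to tar without shell word splitting.
    tar -cf "$out" -T "$list"
    rc=$?
    rm -f "$list"
    return $rc
}

# ship ARCHIVE USER HOST
#   Stream ARCHIVE to HOST over ssh, logging in as the unprivileged USER.
#   Root only reads the local tree; sshd on the backup host never has to
#   permit root logins, and restoring with "tar xpf" as root is a separate
#   step done on that host.
ship() {
    archive=$1; user=$2; host=$3
    ssh "$user@$host" "dd of=incremental-$(date +%Y%m%d-%H%M%S).tar" < "$archive"
}

# run_backup DIR COOKIE USER HOST   (what the root cron entry would call)
#   The cookie is advanced only after a successful push, so a failed run
#   is simply retried in full on the next invocation.
run_backup() {
    dir=$1; cookie=$2; user=$3; host=$4
    tmp=$(mktemp "${TMPDIR:-/tmp}/inc.XXXXXX") || return 2
    status=0
    if build_incremental "$dir" "$cookie" "$tmp"; then
        if ship "$tmp" "$user" "$host"; then
            touch "$cookie"
        else
            status=1
        fi
    fi
    rm -f "$tmp"
    return $status
}
```

A cron line such as `0 3 * * * /usr/local/sbin/incbackup.sh` would source this file and call `run_backup /usr/local/www /var/db/backup.cookie backup backuphost`. Because the cookie is touched only after the push succeeds, a transient ssh failure does not lose files: the next run selects everything newer than the old cookie again.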
From owner-freebsd-security Wed Nov 28 7:48:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f140.law3.hotmail.com [209.185.241.140]) by hub.freebsd.org (Postfix) with ESMTP id A4ED337B416 for ; Wed, 28 Nov 2001 07:48:08 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 28 Nov 2001 07:48:08 -0800
Received: from 170.253.164.1 by lw3fd.law3.hotmail.msn.com with HTTP; Wed, 28 Nov 2001 15:48:08 GMT
X-Originating-IP: [170.253.164.1]
From: "WebSec WebSec"
To: freebsd-security@FreeBSD.ORG
Subject: Best security topology for FreeBSD
Date: Wed, 28 Nov 2001 15:48:08 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 28 Nov 2001 15:48:08.0635 (UTC) FILETIME=[139DD0B0:01C17824]

NOT TO START A BIG DISCUSSION BUT I THINK THESE RESPONSES ARE REALLY OFF THE TARGET. I do not have much time and will not be able to respond to more comments but did want to give myself a chance to explain....

>Can someone show me an example of "a packet" that can execute arbitrary
>code on a firewall that only does filtering... :)

>>I don't imagine they can. If they could, chances are it would be
>>patched before you ever even heard of it. So what you're saying is
>>security based on "I haven't seen such a thing, so I'm safe from it?"

This is an ignorant response. To "smash a stack" you need at a minimum a connection to the machine. The most you can do without a connection is to run a DOS. I do not see how it is possible to smash the stack by playing with queuing. Do a little reading sir or at least show how it can be done in theory... we will take to the next step :)

Your phrase is equivalent to saying something like this: If you have not heard about GMC SUBURBAN (a really big car) transporting 700 people cross-Atlantic - it does not mean it cannot be done. I agree that things are a bit more complicated in our world but c'mon... show me how you would approach executing a stack on any non-trojaned packet filtering device... at least in theory... I thought you couldn't :)

>Clearly, either I am too far behind or someone is too far ahead.... If you
>are implying a compromise of a proxy server, this same proxy should not be
>moving "outbound" traffic and the filtering firewall should be configured
>as such. This would prevent someone getting a shell access, at least
>immediately. Note that you created "one" more hop and, therefore, have
>extra time for your IDS to detect the attack. Mission accomplished!

You figure a less than one ms hop (that has already taken place) gives your IDS "more time" to respond? Please. Any IDS worth its salt is going to get the packets, examine them, and then pass them on. I'm talking wrappers or firewall type stuff here, not something like snort that just puts the thing in promiscuous mode and listens to traffic that it can't stop. This is just silly....

I hope you understand what it means to not allow outbound connections. It would take time to poke around and figure out how and what to do on a machine that does not produce an output. Most likely the machine will crash....soon... And your "IDS" as in "monitoring - analysis - incidence response on network and host levels" not as in "a product" WILL TELL YOU ABOUT. THIS IS TIME.

Clearly, you are not sure what you are saying here. IN YOUR SINGLE FIREWALL DESIGN - IF A FIREWALL IS COMPROMISED YOUR ENTIRE SECURITY MODEL IS BLOWN OUT OF THE WATER!

>In case you have a single firewall..... you did not get that extra time.

It doesn't matter anyway, the "extra time" is a silly concept. It's not going to matter. Even a 486 has the processing power and bandwidth to handle a T1 and a reasonable set of firewall rules.. it's getting out there into the really expensive part of the bandwidth world where even a mediocre machine can't keep up.

THE EXTRA TIME IS THE KEY SECURITY CONCEPT. IF YOU HAVE UNLIMITED TIME - YOU CAN GET TO ANYTHING... WELL ALMOST :) Ever wondered why "Important" Banks and other installations are not too far from police stations?
Your phrase that time is not important goes beyond technical incompetence right into security ignorance. No offense.

>To make it even more interesting, a "triple" firewall set-up helps to
>mitigate many of the risks. It is, however, overkill in many-many-many
>cases except where security really matters. :)
>
>Now, a quad system will probably not be practical or at least I have not
>seen a situation where it would be practical :)

Now, you're just talking out of, for lack of a better term, your ass. Maybe we should imagine ourselves up a network where there is a double firewall system like has been discussed here, and then another one on each and every port for each and every hub and switch! Wouldn't that bad boy sure be secure!!

Well actually "ass" is not a very professional term - I would personally try to avoid it on the Net - but yes a TCP WRAPPER is a firewall and it is recommended to use them as much as possible... More so, IPSec is a firewall "concept" because it "authenticates" source and, again, it is recommended. So you are right it would be nice to do firewalling everywhere... Except that these firewalls will not help to mitigate application layer problems.... And, therefore, in many cases are not very helpful. For example, putting many firewalls in a chain that do the same thing (such as filtering the same) does not help with security. This is not what I meant.

>>>Yes. But a single firewall design is also vulnerable to this
>>>attack.
>>The same way.
>
>No it is not if it is properly configured and is not doing proxying...

This is a reply to something someone else said, so I'll let them respond to it.

>Whoever put this together has not ever set up web - SQL architecture...
>Your web server should be on "DMZ".. but what do you do with SQL if it
>does not accept connections...? :) Keep it on DMZ also?

>You have a SQL that doesn't accept connections? Doesn't sound like any
>firewall configuration is going to affect that piece of junk in any way,
>shape or form.

FYI, I have set up SQL backends for webservers in a DMZ exactly as described above, and there are plenty of ways to enhance their security.

>The most basic is an encrypted VPN connection between the webserver and
>the SQL server.

If you would like, we could demonstrate to you that a VPN connection from a WEB server that can execute "arbitrary" code will not help you to keep credit cards secure...but I guess you know that, see below.

In reality however, this sort of thing isn't really needed. If your router is set up to stop as many spoofed packets as it can detect(*) which it should be no matter what your goals are, then your only real problem here is something flawed I see implied in your design: You code your database passwords into the web frontend for access to the DB. If your DB data is critical enough that you can't risk bogus records being inserted, and sensitive enough that you can't risk the wrong person on the outside seeing it, at the very least it should be https access only, and use a user supplied password. In reality, it probably shouldn't be a webserver at all.

I agree with the webserver concept - it is really smart (no sarcasm)

(*) Basically this is only three rules.
#1 deny all packets from inside your network that don't come from your netblock(s),
#2 deny all packets from outside your network that do come from your netblock(s),
#3 deny all packets that have a source or destination address on a private IP subnet with very specific allow rules only if you really need them.

Agreed - but we are talking about a firewall compromise here :) This is where time and 3-triple firewall architecture and IDS process comes to play... Hope you see this now.

>In other words, dual firewalls are "a lot" better in many (NOT ALL) cases
>(if one uses different products). But you do need to match products
>carefully.
You didn't make an argument to this point; nothing constructive was offered that bolsters the credibility of a two firewall design. I'll cover the simple facts once again.

1. One firewall can easily do the job of the two described if the rulesets are merged.
2. Two firewalls do not for the most part provide two "layers" for an attacker to work through; it simply provides two different targets for an attacker to attempt to compromise.

I am not against the previous definition of a single firewall with three interfaces; one for outside, one for inside, and one for the dmz.. but it's usually not required.

The point is "WHAT-IF" you did have a proxy compromise (internal or external). If we were to imagine a single SUPER-SECURE firewall out there, there would be no need to do anything else...

Thank you it was a pleasure.

From owner-freebsd-security Wed Nov 28 8:38:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 9D08937B416 for ; Wed, 28 Nov 2001 08:38:41 -0800 (PST)
Received: (qmail 73152 invoked by uid 1000); 28 Nov 2001 16:38:39 -0000
Date: Wed, 28 Nov 2001 17:38:39 +0100
From: Bart Matthaei
To: WebSec WebSec
Cc: security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011128173839.G70628@heresy.dreamflow.nl>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="PEIAKu/WMn1b1Hv9"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from secure21st@hotmail.com on Wed, Nov 28, 2001 at 03:48:08PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Nov 28, 2001 at 03:48:08PM +0000, WebSec WebSec wrote:
> NOT TO START A BIG DISCUSSION BUT I THINK THESE RESPONSES ARE REALLY OFF THE
> TARGET. I do not have much time and will not be able to respond to more
> comments but did want to give myself a chance to explain....

And I think posting in caps is the lamest thing you can do. So cool down.

Regards,

Bart

-- 
Bart Matthaei bart@dreamflow.nl
/* Welcome to my world.. You just live in it */

From owner-freebsd-security Wed Nov 28 9: 8:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from yamato.ccrle.nec.de (yamato.ccrle.nec.de [195.37.70.1]) by hub.freebsd.org (Postfix) with ESMTP id E5D7337B41C; Wed, 28 Nov 2001 09:08:44 -0800 (PST)
Received: from citadel.mobility.ccrle.nec.de ([192.168.156.1]) by yamato.ccrle.nec.de (8.11.6/8.10.1) with ESMTP id fASFMxk70357; Wed, 28 Nov 2001 16:22:59 +0100 (CET)
Received: from [192.168.102.87] (agrajag.heidelberg.ccrle.nec.de [192.168.102.87]) by citadel.mobility.ccrle.nec.de (Postfix on SuSE eMail Server 2.0) with ESMTP id 8CCB2C040; Wed, 28 Nov 2001 16:23:04 +0100 (CET)
Date: Wed, 28 Nov 2001 16:23:04 +0100
From: Enrico Giakas
Reply-To: Enrico Giakas
To: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: USB Network access
Message-ID: <1114418789.1006964583@[192.168.102.87]>
In-Reply-To: <20011128085832.D61032-100000@topperwein.dyndns.org>
References: <20011128085832.D61032-100000@topperwein.dyndns.org>
X-Mailer: Mulberry/2.1.0 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

I want to introduce a parallel network structure to our LAN, to administer our servers (e.g. Webmin, SNMP, Mrtg). To do so I want to use the USB port because my servers have only one PCI connector (they are so called "pizza box" servers).

Does anyone know if there is an IP over USB or PPP over USB solution for FreeBSD? Or how I can search for this?

Thanks in advance

Enrico

_____________________________________________________
Enrico Giakas
Network Laboratories Heidelberg
NEC Europe Ltd.
Adenauerplatz 6
D-69115 Heidelberg, Germany
Tel.: +49/(0) 62 21/905 11- 12
Fax : +49/(0) 62 21/905 11- 55
email: Enrico.Giakas@ccrle.nec.de
_____________________________________________________

From owner-freebsd-security Wed Nov 28 9:14:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C437A37B416 for ; Wed, 28 Nov 2001 09:14:36 -0800 (PST)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fASHE1r41082; Wed, 28 Nov 2001 12:14:02 -0500 (EST) (envelope-from arr@FreeBSD.org)
X-Authentication-Warning: fledge.watson.org: arr owned process doing -bs
Date: Wed, 28 Nov 2001 12:14:01 -0500 (EST)
From: "Andrew R. Reiter"
X-Sender: arr@fledge.watson.org
To: "Andrey A. Chernov"
Cc: Koga Youichirou , freebsd-security@FreeBSD.org
Subject: Re: wu-ftpd ?
In-Reply-To: <20011128100012.GB34069@nagual.pp.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, 28 Nov 2001, Andrey A. Chernov wrote:
:
:I don't think so.
:This patch does not add much sense to 2.6.1 code, I mean it does not prevent
:overflow.

Are you _sure_ that the fixes aren't related to new input validation and glob problems?

Andrew

-- 
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Wed Nov 28 9:18: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id CB27D37B41B; Wed, 28 Nov 2001 09:17:54 -0800 (PST)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.32 #1) id 1698LG-0003Uw-00; Wed, 28 Nov 2001 17:17:50 +0000
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 1698LH-0006HU-00; Wed, 28 Nov 2001 17:17:51 +0000
X-Mailer: exmh version 2.0.2 2/24/98
To: Enrico Giakas
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: USB Network access
In-reply-to: Your message of "Wed, 28 Nov 2001 16:23:04 +0100." <1114418789.1006964583@[192.168.102.87]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 28 Nov 2001 17:17:51 +0000
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I want to introduce a parallel network structure to our LAN, to administer
> our servers (e.g. Webmin, SNMP, Mrtg).
> To do so I want to use the USB Port because my Servers have only
> one PCI connector (they are so called "pizza box" Server).
>
> Does anyone know if there is an IP over USB or PPP over USB solution
> for FreeBSD ? Or how I can search for this?

Use USB Ethernet NICs? "aue", "cue", &c. See "/usr/src/sys/i386/conf/LINT".

-- 
David Pick

From owner-freebsd-security Wed Nov 28 9:45:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by hub.freebsd.org (Postfix) with SMTP id 4B51937B41A for ; Wed, 28 Nov 2001 09:45:11 -0800 (PST)
Received: (qmail 10364 invoked by uid 0); 28 Nov 2001 17:45:09 -0000
Received: from cp427045-b.mtgmry1.md.home.com (HELO danny) (67.161.38.142) by mail.gmx.net (mp009-rz3) with SMTP; 28 Nov 2001 17:45:09 -0000
From: "Danny"
To:
Subject: Ipfw + bpf interaction
Date: Wed, 28 Nov 2001 12:44:36 -0500
Message-ID: <000e01c17834$5cf1d670$020144c0@danny>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I've been experimenting with ipfw to ward off the hundreds of attempted http requests per day (primarily all from @home customers) which I suspect to be part of some lingering worm/ddos. My question is if a connection attempt will still be recorded by clog(8) if the source IP is blocked by ipfw?

The reason I ask is because I am still seeing connection attempts in the network log from a specific IP belonging to a class B network which I thought I had blocked. The syntax for the rule I used was:

    ipfw add deny log logamount 500 ip from 67.161.0.0:255.255.0.0 to my.ip.address

The rule seems to be added to ipfw's rule set, which for my box is as follows:

    00050 1915738 1315695882 divert 8668 ip from any to any via ep1
    00100    3360    1384342 allow ip from any to any via lo0
    00200       0          0 deny ip from any to 127.0.0.0/8
    00300       0          0 deny ip from 127.0.0.0/8 to any
    00400    1596      65772 deny log logamount 500 ip from another.bad.host to my.ip.address
    00500       0          0 deny log logamount 500 ip from 67.161.0.0/16 to my.ip.address
    65535 3795144 2623014796 allow ip from any to any

The firewall blocks 'another.bad.host' without any problems, at least according to the ipfw logs, but I am still seeing connections from the 67.161.0.0 subnet (where all the connections are coming from) in the clog logs (that's fun to say). Do there seem to be any flaws in this particular rule set?
This is not intended to be an integral firewall, just simply one to block some of the nuisances that have recently been afflicting a machine on my network.

Thanks for any pointers.

Danny McQuade

From owner-freebsd-security Wed Nov 28 9:58:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id A7F3437B41C for ; Wed, 28 Nov 2001 09:57:26 -0800 (PST)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fASHvDr43335 for ; Wed, 28 Nov 2001 12:57:13 -0500 (EST) (envelope-from arr@FreeBSD.org)
X-Authentication-Warning: fledge.watson.org: arr owned process doing -bs
Date: Wed, 28 Nov 2001 12:57:12 -0500 (EST)
From: "Andrew R. Reiter"
X-Sender: arr@fledge.watson.org
To: freebsd-security@FreeBSD.org
Subject: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

FYI -- regarding the wu-ftpd discussion.. Guess it _was_ a globbing problem :-P

Andrew

-- 
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org

---------- Forwarded message ----------
Date: Wed, 28 Nov 2001 10:05:28 -0700 (MST)
From: Dave Ahmad
To: bugtraq@securityfocus.com
Subject: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability

---------------------------------------------------------------------------
Security Alert

Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability
BUGTRAQ ID: 3581
CVE ID: CVE-MAP-NOMATCH
Published: Nov 27, 2001
Updated: Nov 28, 2001 01:12:56
Remote: Yes
Local: No
Availability: Always
Authentication: Not Required
Credibility: Vendor Confirmed
Ease: No Exploit Available
Class: Failure to Handle Exceptional Conditions
Impact: 10.0
Severity: 10.0
Urgency: 8.2
Last Change: Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:

Washington University wu-ftpd 2.6.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ Cobalt Qube 1.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 7.2
+ MandrakeSoft Linux Mandrake 7.1
+ MandrakeSoft Linux Mandrake 7.0
+ MandrakeSoft Linux Mandrake 6.1
+ MandrakeSoft Linux Mandrake 6.0
+ RedHat Linux 7.2 noarch
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 noarch
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ TurboLinux TL Workstation 6.1
+ TurboLinux Turbo Linux 6.0.5
+ TurboLinux Turbo Linux 6.0.4
+ TurboLinux Turbo Linux 6.0.3
+ TurboLinux Turbo Linux 6.0.2
+ TurboLinux Turbo Linux 6.0.1
+ TurboLinux Turbo Linux 6.0
+ Wirex Immunix OS 7.0-Beta
+ Wirex Immunix OS 7.0

Washington University wu-ftpd 2.6.0
+ Cobalt Qube 1.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0es
+ Conectiva Linux 4.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 i386
+ RedHat Linux 6.0 alpha
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
+ S.u.S.E. Linux 6.4ppc
+ S.u.S.E. Linux 6.4alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.2
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ TurboLinux Turbo Linux 4.0
+ Wirex Immunix OS 6.2

Washington University wu-ftpd 2.5.0
+ Caldera eDesktop 2.4
+ Caldera eServer 2.3.1
+ Caldera eServer 2.3
+ Caldera OpenLinux 2.4
+ Caldera OpenLinux Desktop 2.3
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 i386
+ RedHat Linux 6.0 alpha

Summary:

Wu-Ftpd contains a remotely exploitable heap corruption bug.

Impact:

A remote attacker may execute arbitrary code on the vulnerable server.

Technical Description:

Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by Washington University. Wu-Ftpd allows for clients to organize files for ftp actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow for an attacker to execute arbitrary code on a server remotely.

During the processing of a globbing pattern, the Wu-Ftpd implementation creates a list of the files that match. The memory where this data is stored is on the heap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory.
If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check the value of this variable before attempting to use the globbed filenames (and later freeing the memory).

When certain globbing patterns are processed, the globbing function does not set this variable when an error occurs. As a result of this, Wu-Ftpd may eventually attempt to free uninitialized memory. There are a number of possibly exploitable conditions. If this region of memory contained user-controllable data before the free call, it may be possible to have an arbitrary word in memory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten.

If anonymous FTP is not enabled, valid user credentials are required to exploit this vulnerability.

This vulnerability was initially scheduled for public release on December 3, 2001. However, Red Hat has made details public as of November 27, 2001. As a result, we are forced to warn other users of the vulnerable product, so that they may take appropriate actions.

Attack Scenarios:

To exploit this vulnerability, an attacker must have either valid credentials required to log in as an FTP user, or anonymous access must be enabled.

The attacker must ensure that a maliciously constructed malloc header containing the target address and its replacement value are in the right location in the uninitialized part of the heap. The attacker must also place shellcode in server process memory.

The attacker must send an FTP command containing a specific globbing pattern that does not set the error variable. When the server attempts to free the memory used to store the globbed filenames, the target word in memory will be overwritten. If an attacker overwrites a function pointer or return address with a pointer to the shellcode, it may be executed by the server process.
Exploits:

The following (from the CORE advisory) demonstrates the existence of this vulnerability:

ftp> open localhost
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

 1405 ?        S      0:00 ftpd: accepting connections on port 21
 7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
26256 ?        S      0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3     R      0:00 bash -c ps ax | grep ftpd

(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136    in malloc.c

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

Mitigating Strategies:

This vulnerability is remotely exploitable. Restricting access to the network port (TCP port 21 is standard for FTP) will block clients from unauthorized networks.

With some operating systems, anonymous FTP is enabled by default. Anonymous FTP is often in use on public FTP sites, most often software repositories. It is basically a guest account with access to download files from within a restricted environment. This vulnerability is exploitable by clients logged in through anonymous FTP. Anonymous FTP should be disabled immediately until fixes are available, as it would allow any host on the Internet who can connect to the service to exploit this vulnerability. It is a good idea to disable it normally unless it is absolutely necessary (in which case the FTP server should be on a dedicated, isolated host).

Stack and other memory protection schemes may complicate exploitability, and/or prevent commonly available exploits from working. This should not be relied upon for security. This vulnerability involves 'poking' words in memory. This means that there are many different ways that it may be exploited. Making the stack non-executable or checking the integrity of stack variables may not be enough to prevent all possible methods of exploitation.

It is advised to disable the service and use alternatives until fixes are available.

Solutions:

Vendor notified on Nov 14, 2001. Fixes will be available from the author as well as from vendors who ship products that include Wu-Ftpd as core or optional components.

This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available. This record will be updated as fixes from various vendors become available.
For Washington University wu-ftpd 2.6.1:

Red Hat RPM 6.2 alpha wu-ftpd-2.6.1-0.6x.21.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm

Red Hat RPM 6.2 sparc wu-ftpd-2.6.1-0.6x.21.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm

Red Hat RPM 7.0 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

Red Hat RPM 7.0 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

Red Hat RPM 7.1 alpha wu-ftpd-2.6.1-16.7x.1.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

Red Hat RPM 7.1 i386 wu-ftpd-2.6.1-16.7x.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

Red Hat RPM 7.1 ia64 wu-ftpd-2.6.1-16.7x.1.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm

Red Hat RPM 7.2 i386 wu-ftpd-2.6.1-20.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm

Red Hat RPM 6.2 i386 wu-ftpd-2.6.1-0.6x.21.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm

Credit:

Condition first reported by Matt Power, deemed non-exploitable. Rediscovered and exploitability later confirmed by Luciano Notarfrancesco and Juan Pablo Martinez Kuhn from Core Security Technologies, Buenos Aires, Argentina.

References:

advisory: RedHat RHSA-2001:157-06: Updated wu-ftpd packages are available
http://www.securityfocus.com/advisories/3680

web page: CORE SDI Homepage (CORE)
http://www.core-sdi.com

web page: Wu-Ftpd Homepage (Washington University)
http://www.wu-ftpd.org

ChangeLog:

Nov 26, 2001: Initial analysis.

---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT

BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by SecurityFocus.com.

CVE ID: This is a unique identifier assigned to the vulnerability by the CVE.
Published: The date the vulnerability was first made public.

Updated: The date the information was last updated.

Remote: Whether this is a remotely exploitable vulnerability.

Local: Whether this is a locally exploitable vulnerability.

Credibility: Describes how credible the information about the vulnerability is. Possible values are:

Conflicting Reports: There are multiple conflicting reports about the existence of the vulnerability.
Single Source: There is a single non-reliable source reporting the existence of the vulnerability.
Reliable Source: There is a single reliable source reporting the existence of the vulnerability.
Conflicting Details: There is consensus on the existence of the vulnerability but not its details.
Multiple Sources: There is consensus on the existence and details of the vulnerability.
Vendor Confirmed: The vendor has confirmed the vulnerability.

Class: The class of vulnerability. Possible values are: Boundary Condition Error, Access Validation Error, Origin Validation Error, Input Validation Error, Failure to Handle Exceptional Conditions, Race Condition Error, Serialization Error, Atomicity Error, Environment Error, and Configuration Error.

Ease: Rates how easily the vulnerability can be exploited. Possible values are: No Exploit Available, Exploit Available, and No Exploit Required.

Impact: Rates the impact of the vulnerability. Its range is 1 through 10.

Severity: Rates the severity of the vulnerability. Its range is 1 through 10. It is computed from the impact rating and remote flag. Remote vulnerabilities with a high impact rating receive a high severity rating. Local vulnerabilities with a low impact rating receive a low severity rating.

Urgency: Rates how quickly you should take action to fix or mitigate the vulnerability. Its range is 1 through 10. It is computed from the severity rating, the ease rating, and the credibility rating. High severity vulnerabilities with a high ease rating, and a high confidence rating have a higher urgency rating. Low severity vulnerabilities with a low ease rating, and a low confidence rating have a lower urgency rating.

Last Change: The last change made to the vulnerability information.

Vulnerable Systems: The list of vulnerable systems. A '+' preceding a system name indicates that one of the system components is vulnerable. For example, Windows 98 ships with Internet Explorer. So if a vulnerability is found in IE you may see something like:

Microsoft Internet Explorer
+ Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

Summary: A concise summary of the vulnerability.

Impact: The impact of the vulnerability.

Technical Description: The in-depth description of the vulnerability.

Attack Scenarios: Ways an attacker may make use of the vulnerability.

Exploits: Exploit instructions or programs.

Mitigating Strategies: Ways to mitigate the vulnerability.

Solutions: Solutions to the vulnerability.

Credit: Information about who disclosed the vulnerability.

References: Sources of information on the vulnerability.

Related Resources: Resources that might be of additional value.

ChangeLog: History of changes to the vulnerability record.
---------------------------------------------------------------------------
Copyright 2001 SecurityFocus.com

----------
SecurityFocus - the leading provider of Security Intelligence Services for business.
Visit our website at www.securityfocus.com

From owner-freebsd-security Wed Nov 28 10: 3:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rfnj.org (rfnj.org [216.239.237.194]) by hub.freebsd.org (Postfix) with ESMTP id 182E637B41A for ; Wed, 28 Nov 2001 10:03:33 -0800 (PST)
Received: from megalomaniac.biosys.net (megalomaniac.rfnj.org [216.239.237.200]) by rfnj.org (Postfix) with ESMTP id C0DB6136F3 for ; Wed, 28 Nov 2001 13:07:38 -0500 (EST)
Message-Id: <5.1.0.14.0.20011128124756.00a9d9e8@rfnj.org>
X-Sender: asym@rfnj.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 28 Nov 2001 13:05:01 -0500
To: freebsd-security@freebsd.org
From: Allen Landsidel
Subject: Re: Best security topology for FreeBSD
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 03:48 PM 11/28/2001 +0000, you wrote:
>Your phrase is equivalent to saying something like this: If you have not
>heard about GMC SUBURBAN (a really big car) transporting 700 people
>cross-Atlantic - it does not mean it cannot be done. I agree that things
>are a bit more complicated in our world but c'mon... show me how you
>would approach executing a stack on any non-trojaned packet filtering
>device... at least in theory... I thought you couldn't :)

Again.. you miss the point. I'm not surprised.

Imagine you have a crummy stack that just looks at the length header of the packet when getting the packet, then pushes the actual packet size onto the stack. Which one is larger or smaller doesn't matter, you've just flubbed the machine and a smash is inevitable on the return from the call. There are other ways of doing this as well, and as most smashes go, they all involve specially constructed packets that are invalid.

I thought I could! Why were you yelling at me by the way? No need for caps there cowboy.

>This is just silly.... I hope you understand what it means to not allow
>outbound connections. It would take time to poke around and figure out
>how and what to do on a machine that does not produce an output. Most
>likely the machine will crash....soon... And your "IDS" as in "monitoring
>- analysis - incident response on network and host levels" not as in "a
>product" WILL TELL YOU ABOUT. THIS IS TIME. Clearly, you are not sure
>what you are saying here.

I certainly know what I'm saying.. I have no idea however what you were just saying. I couldn't make any sense of this paragraph.
>IN YOUR SINGLE FIREWALL DESIGN - IF A FIREWALL IS COMPROMISED YOUR ENTIRE >SECURITY MODEL IS BLOWN OUT OF THE WATER! Yep. In a two firewall design, the same is true. Designing a security "gray area" into your network is lame. >THE EXTRA TIME IS THE KEY SECURITY CONCEPT. IF YOU HAVE UNLIMITED TIME - >YOU CAN GET TO ANYTHING... WELL ALMOST :) Ever wondered why "Important" >Banks and other installations are not to far from police stations? Your >phrase that time is not important goes beyond technical incompetence >right into security ignorance. No offense. I didn't say time is meaningless, I said your "extra time" is meaningless. As for your other argument.. is that also the reason that everything around the bank is where it is.. like the laundromat? For that heightened security? Maybe it's more likely that the bank was built where land was cheap, and the same goes for the police station. >Well actually "ass" is not a very professional term - I would personally >try to avoid it on the Net - but yes a TCP WRAPPER is a firewall and it is >recommended to use the as much as possible... More so, IPSec is a firewall >"concept" because it "authenticates" source and, again, it is recommended. TCP Wrapper is not a firewall, it's a logging and analysis tool. IPSec is not a firewall either, it's an encryption and authentication system. Neither one has anything to do with firewalls. >Agreed - but we are talking about a firewall compromise here :) This is >where time and 3-tripple firewall architecture and IDS process comes to >play... Hope you see this now. I agree with using an IDS, or as many of them as you can if you're paranoid. I still don't agree with your "extra time" concept because you never covered the basic fact that if the firewalls are the same or similar, you'll probably have all of about 15 seconds before the second one falls. Chances are you won't even know it happened until it's too late. 
Rare is the case where a firewall is compromised and someone immediately catches on before any damage is done to other systems. >I am not against the previous definition of a single firewall with three >interfaces; one for outside, one for inside, and one for the dmz.. but it's >usually not required. If it's not required, then by definition, the two firewall design is not required either. They're the same thing functionally, only requiring less hardware. Please fix your mail quoting if you continue to reply.. you had everything all jumbled this time. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 28 10:31:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from ezri.unstable.org (209-122-104-39.c3-0.crm-ubr1.crm.ny.cable.rcn.com [209.122.104.39]) by hub.freebsd.org (Postfix) with ESMTP id 731DC37B416 for ; Wed, 28 Nov 2001 10:31:01 -0800 (PST) Received: by ezri.unstable.org (Postfix, from userid 1000) id C73D0E6DF; Wed, 28 Nov 2001 13:30:56 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by ezri.unstable.org (Postfix) with ESMTP id C1607E6DE; Wed, 28 Nov 2001 13:30:56 -0500 (EST) Date: Wed, 28 Nov 2001 13:30:56 -0500 (EST) From: klik To: Danny Cc: Subject: Re: Ipfw + bpf interaction In-Reply-To: <000e01c17834$5cf1d670$020144c0@danny> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Put those deny statments before your divert rule On Wed, 28 Nov 2001, Danny wrote: > Date: Wed, 28 Nov 2001 12:44:36 -0500 
> From: Danny
> To: freebsd-security@freebsd.org
> Subject: Ipfw + bpf interaction
>
> I've been experimenting with ipfw to horde off the hundreds of attempted
> http requests per day (primarily all from @home customers) which I
> suspect to be part of some lingering worm/ddos. My question is if a
> connection attempt will still be recorded by clog(8) if the source IP is
> blocked by ipfw? The reason I ask is because I am still seeing
> connection attempts in the network log from a specific IP belonging to a
> class B network which I thought I had blocked. The syntax for the rule I
> used was:
>
> ipfw add deny log logamount 500 ip from 67.161.0.0:255.255.0.0 to my.ip.address
>
> The rule seems to be added to ipfw's rule set, which for my box is as
> follows:
>
> 00050 1915738 1315695882 divert 8668 ip from any to any via ep1
> 00100    3360    1384342 allow ip from any to any via lo0
> 00200       0          0 deny ip from any to 127.0.0.0/8
> 00300       0          0 deny ip from 127.0.0.0/8 to any
> 00400    1596      65772 deny log logamount 500 ip from another.bad.host to my.ip.address
> 00500       0          0 deny log logamount 500 ip from 67.161.0.0/16 to my.ip.address
> 65535 3795144 2623014796 allow ip from any to any
>
> The firewall blocks 'another.bad.host' without any problems, at least
> according to the ipfw logs, but I am still seeing connections from the
> 67.161.0.0 subnet (where all the connections are coming from) in the
> clog logs (that's fun to say). Do there seem to be any flaws in this
> particular rule set? This is not intended to be an integral firewall,
> just simply one to block some of the nuisances that have recently been
> afflicting a machine on my network. Thanks for any pointers.
>
> Danny McQuade

From owner-freebsd-security Wed Nov 28 11:16:47 2001
Date: Wed, 28 Nov 2001 14:16:44 -0500 (EST)
From: Garrett Wollman
To: "Andrew R. Reiter"
Cc: freebsd-security@FreeBSD.org
Subject: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability (fwd)
Message-Id: <200111281916.fASJGiu00666@khavrinen.lcs.mit.edu>

< quotes a bugtraq advisory stating:

> The attacker must ensure that a maliciously constructed malloc header
> containing the target address and its replacement value are in the
> right location in the uninitialized part of the heap. The attacker
> must also place shellcode in server process memory.

...which means that this vulnerability does not exist under FreeBSD,
since PHK-malloc does not mingle its metadata with its heap.

-GAWollman

From owner-freebsd-security Wed Nov 28 11:23:26 2001
Date: Wed, 28 Nov 2001 11:23:20 -0800 (PST)
From: Roger Marquis
Subject: Re: crypted remote backup
Message-ID: <20011128103543.Y99493-100000@roble.com>

> If you want rsync to only copy the updated/modified stuff you'll have
> to do the encryption on the "source" server and keep it in a separate
> "tree"

We gave up on rsync years ago. Too many bugs, too little QA, and too many
changes between versions. IMHO, dump/restore/ufsdump/ufsrestore are still
the best tools for backing up Unix systems. Dump/restore, when combined
with scratch files or partitions and ssh, is a solid and reliable solution
with a good degree of forward and backward compatibility.

The first step in a production backup hierarchy is near-line archives,
typically to one or more local hard drives. This step does not normally
require encryption:

  ##### on the (source) server:
  mount /dev/da0a /var/d2        (or mount /dev/da0{b,d,e,f,g} ...)
  cd /var/d2
  dump 0uf - / | restore xf -
  umount /var/d2

The second step is migration to a centralized backup server. This usually
involves a network which may or may not be secure. An IPsec+3DES VPN based
on hardware like Cisco's PIX or Checkpoint's Firewall-1 is one way to
encrypt this traffic. For considerably less money you can achieve the same
result using OpenSSH:

  ##### on the (destination) central backup host:
  touch /var/backups/${server}-`date|nawk '{print $2"-"$3"-"$NF}'`
  chmod 400 /var/backups/${server}-`date|nawk '{print $2"-"$3"-"$NF}'`
  /usr/local/bin/ssh root@${server} -n 'dump -0f - /dev/da0a' | \
    dd of=/var/backups/${server}-`date|nawk '{print $2"-"$3"-"$NF}'`

Finally, long term storage is most economically done to tape:

  dump 0f /dev/rmt/0 /var/backups

These tapes can then, ideally, be stored in fire-proof data safes at one
or more off-site locations.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Wed Nov 28 11:33:41 2001
From: George.Giles@mcmail.vanderbilt.edu
To: freebsd-security@freebsd.org
Date: Wed, 28 Nov 2001 13:30:53 -0600
Subject: ipfw rules

What are the ipfw rules for letting the ftp protocol second port setup?

From owner-freebsd-security Wed Nov 28 12: 0:53 2001
Date: Wed, 28 Nov 2001 22:00:46 +0200
From: Giorgos Keramidas
To: Allen Landsidel
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011128200045.GB8893@hades.hell.gr>
In-Reply-To: <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
References: <200111231250.fANCoha19105@cwsys.cwsent.com> <20011122031739.A226@gohan.cjclark.org> <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>

On 2001-11-26 18:07:21, Allen Landsidel wrote:

> > Defense in depth. Examples: A glitch/security breach in Firewall1's
> > ruleset/software does not necessarily expose the internal network.
> > Any vulnerabilities in Firewall2 are harder to exploit when protected
> > by Firewall1.
>
> I have to say.. I've been biting my tongue on this topic, but I feel like
> speaking up now.
>
> The above paragraph is well and good for actual firewalls (like you find
> in vehicles) and actual DMZ's (like you find in a warzone) because depth
> means that many more layers of opposing force you have to fight your way
> through.
>
> It seems pretty meaningless however when applied to a network.(*)
>
> Chances are if an attacker can compromise "Firewall1" then they can use
> an identical exploit/hole/vulnerability to exploit "Firewall2." In war,
> there are such exploits, and they're called bullets.

That is why most books I've read on firewalls suggest the use of
`different' types of firewalls when one is stacked behind the other. To
avoid having two identical firewalls that can be passed with exactly the
same bugs/exploits :-)

The depth principle still applies, IMHO.

-giorgos

From owner-freebsd-security Wed Nov 28 12:19:40 2001
Message-Id: <200111282018.fASKIqA25080@borja.sarenet.es>
From: Borja Marcos
To: Brett Glass
Cc: freebsd-security@freebsd.org
Date: Wed, 28 Nov 2001 21:18:50 +0100
Subject: Re: Security zone
In-Reply-To: <4.3.2.7.2.20011125091418.049f7450@localhost>
References: <4.3.2.7.2.20011124162959.04085de0@localhost> <4.3.2.7.2.20011125091418.049f7450@localhost>

On Sunday 25 November 2001 17:15, you wrote:

> This only helps if you run every application setuid to a
> unique uid. And then it can't get at your personal files....
> There's an additional matrix of capabilities here that
> ought to be independent of uid or gid.

(Sorry for the delay)

I find the issue a bit complex. Which criteria could I use in ipfw rules?
The program name? I use process accounting in most machines, and it can be
a great tool, but an intruder can notice it and rename his/her programs so
that the executions get logged as harmless commands. At least the uid is
more difficult for a user to alter than a process name.

Or are you thinking about something more complex? Perhaps using program
signatures? For now, I think that the uid/gid parameters in ipfw rules can
be very convenient.

Borja.

From owner-freebsd-security Wed Nov 28 14: 7:59 2001
From: "Jay Keller"
To: freebsd-security@freebsd.org
Subject: Updating ssh
Date: Wed, 28 Nov 2001 22:07:56 +0000

I'm trying to update the ssh that is part of the base of 4.4. The latest
version (after updating using cvs RELENG_4) is openssh-2.9 shown with
/usr/bin/ssh -V. Openssh 3.0.x is available via ports or packages and is
set to be installed to /usr/local/whatever. What is the correct way to
update ssh? Do I go through and delete all of the original ssh files in
/usr/bin, /etc, the man pages, and so on and then just install the version
3x package? Or should I use the port and somehow change the install dir to
something to match the original or just use /usr/local?

Thanks in advance

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

From owner-freebsd-security Wed Nov 28 14:15:15 2001
Date: Wed, 28 Nov 2001 14:15:08 -0800
From: Erick Mechler
To: Jay Keller
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Updating ssh
Message-ID: <20011128141508.A67199@techometer.net>

Install the port into /usr/local as you normally would (make sure LOCALBASE
is set to /usr/local), and then edit /etc/rc.conf such that

  sshd_enable="YES"
  sshd_program="/usr/local/sbin/sshd"

You should probably also set sshd_flags to use the desired host key (most
likely in /etc/ssh). This may not be necessary; I'm not entirely sure.

If you were to install the port over the BOS version of OpenSSH, you'd
just end up blowing it away the next time you did a system upgrade.

--Erick

At Wed, Nov 28, 2001 at 10:07:56PM +0000, Jay Keller said this:
:: I'm trying to update the ssh that is part of the base of 4.4. The latest
:: version (after updating using cvs RELENG_4) is openssh-2.9 shown with
:: /usr/bin/ssh -V. Openssh 3.0.x is available via ports or packages and is set
:: to be installed to /usr/local/whatever. What is the correct way to update
:: ssh? Do I go through and delete all of the original ssh files in /usr/bin,
:: /etc, the man pages, and so on and then just install the version 3x package?
:: Or should I use the port and somehow change the install dir to something to
:: match the original or just use /usr/local?
::
:: Thanks in advance

From owner-freebsd-security Wed Nov 28 14:16:42 2001
Date: Wed, 28 Nov 2001 17:16:36 -0500
From: Peter Radcliffe
To: freebsd-security@freebsd.org
Subject: Re: Updating ssh
Message-ID: <20011128171636.D16465@pir.net>
Reply-To: freebsd-security@freebsd.org

Jay Keller probably said:

> I'm trying to update the ssh that is part of the base of 4.4. The latest
> version (after updating using cvs RELENG_4) is openssh-2.9 shown with
> /usr/bin/ssh -V. Openssh 3.0.x is available via ports or packages and is set
> to be installed to /usr/local/whatever. What is the correct way to update
> ssh? Do I go through and delete all of the original ssh files in /usr/bin,
> /etc, the man pages, and so on and then just install the version 3x package?
> Or should I use the port and somehow change the install dir to something to
> match the original or just use /usr/local?

Personally I download the latest portable openssh (I'm running 3.0.1 right
now) and configure it with:

  ./configure --with-tcp-wrappers \
      --with-default-path=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin \
      --disable-suid-ssh --with-pam --with-pid-dir=/var/run \
      --sysconfdir=/etc/ssh --prefix=/usr \
      --with-xauth=/usr/X11R6/bin/xauth

and it replaces the installed version with no problems for me.

HOWEVER there are some of the features that the properly integrated
openssh provides which the portable configured in this way will not
(things like Kerberos support, if I am not mistaken). I don't use any of
these features so don't have any issues with this ...

P.

-- 
pir                  pir-sig@pir.net                  pir-sig@net.tufts.edu

From owner-freebsd-security Wed Nov 28 14:21:26 2001
Date: Thu, 29 Nov 2001 01:21:18 +0300
From: "Andrey A. Chernov"
To: "Andrew R. Reiter"
Cc: Koga Youichirou, freebsd-security@FreeBSD.org
Subject: Re: wu-ftpd ?
Message-ID: <20011128222118.GA45632@nagual.pp.ru>
References: <20011128100012.GB34069@nagual.pp.ru>

On Wed, Nov 28, 2001 at 12:14:01 -0500, Andrew R. Reiter wrote:

> On Wed, 28 Nov 2001, Andrey A. Chernov wrote:
> :
> :I don't think so.
> :This patch does not add much sense to the 2.6.1 code; I mean it does not
> :prevent the overflow.
>
> Are you _sure_ that the fixes aren't related to new input validation and
> glob problems?

See the cumulative patch I recently committed into the wu-ftpd port.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Wed Nov 28 14:26:29 2001
Date: Wed, 28 Nov 2001 14:26:16 -0800
From: Dairy Wall Limey
To: freebsd-security@FreeBSD.ORG
Subject: Re: Updating ssh
Message-ID: <20011128142616.T2779@hq.newdream.net>
In-Reply-To: <20011128141508.A67199@techometer.net>
Organization: New Dream Network

Erick Mechler wrote:

> Install the port into /usr/local as you normally would (make sure
> LOCALBASE is set to /usr/local), and then edit /etc/rc.conf such that
>
>   sshd_enable="YES"
>   sshd_program="/usr/local/sbin/sshd"
>
> You should probably also set sshd_flags to use the desired host key
> (most likely in /etc/ssh). This may not be necessary; I'm not entirely
> sure.
>
> If you were to install the port over the BOS version of OpenSSH, you'd
> just end up blowing it away the next time you did a system upgrade.

you could always put:

  NO_OPENSSH= true

in /etc/make.conf

i do this for bind and sendmail since i use postfix (shouldn't matter if
you use 'make replace' from the postfix port), but i've removed the main
binaries for bind by hand as i don't really want to put
/usr/local/{sbin|bin} ahead of /usr/{sbin|bin} in my $path and $PATH.

i do wish that there were a way to cleanly remove stuff from the base
os... presumably it could be bad in some cases to leave an older (and
possibly exploitable) version of something on the system. at best it's
unnecessary.

w

From owner-freebsd-security Wed Nov 28 14:27:20 2001
Message-Id: <4.3.2.7.2.20011128151923.041d0710@localhost>
Date: Wed, 28 Nov 2001 15:26:40 -0700
To: "Jay Keller", freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Updating ssh

At 03:07 PM 11/28/2001, Jay Keller wrote:

> I'm trying to update the ssh that is part of the base of 4.4. The latest
> version (after updating using cvs RELENG_4) is openssh-2.9 shown with
> /usr/bin/ssh -V. Openssh 3.0.x is available via ports or packages and is
> set to be installed to /usr/local/whatever. What is the correct way to
> update ssh? Do I go through and delete all of the original ssh files in
> /usr/bin, /etc, the man pages, and so on and then just install the
> version 3x package? Or should I use the port and somehow change the
> install dir to something to match the original or just use /usr/local?

This reflects a common problem in FreeBSD. When you install a port or
compile a newer version of an application which is included in the base
install, it usually goes into /usr/local, so the system keeps on using the
old version (which is ahead of the newer one in the path). What's more,
the configuration files are often required to be in different places.
FreeBSD uses /etc/ssh for SSH configuration files, while by default
OpenSSH dumps them into /usr/local/etc.

When I recently upgraded SSH on a few systems, it was a painful process
that took a LOT of manual editing. To keep the original host keys, I had
to delete the new keys generated by the install. I symlinked the files
back into /etc/ssh and also added a -f command line argument for SSH to
rc.conf, just for good measure. I also deleted the old SSH utilities from
/usr/bin and replaced them with symlinks leading to /usr/local/bin.

Upgrading Perl or Sendmail is equally painful. (I recently had to build a
threaded version of Perl.... Not hard to build, but a MESS to get
installed.)

Perhaps FreeBSD should put these things in /usr/local from the get-go?

--Brett

From owner-freebsd-security Wed Nov 28 14:29:30 2001
Date: Thu, 29 Nov 2001 01:29:20 +0300
From: "Andrey A. Chernov"
To: Garrett Wollman
Cc: "Andrew R. Reiter", freebsd-security@FreeBSD.ORG
Subject: Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability (fwd)
Message-ID: <20011128222920.GB45632@nagual.pp.ru>
In-Reply-To: <200111281916.fASJGiu00666@khavrinen.lcs.mit.edu>

On Wed, Nov 28, 2001 at 14:16:44 -0500, Garrett Wollman wrote:

> < quotes a bugtraq advisory stating:
>
> > The attacker must ensure that a maliciously constructed malloc header
> > containing the target address and its replacement value are in the
> > right location in the uninitialized part of the heap. The attacker
> > must also place shellcode in server process memory.
>
> ...which means that this vulnerability does not exist under FreeBSD,
> since PHK-malloc does not mingle its metadata with its heap.

The vulnerability is a buffer overflow, not destroying malloc data. I
fixed it in wu-ftpd-2.6.1_7

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Wed Nov 28 14:47:43 2001
Message-ID: <3C056986.163131B9@centtech.com>
Date: Wed, 28 Nov 2001 16:47:34 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: freebsd-security@freebsd.org
Subject: ipf return-rst

I'm trying to figure out why my return-rst lines aren't working. Here's a
sample of a line:

  block return-rst in quick on xl0 proto tcp from any to my.ext.ip/32 port = 23 flags S/SA

and I've tried:

  block return-rst in quick on xl0 proto tcp from any to my.ext.ip/32 port = 23 flags

Both block the connection, but timeout instead of giving the "Connection
refused" line. What am I missing?

Thanks!
Eric

-- 
-------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------

From owner-freebsd-security Wed Nov 28 14:57:20 2001
Date: Wed, 28 Nov 2001 14:57:17 -0800 (PST)
From: Roger Marquis
Subject: Re: Updating ssh
Message-ID: <20011128143641.X12621-100000@roble.com>

Brett Glass wrote:
> This reflects a common problem in FreeBSD. When you install a port or
> compile a newer version of an application which is included in the base
> install, it usually goes into /usr/local, so the system keeps on using
> the old version (which is ahead of the newer one in the path).

This problem has bitten us more than a few times. It's also one of the things that keeps FreeBSD from gaining market share in large and high-security networks. If FreeBSD QA implemented the KIS principle there would be a single official location for every file and no duplicates anywhere on the system.

The root of the problem is that few FreeBSD developers have extensive systems administration experience and few FreeBSD sysadmins have a background in large site configuration management. Seems to be an inevitable weakness of cutting-edge OSs.

> Perhaps FreeBSD should put these things in /usr/local from the get-go?

Either that or configure ports to put things where they already are. I'd vote for the latter as it fosters compatibility across versions, architectures and OSs and doesn't conflict with NFS sites that mount /usr/local from a fileserver. Unfortunately most FreeBSD installations are not multi-user, don't run NIS or NFS, aren't part of a large installation, and most FreeBSD ports are designed accordingly.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

Date: Wed, 28 Nov 2001 16:58:18 -0600
To: Brett Glass, "Jay Keller", freebsd-security@FreeBSD.ORG
Message-Id: <5.1.0.14.0.20011128165106.03da5e78@pop.schulte.org>
From: Christopher Schulte
Subject: Re: Updating ssh
In-Reply-To: <4.3.2.7.2.20011128151923.041d0710@localhost>

At 03:26 PM 11/28/2001 -0700, Brett Glass wrote:
>Perhaps FreeBSD should put these things in /usr/local from the get-go?

No. /usr/local is for software installed outside the base system. The ssh package is part of the base system, so it's placed in /usr/sbin and /usr/bin. When I look at /usr/local, I know exactly what's there. Not base software. It's important to maintain the distinction.

I agree a better method should be available to *replace* base software with locally modified packages, but the solution is definitely not to place base software in /usr/local.

>--Brett

From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Wed, 28 Nov 2001 16:14:31 -0700
To: Roger Marquis
Subject: Re: Updating ssh
Message-ID: <15365.28631.76543.817423@caddis.yogotech.com>
In-Reply-To: <20011128143641.X12621-100000@roble.com>

> > This reflects a common problem in FreeBSD. When you install a port or
> > compile a newer version of an application which is included in the base
> > install, it usually goes into /usr/local, so the system keeps on using
> > the old version (which is ahead of the newer one in the path).

That's a configuration issue. I've never had the sorts of problems that you are experiencing, but maybe it's because I don't consider the 'out-of-box' FreeBSD system to be the complete solution to my problem. Instead, I consider it the baseline, so if there are other configuration changes that are appropriate for my setup, I'll make them and make sure all of the boxes I administer also have them. (These kinds of things can be easily automated, if you have enough experience with doing them. Most good system administrators are good at that sort of thing, which flies in the face of what was said below.)

> This problem has bitten us more than a few times. It's also one of
> the things that keeps FreeBSD from gaining market share in large
> and high-security networks. If FreeBSD QA implemented the KIS
> principle there would be a single official location for every file
> and no duplicates anywhere on the system.

Not quite. What if you want *two* copies of the software on your system? Many people want two copies of GCC on their system. Maybe you want both SSH1 and OpenSSH on your system. The system shouldn't enforce your ideas on what should be done, because that's a policy decision that not every site would share.

> The root of the problem is that few FreeBSD developers have extensive
> systems administration experience

*Bwah* *hah* *hah* *hah*

All I can see is that you're sadly mistaken. Many of the FreeBSD developers *ARE* system administrators in their day jobs (in some form or the other).

> and few FreeBSD sysadmins have
> a background in large site configuration management.

I'll bet you consider the Yahoo clusters 'small', right?

The current situation reflects the bias of the current developers who want to give more flexibility to their users. Remember, tools, not policy.

I administer a bunch of FreeBSD systems, and to be honest, at each installation I've been required to customize my 'configuration' setups simply because each site wants things done differently. No one solution works for everyone, so it's really not the OS's job to do it.

FWIW, FreeBSD does a better job of supplying you with the tools for building a solution. Certainly it does a much better job than NT, Novell, Solaris, or any other 'network' OS. Yes, you can buy 3rd party software for doing it on the other OS's, but that's because there is a demand for such things, not because they are better or worse at doing the job.

Nate

Date: Wed, 28 Nov 2001 17:25:38 -0600 (CST)
From: Tim Zingelman
Subject: Re: Updating ssh
In-Reply-To: <15365.28631.76543.817423@caddis.yogotech.com>

This is no longer on topic for security@FreeBSD.ORG; please take the inevitable interminable discussion elsewhere.

Thanks!

- Tim

From: "Jay Keller"
To: freebsd-security@freebsd.org
Subject: Re: Updating ssh
Date: Wed, 28 Nov 2001 23:28:23 +0000

Excuse my flaming ignorance, but why isn't the source for the base OS (of openssh in this case) updated to match the current release? So that it would be updated on a cvs run.

Message-Id: <4.3.2.7.2.20011128171207.056cd1d0@localhost>
Date: Wed, 28 Nov 2001 17:14:23 -0700
To: Christopher Schulte, "Jay Keller", freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Updating ssh
In-Reply-To: <5.1.0.14.0.20011128165106.03da5e78@pop.schulte.org>

At 03:58 PM 11/28/2001, Christopher Schulte wrote:
>At 03:26 PM 11/28/2001 -0700, Brett Glass wrote:
>>Perhaps FreeBSD should put these things in /usr/local from the get-go?
>
>No. /usr/local is for software installed outside the base system. The ssh package is part of the base system,

Not really. It's not maintained by the FreeBSD Core Team and is updated independently. It merely "comes with" the base system. That's an important distinction.

Myself, I believe that third-party products should be kept in separate directories -- preferably in the default ones used by the developers, unless these are totally bogus. If this were done with SSH, it would be in /usr/local from the get-go and upgrades would work. Ditto with Perl.

--Brett

In-Reply-To: <4.3.2.7.2.20011128171207.056cd1d0@localhost>
Date: Wed, 28 Nov 2001 16:19:37 -0800 (PST)
From: John Baldwin
To: Brett Glass
Subject: Re: Updating ssh
Cc: freebsd-security@FreeBSD.ORG, Jay Keller, Christopher Schulte

On 29-Nov-01 Brett Glass wrote:
> At 03:58 PM 11/28/2001, Christopher Schulte wrote:
>
>>At 03:26 PM 11/28/2001 -0700, Brett Glass wrote:
>>>Perhaps FreeBSD should put these things in /usr/local from the get-go?
>>
>>No. /usr/local is for software installed outside the base system. The ssh
>>package is part of the base system,
>
> Not really. It's not maintained by the FreeBSD Core Team and is updated
> independently. It merely "comes with" the base system. That's an important
> distinction.

Very few things are maintained by the Core Team. Many things are maintained by the committers however, including ssh. FreeBSD has some FreeBSD-specific features that are maintained in parallel with OpenSSH development.

> Myself, I believe that third-party products should be kept in separate
> directories -- preferably in the default ones used by the developers,
> unless these are totally bogus. If this were done with SSH, it would
> be in /usr/local from the get-go and upgrades would work. Ditto with
> Perl.

Let's just move all of /usr/bin into /usr/ucb then since it's 3rd party Berkeley code. :-P

> --Brett

--
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"
- http://www.FreeBSD.org/

From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Message-ID: <15365.32855.717257.546724@caddis.yogotech.com>
Date: Wed, 28 Nov 2001 17:24:55 -0700
To: Brett Glass
Cc: Christopher Schulte, "Jay Keller", freebsd-security@FreeBSD.ORG
Subject: Re: Updating ssh
In-Reply-To: <4.3.2.7.2.20011128171207.056cd1d0@localhost>

> >>Perhaps FreeBSD should put these things in /usr/local from the get-go?
> >
> >No. /usr/local is for software installed outside the base system. The ssh package is part of the base system,
>
> Not really. It's not maintained by the FreeBSD Core Team and is updated
> independently.

Almost nothing is maintained by the core team. It is however maintained by a non-core developer (green), who creates FreeBSD-specific patches and applies them to the released OpenSSH software. So, in effect, it is maintained as part of FreeBSD. (The installed version is different from the ports version.)

> It merely "comes with" the base system. That's an important
> distinction.

See above.

> Myself, I believe that third-party products should be kept in separate
> directories -- preferably in the default ones used by the developers,
> unless these are totally bogus. If this were done with SSH, it would
> be in /usr/local from the get-go and upgrades would work. Ditto with
> Perl.

The software that is part of the base system is *part of the base system*. In other words, it's required (in some sense of the word) in order for the rest of the system to work. If you want a completely modular system, go with PCIX. :)

Nate

Subject: SSH user authentication problem
To: freebsd-security@freebsd.org
From: George.Giles@mcmail.vanderbilt.edu
Date: Wed, 28 Nov 2001 18:27:40 -0600

I use password authentication for ssh.

A single user account does not authenticate when the correct password is given.

It just prompts for the password again.

Other accounts can successfully log in as expected.

Configuration is protocol 2 only.

This occurs on both FreeBSD 4.3 and 4.4 RELEASE.

Any ideas?

Date: Wed, 28 Nov 2001 18:32:42 -0600
From: Alfred Perlstein
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: SSH user authentication problem
Message-ID: <20011128183242.O46769@elvis.mu.org>

* George.Giles@mcmail.vanderbilt.edu [011128 18:29] wrote:
>
> I use password authentication for ssh.
>
> A single user account does not authenticate when the correct password is given.
>
> It just prompts for the password again.
>
> Other accounts can successfully log in as expected.
>
> Configuration is protocol 2 only.
>
> This occurs on both FreeBSD 4.3 and 4.4 RELEASE.
>
> Any ideas?

Output from 'ssh -v host' and the exact command line given might help.

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3

Message-ID: <000501c17871$a5dac4e0$24f2fa18@mdsn1.wi.home.com>
From: "Chris Byrnes"
Subject: sshd exploit?
Date: Wed, 28 Nov 2001 19:03:23 -0600
Organization: JEAH Communications, LLC

A colleague sent me a very vague e-mail, telling me that I should 'disable SSHD now' because of a 'private exploit being circulated since Saturday'.

Anyone know anything about this?

Message-ID: <000d01c17873$5a84a860$24f2fa18@mdsn1.wi.home.com>
From: "Chris Byrnes"
Subject: sshd exploit?
Date: Wed, 28 Nov 2001 19:15:35 -0600
Organization: JEAH Communications, LLC

A colleague sent me a very vague e-mail, telling me that I should 'disable SSHD now' because of a 'private exploit being circulated since Saturday'.

Anyone know anything about this?

Message-ID: <007201c17887$c7ac4b00$0100000a@001>
From: "00"
To: "Chris Byrnes"
Subject: Re: sshd exploit?
Date: Wed, 28 Nov 2001 22:41:44 -0500

Yes, your friend is right. I'm not sure of the specifics, but I have a copy of the exploit and it has only been released in binary form. Neither OpenBSD's OpenSSH team nor any other SSH development group has yet made a formal statement, most likely due to the fact they don't know what the vulnerability is as of yet so they don't want to spark a fire. The vulnerability is a great threat because it is remote and root compromisable. The exploit scans a listing of addresses, and when it finds a host it just drops to a rootshell.

-----Original Message-----
From: Chris Byrnes
To: security@freebsd.org
Date: Wednesday, November 28, 2001 4:23 PM
Subject: sshd exploit?

>A colleague sent me a very vague e-mail, telling me that I should 'disable
>SSHD now' because of a 'private exploit being circulated since Saturday'.
>
>Anyone know anything about this?

Message-ID: <3C05B053.C43AC84E@fpsn.net>
Date: Wed, 28 Nov 2001 20:49:39 -0700
From: Colin Faber
To: 00
Cc: Chris Byrnes, security@FreeBSD.ORG
Subject: Re: sshd exploit?

Does this exploit affect all sshd's, or can it be stopped with wrappers?

00 wrote:
>
> Yes, your friend is right. I'm not sure of the specifics, but I have a copy
> of the exploit and it has only been released in binary form. Neither OpenBSD's
> OpenSSH team nor any other SSH development group has yet made a formal
> statement, most likely due to the fact they don't know what the vulnerability
> is as of yet so they don't want to spark a fire. The vulnerability is a
> great threat because it is remote and root compromisable. The exploit scans
> a listing of addresses, and when it finds a host it just drops to a
> rootshell.
> -----Original Message-----
> From: Chris Byrnes
> To: security@freebsd.org
> Date: Wednesday, November 28, 2001 4:23 PM
> Subject: sshd exploit?
>
> >A colleague sent me a very vague e-mail, telling me that I should 'disable
> >SSHD now' because of a 'private exploit being circulated since Saturday'.
> >
> >Anyone know anything about this?

Date: Wed, 28 Nov 2001 20:28:48 -0800
From: Kris Kennaway To: 00 Cc: Chris Byrnes , security@freebsd.org Subject: Re: sshd exploit? Message-ID: <20011128202848.C51646@xor.obsecurity.org> References: <007201c17887$c7ac4b00$0100000a@001> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="GZVR6ND4mMseVXL/" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <007201c17887$c7ac4b00$0100000a@001>; from x2s500y@sekurity.net on Wed, Nov 28, 2001 at 10:41:44PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --GZVR6ND4mMseVXL/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Nov 28, 2001 at 10:41:44PM -0500, 00 wrote: > Yes, your friend is right, I'm not sure of the specifics, but I have a copy > of the exploit and it has only been released in binary form. OpenBSD's > OpenSSH team or no other SSH development group has yet to make a formal > statement, most likely due to the fact they don't know what the vunerability > is as of yet so they don't want to spark a fire. The vunerability is a > great threat because it is remote and root compromisable. The exploit scans > a listing of addresses, and when it find a host it just drops to a > rootshell. Please forward a copy to security-officer@FreeBSD.org. 
We've only seen an exploit for the old vulnerability in OpenSSH 2.2.0, which
obviously isn't that exciting :)

Kris

From owner-freebsd-security Wed Nov 28 21:01:20 2001
Message-Id: <4.3.2.7.2.20011128220001.0465ccc0@localhost>
Date: Wed, 28 Nov 2001 22:00:54 -0700
To: "00", "Chris Byrnes",
From: Brett Glass
Subject: Re: sshd exploit?
In-Reply-To: <007201c17887$c7ac4b00$0100000a@001>

At 08:41 PM 11/28/2001, 00 wrote:
>Yes, your friend is right, I'm not sure of the specifics, but I have a copy
>of the exploit and it has only been released in binary form. OpenBSD's
>OpenSSH team or no other SSH development group has yet to make a formal
>statement, most likely due to the fact they don't know what the vulnerability
>is as of yet so they don't want to spark a fire. The vulnerability is a
>great threat because it is remote and root compromisable. The exploit scans
>a listing of addresses, and when it finds a host it just drops to a
>rootshell.

On which versions of SSH or OpenSSH has this been tested? We may need to
shut down a series of hosts if this is for real and not just an ugly
rumor.

--Brett

From owner-freebsd-security Wed Nov 28 21:05:07 2001
Message-ID: <009501c17893$b99415a0$0200a8c0@mdrjr.net>
From: "Mauro Dias"
Subject: sshd exploit
Date: Thu, 29 Nov 2001 03:07:20 -0200

I read the message about the sshd exploit.
I have a binary copy of this exploit.
It exploits ssh versions:
ssh-1.2.26
ssh-1.2.27
OpenSSH-2.2.0p1

If there are more vulnerabilities in sshd, I don't know.

Best Regards,
Mauro Dias Ribeiro Junior
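An added inventory check, not code from anyone in this thread: it classifies SSH identification banners that an administrator has already collected from their own hosts against the versions named here (Mauro's list above, and the FreeBSD-SA-01:24 text quoted later in the thread, which dates the CRC32 compensation attack detector fix to OpenSSH 2.3.0), and notes whether protocol 1 is still offered, since turning it off is the interim mitigation discussed downthread. Host names and banners are constructed samples; the 1.5/1.99/2.0 protocol-version semantics follow the SSH identification-string convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Versions named in this thread: the binary Mauro describes is said to hit
# these, and the FreeBSD-SA-01:24 excerpt quoted later in the thread says the
# CRC32 compensation attack detector overflow was corrected in OpenSSH 2.3.0.
SSHCOM_LISTED = {"1.2.26", "1.2.27"}
OPENSSH_FIXED = (2, 3, 0)

# Identification string: "SSH-<protoversion>-<softwareversion> [comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>\S+)(?:\s+(?P<comment>.*))?$")


@dataclass
class Assessment:
    software: str
    offers_ssh1: bool               # server still speaks protocol 1
    crc32_affected: Optional[bool]  # None: the thread gives no verdict for this build
    note: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.2.0p1' -> (2, 2, 0); '1.2.27' -> (1, 2, 27).

    The portable-release suffix ('p1') is dropped: it tracks packaging, not
    the upstream fix level that decides the CRC32 bug.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def assess_banner(banner: str) -> Assessment:
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto, sw = m.group("proto"), m.group("sw")
    # "1.5" is an SSH1-only daemon, "1.99" offers both protocols, "2.0" is SSH2-only.
    offers_ssh1 = proto in ("1.5", "1.99")

    if sw.startswith("OpenSSH_"):
        affected = parse_version(sw[len("OpenSSH_"):]) < OPENSSH_FIXED
        note = ("OpenSSH before 2.3.0: CRC32 detector overflow present (SA-01:24)"
                if affected else "OpenSSH 2.3.0 or later: CRC32 detector overflow fixed")
        return Assessment(sw, offers_ssh1, affected, note)

    if sw[0].isdigit():
        # Bare numeric software version: the classic ssh.com SSH1 daemon.
        if sw in SSHCOM_LISTED:
            return Assessment(sw, offers_ssh1, True,
                              "ssh.com build listed as affected in the thread")
        return Assessment(sw, offers_ssh1, None,
                          "ssh.com build not named in the thread; check the vendor advisory")

    return Assessment(sw, offers_ssh1, None, "unrecognised sshd; check the vendor advisory")


def triage(banners: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, action) pairs for hosts that need attention, worst first.

    Upgrading is the real fix; disabling protocol 1 is the interim measure
    the thread discusses, with the caveat that SSH1-only clients lose access.
    """
    actions = []
    for host, banner in banners.items():
        a = assess_banner(banner)
        if a.crc32_affected:
            actions.append((host, "UPGRADE: " + a.note))
        elif a.offers_ssh1:
            actions.append((host, "REVIEW: protocol 1 still offered by " + a.software))
    # Stable sort keeps collection order within each class.
    actions.sort(key=lambda ha: 0 if ha[1].startswith("UPGRADE") else 1)
    return actions


# Constructed sample banners for hypothetical hosts, not collected from real systems.
SAMPLE_BANNERS = {
    "legacy-gw": "SSH-1.5-1.2.27",
    "build-box": "SSH-1.99-OpenSSH_2.2.0p1",
    "www": "SSH-1.99-OpenSSH_2.3.0 constructed-comment",
    "bastion": "SSH-2.0-OpenSSH_3.0.1p1",
    "unknown": "SSH-1.5-1.2.31",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_BANNERS):
        print("%-10s %s" % (host, action))
```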
From owner-freebsd-security Wed Nov 28 21:17:15 2001
Date: Thu, 29 Nov 2001 05:16:58 +0000
From: "Pierre Y. Dampure"
To: security@freebsd.org
Subject: Re: sshd exploit?
Message-Id: <20011129051658.38f45da5.Pierre.Dampure@westmarsh.com>
In-Reply-To: <4.3.2.7.2.20011128220001.0465ccc0@localhost>

On Wed, 28 Nov 2001 22:00:54 -0700, Brett Glass wrote:
>
> On which versions of SSH or OpenSSH has this been tested? We may need to
> shut down a series of hosts if this is for real and not just an ugly
> rumor.
The URL below links to a related mail on the OpenSSH developers list:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100696253318793&w=2

Hope this helps,

PYD

From owner-freebsd-security Wed Nov 28 21:18:53 2001
Message-Id: <4.3.2.7.2.20011128221259.04665720@localhost>
Date: Wed, 28 Nov 2001 22:18:29 -0700
To: "Mauro Dias",
From: Brett Glass
Subject: Re: sshd exploit
In-Reply-To: <009501c17893$b99415a0$0200a8c0@mdrjr.net>

At 10:07 PM 11/28/2001, Mauro Dias wrote:
>I read the message about the sshd exploit.
>I have a binary copy of this exploit.
>It exploits ssh versions:
>ssh-1.2.26
>ssh-1.2.27
>OpenSSH-2.2.0p1

I wonder if this is the same exploit mentioned by Dittrich and CERT -- the
CRC32 compensation attack detector overflow in SSH1. If so, you can probably
patch the hole temporarily by disabling version 1 of the protocol. You can
then upgrade to eliminate the hole. 3.0.1p1 is said to be immune. It's what
I've run ever since I first heard about the vulnerability.
--Brett

From owner-freebsd-security Wed Nov 28 21:52:36 2001
Date: Wed, 28 Nov 2001 21:52:12 -0800 (PST)
From: "f.johan.beisser"
To: Brett Glass
Cc: Mauro Dias,
Subject: Re: sshd exploit
In-Reply-To: <4.3.2.7.2.20011128221259.04665720@localhost>
Message-ID: <20011128214925.P16958-100000@localhost>

On Wed, 28 Nov 2001, Brett Glass wrote:

> If so, you can probably patch the hole temporarily by disabling
> version 1 of the protocol. You can then upgrade to eliminate the hole.
> 3.0.1p1 is said to be immune. It's what I've run ever since I first heard
> about the vulnerability.

the former isn't really a good option since most people use ssh1 clients,
and wouldn't have access to their machines.

how long have you known of it? frankly, this is the first i've heard about
it, let alone the exploit binary.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                        jan@caustic.org
 "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
                                                       -- Tim Triche

From owner-freebsd-security Wed Nov 28 22:02:50 2001
Date: Wed, 28 Nov 2001 21:45:41 -0800
From: "Crist J. Clark"
To: klik
Cc: Danny, freebsd-security@FreeBSD.ORG
Subject: Re: Ipfw + bpf interaction
Message-ID: <20011128214541.J3985@blossom.cjclark.org>

On Wed, Nov 28, 2001 at 01:30:56PM -0500, klik wrote:
> Put those deny statements before your divert rule

It shouldn't make a difference unless the incoming HTTP connections are
being redirected.
> On Wed, 28 Nov 2001, Danny wrote:
>
> > Date: Wed, 28 Nov 2001 12:44:36 -0500
> > From: Danny
> > To: freebsd-security@freebsd.org
> > Subject: Ipfw + bpf interaction
> >
> > I've been experimenting with ipfw to horde off the hundreds of attempted
> > http requests per day (primarily all from @home customers) which I
> > suspect to be part of some lingering worm/ddos. My question is if a
> > connection attempt will still be recorded by clog(8) if the source IP is
> > blocked by ipfw?

There is nothing wrong. The bpf(4) device sees packets before they are
processed and blocked by ipfw(8).

[snip]

> > The rule seems to be added to ipfw's rule set, which for my box is as
> > follows:
> >
> > 00050 1915738 1315695882 divert 8668 ip from any to any via ep1
> > 00100    3360    1384342 allow ip from any to any via lo0
> > 00200       0          0 deny ip from any to 127.0.0.0/8
> > 00300       0          0 deny ip from 127.0.0.0/8 to any
> > 00400    1596      65772 deny log logamount 500 ip from another.bad.host to my.ip.address
> > 00500       0          0 deny log logamount 500 ip from 67.161.0.0/16 to my.ip.address
> > 65535 3795144 2623014796 allow ip from any to any

However, if you are seeing these in the clog(8)s, you should also be seeing
them later blocked.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Wed Nov 28 22:02:51 2001
Date: Wed, 28 Nov 2001 21:38:20 -0800
From: "Crist J. Clark"
To: Eric Anderson
Cc: Rasputin, "Stephen T. Shipley", security@FreeBSD.ORG
Subject: Re: crypted remote backup
Message-ID: <20011128213820.I3985@blossom.cjclark.org>
In-Reply-To: <3C04EEF9.D10C1B41@centtech.com>

On Wed, Nov 28, 2001 at 08:04:41AM -0600, Eric Anderson wrote:
> What I have been doing is croning a script (as root) that
> tarballs the right stuff, and then scp the file as another
> user ("backup" in my case) to another box.
> This way I'm not
> logging in as root to copy a file over the net, and I don't
> have to have sshd set up to allow root logins at all.

There is no reason that root on the local machine (the one with the
tarball) can't log into the remote box as another user.

  #!/bin/sh
  # Run from root's crontab: root builds the archive locally ...
  tar czf backup.tgz your_backup_files ..
  # ... but the copy goes out as the unprivileged "backup" user, so the
  # remote sshd never has to permit root logins.
  scp backup.tgz backup@remote-machine:backup.tgz

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Wed Nov 28 22:04:32 2001
Message-Id: <4.3.2.7.2.20011128225341.04672880@localhost>
Date: Wed, 28 Nov 2001 23:04:02 -0700
To: "f.johan.beisser"
From: Brett Glass
Subject: Re: sshd exploit
Cc: Mauro Dias,
In-Reply-To: <20011128214925.P16958-100000@localhost>

At 10:52 PM 11/28/2001, f.johan.beisser wrote:
>how long have you known of it? frankly, this is the first i've heard about
>it, let alone the exploit binary.

I reposted a report by Dave Dittrich to this list about two weeks ago. CERT
has also had it on its Web page for a while now.
To sum it up in a few sentences: Old versions of SSH have been hacked through
the SSHv1 protocol, and the vulnerable code was adopted by OpenSSH, so older
versions of that are vulnerable too.

My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need some
of the special integration that's been done in the Ports Collection, use the
latest version that's there (2.9.something the last time I looked). FreeBSD
4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not sure just
when they fixed the problem).

--Brett

From owner-freebsd-security Wed Nov 28 22:08:16 2001
Date: Wed, 28 Nov 2001 22:08:02 -0800
From: "Crist J. Clark"
To: WebSec WebSec
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011128220802.K3985@blossom.cjclark.org>

On Wed, Nov 28, 2001 at 03:48:08PM +0000, WebSec WebSec wrote:

[snip]

> This is an ignorant response. To "smash a stack" you need at a minimum a
> connection to the machine.

Nope.

> The most you can do without a connection is to
> run a DOS. I do not see how it is possible to smash the stack by playing
> with queuing. Do a little reading sir or at least show how it can be done
> in theory... we will take to the next step :)

No need for a theoretical treatment. It can be done. Here's a URL for an
exploit for the NTP overflow from earlier this year.

  http://downloads.securityfocus.com/vulnerabilities/exploits/ntpd-exp.c

Here is a piece of the inline documentation,

/* ntpd remote root exploit / babcia padlina ltd. */

/*
 * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
 * to remote buffer overflow attack. It occurs when building response for
 * a query with large readvar argument. In almost all cases, ntpd is running
 * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
 *
 * Althought it's a normal buffer overflow, exploiting it is much harder.
 * Destination buffer is accidentally damaged, when attack is performed, so
 * shellcode can't be larger than approx. 70 bytes. This proof of concept code
 * uses small execve() shellcode to run /tmp/sh binary. Full remote attack
 * is possible.
 *
 * NTP is stateless UDP based protocol, so all malicious queries can be
 * spoofed.

This was a rather big deal when it broke so I wouldn't be calling other
people who _know_ you can exploit a buffer overflow with one packet
"ignorant."
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Wed Nov 28 23:28:08 2001
Date: Thu, 29 Nov 2001 01:28:01 -0600 (CST)
From: Mike Silbersack
To: Brett Glass
Cc: "f.johan.beisser", Mauro Dias,
Subject: Re: sshd exploit
In-Reply-To: <4.3.2.7.2.20011128225341.04672880@localhost>
Message-ID: <20011129012235.U6446-100000@achilles.silby.com>

On Wed, 28 Nov 2001, Brett Glass wrote:

> At 10:52 PM 11/28/2001, f.johan.beisser wrote:
>
> >how long have you known of it? frankly, this is the first i've heard about
> >it, let alone the exploit binary.
>
> I reposted a report by Dave Dittrich to this list about two weeks ago. CERT
> has also had it on its Web page for a while now. To sum it up in a few
> sentences: Old versions of SSH have been hacked through the SSHv1 protocol,
> and the vulnerable code was adopted by OpenSSH, so older versions of that
> are vulnerable too.
>
> My recommendation: compile and install OpenSSH 3.0.1p1.
> Or, if you need
> some of the special integration that's been done in the Ports Collection,
> use the latest version that's there (2.9.something the last time I looked).
> FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not
> sure just when they fixed the problem).
>
> --Brett

The CRC bug was fixed in 2.3.0, which was merged into -stable before the
release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's to
a bug which has not yet been announced.

If there _is_ a new bug, and it follows the description in the url posted
earlier in the thread, it's probably also SSHv1 related, and can be avoided
by disabling protocol 1 support in sshd_config - I find it extremely unlikely
that SSH.com and OpenSSH coders made the same mistake in independently
created sshv2 implementations. But, that's only if... I seem to doubt that
there's a new bug, given the lack of proof.

Mike "Silby" Silbersack

From owner-freebsd-security Wed Nov 28 23:36:29 2001
Date: Wed, 28 Nov 2001 23:36:25 -0800
From: Kris Kennaway
To: Brett Glass
Cc: Mauro Dias, security@FreeBSD.ORG
Subject: Re: sshd exploit
Message-ID: <20011128233625.B53604@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011128221259.04665720@localhost>

On Wed, Nov 28, 2001 at 10:18:29PM -0700, Brett Glass wrote:
> At 10:07 PM 11/28/2001, Mauro Dias wrote:
>
> >I read the message about the sshd exploit.
> >I have a binary copy of this exploit.
> >It exploits ssh versions:
> >ssh-1.2.26
> >ssh-1.2.27
> >OpenSSH-2.2.0p1
>
> I wonder if this is the same exploit mentioned by Dittrich and CERT --
> the CRC32 compensation attack detector overflow in SSH1.

No, this one was fixed way back in 2.3.0, the version after 2.2.0p1 (notice
the strange similarity with version numbers above).

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

---
An integer overflow may allow arbitrary remote users to obtain root
permissions on the server running sshd. This is due to a coding mistake in
code intended to work around a protocol flaw in the SSH1 protocol.

This vulnerability was corrected in OpenSSH 2.3.0, which was committed to
FreeBSD 4.2-STABLE on 2000-12-05.
---

> If so, you can probably patch the hole temporarily by disabling
> version 1 of the protocol. You can then upgrade to eliminate the hole.
> 3.0.1p1 is said to be immune. It's what I've run ever since I first heard
> about the vulnerability.

I think there's terrible confusion here about the problem; the old 2.2.0
vulnerability was discussed again recently by Dittrich, which seems to have
confused a lot of people into thinking it's a new vulnerability. The rumours
which are currently rampant of an actual new exploit have yet to be
confirmed, AFAIK.
Kris

From owner-freebsd-security Wed Nov 28 23:40:06 2001
Date: Wed, 28 Nov 2001 23:39:47 -0800
From: Kris Kennaway
To: Brett Glass
Cc: "f.johan.beisser", Mauro Dias, security@FreeBSD.ORG
Subject: Re: sshd exploit
Message-ID: <20011128233947.C53604@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011128225341.04672880@localhost>

On Wed, Nov 28, 2001 at 11:04:02PM -0700, Brett Glass wrote:
> At 10:52 PM 11/28/2001, f.johan.beisser wrote:
>
> >how long have you known of it? frankly, this is the first i've heard about
> >it, let alone the exploit binary.
>
> I reposted a report by Dave Dittrich to this list about two weeks ago. CERT
> has also had it on its Web page for a while now. To sum it up in a few
> sentences: Old versions of SSH have been hacked through the SSHv1 protocol,
> and the vulnerable code was adopted by OpenSSH, so older versions of that
> are vulnerable too.
>
> My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need
> some of the special integration that's been done in the Ports Collection,
> use the latest version that's there (2.9.something the last time I looked).
> FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not
> sure just when they fixed the problem).

Not so much with the Flying Fists of Fud, please Brett. If you'd actually
read the CERT advisory you'd see quite clearly that it was fixed over a year
ago.

Dittrich's analysis also says clearly at the top:

On October 6, 2001, intruders originating from network blocks in the
Netherlands used an exploit for the crc32 compensation attack detector
vulnerability to remotely compromise a Red Hat Linux system on the UW
network running OpenSSH 2.1.1. This vulnerability is described in
CERT Vulnerability note VU#945216:

i.e. old, old, boring, old.
Kris

From owner-freebsd-security Thu Nov 29 07:05:25 2001
Date: Thu, 29 Nov 2001 09:05:15 -0600 (CST)
From: "Jonathan M. Slivko"
Subject: Security Books about FreeBSD

Hello,

I am interested in finding out if there are any current books out (aside
from the Handbook) about securing FreeBSD. If so, can you give me some names
of them? Any help would be appreciated.

                                 \|||/
                                 (o o)
/-----------------------------ooO-(_)-Ooo----------------------------\
| Jonathan M. Slivko            E-Mail: jslivko@core.com             |
| IRC Nick: optix`              Backup: jslivko@voyageri.net         |
| AIM/AOL: JMSNY2001            Web   : http://www.voyageri.net/     |
|--------------------------------------------------------------------|
| "History teaches us that days like this are best spent in bed"     |
\--------------------------------------------------------------------/

From owner-freebsd-security Thu Nov 29 10:49:01 2001
Message-Id: <4.3.2.7.2.20011129113349.04722900@localhost>
Date: Thu, 29 Nov 2001 11:46:50 -0700
To: Kris Kennaway
From: Brett Glass
Subject: Re: sshd exploit
Cc: "f.johan.beisser", Mauro Dias, security@FreeBSD.ORG
In-Reply-To: <20011128233947.C53604@xor.obsecurity.org>

At 12:39 AM 11/29/2001, Kris Kennaway wrote:

>Not so much with the Flying Fists of Fud, please Brett. If you'd
>actually read the CERT advisory you'd see quite clearly that it was
>fixed over a year ago.

I've read the CERT advisory and also Dittrich's paper.
The fact that a vulnerability was fixed in recent versions of the software does not mean that we should be unconcerned. >Dittrich's analysis also says clearly at the top: > >On October 6, 2001, intruders originating from network blocks in the >Netherlands used an exploit for the crc32 compensation attack detector >vulnerability to remotely compromise a Red Hat Linux system on the UW >network running OpenSSH 2.1.1. This vulnerability is described in >CERT Vulnerability note VU#945216: > >i.e. old, old, boring, old. I've noticed that there's a tendency, among people who keep on the cutting edge, either to forget that there are likely to be a very large number of people running older and/or unpatched systems or to sneer at those people. We should not do that. One of the strengths of BSD UNIX is that it's appliance-like; you can install it and it JUST RUNS. We shouldn't mock people who take advantage of that strength and may not have heard that they have a need to install a patch or upgrade. In short, the vulnerability may be old, but it's not boring. The effects of an automatic exploit could be devastating. What's more, we do not know whether the binary exploit that's now being distributed across the Net is for this or some other vulnerability. As Security Officer, have you run the exploit against 4.4-RELEASE to see how it behaves and if 4.4-RELEASE is immune? This is important, since without a disassembly we do not know whether the exploit attacks this vulnerability or a different (possibly related?) one. We also do not know if the claimed fix was fully effective against all possible exploits. 
--Brett

From owner-freebsd-security Thu Nov 29 10:59:08 2001
Received: from mail.megabusqueda.com (mail.mercantil.com [200.14.114.7]) by hub.freebsd.org (Postfix) with ESMTP id E3F8337B416 for ; Thu, 29 Nov 2001 10:59:02 -0800 (PST)
Received: from sysadmin [1.1.3.108] by mail.megabusqueda.com with ESMTP (SMTPD32-6.06) id A59C21800BE; Thu, 29 Nov 2001 15:59:40 -0300
From: "Administrator"
To:
Subject: Active.FrrBSD.Firewall
Date: Thu, 29 Nov 2001 15:59:40 -0300
Organization: Mercantil.Com
Message-ID: <000001c17907$ff89d6c0$6c030101@sysadmin>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C178EE.DA3C9EC0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

How do I implement an active firewall to block "port scans" or other
non-permitted ports???

PS: thanks...

From owner-freebsd-security Thu Nov 29 11:06:54 2001
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by hub.freebsd.org (Postfix) with ESMTP id 5E8D237B416 for ; Thu, 29 Nov 2001 11:06:50 -0800 (PST)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id fATJ6h470358; Thu, 29 Nov 2001 11:06:43 -0800 (PST) (envelope-from jan@caustic.org)
Date: Thu, 29 Nov 2001 11:06:43 -0800 (PST)
From: "f.johan.beisser"
To: Brett Glass
Cc: Kris Kennaway , Mauro Dias ,
Subject: Re: sshd exploit
In-Reply-To: <4.3.2.7.2.20011129113349.04722900@localhost>
Message-ID: <20011129105830.G16958-100000@localhost>
X-Ignore: This statement isn't supposed to be read by you
X-TO-THE-FBI-CIA-AND-NSA: HI! HOW YA DOIN?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 29 Nov 2001, Brett Glass wrote:

> What's more, we do not know whether the binary exploit that's now being
> distributed across the Net is for this or some other vulnerability.
> As Security Officer, have you run the exploit against 4.4-RELEASE to
> see how it behaves and if 4.4-RELEASE is immune? This is important, since
> without a disassembly we do not know whether the exploit attacks this
> vulnerability or a different (possibly related?) one. We also do not know
> if the claimed fix was fully effective against all possible exploits.

I've run the binary against 4.2-RELEASE to 4.4-RELEASE. In each case the
attack failed.

-- jan

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                        jan@caustic.org
  "John Ashcroft is really just the reanimated corpse of
   J. Edgar Hoover." -- Tim Triche

From owner-freebsd-security Thu Nov 29 11:26:20 2001
Received: from tomts15-srv.bellnexxia.net (tomts15.bellnexxia.net [209.226.175.3]) by hub.freebsd.org (Postfix) with ESMTP id E1ED337B41C for ; Thu, 29 Nov 2001 11:26:07 -0800 (PST)
Received: from khan.anarcat.dyndns.org ([65.94.190.39]) by tomts15-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011129192607.KQWF14865.tomts15-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Thu, 29 Nov 2001 14:26:07 -0500
Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id 63ACF1AA2; Thu, 29 Nov 2001 14:29:23 -0500 (EST)
Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id 032C020ACB; Thu, 29 Nov 2001 14:27:32 -0500 (EST)
Date: Thu, 29 Nov 2001 14:27:32 -0500
From: The Anarcat
To: Brett Glass
Cc: Jay Keller , freebsd-security@FreeBSD.ORG
Subject: OT: package management (was: Re: Updating ssh)
Message-ID: <20011129192731.GA513@shall.anarcat.dyndns.org>
Mail-Followup-To: Brett Glass , Jay Keller , freebsd-security@FreeBSD.ORG
References: <4.3.2.7.2.20011128151923.041d0710@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="huq684BweRXVnRxX"
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20011128151923.041d0710@localhost>
User-Agent: Mutt/1.3.23.2i

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[Picking a random message to answer]

I must admit that while I agree that the distinction between /usr and
/usr/local must be kept, there is a problem with the way the base system
is laid out from installation.

We have no record of base system installed files as we have for third
party packages.

And there is a solution: we have a package management suite, we should
use it to package the base system.

It might not be simple, it might not be desirable by some people, but I
think it is inevitable. If it is not done with the 4.x series w/ the
current package tools, it will be done in the 5.x series with the next
generation package tools, since it will be the way the system gets
installed then.

The problem with switching the current system to using package tools is
that they are not complete. They lack the proper capabilities to have
smooth upgrades, undos and such. The next generation tools will address
(and already do!) these issues.

If everything is then packaged this way, /usr and /usr/local are simply
implementation details.

Anyone up for the task of packaging /usr/src?

a.

From owner-freebsd-security Thu Nov 29 11:34:53 2001
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 64A1137B419 for ; Thu, 29 Nov 2001 11:34:47 -0800 (PST)
Received: by gw.nectar.com (Postfix, from userid 1001) id 8DEC62F; Thu, 29 Nov 2001 13:34:46 -0600 (CST)
Date: Thu, 29 Nov 2001 13:34:46 -0600
From: "Jacques A. Vidrine"
To: Brett Glass
Cc: Kris Kennaway , "f.johan.beisser" , Mauro Dias , security@FreeBSD.ORG
Subject: Re: sshd exploit
Message-ID: <20011129133446.A23161@hellblazer.nectar.com>
References: <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <20011128233947.C53604@xor.obsecurity.org> <4.3.2.7.2.20011129113349.04722900@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.2.7.2.20011129113349.04722900@localhost>; from brett@lariat.org on Thu, Nov 29, 2001 at 11:46:50AM -0700
X-Url: http://www.nectar.com/

On Thu, Nov 29, 2001 at 11:46:50AM -0700, Brett Glass wrote:
> As Security Officer, have you run the exploit against 4.4-RELEASE to
> see how it behaves and if 4.4-RELEASE is immune?

As a member of the FreeBSD Security Officer team, I have worked with
both the TESO and x2 exploits. Neither work against any version of
OpenSSH later than 2.2.0, which includes 4.4-RELEASE. Both programs
attack the CRC detector.

This doesn't prove that there is not yet another exploit program that
does, but so far we have only rumours.

> This is important, since
> without a disassembly we do not know whether the exploit attacks this
> vulnerability or a different (possibly related?) one.

Who says we don't have a disassembly? Anyway, one doesn't need one to
determine what the exploit does when run, or how it affects arbitrary
versions of OpenSSH.

> We also do not know
> if the claimed fix was fully effective against all possible exploits.

We can never know that about this fix or any other, of course.

-- 
Jacques A. Vidrine                http://www.nectar.com/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Nov 29 11:49:44 2001
Received: from kdmail.netcologne.de (kdmail.netcologne.de [194.8.194.80]) by hub.freebsd.org (Postfix) with ESMTP id 6958237B417 for ; Thu, 29 Nov 2001 11:49:37 -0800 (PST)
Received: from emre.de ([213.168.117.190]) by kdmail.netcologne.de (Post.Office MTA v3.5.3 release 223 ID# 127-61375U6500L550S0V35) with ESMTP id de for ; Thu, 29 Nov 2001 20:49:34 +0100
Message-ID: <3C0692F1.2040904@emre.de>
Date: Thu, 29 Nov 2001 20:56:33 +0100
From: Emre Bastuz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:0.9.2) Gecko/20010726 Netscape6/6.1
X-Accept-Language: de-DE
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: sshd: rcvd big packet ?
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Hi,

I just noticed a lot of messages in /var/log/messages that look like
this:

Nov 26 15:28:17 myhost sshd[19978]: channel 1: rcvd big packet 31535, maxpack 16384

After doing some research on google, I found out that this is some kind
of indicator for the sshd crc32 attack. Can anyone confirm this?

Just a couple of days ago I updated sshd to 3.0, just as a precaution.
What are the chances my box has been compromised?

I'm running snort 1.8.1 on this box - the IDS did not leave any attack
alerts? Hmmmm ...

I'll do some investigating and hope one of you guys can give me some
hint what the messages might mean.
Regards,

Emre

-- 
Emre Bastuz                      info@emre.de
http://www.emre.de               UIN: 561260
PGP Key ID: 0xAFAC77FD

From owner-freebsd-security Thu Nov 29 13:54:44 2001
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 0CD1F37B405 for ; Thu, 29 Nov 2001 13:54:39 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA10065; Thu, 29 Nov 2001 14:54:12 -0700 (MST)
Message-Id: <4.3.2.7.2.20011129145159.00afd050@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 29 Nov 2001 14:52:27 -0700
To: The Anarcat
From: Brett Glass
Subject: Re: OT: package management (was: Re: Updating ssh)
Cc: Jay Keller , freebsd-security@FreeBSD.ORG
In-Reply-To: <20011129192731.GA513@shall.anarcat.dyndns.org>
References: <4.3.2.7.2.20011128151923.041d0710@localhost> <4.3.2.7.2.20011128151923.041d0710@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 12:27 PM 11/29/2001, The Anarcat wrote:

>I must admit that while I agree that the distinction between /usr and
>/usr/local must be kept, there is a problem with the way the base system
>is laid out from installation.
>
>We have no record of base system installed files as we have for third
>party packages.
>
>And there is a solution: we have a package management suite, we should
>use it to package the base system.

I really do like this idea.

--Brett

From owner-freebsd-security Thu Nov 29 13:56:18 2001
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 66A1037B41A for ; Thu, 29 Nov 2001 13:56:10 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA10136; Thu, 29 Nov 2001 14:55:43 -0700 (MST)
Message-Id: <4.3.2.7.2.20011129145328.00afde60@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 29 Nov 2001 14:53:58 -0700
To: "Jacques A. Vidrine"
From: Brett Glass
Subject: Re: sshd exploit
Cc: Kris Kennaway , "f.johan.beisser" , Mauro Dias , security@FreeBSD.ORG
In-Reply-To: <20011129133446.A23161@hellblazer.nectar.com>
References: <4.3.2.7.2.20011129113349.04722900@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <20011128233947.C53604@xor.obsecurity.org> <4.3.2.7.2.20011129113349.04722900@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 12:34 PM 11/29/2001, Jacques A. Vidrine wrote:

>As a member of the FreeBSD Security Officer team, I have worked with
>both the TESO and x2 exploits. Neither work against any version of
>OpenSSH later than 2.2.0, which includes 4.4-RELEASE. Both programs
>attack the CRC detector.

This is good to know! It's the first I've heard of tests actually being
performed.
--Brett

From owner-freebsd-security Thu Nov 29 13:57:03 2001
Received: from hotmail.com (oe45.pav1.hotmail.com [64.4.30.17]) by hub.freebsd.org (Postfix) with ESMTP id 21E1B37B405 for ; Thu, 29 Nov 2001 13:56:54 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 29 Nov 2001 13:56:54 -0800
X-Originating-IP: [216.95.234.92]
From: "jack xiao"
To:
Subject: the version of KAME
Date: Thu, 29 Nov 2001 16:51:58 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_014E_01C178F6.28992E60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Message-ID:
X-OriginalArrivalTime: 29 Nov 2001 21:56:54.0023 (UTC) FILETIME=[C1C9D970:01C17920]

Hi,

I came across a version mismatch problem. So I am wondering the version
of KAME in the FreeBSD 4.2 release. Any ideas will be appreciated.

Thanks.

Jack

From owner-freebsd-security Thu Nov 29 13:59:00 2001
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id 16E0C37B41A for ; Thu, 29 Nov 2001 13:58:54 -0800 (PST)
Received: from pir by moek.pir.net with local (Exim) id 169ZCn-0000EO-00 for freebsd-security@FreeBSD.ORG; Thu, 29 Nov 2001 16:58:53 -0500
Date: Thu, 29 Nov 2001 16:58:52 -0500
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: OT: package management (was: Re: Updating ssh)
Message-ID: <20011129165852.D26664@pir.net>
Reply-To: freebsd-security@freebsd.org
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <4.3.2.7.2.20011128151923.041d0710@localhost> <4.3.2.7.2.20011128151923.041d0710@localhost> <20011129192731.GA513@shall.anarcat.dyndns.org> <4.3.2.7.2.20011129145159.00afd050@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.2.7.2.20011129145159.00afd050@localhost>; from brett@lariat.org on Thu, Nov 29, 2001 at 02:52:27PM -0700
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.

Brett Glass probably said:
> At 12:27 PM 11/29/2001, The Anarcat wrote:
> >And there is a solution: we have a package management suite, we should
> >use it to package the base system.
> I really do like this idea.

So do a lot of people, but in every one of the (many) times this has come
up before no one has stepped forward to put the work into cataloging all
the files in the base system and creating the package information.
This has been hashed through a dozen times with no resolution and is no
longer appropriate for -security, hmm?

P.

-- 
pir                  pir-sig@pir.net                  pir-sig@net.tufts.edu

From owner-freebsd-security Thu Nov 29 14:07:42 2001
Received: from cheer.mahoroba.org (flets-f0022.kamome.or.jp [211.8.127.22]) by hub.freebsd.org (Postfix) with ESMTP id 1287B37B419 for ; Thu, 29 Nov 2001 14:07:37 -0800 (PST)
Received: from peace.mahoroba.org (IDENT:nALaM/LeXMFwVsVD7XWcWun/XZLg6zx34xjZR7azpJISd8W2897nrNaq4mypxtlZ@peace.mahoroba.org [IPv6:3ffe:505:2:0:200:f8ff:fe05:3eae]) (user=ume mech=CRAM-MD5 bits=0) by cheer.mahoroba.org (8.12.1/8.12.1) with ESMTP/inet6 id fATM7TLf027408; Fri, 30 Nov 2001 07:07:32 +0900 (JST) (envelope-from ume@mahoroba.org)
Date: Fri, 30 Nov 2001 07:07:28 +0900 (JST)
Message-Id: <20011130.070728.85387951.ume@mahoroba.org>
To: jack_xiao99@hotmail.com
Cc: security@FreeBSD.ORG
Subject: Re: the version of KAME
From: Hajimu UMEMOTO
In-Reply-To:
References:
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-Operating-System: FreeBSD 5.0-CURRENT
X-Mailer: xcite1.38> Mew version 2.1 on Emacs 21.1 / Mule 5.0 =?iso-2022-jp?B?KBskQjgtTFobKEIp?=
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by AMaViS-perl11-milter (http://amavis.org/)

Hi,

>>>>> On Thu, 29 Nov 2001 16:51:58 -0500
>>>>> "jack xiao" said:

jack_xiao99> I came across a version mismatch problem. So I am wondering the version of KAME in the FreeBSD 4.2 release. Any ideas will be appreciated.

You can see it by typing net.inet6.ip6.kame_version. Here is mine:

ume@cheer:128> uname -a
FreeBSD cheer.mahoroba.org 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Sun Sep 16 23:48:16 JST 2001     ume@cheer.mahoroba.org:/usr/obj/usr/src/sys/CHEER  i386
ume@cheer:129> sysctl net.inet6.ip6.kame_version
net.inet6.ip6.kame_version: 20010528/FreeBSD

-- 
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security Thu Nov 29 14:58:37 2001
Received: from www.qubic.net (qubic.net [166.90.54.137]) by hub.freebsd.org (Postfix) with ESMTP id 7C60537B416 for ; Thu, 29 Nov 2001 14:58:31 -0800 (PST)
Received: from subman (R12-110.intnet.mu [202.123.12.110]) by www.qubic.net (8.9.3/8.9.3) with SMTP id OAA09233; Thu, 29 Nov 2001 14:58:21 -0800
Message-Id: <3.0.5.32.20011130025506.008447c0@iname.com>
X-Sender: nntp@iname.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 30 Nov 2001 02:55:06 +0400
To: Emre Bastuz , security@FreeBSD.ORG
From: SM
Subject: Re: sshd: rcvd big packet ?
In-Reply-To: <3C0692F1.2040904@emre.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

At 20:56 29-11-2001 +0100, Emre Bastuz wrote:
>I'm running snort 1.8.1 on this box - the IDS did not leave any attack
>alerts ?

From the Snort 1.8.2 rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; content:"|FF FF FF FF 00 00|"; offset:8; depth:14; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1327; rev:1;)

Regards,
-sm

From owner-freebsd-security Thu Nov 29 15:13:02 2001
Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id 1757E37B405 for ; Thu, 29 Nov 2001 15:12:59 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id E16D166B27; Thu, 29 Nov 2001 15:12:58 -0800 (PST)
Date: Thu, 29 Nov 2001 15:12:58 -0800
From: Kris Kennaway
To: jack xiao
Cc: security@FreeBSD.ORG
Subject: Re: the version of KAME
Message-ID: <20011129151258.A58656@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="W/nzBZO5zC0uMSeA"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jack_xiao99@hotmail.com on Thu, Nov 29, 2001 at 04:51:58PM -0500

On Thu, Nov 29, 2001 at 04:51:58PM -0500, jack xiao wrote:
> Hi,
> 
> I came across a version mismatch problem. So I am wondering the version of KAME in the FreeBSD 4.2 release. Any ideas will be appreciated.

Don't ask off-topic questions on -security.

Kris

From owner-freebsd-security Thu Nov 29 15:22:58 2001
Received: from MCSMTP2.MC.VANDERBILT.EDU (mcsmtp2.mc.Vanderbilt.Edu [160.129.50.78]) by hub.freebsd.org (Postfix) with ESMTP id 50B2137B405 for ; Thu, 29 Nov 2001 15:22:55 -0800 (PST)
Subject: root group membership
To: freebsd-security@freebsd.org
X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001
Message-ID:
From: George.Giles@mcmail.vanderbilt.edu
Date: Thu, 29 Nov 2001 17:20:31 -0600
X-MIMETrack: Serialize by Router on MCSMTP2.MC.vanderbilt.edu/VUMC/Vanderbilt(Release 5.0.6a |January 17, 2001) at 11/29/2001 05:14:05 PM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii

FreeBSD 4.4 release /etc/group files:

# $FreeBSD: src/etc/group,v 1.19 1999/08/27 23:23:41 peter Exp $
#
wheel:*:0:root
daemon:*:1:daemon
kmem:*:2:root
sys:*:3:root
tty:*:4:root
operator:*:5:root
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
staff:*:20:root
guest:*:31:root

Are root memberships here normal, or have I been hacked?

From owner-freebsd-security Thu Nov 29 15:27:30 2001
Received: from jochem.dyndns.org (cc40670-a.groni1.gr.nl.home.com [217.120.131.23]) by hub.freebsd.org (Postfix) with ESMTP id C0EC537B416 for ; Thu, 29 Nov 2001 15:27:25 -0800 (PST)
Received: (from jochem@localhost) by jochem.dyndns.org (8.11.6/8.11.6) id fATNRK626382; Fri, 30 Nov 2001 00:27:20 +0100 (CET) (envelope-from jochem)
Date: Fri, 30 Nov 2001 00:27:20 +0100
From: Jochem Kossen
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: root group membership
Message-ID: <20011130002720.A26367@jochem.dyndns.org>
Mail-Followup-To: George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Thu, Nov 29, 2001 at 05:20:31PM -0600

On Thu, Nov 29, 2001 at 05:20:31PM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> FreeBSD 4.4 release /etc/group files:
>
> # $FreeBSD: src/etc/group,v 1.19 1999/08/27 23:23:41 peter Exp $
> #
> wheel:*:0:root
> daemon:*:1:daemon
> kmem:*:2:root
> sys:*:3:root
> tty:*:4:root
> operator:*:5:root
> mail:*:6:
> bin:*:7:
> news:*:8:
> man:*:9:
> games:*:13:
> staff:*:20:root
> guest:*:31:root
>
> Are root memberships here normal, or have I been hacked?
> Seems normal to me

-- Jochem

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 29 15:33:00 2001
Date: Thu, 29 Nov 2001 18:32:52 -0500
From: Chris Faulhaber
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: root group membership
Message-ID: <20011129183252.A7718@peitho.fxp.org>

On Thu, Nov 29, 2001 at 05:20:31PM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> FreeBSD 4.4 release /etc/group files:
>
> # $FreeBSD: src/etc/group,v 1.19 1999/08/27 23:23:41 peter Exp $
> #
> wheel:*:0:root
> daemon:*:1:daemon
> kmem:*:2:root
> sys:*:3:root
> tty:*:4:root
> operator:*:5:root
> mail:*:6:
> bin:*:7:
> news:*:8:
> man:*:9:
> games:*:13:
> staff:*:20:root
> guest:*:31:root
>
> Are root memberships here normal, or have I been hacked?
>

Looks correct:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/group?rev=1.19.2.1

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Nov 29 15:40:46 2001
Date: Thu, 29 Nov 2001 18:40:36 -0500 (EST)
From: Rob Simmons
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: root group membership
Message-ID: <20011129183907.Y47090-100000@mail.wlcg.com>

Please read the group(5) man page. Your file shows that the root user
is a member of those other groups. If you had other users in the wheel
group, you might have a problem.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 29 Nov 2001 George.Giles@mcmail.vanderbilt.edu wrote:

> FreeBSD 4.4 release /etc/group files:
>
> # $FreeBSD: src/etc/group,v 1.19 1999/08/27 23:23:41 peter Exp $
> #
> wheel:*:0:root
> daemon:*:1:daemon
> kmem:*:2:root
> sys:*:3:root
> tty:*:4:root
> operator:*:5:root
> mail:*:6:
> bin:*:7:
> news:*:8:
> man:*:9:
> games:*:13:
> staff:*:20:root
> guest:*:31:root
>
> Are root memberships here normal, or have I been hacked?

From owner-freebsd-security Thu Nov 29 18:45:29 2001
Date: Thu, 29 Nov 2001 18:45:21 -0800
From: Kris Kennaway
To: Brett Glass
Cc: Kris Kennaway, "f.johan.beisser", Mauro Dias, security@FreeBSD.ORG
Subject: Lack of evidence for new SSH vulnerability
Message-ID: <20011129184521.B66815@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011129113349.04722900@localhost>
On Thu, Nov 29, 2001 at 11:46:50AM -0700, Brett Glass wrote:
> At 12:39 AM 11/29/2001, Kris Kennaway wrote:
>
> >Not so much with the Flying Fists of Fud, please Brett. If you'd
> >actually read the CERT advisory you'd see quite clearly that it was
> >fixed over a year ago.
>
> I've read the CERT advisory and also Dittrich's paper. The fact
> that a vulnerability was fixed in recent versions of the software
> does not mean that we should be unconcerned.

Your email described how you upgraded to the latest version of OpenSSH
because you weren't sure whether the version currently in FreeBSD was
affected by the vulnerability described in the CERT and Dittrich
reports. That indicates you had no clue what was going on since both
documents quite clearly refer to versions of OpenSSH which were
included in FreeBSD a year ago, the CERT advisory explicitly states
when the problem was fixed (a year ago), and links to the FreeBSD
advisory which also says clearly that we fixed it a year ago.

> >Dittrich's analysis also says clearly at the top:
> >
> >On October 6, 2001, intruders originating from network blocks in the
> >Netherlands used an exploit for the crc32 compensation attack detector
> >vulnerability to remotely compromise a Red Hat Linux system on the UW
> >network running OpenSSH 2.1.1. This vulnerability is described in
> >CERT Vulnerability note VU#945216:
> >
> >i.e. old, old, boring, old.
>
> In short, the vulnerability may be old, but it's not boring. The effects
> of an automatic exploit could be devastating.

If you're concerned that people can't read the advisories we release
in a timely fashion, then a reasonable solution would be to send email
saying:

-----
Heads up! If you haven't upgraded your 4.2-RELEASE (or earlier)
systems yet, you need to do so because people have started exploiting
the version of SSH which was included in that. This vulnerability was
announced by FreeBSD in February 2001 and is described in the advisory
located at

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

If you've upgraded since then, you're fine.
-----

There's a lot of hysteria floating around about a "new ssh exploit";
your message was feeding that hysteria because it contained incorrect
statements about the known facts, and so I was trying to dispel it.

The hysteria seems to be based on the following chain of events:

1) Dave Dittrich writes about how an OpenSSH 2.1.1 box was exploited
   using the vulnerability published and fixed a year ago

2) CERT update their advisory for the vulnerability published and
   fixed a year ago (I don't know what; probably additional details
   from Dittrich, or maybe in response to #3)

3) An exploit for the vulnerability published and fixed a year ago is
   circulated. The exploit only mentions working against versions
   vulnerable to the old problem (2.2.0p1 and earlier), but many people
   assume it is effective against current versions since it's only
   making the rounds now. This is compounded by the fact that the
   exploit is being circulated in a poorly documented, encrypted,
   binary-only form, which makes its function and scope mysterious.

4) People send emails suggesting that 2.9 is still vulnerable to the
   2.2.0p1 bug, based on misunderstanding of 1), 2) and 3)

5) Kris gets annoyed

> What's more, we do not know whether the binary exploit that's now being
> distributed across the Net is for this or some other vulnerability.
> As Security Officer, have you run the exploit against 4.4-RELEASE to
> see how it behaves and if 4.4-RELEASE is immune?

The only details I've received about this "new" exploit fall into
three classes:

a) Rumours that 2.9 is vulnerable to a root exploit, with no
   substantiating evidence. See #4 above for probable explanation.

b) Copies of the exploit for 2.2.0p1 (I've received 5 so far, mostly
   from people who think it's a 2.9 exploit). See #3 above for
   probable explanation.

c) Evidence that people are actively trying to exploit the 2.2.0p1
   (CRC) vulnerability. Evidence of failure against newer versions
   which are believed to be not vulnerable to it anyway.

I have not been able to get this exploit to do anything against the
current FreeBSD version of OpenSSH (2.9), consistent with the
hypothesis that it is, in fact, an exploit for the 2.2.0p1 bug fixed a
year ago.

> This is important, since without a disassembly we do not know
> whether the exploit attacks this vulnerability or a different
> (possibly related?) one. We also do not know if the claimed fix was
> fully effective against all possible exploits.

Those who reviewed the fix believe it to be effective. There's no
evidence to the contrary.

I've seen no evidence of an OpenSSH 2.9 vulnerability; if anyone can
provide some, please forward it to security-officer@FreeBSD.org. If
you're paranoid, disable your SSH daemons or take whatever other
action you feel to be appropriate; if you're not, we'll tell you as
soon as we know of any actual security problem in FreeBSD. That's all
I have to say about this matter until then.

Kris

From owner-freebsd-security Thu Nov 29 21:13:14 2001
Date: Thu, 29 Nov 2001 20:04:43 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: ipf return-rst
Message-ID: <20011129200441.D21918@shell.gsinet.sittig.org>
In-Reply-To: <3C056986.163131B9@centtech.com>

On Wed, Nov 28, 2001 at 16:47 -0600, Eric Anderson wrote:
>
> I'm trying to figure out why my return-rst lines aren't
> working. Here's a sample of a line:
> block return-rst in quick on xl0 proto tcp from any to
> my.ext.ip/32 port = 23 flags S/SA

Is your my.ext.ip static? If it isn't, I suggest using 0.0.0.0/32 as
the IP spec and invoking "ipf -y" in your linkup script.

Are you the only filter in the path? Have you tried this locally in a
network completely under your control? Check it with the lo0 interface
and your internal NIC first to make sure.

> Both block the connection, but timeout instead of giving the
> "Connection refused" line.

Is this some kind of application retry? Did you use something like
netcat as a frontend and did you check by running tcpdump?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76

Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
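The symptom in this thread is the difference between a port that answers a SYN with a RST (the client sees "Connection refused" at once) and one where the SYN is silently dropped (the client waits until its timeout). The following probe is an added example, not code from the list or from IP Filter; it classifies a TCP port from the client side by that distinction. It assumes nothing about the filter in front of the target: run it against my.ext.ip port 23 from outside and a "return-rst" rule that works shows up as "refused", while "filtered" means the RST never reached you. The self-test at the bottom only uses loopback, where a closed port always answers with a RST.

```python
import errno
import socket

# Added example (not from the thread or from ipf): tell a RST-answered
# port apart from a silently dropped SYN, the check Gerhard suggests
# doing with netcat and tcpdump, but with the outcome returned as a value.


def classify_tcp_port(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'error:<errno name>'.

    refused  - the peer (or the firewall on its behalf) sent a RST:
               a closed port, or a "block return-rst" rule working.
    filtered - neither SYN/ACK nor RST arrived within the timeout:
               a plain "block" rule, or a filter upstream eating it.
    open     - the three-way handshake completed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def free_tcp_port():
    """Pick a loopback port nothing listens on (bind to 0, read it, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def listening_socket():
    """A listener on an ephemeral loopback port, for the 'open' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # Closed loopback port: the kernel answers the SYN with a RST.
    print("closed port:", classify_tcp_port("127.0.0.1", free_tcp_port()))
    srv = listening_socket()
    print("listening port:", classify_tcp_port("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    # Against the rule quoted above you would run, from outside:
    #   classify_tcp_port("my.ext.ip", 23)
    # and expect "refused"; "filtered" is the timeout Eric reports.
```

If the probe reports "filtered" while tcpdump on the firewall shows the RST leaving, the RST is being dropped on the way back (another filter in the path, exactly the case Gerhard asks about), so the test should first be repeated on lo0 and the internal interface.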
From owner-freebsd-security Thu Nov 29 21:13:16 2001
Date: Thu, 29 Nov 2001 20:04:28 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: Updating ssh
Message-ID: <20011129200427.C21918@shell.gsinet.sittig.org>
In-Reply-To: <4.3.2.7.2.20011128151923.041d0710@localhost>

On Wed, Nov 28, 2001 at 15:26 -0700, Brett Glass wrote:
>
> This reflects a common problem in FreeBSD. When you install a port or
> compile a newer version of an application which is included in the base
> install, it usually goes into /usr/local, so the system keeps on using
> the old version (which is ahead of the newer one in the path). What's
> more, the configuration files are often required to be in different
> places.
[ ... ]
>
> Perhaps FreeBSD should put these things in /usr/local from the get-go?

How sick is the idea of having some mailwrapper alike for those program
suites (ssh, perl, named, cc, who else?) while keeping the actual
programs in some libexec directory (the base system versions) or
/usr/local (the ports)? So that the executable always can be found in
the one and only known and persistent location (/usr/bin) while the
"redirection mess" at installation or update time is reduced to a
port's "make install" and editing just *one* config file (the wrapper
conf).

The only downside I can see is increased complexity (the company(id?) of
flexibility, I guess ...) and increased chances for somebody of those
who didn't like mailwrapper to begin with screaming "bloat!" ...

The other approach -- installing ports in a location where base
components reside -- will always be troublesome. A "make installworld"
will clobber the installed port. While "make install" of a port with a
destination in /usr/bin will clobber base components.

In my book editing config files is the most natural way of
administering a UNIX box and changing behaviour. :) Not compiling
certain base components by means of NO* in make.conf seems to be just a
bonus and time saving option.

BTW: Those who are familiar with and like replacing base components
with executables from the ports collection are still free to replace
the wrappers. :>

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76

Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
From owner-freebsd-security Thu Nov 29 21:51:14 2001
Date: Thu, 29 Nov 2001 21:56:32 -0700
From: Brett Glass
To: Kris Kennaway
Cc: "f.johan.beisser", Mauro Dias, security@FreeBSD.ORG
Subject: Re: Lack of evidence for new SSH vulnerability
Message-Id: <4.3.2.7.2.20011129214449.052ded50@localhost>
In-Reply-To: <20011129184521.B66815@xor.obsecurity.org>

At 07:45 PM 11/29/2001, Kris Kennaway wrote:

>Your email described how you upgraded to the latest version of OpenSSH
>because you weren't sure whether the version currently in FreeBSD was
>affected by the vulnerability described in the CERT and Dittrich
>reports. That indicates you had no clue what was going on since both
>documents quite clearly refer to versions of OpenSSH which were
>included in FreeBSD a year ago, the CERT advisory explicitly
>states when the problem was fixed (a year ago), and links to the
>FreeBSD advisory which also says clearly that we fixed it a year ago.

I knew exactly what was going on, Kris, and think I acted
appropriately. The fact that FreeBSD 4.4 (which incorporates 2.3.0)
was explicitly mentioned in Dittrich's paper, and that the exploit was
being talked about again after a year's time, raised concerns that
perhaps an exploit for newer versions had been found. Perhaps my
upgrades to 3.0.1p1 were unnecessary except on my older machines, but
I'm glad I did them anyway. I might have clobbered other bugs or
security holes in the process -- and if there ARE new exploits, I'll
have less chance of being hit. Can't be too careful these days; the
disclosure-to-automated-exploit window is getting VERY short.

--Brett

From owner-freebsd-security Thu Nov 29 23:31:02 2001
Date: Fri, 30 Nov 2001 01:30:57 -0600 (CST)
From: bsd-sec@boneyard.lawrence.ks.us
To: freebsd-security@freebsd.org
Subject: Re: sshd exploit
In-Reply-To: <20011129012235.U6446-100000@achilles.silby.com>

On Thu, 29 Nov 2001, Mike Silbersack wrote:

>
> The CRC bug was fixed in 2.3.0, which was merged into -stable before the
> release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's
> to a bug which has not yet been announced.
>
> If there _is_ a new bug, and it follows the description in the url posted
> earlier in the thread, it's probably also SSHv1 related, and can be
[...]

Perhaps so. However, at the university department where I work, RH
Linux lab machines running both 2.5.x and 2.9.x versions of OpenSSH
were indeed compromised while running ssh version 1. The only other
services with externally available ports were portmap and syslogd.

As a precautionary measure, SSHv1 has been disabled. Fortunately, for
our situation, the ssh.com folks offer free site licenses for their
Win32 client, so we are not suffering from a lack of a v2 client.

Though I appreciate the innocent-until-proven-broken angle, I believe
that my experiences, as well as those of other admins that do not have
the time/knowledge resources for catching, identifying and describing
such an attack, should not be discounted as paranoid delusions. As the
SSH suite of protocols are the main-stay of many systems that are
forced to exist in an "open" (flat/broadcast) environment, it is
worthwhile to err on the side of caution and encourage others in the
same situation to do the same.

Our FreeBSD/alpha servers were not compromised; however, I am certain
that more credit can be given to the architecture of the hardware than
to bug-free code at this point.

I have had this sort of discussion with a few other departmental *NIX
administrators on campus. I would dearly love to be able to provide
irrefutable evidence of my claim. All I can offer is that I am not so
in love with my job as to spend 3 of my 4 days of Thanksgiving break up
at the university recovering workstations unnecessarily.

$3.50

There ya go. Take it or leave it.

Regards,
Stephen

Stephen Spencer  |  "Come down off the cross.
                 |   We can use the wood..."  T. Waits

From owner-freebsd-security Fri Nov 30 0:19:34 2001
Date: Thu, 29 Nov 2001 16:55:25 -0600
From: GB Clark II
To: freebsd-security@FreeBSD.ORG
Subject: Re: OT: package management (was: Re: Updating ssh)
Message-Id: <0111291655250B.13219@prime.vsservices.com>
In-Reply-To: <20011129165852.D26664@pir.net>

On Thursday 29 November 2001 15:58, you wrote:
> Brett Glass probably said:
> > At 12:27 PM 11/29/2001, The Anarcat wrote:
> > >And there is a solution: we have a package management suite, we should
> > >use it to package the base system.
> >
> > I really do like this idea.
>
> So do a lot of people, but in every one of the (many) times this has
> come up before no one has stepped forward to put the work into
> cataloging all the files in the base systems and creating the package
> information.
>
> This has been hashed through a dozen times with no resolution and is
> no longer appropriate for -security, hmm ?
>
> P.

Hello,

This sounds like a good way for me to get re-involved with the project.
Can anyone point me towards email or something that describes the
packages we need?

Thanks,

GB
Developer alumni

--
GB Clark II              | Roaming FreeBSD Admin
gclarkii@VSServices.COM  | General Geek
            CTHULU for President - Why choose the lesser of two evils?

From owner-freebsd-security Fri Nov 30 0:33:31 2001
Date: Fri, 30 Nov 2001 02:33:26 -0600
From: Anthony Kim
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: root group membership
Message-ID: <20011130083326.GA60551@boethius.telocity.com>

On Thu, Nov 29, 2001, George.Giles@mcmail.vanderbilt.edu wrote:
> FreeBSD 4.4 release /etc/group files:
>
> # $FreeBSD: src/etc/group,v 1.19 1999/08/27 23:23:41 peter Exp $
> #
> wheel:*:0:root
> daemon:*:1:daemon
> kmem:*:2:root
> sys:*:3:root
> tty:*:4:root
> operator:*:5:root
> mail:*:6:
> bin:*:7:
> news:*:8:
> man:*:9:
> games:*:13:
> staff:*:20:root
> guest:*:31:root
>
> Are root memberships here normal, or have I been hacked?

$ grep root /etc/group

Fresh install on stable:

wheel:*:0:root,anthony
kmem:*:2:root
sys:*:3:root
tty:*:4:root
operator:*:5:root
staff:*:20:root
guest:*:31:root

root memberships look ok to me.

--
"Le motd juste."

From owner-freebsd-security Fri Nov 30 0:49:08 2001
Date: Fri, 30 Nov 2001 00:49:10 -0800
From: Greg White
To: freebsd-security@freebsd.org
Subject: Re: sshd exploit
Message-ID: <20011130004910.A9082@greg.cex.ca>
In-Reply-To: message from bsd-sec@boneyard.lawrence.ks.us on Fri, Nov 30, 2001 at 01:30:57AM -0600

On Fri Nov 11/30/01, 2001 at 01:30:57AM -0600, bsd-sec@boneyard.lawrence.ks.us wrote:
> On Thu, 29 Nov 2001, Mike Silbersack wrote:
>
> >
> > The CRC bug was fixed in 2.3.0, which was merged into -stable before the
> > release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's
> > to a bug which has not yet been announced.
> >
> > If there _is_ a new bug, and it follows the description in the url posted
> > earlier in the thread, it's probably also SSHv1 related, and can be
> [...]
>
> Perhaps so. However, at the university department where I work, RH Linux lab
> machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed
> compromised while running ssh version 1. The only other services with
> externally available ports were portmap and syslogd.

Am I the only one who sees portmap and syslogd as more likely to
exploit than ssh? I mean, come on, look at the security histories,
here...

--
Greg White

From owner-freebsd-security Fri Nov 30 0:53:24 2001
Date: Fri, 30 Nov 2001 09:53:13 +0100 (CET)
From: Konrad Heuer
To: freebsd-security@freebsd.org
Subject: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd)
Message-ID: <20011130095138.F55193-100000@gwdu60.gwdg.de>

Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind,
it seems so.
Best regards Konrad Heuer Personal Bookmarks: Gesellschaft f=FCr wissenschaftliche Datenverarbeitung mbH G=D6ttingen http://www.freebsd.org Am Fa=DFberg, D-37077 G=D6ttingen http://www.daemonnews.o= rg Deutschland (Germany) kheuer@gwdu60.gwdg.de ---------- Forwarded message ---------- Date: Thu, 29 Nov 2001 14:27:44 -0500 From: X-Force To: alert@iss.net Subject: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerabilit= y Resent-Date: Fri, 30 Nov 2001 09:45:55 +0100 (CET) Resent-From: Konrad Heuer Resent-To: Resent-Subject: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Alert November 29, 2001 WU-FTPD Heap Corruption Vulnerability Synopsis: Internet Security Systems (ISS) X-Force has learned of the public release of a proof of concept exploit for a vulnerability in Washington University's FTP daemon (WU-FTPD). This FTP daemon is packaged as a part of many Linux distributions. This vulnerability, which was originally reported in April 2001, may allow remote attackers who are able to login to the FTP service to execute arbitrary commands on a target system without any specific knowledge of that host. 
Affected Versions: Washington University wu-ftpd 2.6.1: - - Caldera OpenLinux Server 3.1, OpenLinux Workstation 3.1 - - Cobalt Qube 1.0 - - Conectiva Linux 7.0, 6.0 - - MandrakeSoft Corporate Server 1.0.1 - - MandrakeSoft Mandrake Linux 8.1, 8.0 ppc, 8.0, 7.2, 7.1, 7.0, 6.1, 6.0 - - Red Hat Linux 7.2 noarch, 7.2 ia64, 7.2 i686, 7.2 i586, 7.2 i386, 7.2 athlon, 7.2 alpha - - Red Hat Linux 7.1 noarch, 7.1 ia64, 7.1 i686, 7.1 i586, 7.1 i386, 7.1 alpha - - Red Hat Linux 7.0 sparc, 7.0 i386, 7.0 alpha - - Turbolinux TL Workstation 6.1 - - Turbolinux 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0 - - WireX Immunix OS 7.0-Beta, 7.0 Washington University wu-ftpd 2.6.0: - - Cobalt Qube 1.0 - - Conectiva Linux 5.1, 5.0, 4.2, 4.1, 4.0es, 4.0 - - Debian Linux 2.2 sparc, 2.2 powerpc, 2.2 arm, 2.2 alpha, 2.2 68k, 2.2 - - Red Hat Linux 6.2 sparc, 6.2 i386, 6.2 alpha - - Red Hat Linux 6.1 sparc, 6.1 i386, 6.1 alpha - - Red Hat Linux 6.0 sparc, 6.0 i386, 6.0 alpha - - Red Hat Linux 5.2 sparc, 5.2 i386, 5.2 alpha - - SuSE Linux 6.4ppc, 6.4alpha, 6.4 - - SuSE Linux 6.3 ppc, 6.3 alpha, 6.3 - - SuSE Linux 6.2 - - SuSE Linux 6.1 alpha, 6.1 - - Turbolinux 4.0 - - WireX Immunix OS 6.2 Washington University wu-ftpd 2.5.0: - - Caldera eDesktop 2.4, eServer 2.3.1, eServer 2.3 - - Caldera OpenLinux 2.4, OpenLinux Desktop 2.3 - - Red Hat Linux 6.0 sparc, 6.0 i386, 6.0 alpha Description: The WU-FTPD daemon allows users to transfer files to and from the system running the service, using the File Transport Protocol (FTP). Many popular Linux distributions are shipped with WU-FTPD running by default. A vulnerability exists that may allow attackers to execute arbitrary code with the privileges of the FTP daemon (most often root), resulting in a complete system compromise. The attacker must be able to successfully login to the service with any account (including anonymous) in order to perform the exploit. 
This vulnerability is caused by the failure of the "globbing" code to signal errors on specially crafted expressions, resulting in a corruption of heap memory, which may be exploited by attackers to overwrite an arbitrary location in memory. The term "globbing" refers to the action taken by the glob() function, which is implemented in glibc library. WU-FTPD implements its own version of glob(). The glob() function is responsible for interpreting user-supplied filenames and returning valid pathnames. The glob() function interprets special metacharacters such as the asterisk (*) or "wildcard" character when returning valid pathnames. Other metacharacters (including ? [ ] { } ~ ') are also incorrectly interpreted by the glob() function. The vulnerability exists as a result of improper handling of these metacharacters in the WU-FTPD glob() implementation. Recommendations: ISS X-Force recommends that all system administrators disable the FTP service if it is not explicitly required. Patches for this vulnerability are being made available. Contact your vendor for more information. X- Force further recommends that administrators disable "anonymous" access to critical FTP servers if the feature is not required. ISS X-Force will provide detection and assessment support for this vulnerability in upcoming X-Press Updates for RealSecure Network Sensor and Internet Scanner. Detection support for this attack will also be added in a future update for BlackICE products. Additional Information: This vulnerability was initially discovered by Matt Power. The issue was confirmed and investigated further by Luciano Notarfrancesco and Juan Pablo Martinez Kuhn of Core Security Technologies: http://www.corest.com The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0550 to this issue. This is a candidate for inclusion in the CVE list http://cve.mitre.org, which standardizes names for security problems. 
ISS X-Force Database, http://xforce.iss.net/static/7611.php

______

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBPAaL/TRfJiV99eG9AQHpaAQAsl86+pGc/rjlTG/VhDv28IJO+IgSORq4
55zaa4RuZ6y8KBDHkyweCsFT3Jf4J4dJwBbrIJXFP+2S4NokWxTSt3zrnQwRMzRp
u4+y2y0TfgQWwAQPXVeMaCKGZ39kmVqfhi++I3QesRYC4LVuKJYtWM8snOM75ZTk
fKCuStDNppo=
=bVGu
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 30 1: 3:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by hub.freebsd.org (Postfix) with ESMTP id D145037B405 for ; Fri, 30 Nov 2001 01:03:06 -0800 (PST) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id fAU936u74353 for ; Fri, 30 Nov 2001 01:03:06 -0800 (PST) (envelope-from jan@caustic.org) Date: Fri, 30 Nov 2001 01:03:06 -0800 (PST) From: "f.johan.beisser" X-X-Sender: To: Subject: OPIE and ssh Message-ID: <20011130010137.C16958-100000@localhost> X-Ignore: This statement isn't supposed to be read by you X-TO-THE-FBI-CIA-AND-NSA: HI! HOW YA DOIN? MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

dumb question, but.. has anyone gotten OPIE to work with ssh? i'm not sure if any work's been done on pam_opie in a while, the last i saw it was only working under linux, and porting it over to *BSD is outside of my skills.. although, i'm considering giving it a shot.. thoughts, anyone?

-------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 30 1:39:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id 8E6A537B405 for ; Fri, 30 Nov 2001 01:39:46 -0800 (PST) Received: (from emechler@localhost) by radix.cryptio.net (8.11.6/8.11.6) id fAU9dds16865; Fri, 30 Nov 2001 01:39:39 -0800 (PST) (envelope-from emechler) Date: Fri, 30 Nov 2001 01:39:39 -0800 From: Erick Mechler To: bsd-sec@boneyard.lawrence.ks.us Cc: freebsd-security@FreeBSD.ORG Subject: Re: sshd exploit Message-ID: <20011130013939.Q67199@techometer.net> References: <20011129012235.U6446-100000@achilles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from bsd-sec@boneyard.lawrence.ks.us on Fri, Nov 30, 2001 at 01:30:57AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

:: > The CRC bug was fixed in 2.3.0, which was merged into -stable before the
:: > release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's
:: > to a bug which has not yet been announced.
:: >
:: > If there _is_ a new bug, and it follows the description in the url posted
:: > earlier in the thread, it's probably also SSHv1 related, and can be
:: [...]
::
:: Perhaps so. However, at the university department where I work, RH Linux lab
:: machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed
:: compromised while running ssh version 1.

[snip]

This is, and someone correct me if I'm wrong, not what everyone else's experience has been with the crc32 attack in SSHv1.
According to all reports I've read, including the long, detailed message sent by the Security Officer to this same list entitled "Lack of evidence for new SSH vulnerability" a few hours before yours, this bug was fixed in 2.3.0. Instead of attempting to cause more panic, care to send us more info? Did the cracked boxes exhibit the same characteristics as those described in Dittrich's analysis? Can anybody else on this list either verify or deny the claims made here? Stephen, please don't think I'm picking on you, I just want to make sure that we're not all talking about the same exploit. Cheers - Erick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 2:12:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id A196B37B417 for ; Fri, 30 Nov 2001 02:12:33 -0800 (PST) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 5D96F1DA7; Fri, 30 Nov 2001 00:45:49 +0100 (CET) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id fAUABcQ06897; Fri, 30 Nov 2001 11:11:38 +0100 Date: Fri, 30 Nov 2001 11:11:38 +0100 From: Krzysztof Zaraska To: "Konrad Heuer" Cc: freebsd-security@freebsd.org Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd) Message-Id: <20011130111138.7a26b526.kzaraska@student.uci.agh.edu.pl> In-Reply-To: <20011130095138.F55193-100000@gwdu60.gwdg.de> References: <20011130095138.F55193-100000@gwdu60.gwdg.de> Organization: University Of Mining And Metallurgy X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 30 Nov 2001 09:53:13 +0100 (CET) Konrad Heuer wrote:
> Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> seems so.

The advisory by Dave Ahmad/Securityfocus.com (see BUGTRAQ archives) says that you can check if you are vulnerable by logging into the FTP server and doing

    ftp> ls ~{

If this segfaults, you are vulnerable. I don't have any machine running wu-ftpd at hand, unfortunately. The diffs from the Red Hat patch were already published on this list.

Regards,
Krzysztof

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 30 5: 4:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from sr1.terra.com.br (sr1.terra.com.br [200.176.3.16]) by hub.freebsd.org (Postfix) with ESMTP id 5946237B426 for ; Fri, 30 Nov 2001 05:04:03 -0800 (PST) Received: from srv9-sao.terra.com.br (srv9-sao.terra.com.br [200.176.3.37]) by sr1.terra.com.br (Postfix) with ESMTP id 2543F2B813 for ; Fri, 30 Nov 2001 11:04:03 -0200 (GMT+2) Received: from ia.com.br (200-158-62-124.dsl.telesp.net.br [200.158.62.124]) by srv9-sao.terra.com.br (Postfix) with ESMTP id CF92EC87A7 for ; Fri, 30 Nov 2001 11:04:01 -0200 (GMT+2) Message-ID: <267269-220011153013153480@ia.com.br> X-EM-Version: 6, 0, 1, 0 X-EM-Registration: #00F06206106618006920 X-Priority: 3 From: "Fernanda" To: "security@freebsd.org" Subject: Sites feitos para gerar negócios Date: Fri, 30 Nov 2001 11:15:03 -0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_84815C5ABAF209EF376268C8" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

------=_NextPart_84815C5ABAF209EF376268C8
Content-type: text/plain; charset="US-ASCII"

Wednesday, 28 November 2001 - Newsletter 87/2001

Websites for Human Resources companies

Since the beginning of commercial applications of the worldwide Internet, the Human Resources segment has been established as one of the success stories of the Web. There are thousands of sites spread around the world whose content is devoted to Human Resources, professional development, résumé databases, job openings and career-related information. In Brazil, companies such as Catho, Manager, Curriex, Grupo Prime, Curriculum.com, Empregos.com and Bumeran, among others, are already part of the online HR market.

And your company? Does it already have a quality website that produces results for your business? Interart specializes in developing professional websites, with a primary focus on serving human resources companies. We have special prices and payment terms until 07/12/2001! Call us right now and schedule a meeting at your company! Telefax: (11) 3868-3892, or use the contact form on our site at: http://www.ia.com.br/contato.htm

See some HR sites developed by Interart:
- Curriex - www.curriex.com.br
- Grupo Prime - www.grupoprime.com.br
- Servsul - www.servsul.com.br
- Marca RH - www.marcarh.com.br
- Servcompany - www.servcompany.com.br

Lycos changes its look in pursuit of advertisers
Terra Lycos unveiled the new look of the Lycos portal this Monday...

Number of AOLA users rises to 1.15 million
The Latin American arm of the provider America Online does not have...

Paying credit card bills on the web grows
The services that let consumers view and pay their bills...

Telefônica partners with Creci to create a new real-estate portal
Telefônica and the Regional Council of Real Estate Brokers of the State of São Paulo (Creci-SP)...

Interart launches an exclusive product for promoting websites
Openclick is a product exclusive to the Brazilian Internet that...

Interart Newsletter.
To cancel your subscription, enter your e-mail address in the field below.
------=_NextPart_84815C5ABAF209EF376268C8--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 30 5: 5:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from sr3.terra.com.br (sr3.terra.com.br [200.176.3.18]) by hub.freebsd.org (Postfix) with ESMTP id 0D59D37B41D for ; Fri, 30 Nov 2001 05:04:55 -0800 (PST) Received: from srv9-sao.terra.com.br (srv9-sao.terra.com.br [200.176.3.37]) by sr3.terra.com.br (Postfix) with ESMTP id 459F215AECA for ; Fri, 30 Nov 2001 11:04:54 -0200 (GMT+2) Received: from ia.com.br (200-158-62-124.dsl.telesp.net.br [200.158.62.124]) by srv9-sao.terra.com.br (Postfix) with ESMTP id 6E8D3C87EF for ; Fri, 30 Nov 2001 11:04:52 -0200 (GMT+2) Message-ID: <1248571-2200111530131554400@ia.com.br> X-EM-Version: 6, 0, 1, 0 X-EM-Registration: #00F06206106618006920 X-Priority: 3 From: "Fernanda" To: "freebsd-security@freebsd.org" Subject: Sites feitos para gerar negócios Date: Fri, 30 Nov 2001 11:15:54 -0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_84815C5ABAF209EF376268C8" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

------=_NextPart_84815C5ABAF209EF376268C8
Content-type: text/plain; charset="US-ASCII"
------=_NextPart_84815C5ABAF209EF376268C8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 5:18:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 29F1437B41A for ; Fri, 30 Nov 2001 05:18:44 -0800 (PST) Received: (from root@localhost) by portal.eltex.ru (8.11.6/8.11.3) id fAUDIST13786; Fri, 30 Nov 2001 16:18:28 +0300 (MSK) (envelope-from ark@eltex.ru) Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by portal.eltex.ru (8.11.6/8.11.3av) with SMTP id fAUDIDa12215; Fri, 30 Nov 2001 16:18:14 +0300 (MSK) (envelope-from ark@eltex.ru) From: ark@eltex.ru Received: by yaksha.eltex.ru (ssmtp TIS-0.6alpha, 19 Jan 2000); Fri, 30 Nov 2001 16:07:31 +0300 Received: from undisclosed-intranet-sender id smtpdk28905; Fri Nov 30 16:07:14 2001 Date: Fri, 30 Nov 2001 16:10:45 +0300 Message-Id: <200111301310.QAA13314@paranoid.eltex.ru> In-Reply-To: <4.3.2.7.2.20011129214449.052ded50@localhost> from "Brett Glass " Organization: "Klingon Imperial Intelligence Service" Subject: Re: Lack of evidence for new SSH vulnerability To: brett@lariat.org Cc: security@FreeBSD.ORG X-Virus-Scanned: by Eltex TC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- nuqneH, Speaking on risks associated with sshd these days, my current opinion is considering sshd as one of probable weak points. I recommend everyone not to accept ssh connections from untrusted/unknown hosts at least. _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! 
-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQCVAwUBPAeFUqH/mIJW9LeBAQEMhQP9HB1uVR6b2QwOe+OCRwa++E5ANqRCp9RH 4/puMK360SRZoVgN+OdvWs7O0Z/zh8CVFXOmVSbsmkKFVa0YczwaXMwy8zzB2XEr B/O9f8CsT/lGCK5uPYFGDrW0G9F53pksVRXyaFZoyIHCnNS+pOrP5b1PGpI4+/dZ qNHPVQhgQu4= =p8B6 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 5:59:20 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 608) id 3A59F37B41B; Fri, 30 Nov 2001 05:59:11 -0800 (PST) From: "Jonathan M. Bresler" To: freebsd-security@freebsd.org Cc: owner-freebsd-security@FreeBSD.ORG, postmaster@FreeBSD.ORG In-reply-to: <20011129170118.E26664@pir.net> (message from Peter Radcliffe on Thu, 29 Nov 2001 17:01:18 -0500) Subject: Re: [MAILER-DAEMON@mx-s0.dreamwiz.com: Returned mail: see transcript for details] References: <20011129170118.E26664@pir.net> Message-Id: <20011130135911.3A59F37B41B@hub.freebsd.org> Date: Fri, 30 Nov 2001 05:59:11 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i have removed the problem address from the mailing lists. please let me know if you get any other bounces. 
jmb

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 30 6:57:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtpzilla5.xs4all.nl (smtpzilla5.xs4all.nl [194.109.127.141]) by hub.freebsd.org (Postfix) with ESMTP id AF4AB37B417 for ; Fri, 30 Nov 2001 06:57:28 -0800 (PST) Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtpzilla5.xs4all.nl (8.12.0/8.12.0) with ESMTP id fAUEvS20061303 for ; Fri, 30 Nov 2001 15:57:28 +0100 (CET) Received: (from root@localhost) by list1.xs4all.nl (8.9.3/8.9.3) id PAA21959; Fri, 30 Nov 2001 15:57:27 +0100 (CET) From: "Oskar van Eeden" To: freebsd-security@freebsd.org X-Via: imploder /usr/local/lib/mail/news2mail/news2mail at list1.xs4all.nl Subject: Mounting an ext2fs on FreeBSD 4.3-STABLE Date: Fri, 30 Nov 2001 15:55:51 +0100 Organization: XS4ALL Internet BV Message-ID: <9u86ok$75j$1@news1.xs4all.nl> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi there,

I'd like to mount an ext2fs on my FreeBSD system. I recompiled my kernel with option EXT2FS and everything seems fine. When I try to mount with `mount -t ext2fs /ad1s2 /opt` I get the following message in /var/log/messages:

    Nov 30 00:07:44 vaneeden /kernel: ext2fs: #ad/0x3000a: wrong magic number 0 (expected 0xef53)

This seems strange to me, so I tried to run e2fsck to fix this problem. The following was prompted:

----------------------------------------------------------------------------
root@vaneeden:/% e2fsck /dev/ad1s2
e2fsck 1.22, 22-Jun-2001 for EXT2 FS 0.5b, 95/08/09
Couldn't find ext2 superblock, trying backup blocks...
e2fsck: Bad magic number in super-block while trying to open /dev/ad1s2

The superblock could not be read or does not describe a correct ext2
filesystem. If the device is valid and it really contains an ext2
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
    e2fsck -b 8193 <device>
----------------------------------------------------------------------------

So I ran `e2fsck -b 8193 /dev/ad1s2`, but I was getting the same message. I've read every man/doc that has something to do with ext2fs etc. _and_ I searched the whole internet for people having this very same problem, but there were practically none. Can someone please help me out (and for you Dutch guys, just talk Dutch...). Mail me at oskar@vaneeden.nu. Thanks in advance.

(by the way: ad1: 25965MB [56272/15/63] at ata0-slave UDMA33)

Regards,

Oskar van Eeden

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 30 7: 4:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtpzilla2.xs4all.nl (smtpzilla2.xs4all.nl [194.109.127.138]) by hub.freebsd.org (Postfix) with ESMTP id EBE7037B405 for ; Fri, 30 Nov 2001 07:04:18 -0800 (PST) Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtpzilla2.xs4all.nl (8.12.0/8.12.0) with ESMTP id fAUF4HCP052725 for ; Fri, 30 Nov 2001 16:04:17 +0100 (CET) Received: (from root@localhost) by list1.xs4all.nl (8.9.3/8.9.3) id QAA26013; Fri, 30 Nov 2001 16:04:16 +0100 (CET) From: "Oskar van Eeden" To: freebsd-security@freebsd.org X-Via: imploder /usr/local/lib/mail/news2mail/news2mail at list1.xs4all.nl Subject: Re: Mounting an ext2fs on FreeBSD 4.3-STABLE Date: Fri, 30 Nov 2001 16:02:37 +0100 Organization: XS4ALL Internet BV Message-ID: <9u875c$9f6$1@news1.xs4all.nl> In-Reply-To: <9u86ok$75j$1@news1.xs4all.nl> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Oopz, sorry
wrong list!

"Oskar van Eeden" wrote in message news:list.freebsd.security#9u86ok$75j$1@news1.xs4all.nl...
> Hi there,
>
> I'd like to mount an ext2fs on my FreeBSD system. I recompiled my kernel
> with option EXT2FS and everything seems fine. When I try to mount with
> `mount -t ext2fs /ad1s2 /opt` I get the following message in
> /var/log/messages:
>
> Nov 30 00:07:44 vaneeden /kernel: ext2fs: #ad/0x3000a: wrong magic number 0
> (expected 0xef53)
>
> This seems strange to me, so I tried to run e2fsck to fix this problem. The
> following was prompted:
> ----------------------------------------------------------------------------
> root@vaneeden:/% e2fsck /dev/ad1s2
> e2fsck 1.22, 22-Jun-2001 for EXT2 FS 0.5b, 95/08/09
> Couldn't find ext2 superblock, trying backup blocks...
> e2fsck: Bad magic number in super-block while trying to open /dev/ad1s2
>
> The superblock could not be read or does not describe a correct ext2
> filesystem. If the device is valid and it really contains an ext2
> filesystem (and not swap or ufs or something else), then the superblock
> is corrupt, and you might try running e2fsck with an alternate superblock:
>     e2fsck -b 8193 <device>
> ----------------------------------------------------------------------------
>
> So I ran `e2fsck -b 8193 /dev/ad1s2`, but I was getting the same message.
> I've read every man/doc that has something to do with ext2fs etc. _and_ I
> searched the whole internet for people having this very same problem, but
> there were practically none. Can someone please help me out (and for you Dutch
> guys, just talk Dutch...). Mail me at oskar@vaneeden.nu. Thanks in
> advance.
>
> (by the way: ad1: 25965MB [56272/15/63] at ata0-slave
> UDMA33)
>
> Regards,
>
> Oskar van Eeden
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 30 7:16:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by hub.freebsd.org (Postfix) with ESMTP id 9F17237B41B for ; Fri, 30 Nov 2001 07:16:16 -0800 (PST) Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1]) by dc.cis.okstate.edu (8.11.3/8.11.3) with ESMTP id fAUFGBY66566 for ; Fri, 30 Nov 2001 09:16:14 -0600 (CST) (envelope-from martin@dc.cis.okstate.edu) Message-Id: <200111301516.fAUFGBY66566@dc.cis.okstate.edu> To: freebsd-security@FreeBSD.ORG Subject: Stock ftpd Date: Fri, 30 Nov 2001 09:16:11 -0600 From: "Martin G. McCormick" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I am asking this question just to be safe. Is the ftp daemon which is part of the normal FreeBSD distribution based on wuftpd? In other words, my ftp server identifies as

    220 hostname FTP server (Version 6.00LS) ready.

Do I need to replace it?
Martin McCormick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 7:29:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.san.ru (ns.san.ru [213.242.32.17]) by hub.freebsd.org (Postfix) with ESMTP id B25DD37B419 for ; Fri, 30 Nov 2001 07:29:17 -0800 (PST) Received: (from vlad@localhost) by ns.san.ru (8.11.6/8.11.6) id fAUFTFp73152 for freebsd-security@freebsd.org; Fri, 30 Nov 2001 18:29:15 +0300 (MSK) (envelope-from vlad) Date: Fri, 30 Nov 2001 18:29:15 +0300 From: Vlad Martynov To: freebsd-security@freebsd.org Subject: Re: Stock ftpd Message-ID: <20011130182915.A73088@ns.san.ru> References: <200111301516.fAUFGBY66566@dc.cis.okstate.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200111301516.fAUFGBY66566@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Fri, Nov 30, 2001 at 09:16:11AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! On Fri, Nov 30, 2001 at 09:16:11AM -0600, Martin G. McCormick wrote: > I am asking this question just to be safe. Is the ftp > daemon which is part of the normal FreeBSD distribution based on > wuftpd? In other words, my ftp server identifies as > > 220 hostname FTP server (Version 6.00LS) ready. > > Do I need to replace it? Yes. Use /usr/ports/ftp/wu-ftpd or /usr/ports/ftp/proftpd. 
> Martin McCormick SY, Vlad To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 7:46:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 4323137B416 for ; Fri, 30 Nov 2001 07:46:13 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1501) id 7788013653; Fri, 30 Nov 2001 10:46:12 -0500 (EST) Date: Fri, 30 Nov 2001 10:46:12 -0500 From: Chris Faulhaber To: "Martin G. McCormick" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Stock ftpd Message-ID: <20011130104612.B58425@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , "Martin G. McCormick" , freebsd-security@FreeBSD.ORG References: <200111301516.fAUFGBY66566@dc.cis.okstate.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="b5gNqxB1S1yM7hjW" Content-Disposition: inline In-Reply-To: <200111301516.fAUFGBY66566@dc.cis.okstate.edu> User-Agent: Mutt/1.3.20i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --b5gNqxB1S1yM7hjW Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Nov 30, 2001 at 09:16:11AM -0600, Martin G. McCormick wrote: > I am asking this question just to be safe. Is the ftp > daemon which is part of the normal FreeBSD distribution based on > wuftpd? In other words, my ftp server identifies as No, the FreeBSD FTP server is based on the original BSD FTP server and has no real relation to wu-ftpd. >=20 > 220 hostname FTP server (Version 6.00LS) ready. >=20 > Do I need to replace it? >=20 No. If you need more functionality, you may want to review the security history of the alternatives before deciding. --=20 Chris D. 
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --b5gNqxB1S1yM7hjW Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: FreeBSD: The Power To Serve iEYEARECAAYFAjwHqcMACgkQObaG4P6BelCtHgCgn8pYFIeY5okA8dQ3xaHgXzqv 8UYAnRME620dZmzahxZu4IszjBPzQyus =nZQ2 -----END PGP SIGNATURE----- --b5gNqxB1S1yM7hjW-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 7:47:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from batty.netvision.be (batty.be.ubizen.com [212.113.70.10]) by hub.freebsd.org (Postfix) with ESMTP id 00F1937B416 for ; Fri, 30 Nov 2001 07:47:24 -0800 (PST) Received: (from uucp@localhost) by batty.netvision.be (8.8.5/8.8.2) id QAA03997 for ; Fri, 30 Nov 2001 16:47:23 +0100 Received: from UNKNOWN(10.0.0.108), claiming to be "amaya.be.ubizen.com" via SMTP by batty.netvision.be, id smtpda03986; Fri Nov 30 15:47:20 2001 Received: (qmail 17314 invoked from network); 30 Nov 2001 15:47:20 -0000 Received: from unknown (HELO ubi.be.ubizen.com) (10.0.0.10) by amaya.be.ubizen.com with SMTP; 30 Nov 2001 15:47:19 -0000 Received: from ubizen.com ([10.0.50.65]) by ubi.be.ubizen.com (Netscape Messaging Server 4.1) with ESMTP id GNMEIV00.T2X; Fri, 30 Nov 2001 16:47:19 +0100 Message-ID: <3C07AA28.90CBDCF@ubizen.com> Date: Fri, 30 Nov 2001 16:47:52 +0100 From: Niels Heinen X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: Vlad Martynov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Stock ftpd References: <200111301516.fAUFGBY66566@dc.cis.okstate.edu> <20011130182915.A73088@ns.san.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Sanitizer: Out Sender: owner-freebsd-security@FreeBSD.ORG Precedence: 
bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Vlad Martynov wrote: > > Hi! > > On Fri, Nov 30, 2001 at 09:16:11AM -0600, Martin G. McCormick wrote: > > I am asking this question just to be safe. Is the ftp > > daemon which is part of the normal FreeBSD distribution based on > > wuftpd? In other words, my ftp server identifies as > > > > 220 hostname FTP server (Version 6.00LS) ready. > > > > Do I need to replace it? > Yes. Use /usr/ports/ftp/wu-ftpd or /usr/ports/ftp/proftpd. > > > Martin McCormick > SY, Vlad > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Has the wu-ftpd port already been fixed from the new globbing bug ? Otherwise proftp might be a better choice ;-) Kind regards, Niels Heinen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 8: 8:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id B192837B405 for ; Fri, 30 Nov 2001 08:08:28 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA11173; Fri, 30 Nov 2001 08:08:15 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11168; Fri Nov 30 08:07:56 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id fAUG7oY61778; Fri, 30 Nov 2001 08:07:50 -0800 (PST) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdy61769; Fri Nov 30 08:07:43 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id fAUG7hX94656; Fri, 30 Nov 2001 08:07:43 -0800 (PST) Message-Id: <200111301607.fAUG7hX94656@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via 
SMTP by localhost.cwsent.com, id smtpdW94640; Fri Nov 30 08:06:50 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Vlad Martynov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Stock ftpd In-reply-to: Your message of "Fri, 30 Nov 2001 18:29:15 +0300." <20011130182915.A73088@ns.san.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 30 Nov 2001 08:06:50 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <20011130182915.A73088@ns.san.ru>, Vlad Martynov writes: > Hi! > > On Fri, Nov 30, 2001 at 09:16:11AM -0600, Martin G. McCormick wrote: > > I am asking this question just to be safe. Is the ftp > > daemon which is part of the normal FreeBSD distribution based on > > wuftpd? In other words, my ftp server identifies as > > > > 220 hostname FTP server (Version 6.00LS) ready. > > > > Do I need to replace it? > Yes. Use /usr/ports/ftp/wu-ftpd or /usr/ports/ftp/proftpd. Both of these ftp daemons have had security advisories published about them. Wu-ftpd usually has an advisory published about it about once every four months. If you're concerned about security, wu-ftpd is especially the one not to use. I can't even recall when an advisory was last published about the BSD ftpd. Was there even one? 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 8:14: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 69AB837B41F for ; Fri, 30 Nov 2001 08:14:03 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id JAA22893; Fri, 30 Nov 2001 09:13:46 -0700 (MST) Message-Id: <4.3.2.7.2.20011130084920.042827e0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 30 Nov 2001 09:01:25 -0700 To: , freebsd-security@FreeBSD.ORG From: Brett Glass Subject: Re: sshd exploit In-Reply-To: References: <20011129012235.U6446-100000@achilles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:30 AM 11/30/2001, bsd-sec@boneyard.lawrence.ks.us wrote: >Perhaps so. However, at the univeristy department where I work, RH Linux lab >machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed >compromised while running ssh version 1. The only other services with >externally available ports were portmap and syslogd. Interesting. Any way we can do a postmortem analysis to determine whether sshd was the weak link? While I wouldn't suggest that people panic, I am concerned about intrusions even though all of my FreeBSD boxen are now running 3.0.1p1. We have several people with SSHv1 clients who send and receive e-mail from the road via port forwarding. 
We need to keep a secure (at least as much as the protocol allows) SSHv1 server running. So, we're doing VERBOSE logging and watching for suspicious activity. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 8:23:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 6EC3537B419 for ; Fri, 30 Nov 2001 08:23:20 -0800 (PST) Received: from boredom (dickie.ST.HMC.Edu [134.173.59.94]) by odin.ac.hmc.edu (8.11.0/8.11.0) with SMTP id fAUGNK807834 for ; Fri, 30 Nov 2001 08:23:20 -0800 Message-ID: <000a01c179bb$2ac73c70$5e3bad86@boredom> From: "Jeff Jirsa" Cc: References: <200111301607.fAUG7hX94656@cwsys.cwsent.com> Subject: Re: Stock ftpd Date: Fri, 30 Nov 2001 08:22:12 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I can't even recall when an advisory was last published about the BSD > ftpd. Was there even one? > ftpd + glob, april 2001 ? 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob .v1.1.asc - Jeff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 8:27:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by hub.freebsd.org (Postfix) with ESMTP id BEC5137B41C for ; Fri, 30 Nov 2001 08:27:12 -0800 (PST) Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1]) by dc.cis.okstate.edu (8.11.3/8.11.3) with ESMTP id fAUGRCY72742 for ; Fri, 30 Nov 2001 10:27:12 -0600 (CST) (envelope-from martin@dc.cis.okstate.edu) Message-Id: <200111301627.fAUGRCY72742@dc.cis.okstate.edu> To: freebsd-security@FreeBSD.ORG Subject: Re: Stock ftpd Date: Fri, 30 Nov 2001 10:27:12 -0600 From: "Martin G. McCormick" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thanks to all of you. I guess I can relax a bit, anyway. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 8:29:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from clink.schulte.org (clink.schulte.org [209.134.156.193]) by hub.freebsd.org (Postfix) with ESMTP id 11E1237B416 for ; Fri, 30 Nov 2001 08:29:29 -0800 (PST) Received: from schulte-laptop.schulte.org (nb-65.netbriefings.com [209.134.134.65]) by clink.schulte.org (Postfix) with ESMTP id 9B1552440B; Fri, 30 Nov 2001 10:29:27 -0600 (CST) Message-Id: <5.1.0.14.0.20011130102546.03aafc08@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 30 Nov 2001 10:29:18 -0600 To: Cy Schubert - ITSD Open Systems Group , Vlad Martynov From: Christopher Schulte Subject: Re: Stock ftpd Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <200111301607.fAUG7hX94656@cwsys.cwsent.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 08:06 AM 11/30/2001 -0800, Cy Schubert - ITSD Open Systems Group wrote: >I can't even recall when an advisory was last published about the BSD >ftpd. Was there even one? Even FreeBSD ftpd is not immune: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob.v1.1.asc Let's not start the usual, "USE MY FAVORITE FTPD, xxxxx" response. Just like any any other public service, you should know the history of the code you're using, as well as the multiple alternatives available should a problem arise or you wish to take possible proactive action. Be aware, have an IDS, and make backups. 
:-) >Regards, Phone: (250)387-8437 >Cy Schubert Fax: (250)387-5766 >Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca >Open Systems Group, ITSD >Ministry of Management Services >Province of BC --c To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 9: 4: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from straylight.ringlet.net (o1gw.nanolink.com [217.75.134.6]) by hub.freebsd.org (Postfix) with SMTP id 8852437B417 for ; Fri, 30 Nov 2001 09:04:00 -0800 (PST) Received: (qmail 41839 invoked by uid 1000); 30 Nov 2001 15:45:08 -0000 Date: Fri, 30 Nov 2001 17:45:08 +0200 From: Peter Pentchev To: Niels Heinen Cc: Vlad Martynov , freebsd-security@FreeBSD.ORG Subject: Re: Stock ftpd Message-ID: <20011130174508.A2056@straylight.oblivion.bg> Mail-Followup-To: Niels Heinen , Vlad Martynov , freebsd-security@FreeBSD.ORG References: <200111301516.fAUFGBY66566@dc.cis.okstate.edu> <20011130182915.A73088@ns.san.ru> <3C07AA28.90CBDCF@ubizen.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3C07AA28.90CBDCF@ubizen.com>; from niels.heinen@ubizen.com on Fri, Nov 30, 2001 at 04:47:52PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Nov 30, 2001 at 04:47:52PM +0100, Niels Heinen wrote: > Vlad Martynov wrote: > > > > Hi! > > > > On Fri, Nov 30, 2001 at 09:16:11AM -0600, Martin G. McCormick wrote: > > > I am asking this question just to be safe. Is the ftp > > > daemon which is part of the normal FreeBSD distribution based on > > > wuftpd? In other words, my ftp server identifies as > > > > > > 220 hostname FTP server (Version 6.00LS) ready. > > > > > > Do I need to replace it? > > Yes. Use /usr/ports/ftp/wu-ftpd or /usr/ports/ftp/proftpd. 
As somebody else also pointed out, NO, the FTP server in the base system is NOT in any way based on wu-ftpd. You are perfectly safe using the base system ftpd. > > > Martin McCormick > > SY, Vlad > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > Has the wu-ftpd port already been fixed from the new globbing bug ? > Otherwise proftp might be a better choice ;-) The wu-ftpd port was fixed at Wed Nov 28 10:52:26 2001 UTC, about two days ago. Later, at Fri Nov 30 06:24:54 2001 UTC (about 9 hours ago), Andrey Chernov incorporated the vendor patch from the wu-ftpd authors. Both of these pieces of information were obtained by looking at http://cvsweb.FreeBSD.org/ :) G'luck, Peter -- You have, of course, just begun reading the sentence that you have just finished reading. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 10: 1:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id 1688A37B416 for ; Fri, 30 Nov 2001 10:01:10 -0800 (PST) Received: from horsey.gshapiro.net (gshapiro@localhost [IPv6:::1]) by horsey.gshapiro.net (8.12.2.Beta1/8.12.2.Beta1) with ESMTP id fAUI18ni095710 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Fri, 30 Nov 2001 10:01:08 -0800 (PST) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.2.Beta1/8.12.2.Beta1/Submit) id fAUI18D3095707; Fri, 30 Nov 2001 10:01:08 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15367.51556.94034.892901@horsey.gshapiro.net> Date: Fri, 30 Nov 2001 10:01:08 -0800 From: Gregory Neil Shapiro To: "f.johan.beisser" Cc: Subject: Re: OPIE and ssh In-Reply-To: <20011130010137.C16958-100000@localhost> References: 
<20011130010137.C16958-100000@localhost> X-Mailer: VM 6.96 under 21.5 (beta3) "asparagus" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org jan> has anyone gotten OPIE to work with ssh? Yep, use it every day. All I did was: cd /etc rm skeykeys ln -s opiekeys skeykeys keyinit gshapiro I also build S/Key with MD5 with this in my /etc/make.conf: # Make MD5 version of libskey .if ${.CURDIR} == "/usr/src/lib/libskey" CFLAGS+= -DMD5 .endif My ~/.ssh/config contains (among other things): # Defaults Host * StrictHostKeyChecking yes To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 12:19:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-66-67-16-161.stny.rr.com [66.67.16.161]) by hub.freebsd.org (Postfix) with ESMTP id 74FC337B43A for ; Fri, 30 Nov 2001 12:19:44 -0800 (PST) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.6/8.11.4) with ESMTP id fAUKJOO40725; Fri, 30 Nov 2001 15:19:25 -0500 (EST) (envelope-from piechota@argolis.org) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Fri, 30 Nov 2001 15:19:24 -0500 (EST) From: Matt Piechota To: Brett Glass Cc: The Anarcat , Jay Keller , Subject: Re: OT: package management (was: Re: Updating ssh) In-Reply-To: <4.3.2.7.2.20011129145159.00afd050@localhost> Message-ID: <20011130151834.Q40720-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 29 Nov 2001, Brett Glass wrote: > >And there is a solution: we have a package management suite, we should > >use 
it to package the base system. > > I really do like this idea. I don't know if we'd want to do the entire system this way, but the more optional stuff would be nice (named, sendmail, etc). -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 12:39: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts7-srv.bellnexxia.net (tomts7.bellnexxia.net [209.226.175.40]) by hub.freebsd.org (Postfix) with ESMTP id 38A7737B417; Fri, 30 Nov 2001 12:39:01 -0800 (PST) Received: from khan.anarcat.dyndns.org ([65.94.190.39]) by tomts7-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011130203900.ZFIJ9080.tomts7-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Fri, 30 Nov 2001 15:39:00 -0500 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id 89B531AAA; Fri, 30 Nov 2001 15:42:33 -0500 (EST) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id 9B29720ADB; Fri, 30 Nov 2001 15:40:23 -0500 (EST) Date: Fri, 30 Nov 2001 15:40:23 -0500 From: The Anarcat To: freebsd-binup@freebsd.org Cc: Brett Glass , Matt Piechota , Jay Keller Subject: Re: OT: package management (was: Re: Updating ssh) Message-ID: <20011130204022.GA581@shall.anarcat.dyndns.org> Reply-To: freebsd-binup@freebsd.org References: <4.3.2.7.2.20011129145159.00afd050@localhost> <20011130151834.Q40720-100000@cithaeron.argolis.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1yeeQ81UyVL57Vl7" Content-Disposition: inline In-Reply-To: <20011130151834.Q40720-100000@cithaeron.argolis.org> User-Agent: Mutt/1.3.23.2i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 
--1yeeQ81UyVL57Vl7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable [I should have moved this to -binup some time ago, but here we go.] On Ven nov 30, 2001 at 03:19:24pm -0500, Matt Piechota wrote: > On Thu, 29 Nov 2001, Brett Glass wrote: >=20 > > >And there is a solution: we have a package management suite, we should > > >use it to package the base system. > > > > I really do like this idea. >=20 > I don't know if we'd want to do the entire system this way, but the more > optional stuff would be nice (named, sendmail, etc). On the contrary, I think the whole system should be this way. A few advantages: 1- transparancy: we have a single install procedure for 3rd party and base apps 2- consistency: we can check the consistency of the system using the package's checksums 3- ease of upgrade: binary upgrade become a trivial matter 4- external distribution: seperate binary packages allow us to distribute stuff such as ftpd as seperate distinct packages Any disavantages? a. 
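The "consistency" point in the list above, as an added example that is not code from the thread or from FreeBSD's own pkg tools: a POSIX sh manifest generator and verifier. It assumes a manifest format of one "<sha256> ./relative/path" line per file (the package format of the day recorded checksums differently) and a sha256sum or sha256 binary on the host; the package tree it checks is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's pkg tools: verify
# an installed file tree against a manifest of per-file checksums, the
# "consistency" check a package database makes possible. Assumed manifest
# format: one "<sha256> ./relative/path" line per regular file.

# hash_file PATH : print the hex SHA-256 of PATH (GNU coreutils or BSD userland)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# make_manifest DIR MANIFEST
#   Record every regular file under DIR as "<sha256> ./relative/path",
#   sorted so two manifests of the same tree compare byte for byte.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done ) > "$2"
}

# verify_manifest DIR MANIFEST
#   Print one line per discrepancy (MODIFIED, MISSING or EXTRA <path>) and
#   return 1; print nothing and return 0 when DIR matches MANIFEST exactly.
verify_manifest() {
    problems=$(
        while read -r expected path; do
            if [ ! -f "$1/$path" ]; then
                echo "MISSING $path"
            elif [ "$(hash_file "$1/$path")" != "$expected" ]; then
                echo "MODIFIED $path"
            fi
        done < "$2"
        # Files on disk that the package never shipped
        ( cd "$1" && find . -type f | sort ) | while IFS= read -r f; do
            awk -v p="$f" 'substr($0, index($0, " ") + 1) == p { found = 1 }
                           END { exit !found }' "$2" || echo "EXTRA $f"
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Demo on a constructed tree standing in for an installed package.
PKGROOT=$(mktemp -d)
MANIFEST=$(mktemp)
mkdir -p "$PKGROOT/libexec" "$PKGROOT/etc"
printf 'pretend ftpd binary\n' > "$PKGROOT/libexec/ftpd"
printf 'root\n' > "$PKGROOT/etc/ftpusers"
make_manifest "$PKGROOT" "$MANIFEST"
verify_manifest "$PKGROOT" "$MANIFEST" && echo "clean install: all files match"

# Simulate drift: one file changed, one removed, one added.
printf 'replaced ftpd binary\n' > "$PKGROOT/libexec/ftpd"
rm "$PKGROOT/etc/ftpusers"
printf 'x\n' > "$PKGROOT/etc/rc.local"
verify_manifest "$PKGROOT" "$MANIFEST" || echo "drift detected, see lines above"
rm -rf "$PKGROOT" "$MANIFEST"
```

The check is only as trustworthy as the manifest: whoever can rewrite the files can rewrite a manifest stored beside them, so keep it on read-only media, off the host, or signed, which is the same constraint the package checksums in the scheme above would carry. SHA-256 is used here instead of the MD5 sums of the era.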
--1yeeQ81UyVL57Vl7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: Pour information voir http://www.gnupg.org iEYEARECAAYFAjwH7rUACgkQttcWHAnWiGebPACfb/P6Q7u1Egcq/ApiJlVPRabH POcAoKLei8svmOEvqzGgJ8F4PEn0iebL =tfPv -----END PGP SIGNATURE----- --1yeeQ81UyVL57Vl7-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 15:52:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by hub.freebsd.org (Postfix) with ESMTP id A43B537B405 for ; Fri, 30 Nov 2001 15:52:05 -0800 (PST) Received: by mail1.zer0.org (Postfix, from userid 1001) id 8461F239A08; Fri, 30 Nov 2001 15:52:05 -0800 (PST) Date: Fri, 30 Nov 2001 15:52:05 -0800 From: Gregory Sutter To: Konrad Heuer Cc: freebsd-security@freebsd.org Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd) Message-ID: <20011130155205.E96703@klapaucius.zer0.org> References: <20011130095138.F55193-100000@gwdu60.gwdg.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="qFgkTsE6LiHkLPZw" Content-Disposition: inline In-Reply-To: <20011130095138.F55193-100000@gwdu60.gwdg.de> User-Agent: Mutt/1.3.22.1i Organization: Zer0 X-Purpose: For great justice! Mail-Copies-To: poster Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --qFgkTsE6LiHkLPZw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2001-11-30 09:53 +0100, Konrad Heuer wrote: >=20 > Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it > seems so. 
Given wu-ftpd's history, it is just a terrible idea to run it=20 anywhere on any platform.=20 But maybe that's just me. Greg --=20 Gregory S. Sutter Fnord. mailto:gsutter@zer0.org=20 http://www.zer0.org/~gsutter/=20 hkp://wwwkeys.pgp.net/0x845DFEDD --qFgkTsE6LiHkLPZw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: '' iD8DBQE8CBulIBUx1YRd/t0RAsekAKCHB8/zFNZQWV5V2qHYUoDk99yS3QCeMKDE a1zJ+sOzdvtIAMmscLIOFdQ= =wO2a -----END PGP SIGNATURE----- --qFgkTsE6LiHkLPZw-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 19:10:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from bunning.skiltech.com (bunning.skiltech.com [216.235.79.240]) by hub.freebsd.org (Postfix) with ESMTP id 6FFB537B417; Fri, 30 Nov 2001 19:10:52 -0800 (PST) Received: (from minter@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id fB13ApP36937; Fri, 30 Nov 2001 22:10:51 -0500 (EST) (envelope-from minter) Date: Fri, 30 Nov 2001 22:10:51 -0500 (EST) From: "H. Wade Minter" X-X-Sender: minter@bunning.skiltech.com To: Gregory Neil Shapiro Cc: "f.johan.beisser" , Subject: Re: OPIE and ssh In-Reply-To: <15367.51556.94034.892901@horsey.gshapiro.net> Message-ID: <20011130220948.T36907-100000@bunning.skiltech.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 30 Nov 2001, Gregory Neil Shapiro wrote: > Yep, use it every day. All I did was: > > cd /etc > rm skeykeys > ln -s opiekeys skeykeys > keyinit gshapiro > > My ~/.ssh/config contains (among other things): > > # Defaults > Host * > StrictHostKeyChecking yes Is there anything else that needs to be done? 
I've been interested in playing around with S/Key or OPIE, but when I tried those steps, I still get a normal password prompt when I SSH in: bash-2.04$ slogin kenbridge minter@kenbridge's password: Thanks, Wade -- Do your part in the fight against injustice. Free Dmitry Sklyarov! http://www.freesklyarov.org/ Fight the DMCA! http://www.anti-dmca.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 20:29:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail4.tor.primus.ca (mx-backup.primus.ca [216.254.136.135]) by hub.freebsd.org (Postfix) with ESMTP id 7D5DB37B416 for ; Fri, 30 Nov 2001 20:29:45 -0800 (PST) Received: from dialin-133-19.hamilton.primus.ca ([209.90.133.19]) by mail4.tor.primus.ca with esmtp (Exim 2.11 #1) id 16A1m3-00034Q-07; Fri, 30 Nov 2001 23:29:12 -0500 Date: Fri, 30 Nov 2001 23:29:48 -0500 (EST) From: Jason Hunt X-X-Sender: leth@lethargic.dyndns.org To: Krzysztof Zaraska Cc: Konrad Heuer , Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd) In-Reply-To: <20011130111138.7a26b526.kzaraska@student.uci.agh.edu.pl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I am running an older 4.4-STABLE which was last cvsup'd probably in late July, and a newer 4.4-STABLE from mid-November, both of which are not vulnerable. On Fri, 30 Nov 2001, Krzysztof Zaraska wrote: > On Fri, 30 Nov 2001 09:53:13 +0100 (CET) Konrad Heuer wrote: > > > Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, > it > > seems so. 
> The advisory by Dave Ahmad/Securityfocus.com (see BUGTRAQ archives) says > that you can check if you are vulnerable by logging into FTP server and > doing > ftp> ls ~{ > if this segfaults, you are vulnerable. > > I don't have any machine running wu-ftpd at hand, unfortunately. > > The diffs from Red Hat patch were already published on this list. > > Regards, > Krzysztof > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 30 22: 3:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id 4B64A37B419 for ; Fri, 30 Nov 2001 22:03:55 -0800 (PST) Received: from horsey.gshapiro.net (gshapiro@localhost [IPv6:::1]) by horsey.gshapiro.net (8.12.2.Beta1/8.12.2.Beta1) with ESMTP id fB163rni002369 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Fri, 30 Nov 2001 22:03:53 -0800 (PST) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.2.Beta1/8.12.2.Beta1/Submit) id fB163qPl002366; Fri, 30 Nov 2001 22:03:52 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15368.29384.520956.692867@horsey.gshapiro.net> Date: Fri, 30 Nov 2001 22:03:52 -0800 From: Gregory Neil Shapiro To: "H. 
Wade Minter" Cc: "f.johan.beisser" , Subject: Re: OPIE and ssh In-Reply-To: <20011130220948.T36907-100000@bunning.skiltech.com> References: <15367.51556.94034.892901@horsey.gshapiro.net> <20011130220948.T36907-100000@bunning.skiltech.com> X-Mailer: VM 6.96 under 21.5 (beta3) "asparagus" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org minter> Is there anything else that needs to be done? I've been interested in minter> playing around with S/Key or OPIE, but when I tried those steps, I still minter> get a normal password prompt when I SSH in: minter> bash-2.04$ slogin kenbridge minter> minter@kenbridge's password: No, that's all I recall doing. Just to clarify my steps: These are done on the server (where you are ssh'ing to) >> cd /etc >> rm skeykeys >> ln -s opiekeys skeykeys >> keyinit gshapiro These are done on the client (where you are ssh'ing from): >> My ~/.ssh/config contains (among other things): >> >> # Defaults >> Host * >> StrictHostKeyChecking yes Also, newer versions of the ssh client let's you specify the order of the mechanisms: PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password) The default for this option is: ``publickey, password, keyboard-interactive'' keyboard-interactive is the S/Key method. You may want to change your order to publickey,keyboard-interactive,password. 
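The client-side ordering Gregory describes, as an added example that is not his code or OpenSSH's: a POSIX sh audit of an ssh client config that reports whether keyboard-interactive (the S/Key or OPIE challenge) is tried before password for "Host *". It assumes the standard ssh_config syntax (a keyword followed by its value, with or without "=", keywords case-insensitive, settings before any Host line applying to every host) and reads only the "Host *" stanza; the sample config it checks is constructed, not anyone's real file.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an OpenSSH client config for
# the PreferredAuthentications order discussed above. Assumes the standard
# ssh_config syntax ("Keyword value" or "Keyword=value", case-insensitive
# keywords, options before any Host line applying to every host) and only
# looks at settings that apply to "Host *".

# preferred_auth_order FILE
#   Print the PreferredAuthentications value in force for "Host *";
#   print nothing when the option is not set.
preferred_auth_order() {
    awk '
        BEGIN { applies = 1 }                 # options before any Host line are global
        /^[[:space:]]*#/ || NF == 0 { next }  # comments and blank lines
        { gsub(/=/, " ") }                    # accept "Keyword=value" as well
        tolower($1) == "host" { applies = ($2 == "*"); next }
        applies && tolower($1) == "preferredauthentications" { print $2; exit }
    ' "$1"
}

# auth_rank ORDER METHOD
#   Print the 1-based position of METHOD in the comma-separated ORDER,
#   or 0 when METHOD is not listed at all.
auth_rank() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -v m="$2" '$0 == m { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# otp_before_password FILE
#   0: keyboard-interactive (the S/Key or OPIE challenge) is tried before password
#   1: password comes first, or keyboard-interactive is not listed
#   2: option unset, so the client default order quoted in the thread applies
#      (publickey, password, keyboard-interactive) and password is asked first
otp_before_password() {
    order=$(preferred_auth_order "$1")
    [ -n "$order" ] || return 2
    kbd=$(auth_rank "$order" keyboard-interactive)
    pw=$(auth_rank "$order" password)
    [ "$kbd" -gt 0 ] || return 1
    [ "$pw" -eq 0 ] || [ "$kbd" -lt "$pw" ]
}

# Constructed sample config (not anyone's real file), modelled on the stanza
# quoted above but with the default method order spelled out.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Defaults
Host *
    StrictHostKeyChecking yes
    PreferredAuthentications publickey,password,keyboard-interactive
EOF

if otp_before_password "$SAMPLE"; then
    echo "OK: one-time-password challenge is tried before password"
else
    echo "WARN: password is tried before keyboard-interactive; set"
    echo "      PreferredAuthentications publickey,keyboard-interactive,password"
fi
rm -f "$SAMPLE"
```

Run it against a real ~/.ssh/config by replacing the constructed sample; a return code of 2 means the option is absent and the default order applies, which is exactly the situation that produces the ordinary password prompt Wade saw. The check only covers the client side: the server still has to have the OPIE keys in place as in the steps above.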
From owner-freebsd-security Fri Nov 30 23:29:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from R181172.resnet.ucsb.edu (R181172.resnet.ucsb.edu [128.111.181.172]) by hub.freebsd.org (Postfix) with ESMTP id E7F6F37B405 for ; Fri, 30 Nov 2001 23:29:45 -0800 (PST) Received: from localhost (mudman@localhost) by R181172.resnet.ucsb.edu (8.11.6/8.11.6) with ESMTP id fB17XCB00772 for ; Fri, 30 Nov 2001 23:33:12 -0800 (PST) (envelope-from mudman@R181172.resnet.ucsb.edu) Date: Fri, 30 Nov 2001 23:33:12 -0800 (PST) From: Dave To: Subject: options USER_LDT Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I really have no clue what the kernel option:

options USER_LDT

means, except this rugged definition I found in LINT (paraphrase): "Allow applications running in user space to manipulate the Local Descriptor Table (LDT)"

Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that someone, somewhere, thought it would be a good idea to have this disabled by default and maybe it was meant to be added in only by people who know what they are doing.

Is there a security risk by allowing programs to access the Local Descriptor Table? (I'm not sure what the LDT is, but if it was off for a reason I wouldn't want to challenge the decisions of those more informed than myself. If it wasn't for an efficiency judgement, it could have been for a security judgement)

From owner-freebsd-security Fri Nov 30 23:33:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from d150h247.resnet.uconn.edu (d150h247.resnet.uconn.edu [137.99.150.247]) by hub.freebsd.org (Postfix) with SMTP id BC35937B416 for ; Fri, 30 Nov 2001 23:33:09 -0800 (PST) Received: (qmail 52962 invoked by uid 1001); 1 Dec 2001 07:32:10 -0000 Date: Sat, 1 Dec 2001 02:32:10 -0500 From: "Peter C. Lai" To: Dave Cc: freebsd-security@freebsd.org Subject: Re: options USER_LDT Message-ID: <20011201023210.A52949@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mudman@R181172.resnet.ucsb.edu on Fri, Nov 30, 2001 at 11:33:12PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

It's for the linux emulation module. Some linux ELF binaries require this to run.

On Fri, Nov 30, 2001 at 11:33:12PM -0800, Dave wrote:
> I really have no clue what the kernel option:
> options USER_LDT
>
> means, except this rugged definition I found in LINT (paraphrase):
> "Allow applications running in user space to manipulate the Local
> Descriptor Table (LDT)"
>
> Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that
> someone, somewhere, thought it would be a good idea to have this disabled
> by default and maybe it was meant to be added in only by people who know
> what they are doing.
>
> Is there a security risk by allowing programs to access the Local
> Descriptor Table? (I'm not sure what the LDT is, but if it was off for a
> reason I wouldn't want to challenge the decisions of those more informed
> than myself. If it wasn't for an efficiency judgement, it could have been
> for a security judgement)

-- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 203.206.3784

From owner-freebsd-security Sat Dec 1 3:26:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost.freebsd.lublin.pl (mailhost.freebsd.lublin.pl [212.182.115.12]) by hub.freebsd.org (Postfix) with ESMTP id CCB1937B405 for ; Sat, 1 Dec 2001 03:26:16 -0800 (PST) Received: (from root@localhost) by mailhost.freebsd.lublin.pl (8.11.6/8.11.4) id fB1BQ5J74325; Sat, 1 Dec 2001 12:26:05 +0100 (CET) (envelope-from venglin@freebsd.lublin.pl) Received: from there (IDENT:venglin@clitoris.czuby.net [212.182.126.2]) by mailhost.freebsd.lublin.pl (8.11.6/8.11.4av) with SMTP id fB1BPjf74314; Sat, 1 Dec 2001 12:25:55 +0100 (CET) (envelope-from venglin@freebsd.lublin.pl) Message-Id: <200112011125.fB1BPjf74314@mailhost.freebsd.lublin.pl> Content-Type: text/plain; charset="iso-8859-2" From: Przemyslaw Frasunek Organization: czuby.net To: Konrad Heuer , freebsd-security@freebsd.org Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd) Date: Sat, 1 Dec 2001 12:25:44 +0100 X-Mailer: KMail [version 1.3.1] References: <20011130095138.F55193-100000@gwdu60.gwdg.de> In-Reply-To: <20011130095138.F55193-100000@gwdu60.gwdg.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID:
List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Friday 30 November 2001 09:53, Konrad Heuer wrote:
> Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> seems so.

actually, wu-ftpd on FreeBSD is vulnerable, but phk-malloc design prevents exploiting it. typical scenario of exploitation on a linux box is:

- attacker populates heap with pointers to proctitle buf by calling 'STAT ~{ptrptrptrptr' a few times
- after that, attacker does 'STAT {~' which calls blockfree() two times in ftpglob() and malicious 'ptr' is passed to free()
- in proctitle buf there is a fake malloc chunk, pointing to syslog() GOT entry and shellcode, also located in proctitle buf
- free() when trying to deallocate fake chunk overwrites pointer to syslog() function and then segfaults
- segfault sighandler calls syslog() and shellcode is executed

as you can see, exploitation of this vulnerability isn't so simple. after spending long hours with gdb, looks like it's exploitable only on dlmalloc from glibc.
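The scenario above has a visible signature on the control channel: several 'STAT ~{...' requests from one client to groom the heap, followed by a 'STAT {~'. The following detector is an added example, not code from the thread or from wu-ftpd: it scans a command log for glob abuse of that shape and reports clients that repeat it. The log line format, the sample lines and the client addresses are constructed for the example; the set of commands checked (only STAT, the one the thread names as going through ftpglob()) is an assumption you would extend for your own server.

```python
"""Flag FTP control-channel commands whose argument abuses glob syntax.

Added example, not part of the original post: a small detector a defender
can run over a command log to spot the heap-grooming pattern described in
the thread ('STAT ~{...' repeated, then 'STAT {~').  The log format below
is constructed for this example; real servers log differently, so adapt
the LOG_LINE pattern.
"""
import re
from collections import Counter

# Commands that the thread says route their argument through ftpglob().
# Assumption for this example: only STAT is listed; extend as needed.
GLOB_COMMANDS = {"STAT"}

# Constructed log line shape: "<date> <time> <client-ip> <CMD> [<argument>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$"
)


def glob_abuse_reason(arg):
    """Return why `arg` looks like glob abuse, or None if it looks benign."""
    if "~{" in arg or "{~" in arg:
        return "tilde combined with brace expansion"
    if "{" in arg and "}" not in arg:
        return "unterminated brace expansion"
    return None


def suspicious_glob_commands(lines):
    """Parse `lines` and return (ip, cmd, arg, reason) for each suspicious one."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("cmd") not in GLOB_COMMANDS:
            continue
        arg = m.group("arg") or ""
        reason = glob_abuse_reason(arg)
        if reason:
            hits.append((m.group("ip"), m.group("cmd"), arg, reason))
    return hits


def sources_over_threshold(hits, threshold):
    """Client IPs that produced at least `threshold` suspicious commands.

    Repetition matters: the thread describes the attacker issuing the
    'STAT ~{...' request several times to populate the heap before the
    final 'STAT {~'.
    """
    counts = Counter(ip for ip, _cmd, _arg, _reason in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2001-12-01 12:00:01 198.51.100.7 USER anonymous",
    "2001-12-01 12:00:02 198.51.100.7 STAT pub/README",
    "2001-12-01 12:00:05 203.0.113.5 STAT ~{ptrptrptrptr",
    "2001-12-01 12:00:06 203.0.113.5 STAT ~{ptrptrptrptr",
    "2001-12-01 12:00:07 203.0.113.5 STAT ~{ptrptrptrptr",
    "2001-12-01 12:00:08 203.0.113.5 STAT {~",
    "2001-12-01 12:00:09 198.51.100.7 STAT pub/{a,b}.txt",
]

if __name__ == "__main__":
    hits = suspicious_glob_commands(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("grooming sources:", sources_over_threshold(hits, 3))
```

A balanced brace pattern such as pub/{a,b}.txt is ordinary glob use and is not reported; the repetition threshold is what separates a single odd request from the grooming sequence the thread describes.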
-- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Sat Dec 1 6:19: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from pineapple.theshop.net (pineapple.theshop.net [208.128.7.7]) by hub.freebsd.org (Postfix) with ESMTP id 5BCDD37B416 for ; Sat, 1 Dec 2001 06:19:03 -0800 (PST) Received: from bsdprophet.org (cherry46.theshop.net [63.67.33.111]) by pineapple.theshop.net (8.12.0/8.12.0) with ESMTP id fB1EMJw1025605; Sat, 1 Dec 2001 08:22:20 -0600 (CST) Message-ID: <3C08E711.A4B08098@bsdprophet.org> Date: Sat, 01 Dec 2001 08:20:01 -0600 From: scott X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Dave Cc: freebsd-security@FreeBSD.ORG Subject: Re: options USER_LDT References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Dave wrote:
>
> I really have no clue what the kernel option:
> options USER_LDT
>
> means, except this rugged definition I found in LINT (paraphrase):
> "Allow applications running in user space to manipulate the Local
> Descriptor Table (LDT)"
>
> Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that
> someone, somewhere, thought it would be a good idea to have this disabled
> by default and maybe it was meant to be added in only by people who know
> what they are doing.
>
> Is there a security risk by allowing programs to access the Local
> Descriptor Table? (I'm not sure what the LDT is, but if it was off for a
> reason I wouldn't want to challenge the decisions of those more informed
> than myself.
> If it wasn't for an efficiency judgement, it could have been
> for a security judgement)

Yes there is a security risk. Here read all about it:

http://www.phrack.org/show.php?p=51&a=9

-- Scott

From owner-freebsd-security Sat Dec 1 6:45: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id E020137B433 for ; Sat, 1 Dec 2001 06:44:24 -0800 (PST) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.6/8.11.6) with ESMTP id fB1Eh4Y36182 for ; Sat, 1 Dec 2001 15:43:04 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: security@freebsd.org Subject: philosophical question... From: Poul-Henning Kamp Date: Sat, 01 Dec 2001 15:43:04 +0100 Message-ID: <36180.1007217784@critter.freebsd.dk> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

It seems like phkmalloc saved us in the wuftpd case. I cannot 100% say that one couldn't subvert it, but it would be a LOT harder to arrange things just right with phkmalloc. It certainly does not seem feasible to write a sure-fire-on-any-system exploit since the order and size of malloc(3) calls will have to be controlled.

But this brought back memories of an old idea of mine:

Back in 1996 I considered adding a bit of randomness to some of the layout decisions in phkmalloc to improve benchmark quality. As the layout changes from time to time the RAM/cache will become less deterministic. According to statistics the mean will probably stay the same but the stddev will increase, so in some small way the benchmarks would be more honest I guess.

At the time I filed this away for future consideration and here it is again...

Therefore, question(s) to the list:

Would it, from a security point of view, make sense to add a bit of dithering to phkmalloc's layout in order to frustrate attacks which "know where things are in RAM" ?

The randomness used would have to be something very cheap, and cannot involve filedescriptors, so something as simple as the bits in the PID of the process or similar.

Would the use of weak entropy negate any positive effect ?

Would it inconvenience debugging that malloc(3) becomes non deterministic in its layout ?

Would the increased uncertainty on program run-time be good or bad ?

Poul-Henning

-- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Sat Dec 1 7:37:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 5C2E337B416 for ; Sat, 1 Dec 2001 07:37:09 -0800 (PST) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id MAA99892; Sat, 1 Dec 2001 12:35:56 -0300 (ART) X-Authentication-Warning: ns1.via-net-works.net.ar: fpscha set sender to fschapachnik@vianetworks.com.ar using -f Date: Sat, 1 Dec 2001 12:35:56 -0300 From: Fernando Schapachnik To: peter.lai@uconn.edu Cc: Dave , freebsd-security@FreeBSD.ORG Subject: Re: options USER_LDT Message-ID: <20011201123556.A99486@ns1.via-net-works.net.ar> References: <20011201023210.A52949@cowbert.2y.net> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <20011201023210.A52949@cowbert.2y.net>; from
sirmoo@cowbert.2y.net on Sat, Dec 01, 2001 at 02:32:10AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In an earlier message, Peter C. Lai wrote:
> It's for the linux emulation module. Some linux ELF binaries
> require this to run.

The only use of it that I know is Wine, the Windows emulator.

Regards.

Fernando P. Schapachnik VIA NET.WORKS ARGENTINA S.A. fschapachnik@vianetworks.com.ar Tel.: (54-11) 4323-3381

From owner-freebsd-security Sat Dec 1 8: 0:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id 6AC0437B41C for ; Sat, 1 Dec 2001 08:00:33 -0800 (PST) Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id QAA10432 for ; Sat, 1 Dec 2001 16:00:32 GMT Date: Sat, 1 Dec 2001 16:00:32 +0000 (GMT) From: rik@rikrose.net X-Sender: rik@pkl.net To: freebsd-security@FreeBSD.ORG Subject: Re: options USER_LDT In-Reply-To: <3C08E711.A4B08098@bsdprophet.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, 1 Dec 2001, scott wrote:
> Dave wrote:
> > I really have no clue what the kernel option:
> > options USER_LDT
> >
> > Is there a security risk by allowing programs to access the Local
> > Descriptor Table? (I'm not sure what the LDT is, but if it was off for a
>
> Yes there is a security risk.
> Here read all about it:
> http://www.phrack.org/show.php?p=51&a=9

/*
** This code is a simple example of bypassing Integrity checking
** systems in FreeBSD 2.2.
It has been tested in 2.2.1, and
** believed to work (although not tested) in 3.0.

Uhm. A little old, isn't it? Can anyone confirm that USER_LDT is still dangerous?

-- PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Sat Dec 1 8:42:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 36A5937B42B; Sat, 1 Dec 2001 08:42:28 -0800 (PST) Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id JAA09819; Sat, 1 Dec 2001 09:42:14 -0700 (MST) Date: Sat, 1 Dec 2001 09:42:14 -0700 (MST) From: Brett Glass Message-Id: <200112011642.JAA09819@lariat.org> To: phk@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: philosophical question... In-Reply-To: <36180.1007217784@critter.freebsd.dk> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Would it inconvenience debugging that malloc(3) becomes non
> deterministic in its layout ?

> Would the increased uncertainty on program run-time be
> good or bad ?

It could make reproduction of problems more difficult. So, if it goes in, I'd like a switch to turn it off.... Maybe a sysctl.

But there's a more serious philosophical issue here. Isn't shuffling the heap to avoid attacks really a form of "security via obscurity?"
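Poul-Henning asks above whether entropy as weak as a few PID bits would negate the benefit of dithering, and Brett asks whether the idea is obscurity rather than security. The model below is an added example, not phkmalloc's code and not from anyone in the thread: a toy bump allocator whose layout can be shifted by b bits of per-process entropy. It shows that with no dithering an address learned from one process is valid in every other process, while with b bits there are at most 2**b layouts, which bounds how much an attacker gains from the weak entropy. The chunk size, heap base and request sequence are constructed values.

```python
"""Toy model of the heap-layout dithering Poul-Henning proposes.

Added example, not phkmalloc's code and not from the thread: a bump
allocator whose layout can be shifted by a few bits of per-process entropy
(the thread suggests bits of the PID).  It shows two things: with no
entropy an address learned from one run is valid in every run, and with
b bits of weak entropy there are at most 2**b layouts for an attacker to
guess.
"""
import random

CHUNK = 32          # constructed: allocation granularity of the toy allocator
HEAP_BASE = 0x8000  # constructed: where the toy heap starts


def layout(sizes, entropy_bits=0, seed=0):
    """Addresses a bump allocator hands out for the request sequence `sizes`.

    entropy_bits == 0: deterministic, identical in every process.
    entropy_bits >  0: the low `entropy_bits` bits of `seed` (stand-in for
    the PID) pick a random start offset and a 0-or-1 chunk pad before each
    allocation, so the layout differs from process to process.
    """
    if entropy_bits == 0:
        rng = None
    else:
        rng = random.Random(seed & ((1 << entropy_bits) - 1))
    cur = HEAP_BASE
    if rng is not None:
        cur += rng.randrange(1 << entropy_bits) * CHUNK
    addrs = []
    for size in sizes:
        if rng is not None:
            cur += rng.randrange(2) * CHUNK  # occasional one-chunk gap
        addrs.append(cur)
        cur += -(-size // CHUNK) * CHUNK    # round the request up to whole chunks
    return addrs


def distinct_layouts(sizes, entropy_bits, processes=256):
    """How many different layouts `processes` process starts produce."""
    return len({tuple(layout(sizes, entropy_bits, pid)) for pid in range(processes)})


def hit_rate(sizes, index, entropy_bits, processes=256):
    """Fraction of processes in which an address learned once still holds.

    The 'attacker' records the address of allocation `index` in one process
    (pid 0) and reuses it against `processes` fresh processes.
    """
    learned = layout(sizes, entropy_bits, seed=0)[index]
    hits = sum(
        layout(sizes, entropy_bits, pid)[index] == learned
        for pid in range(processes)
    )
    return hits / processes


# Constructed request sequence standing in for a daemon's early allocations.
SIZES = [24, 64, 16, 128, 48]

if __name__ == "__main__":
    for bits in (0, 4, 8):
        print(f"{bits} bits: {distinct_layouts(SIZES, bits)} layouts, "
              f"hit rate {hit_rate(SIZES, 3, bits):.3f}")
```

The number of layouts is capped by the entropy, not by the allocator: masking the seed to four bits gives at most sixteen layouts however many processes start, which is the concrete form of the "weak entropy" question. Whether a guess that misses costs the attacker a crashed process is a separate parameter the model does not decide.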
--Brett Glass

From owner-freebsd-security Sat Dec 1 8:59:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 9B20C37B405; Sat, 1 Dec 2001 08:59:56 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA17706; Sat, 1 Dec 2001 08:59:16 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17703; Sat Dec 1 08:59:07 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id fB1Gx2p75407; Sat, 1 Dec 2001 08:59:02 -0800 (PST) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdY75404; Sat Dec 1 08:58:40 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id fB1Gwep07621; Sat, 1 Dec 2001 08:58:40 -0800 (PST) Message-Id: <200112011658.fB1Gwep07621@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdKa7610; Sat Dec 1 08:57:59 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Brett Glass Cc: phk@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: philosophical question... In-reply-to: Your message of "Sat, 01 Dec 2001 09:42:14 MST."
<200112011642.JAA09819@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 01 Dec 2001 08:57:59 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message <200112011642.JAA09819@lariat.org>, Brett Glass writes:
> > Would it inconvenience debugging that malloc(3) becomes non
> > deterministic in its layout ?
>
> > Would the increased uncertainty on program run-time be
> > good or bad ?
>
> It could make reproduction of problems more difficult. So, if
> it goes in, I'd like a switch to turn it off.... Maybe a
> sysctl.
>
> But there's a more serious philosophical issue here. Isn't
> shuffling the heap to avoid attacks really a form of
> "security via obscurity?"

Defence through depth. Every little bit helps. I think we should do this. I suppose we could have a malloc.conf bit to turn this feature off (on by default).

Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC

From owner-freebsd-security Sat Dec 1 9:16:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp.noos.fr (claudel.noos.net [212.198.2.83]) by hub.freebsd.org (Postfix) with ESMTP id EB39537B405 for ; Sat, 1 Dec 2001 09:16:45 -0800 (PST) Received: (qmail 34585184 invoked by uid 0); 1 Dec 2001 16:53:31 -0000 Received: from unknown (HELO noos.fr) ([195.132.176.225]) (envelope-sender ) by 212.198.2.83 (qmail-ldap-1.03) with SMTP for ; 1 Dec 2001 16:53:31 -0000 Message-ID: <3C0903C1.9010108@noos.fr> Date: Sat, 01 Dec 2001 17:22:25 +0100 From: Extended Laurent Fabre User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:0.9.4) Gecko/20011019 Netscape6/6.2
X-Accept-Language: fr-fr MIME-Version: 1.0 Cc: security@FreeBSD.ORG Subject: Re: philosophical question... References: <200112011642.JAA09819@lariat.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Seems like an OpenBSD feature :P

But from a security point of view, if an attacker can guess the random seed, i can't see the protection offered... It will just raise the number of brute force attacks... No ?

Brett Glass wrote:
>>Would it inconvenience debugging that malloc(3) becomes non
>>deterministic in its layout ?
>>
>
>>Would the increased uncertainty on program run-time be
>>good or bad ?
>>
>
> It could make reproduction of problems more difficult. So, if
> it goes in, I'd like a switch to turn it off.... Maybe a
> sysctl.
>
> But there's a more serious philosophical issue here. Isn't
> shuffling the heap to avoid attacks really a form of
> "security via obscurity?"
>
> --Brett Glass

From owner-freebsd-security Sat Dec 1 9:31:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from oxmail.ox.ac.uk (oxmail3.ox.ac.uk [129.67.1.180]) by hub.freebsd.org (Postfix) with ESMTP id E8E2237B416 for ; Sat, 1 Dec 2001 09:31:40 -0800 (PST) Received: from dhcp212.wadham.ox.ac.uk ([163.1.164.212] helo=piii600.wadham.ox.ac.uk) by oxmail.ox.ac.uk with esmtp (Exim 3.12 #1) id 16ADzH-0002rV-03 for security@FreeBSD.ORG; Sat, 01 Dec 2001 17:31:39 +0000 Reply-To: cperciva@sfu.ca Message-Id: <5.0.2.1.1.20011201171925.035156f8@popserver.sfu.ca> X-Sender: cperciva@popserver.sfu.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Sat, 01 Dec 2001 17:31:37 +0000 To: security@FreeBSD.ORG From: Colin Percival Subject: Re: philosophical question... In-Reply-To: <3C0903C1.9010108@noos.fr> References: <200112011642.JAA09819@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 17:22 01/12/2001 +0100, Extended Laurent Fabre wrote:
>Seems like an OpenBSD feature :P
>
>But from a security point of view, if an attacker can guess
>the random seed, i can't see the protection offered...
>It will just raise the number of brute force attacks...

I think that a certain amount of protection is given by the fact that an exploit which fails as a result of malloc being nondeterministic would have a good chance of crashing the daemon being attacked. Brute force attacks are hard when each failure has a chance of making further attempts impossible.
;)

Another interesting consideration is that making malloc nondeterministic could make other bugs visible.

Still, I have to agree that this sounds pretty OpenBSDish... looking at the BSDs as a whole I'd say it would make sense for this to be added into OpenBSD first and ported to FreeBSD once it has proved itself.

Colin Percival

From owner-freebsd-security Sat Dec 1 10:47:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from d150h247.resnet.uconn.edu (d150h247.resnet.uconn.edu [137.99.150.247]) by hub.freebsd.org (Postfix) with SMTP id D91AC37B405 for ; Sat, 1 Dec 2001 10:47:29 -0800 (PST) Received: (qmail 56764 invoked by uid 1001); 1 Dec 2001 18:46:22 -0000 Date: Sat, 1 Dec 2001 13:46:22 -0500 From: "Peter C. Lai" To: Fernando Schapachnik Cc: peter.lai@uconn.edu, Dave , freebsd-security@FreeBSD.ORG Subject: Re: options USER_LDT Message-ID: <20011201134622.A56753@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <20011201023210.A52949@cowbert.2y.net> <20011201123556.A99486@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <20011201123556.A99486@ns1.via-net-works.net.ar>; from fschapachnik@vianetworks.com.ar on Sat, Dec 01, 2001 at 12:35:56PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I need it to run, among other things, xmovie from ports, so no, it's not limited to Wine.

On Sat, Dec 01, 2001 at 12:35:56PM -0300, Fernando Schapachnik wrote:
> In an earlier message, Peter C. Lai wrote:
> > It's for the linux emulation module. Some linux ELF binaries
> > require this to run.
>
> The only use of it that I know is Wine, the Windows emulator.
>
> Regards.
>
> Fernando P. Schapachnik
> VIA NET.WORKS ARGENTINA S.A.
> fschapachnik@vianetworks.com.ar
> Tel.: (54-11) 4323-3381

-- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 203.206.3784

From owner-freebsd-security Sat Dec 1 10:53: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100]) by hub.freebsd.org (Postfix) with ESMTP id 5212737B405 for ; Sat, 1 Dec 2001 10:53:03 -0800 (PST) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by brea.mc.mpls.visi.com (Postfix) with ESMTP id 868592DDB3F; Sat, 1 Dec 2001 12:53:02 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id fB1Ir2E57945; Sat, 1 Dec 2001 12:53:02 -0600 (CST) (envelope-from hawkeyd) Date: Sat, 1 Dec 2001 12:53:02 -0600 (CST) Message-Id: <200112011853.fB1Ir2E57945@sheol.localdomain> Mime-Version: 1.0 X-Newsreader: knews 0.9.8a Reply-To: hawkeyd@visi.com Organization: if (!FIFO) if (!LIFO) break; References: <20011201023210.A52949_cowbert.2y.net@ns.sol.net> <20011201123556.A99486_ns1.via-net-works.net.ar@ns.sol.net> In-Reply-To: <20011201123556.A99486_ns1.via-net-works.net.ar@ns.sol.net> From: hawkeyd@visi.com (D J Hawkey Jr) Subject: Re: options USER_LDT X-Original-Newsgroups: sol.lists.freebsd.security To: fschapachnik@vianetworks.com.ar, security@freebsd.org Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In article <20011201123556.A99486_ns1.via-net-works.net.ar@ns.sol.net>, fschapachnik@vianetworks.com.ar writes:
> In an earlier message, Peter C. Lai wrote:
>> It's for the linux emulation module. Some linux ELF binaries
>> require this to run.
>
> The only use of it that I know is Wine, the Windows emulator.

mplayer requires it, too.

> Regards.
> Fernando P. Schapachnik

Dave

-- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Sat Dec 1 11: 5:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id C949B37B405 for ; Sat, 1 Dec 2001 11:05:18 -0800 (PST) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id fB1J5Fu12216; Sat, 1 Dec 2001 14:05:15 -0500 (EST) (envelope-from str) Date: Sat, 1 Dec 2001 14:05:15 -0500 (EST) From: Igor Roshchin Message-Id: <200112011905.fB1J5Fu12216@giganda.komkon.org> To: freebsd-security@FreeBSD.ORG, kheuer@gwdu60.gwdg.de, venglin@freebsd.lublin.pl Subject: Re: ISSalert: ISS Security Alert: WU-FTPD Heap Corruption Vulnerability (fwd) In-Reply-To: <200112011125.fB1BPjf74314@mailhost.freebsd.lublin.pl> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> From: Przemyslaw Frasunek
> Date: Sat, 1 Dec 2001 12:25:44 +0100
>
> On Friday 30 November 2001 09:53, Konrad Heuer wrote:
> > Any opinions whether wu-ftpd on FreeBSD is vulnerable too? To my mind, it
> > seems so.
>
> actually, wu-ftpd on FreeBSD is vulnerable, but phk-malloc design prevents
> from exploiting this. typical scenario of exploitation on linux box is:
>

Actually, ;-) AFAICT, the wu-ftpd port has been patched by the maintainer (ache). AFAICT, patches from Wu-FTPD were incorporated.
In any case, thanks Przemyslaw for the detailed analysis.

Igor

From owner-freebsd-security Sat Dec 1 11:37:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by hub.freebsd.org (Postfix) with ESMTP id B61B737B405 for ; Sat, 1 Dec 2001 11:37:04 -0800 (PST) Received: by mail1.zer0.org (Postfix, from userid 1001) id 94181239A06; Sat, 1 Dec 2001 11:37:04 -0800 (PST) Date: Sat, 1 Dec 2001 11:37:04 -0800 From: Gregory Sutter To: Colin Percival Cc: security@FreeBSD.ORG Subject: Re: philosophical question... Message-ID: <20011201113704.F96703@klapaucius.zer0.org> References: <200112011642.JAA09819@lariat.org> <5.0.2.1.1.20011201171925.035156f8@popserver.sfu.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="O98KdSgI27dgYlM5" Content-Disposition: inline In-Reply-To: <5.0.2.1.1.20011201171925.035156f8@popserver.sfu.ca> User-Agent: Mutt/1.3.22.1i Organization: Zer0 X-Purpose: For great justice! Mail-Copies-To: poster Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On 2001-12-01 17:31 +0000, Colin Percival wrote:
> At 17:22 01/12/2001 +0100, Extended Laurent Fabre wrote:
> >Seems like an OpenBSD feature :P
> >
> >But from a security point of view, if an attacker can guess
> >the random seed, i can't see the protection offered...
> >It will just raise the number of brute force attacks...
>
> Still, I have to agree that this sounds pretty OpenBSDish... looking at
> the BSDs as a whole I'd say it would make sense for this to be added into
> OpenBSD first and ported to FreeBSD once it has proved itself.

Aren't you both putting the cart before the horse? Just because OpenBSD bill themselves as particularly security-conscious doesn't mean that nobody else is allowed to improve security.

I'd also much rather be targeted with a brute-force attack against my malloc than with the pinpoint accuracy that has compromised wu-ftpd and dlmalloc.

Let's stop the empty rhetoric and concentrate on what can help improve FreeBSD security.

Greg

-- Gregory S. Sutter "I think not," said Descartes... mailto:gsutter@zer0.org and promptly disappeared. http://www.zer0.org/~gsutter/ hkp://wwwkeys.pgp.net/0x845DFEDD

From owner-freebsd-security Sat Dec 1 12:18:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from warez.scriptkiddie.org (uswest-dsl-142-38.cortland.com [209.162.142.38]) by hub.freebsd.org (Postfix) with ESMTP id 612BA37B405 for ; Sat, 1 Dec 2001 12:18:23 -0800 (PST) Received: from [192.168.69.11] (unknown [192.168.69.11]) by warez.scriptkiddie.org (Postfix) with ESMTP id EB84862D01 for ; Sat, 1 Dec 2001 12:18:22 -0800 (PST) Date: Sat, 1 Dec 2001 12:18:40 -0800 (PST) From: Lamont Granquist To: Subject: Re: philosophical question...
In-Reply-To: <5.0.2.1.1.20011201171925.035156f8@popserver.sfu.ca> Message-ID: <20011201121426.L80261-100000@coredump.scriptkiddie.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 1 Dec 2001, Colin Percival wrote: > Still, I have to agree that this sounds pretty OpenBSDish... looking at > the BSDs as a whole I'd say it would make sense for this to be added into > OpenBSD first and ported to FreeBSD once it has proved itself. It seems like a good enough idea, I don't know why FreeBSD can't try it out. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 1 15:18:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from hopi.hostsharing.net (hopi.hostsharing.net [66.70.34.150]) by hub.freebsd.org (Postfix) with ESMTP id AA5BD37B41E; Sat, 1 Dec 2001 15:18:36 -0800 (PST) Received: by hopi.hostsharing.net (Postfix, from userid 542) id 65A59980BD; Sun, 2 Dec 2001 00:17:45 +0100 (CET) Date: Sun, 2 Dec 2001 00:17:45 +0100 From: Noel Koethe To: ports@freebsd.org Cc: security@freebsd.org Subject: security problem mailman Message-ID: <20011202001745.A14848@hopi.hostsharing.net> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Mutt/1.3.22i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, in the freebsd ports ist mailman 2.0.5 =46rom http://mail.python.org/pipermail/mailman-announce/2001-November/0000= 31.html " Hot on the heels of Mailman 2.0.7, I'm now releasing 2.0.8 which fixes several cross-site scripting security holes, and a few 
other minor bug fixes. More information on cross-site scripting exploits in general can be found at http://www.cert.org/advisories/CA-2000-02.html
.... "

see also
http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00242.html
http://mail.python.org/pipermail/mailman-announce/2001-November/000030.html

it would be great if the port of mailman would be updated.

Thank you.

-- 
Noël Köthe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 15:21:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from tao.org.uk (genius.tao.org.uk [212.135.162.51]) by hub.freebsd.org (Postfix) with ESMTP id 6D1AA37B426; Sat, 1 Dec 2001 15:20:55 -0800 (PST) Received: by tao.org.uk (Postfix, from userid 100) id B9F3ACF; Sat, 1 Dec 2001 23:20:46 +0000 (GMT) Date: Sat, 1 Dec 2001 23:20:46 +0000 From: Josef Karthauser To: Noel Koethe Cc: ports@freebsd.org, security@freebsd.org Subject: Re: security problem mailman Message-ID: <20011201232046.A3129@tao.org.uk> References: <20011202001745.A14848@hopi.hostsharing.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="HlL+5n6rz5pIUxbD" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011202001745.A14848@hopi.hostsharing.net>; from noel@koethe.net on Sun, Dec 02, 2001 at 12:17:45AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Sun, Dec 02, 2001 at 12:17:45AM +0100, Noel Koethe wrote:
>
> it would be great if the port of mailman would be updated.
>

Have you mailed the maintainer: demon@FreeBSD.org. That's probably a good place to start.
Joe

--HlL+5n6rz5pIUxbD Content-Type: application/pgp-signature Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjwJZc4ACgkQXVIcjOaxUBaqRACeK3Dt8w7+ACP6qOX0UXMdxKaq
C0AAmwd+07F5f+11OYqDt0t2eAGUsGxN
=u9b9
-----END PGP SIGNATURE-----
--HlL+5n6rz5pIUxbD--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 15:32: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail11.speakeasy.net (mail11.speakeasy.net [216.254.0.211]) by hub.freebsd.org (Postfix) with ESMTP id DF29437B419 for ; Sat, 1 Dec 2001 15:32:04 -0800 (PST) Received: (qmail 12312 invoked from network); 1 Dec 2001 23:32:45 -0000 Received: from unknown (HELO laptop.baldwin.cx) ([64.81.54.73]) (envelope-sender ) by mail11.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 1 Dec 2001 23:32:45 -0000 Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Sat, 01 Dec 2001 15:32:03 -0800 (PST) From: John Baldwin To: Dave Subject: RE: options USER_LDT Cc: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On 01-Dec-01 Dave wrote:
>
> I really have no clue what the kernel option:
> options USER_LDT
>
> means, except this rugged definition I found in LINT (paraphrase):
> "Allow applications running in user space to manipulate the Local
> Descriptor Table (LDT)"
>
> Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that
> someone, somewhere, thought it would be a good idea to have this disabled
> by default and maybe it was meant to be added in only by people who know
> what they are doing.
No, it's enabled by default, not disabled by default.

> Is there a security risk by allowing programs to access the Local
> Descriptor Table? (I'm not sure what the LDT is, but if it was off for a
> reason I wouldn't want to challenge the decisions of those more informed
> than myself. If it wasn't for an efficiency judgement, it could have been
> for a security judgement)

There shouldn't be, since each program has its own LDT if it uses the syscalls to set one up. It can't use the LDT to look outside of its own address space since the addresses that come out of the LDT still have to go through the page tables.

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 15:32: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail11.speakeasy.net (mail11.speakeasy.net [216.254.0.211]) by hub.freebsd.org (Postfix) with ESMTP id 02BCC37B417 for ; Sat, 1 Dec 2001 15:32:05 -0800 (PST) Received: (qmail 12319 invoked from network); 1 Dec 2001 23:32:46 -0000 Received: from unknown (HELO laptop.baldwin.cx) ([64.81.54.73]) (envelope-sender ) by mail11.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 1 Dec 2001 23:32:46 -0000 Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <3C08E711.A4B08098@bsdprophet.org> Date: Sat, 01 Dec 2001 15:32:04 -0800 (PST) From: John Baldwin To: scott Subject: Re: options USER_LDT Cc: freebsd-security@FreeBSD.ORG, Dave Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On 01-Dec-01 scott wrote:
> Dave wrote:
>>
>> I really have no clue what the kernel option:
>> options USER_LDT
>>
>> means, except this rugged definition I found in LINT (paraphrase):
>> "Allow applications running in user space to manipulate the Local
>> Descriptor Table (LDT)"
>>
>> Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that
>> someone, somewhere, thought it would be a good idea to have this disabled
>> by default and maybe it was meant to be added in only by people who know
>> what they are doing.
>>
>> Is there a security risk by allowing programs to access the Local
>> Descriptor Table? (I'm not sure what the LDT is, but if it was off for a
>> reason I wouldn't want to challenge the decisions of those more informed
>> than myself. If it wasn't for an efficiency judgement, it could have been
>> for a security judgement)
>
> Yes there is a security risk.
> Here read all about it:
> http://www.phrack.org/show.php?p=51&a=9

What in the _world_ does this have to do with _LDT_ (aka Local Descriptor Table)? This is talking about making an LKM (Loadable Kernel Module), which is an entirely separate issue from LDT. I don't know of any security problems with LDTs, please stop spreading FUD.

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"
- http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 15:32:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 2B87437B405 for ; Sat, 1 Dec 2001 15:32:40 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id fB1NWca31712; Sat, 1 Dec 2001 16:32:38 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id fB1NWbM54552; Sat, 1 Dec 2001 16:32:37 -0700 (MST) (envelope-from imp@harmony.village.org) Message-Id: <200112012332.fB1NWbM54552@harmony.village.org> To: Dave Subject: Re: options USER_LDT Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 30 Nov 2001 23:33:12 PST." References: Date: Sat, 01 Dec 2001 16:32:37 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message Dave writes:
: Is there a security risk by allowing programs to access the Local
: Descriptor Table?

No.
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 15:34: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id C01A937B416 for ; Sat, 1 Dec 2001 15:33:55 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id fB1NXra31725; Sat, 1 Dec 2001 16:33:54 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id fB1NXrM54579; Sat, 1 Dec 2001 16:33:53 -0700 (MST) (envelope-from imp@harmony.village.org) Message-Id: <200112012333.fB1NXrM54579@harmony.village.org> To: scott Subject: Re: options USER_LDT Cc: Dave , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Sat, 01 Dec 2001 08:20:01 CST." <3C08E711.A4B08098@bsdprophet.org> References: <3C08E711.A4B08098@bsdprophet.org> Date: Sat, 01 Dec 2001 16:33:53 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message <3C08E711.A4B08098@bsdprophet.org> scott writes:
: Yes there is a security risk.
: Here read all about it:
: http://www.phrack.org/show.php?p=51&a=9

What do loadable kernel modules have to do with LDT?
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 15:34:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 5D4A737B419 for ; Sat, 1 Dec 2001 15:34:40 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id fB1NYda31735; Sat, 1 Dec 2001 16:34:39 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id fB1NYcM54600; Sat, 1 Dec 2001 16:34:38 -0700 (MST) (envelope-from imp@harmony.village.org) Message-Id: <200112012334.fB1NYcM54600@harmony.village.org> To: rik@rikrose.net Subject: Re: options USER_LDT Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Sat, 01 Dec 2001 16:00:32 GMT." References: Date: Sat, 01 Dec 2001 16:34:38 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message rik@rikrose.net writes:
: /*
: ** This code is a simple example of bypassing Integrity checking
: ** systems in FreeBSD 2.2. It has been tested in 2.2.1, and
: ** believed to work (although not tested) in 3.0.
:
: Uhm. A little old, isn't it? Can anyone confirm that USER_LDT is still
: dangerous?

Never was. This check is for loadable kernel modules, which is a completely different thing.
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 15:56:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 7E14A37B417 for ; Sat, 1 Dec 2001 15:56:14 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id fB1NuCa31782; Sat, 1 Dec 2001 16:56:12 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id fB1Nu7M54692; Sat, 1 Dec 2001 16:56:12 -0700 (MST) (envelope-from imp@harmony.village.org) Message-Id: <200112012356.fB1Nu7M54692@harmony.village.org> To: Vlad Martynov Subject: Re: Stock ftpd Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 30 Nov 2001 18:29:15 +0300." <20011130182915.A73088@ns.san.ru> References: <20011130182915.A73088@ns.san.ru> <200111301516.fAUFGBY66566@dc.cis.okstate.edu> Date: Sat, 01 Dec 2001 16:56:07 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message <20011130182915.A73088@ns.san.ru> Vlad Martynov writes:
: Hi!
:
: On Fri, Nov 30, 2001 at 09:16:11AM -0600, Martin G. McCormick wrote:
: > I am asking this question just to be safe. Is the ftp
: > daemon which is part of the normal FreeBSD distribution based on
: > wuftpd? In other words, my ftp server identifies as
: >
: > 220 hostname FTP server (Version 6.00LS) ready.
: >
: > Do I need to replace it?
: Yes. Use /usr/ports/ftp/wu-ftpd or /usr/ports/ftp/proftpd.

No, it is just fine.
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 16: 0:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id DAB3B37B405 for ; Sat, 1 Dec 2001 16:00:09 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id fB2008a31806; Sat, 1 Dec 2001 17:00:08 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id fB2008M54735; Sat, 1 Dec 2001 17:00:08 -0700 (MST) (envelope-from imp@harmony.village.org) Message-Id: <200112020000.fB2008M54735@harmony.village.org> To: Cy Schubert - ITSD Open Systems Group Subject: Re: Stock ftpd Cc: Vlad Martynov , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 30 Nov 2001 08:06:50 PST." <200111301607.fAUG7hX94656@cwsys.cwsent.com> References: <200111301607.fAUG7hX94656@cwsys.cwsent.com> Date: Sat, 01 Dec 2001 17:00:08 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message <200111301607.fAUG7hX94656@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
: I can't even recall when an advisory was last published about the BSD
: ftpd. Was there even one?

There was the glob bug: FreeBSD-SA-01:33.ftpd-glob.v1.1.asc

But the glob bug bit everyone. Other than that, I can't find an ftpd advisory against the stock FreeBSD ftpd.
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 17: 6:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id DFD9537B416; Sat, 1 Dec 2001 17:06:35 -0800 (PST) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id MAA05359; Sun, 2 Dec 2001 12:06:32 +1100 Date: Sun, 2 Dec 2001 12:06:45 +1100 (EST) From: Bruce Evans X-X-Sender: To: John Baldwin Cc: Dave , Subject: RE: options USER_LDT In-Reply-To: Message-ID: <20011202120451.R6917-100000@gamplex.bde.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, 1 Dec 2001, John Baldwin wrote:

> On 01-Dec-01 Dave wrote:
> >
> > I really have no clue what the kernel option:
> > options USER_LDT
> >
> > means, except this rugged definition I found in LINT (paraphrase):
> > "Allow applications running in user space to manipulate the Local
> > Descriptor Table (LDT)"
> >
> > Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that
> > someone, somewhere, thought it would be a good idea to have this disabled
> > by default and maybe it was meant to be added in only by people who know
> > what they are doing.
>
> No, it's enabled by default, not disabled by default.

Er, not in RELENG_4. It can only be enabled by default if it doesn't exist, as in -current :-).
Bruce

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 17: 8:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id 83D6537B405 for ; Sat, 1 Dec 2001 17:08:51 -0800 (PST) Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id BAA05670 for ; Sun, 2 Dec 2001 01:08:49 GMT Date: Sun, 2 Dec 2001 01:08:49 +0000 (GMT) From: freebsd-security@rikrose.net X-Sender: rik@pkl.net To: security@FreeBSD.ORG Subject: Re: philosophical question... In-Reply-To: <5.0.2.1.1.20011201171925.035156f8@popserver.sfu.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, 1 Dec 2001, Colin Percival wrote:
> >Seems like an OpenBSD feature :P
> Still, I have to agree that this sounds pretty OpenBSDish... looking at
> the BSDs as a whole I'd say it would make sense for this to be added into
> OpenBSD first and ported to FreeBSD once it has proved itself.

Anyone mind if I start a discussion about encrypted swap? I know I had the option under OpenBSD (and yes, it was on), but I still don't understand the implications.

At the lowest level, anyone who manages to get root on the box can't screw around with programs whose image and data has gone to swap, at least not in a non-fatal way, assuming they don't know the seed for the random key for that block of memory (is it even done this way? this is my guess). However, there's still /dev/{k,}mem, etc, and I haven't put in the energy into thinking about it, aside from noticing it was missing.
If it is deemed a vaguely sensible thing to do (by discussion on the list), could it be added to the "list of things to do" if it isn't already? I'm assuming the most sensible way to implement this is via a sysctl that becomes read-only after the kernel is loaded, like hw.ata.atapi_dma.

Anyway. Uhm. Is it sensible? If not, why not? Well, there is the argument about /dev/mem always being readable. I suppose as a security thing, this ought to be removed too... ACLs anyone?

Well, this is far less coherent than I expected. responses?

-- 
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 17: 9:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail5.speakeasy.net (mail5.speakeasy.net [216.254.0.205]) by hub.freebsd.org (Postfix) with ESMTP id 9CA5737B416 for ; Sat, 1 Dec 2001 17:09:32 -0800 (PST) Received: (qmail 6682 invoked from network); 2 Dec 2001 01:09:31 -0000 Received: from unknown (HELO laptop.baldwin.cx) ([64.81.54.73]) (envelope-sender ) by mail5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 2 Dec 2001 01:09:31 -0000 Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <20011202120451.R6917-100000@gamplex.bde.org> Date: Sat, 01 Dec 2001 17:09:28 -0800 (PST) From: John Baldwin To: Bruce Evans Subject: RE: options USER_LDT Cc: freebsd-security@FreeBSD.ORG, Dave Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On 02-Dec-01 Bruce Evans wrote:
> On Sat, 1 Dec 2001, John Baldwin wrote:
>
>> On 01-Dec-01 Dave wrote:
>> >
>> > I really have no clue what the kernel option:
>> > options USER_LDT
>> >
>> > means, except this rugged definition I found in LINT (paraphrase):
>> > "Allow applications running in user space to manipulate the Local
>> > Descriptor Table (LDT)"
>> >
>> > Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that
>> > someone, somewhere, thought it would be a good idea to have this disabled
>> > by default and maybe it was meant to be added in only by people who know
>> > what they are doing.
>>
>> No, it's enabled by default, not disabled by default.
>
> Er, not in RELENG_4. It can only be enabled by default if it doesn't exist,
> as in -current :-).

Ah, nm, I misread it thinking that the option was gone from 4.4 completely. To answer the original question then: it's not enabled by default most likely because when it was added as a new feature it was left as an option that was off by default so that any bugs it might have wouldn't bite people who didn't need it.

> Bruce

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 17:48:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 5AF5137B416 for ; Sat, 1 Dec 2001 17:48:37 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1192) id E390281D04; Sat, 1 Dec 2001 19:48:31 -0600 (CST) Date: Sat, 1 Dec 2001 19:48:31 -0600 From: Alfred Perlstein To: freebsd-security@rikrose.net Cc: security@FreeBSD.ORG Subject: Re: philosophical question...
Message-ID: <20011201194831.Y46769@elvis.mu.org> References: <5.0.2.1.1.20011201171925.035156f8@popserver.sfu.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from freebsd-security@rikrose.net on Sun, Dec 02, 2001 at 01:08:49AM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* freebsd-security@rikrose.net [011201 19:09] wrote:
> On Sat, 1 Dec 2001, Colin Percival wrote:
> > >Seems like an OpenBSD feature :P
> >
> > Still, I have to agree that this sounds pretty OpenBSDish... looking at
> > the BSDs as a whole I'd say it would make sense for this to be added into
> > OpenBSD first and ported to FreeBSD once it has proved itself.
>
> Anyone mind if I start a discussion about encrypted swap? I know I had the
> option under OpenBSD (and yes, it was on), but I still don't understand
> the implications.

The implication is that when a program that stores sensitive information is swapped out to disk and the machine is rebooted or has the disk removed, the information can not be easily just lifted off the swap partition.

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 21:37:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from berbee.com (berbee.com [205.173.176.16]) by hub.freebsd.org (Postfix) with ESMTP id 4721D37B416 for ; Sat, 1 Dec 2001 21:37:08 -0800 (PST) Received: from there (gbshkj@[66.188.124.51]) by berbee.com (8.11.2/8.11.2) with SMTP id fB25b7h01447 for ; Sat, 1 Dec 2001 23:37:07 -0600 Message-Id: <200112020537.fB25b7h01447@berbee.com> Content-Type: text/plain; charset="iso-8859-1" From: Rob Zietlow To: security@freebsd.org Subject: Cisco VPN & FreeBSD Date: Sat, 1 Dec 2001 23:36:52 -0600 X-Mailer: KMail [version 1.3.1] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Has anyone successfully gotten FreeBSD to connect up to a Cisco Altiga? We are using it at work and they have linux code which installs a kernel module. I have heard of Racoon, but when I asked the questions list, it had seemed that no one had connected up to an Altiga.

Some links and howtos would be great, either on how to configure racoon or on how to build the source code under linux emulation.
TIA
Rob

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 1 23:51:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailx5.chollian.net (mailx5.chollian.net [203.252.3.189]) by hub.freebsd.org (Postfix) with ESMTP id C129437B405 for ; Sat, 1 Dec 2001 23:51:12 -0800 (PST) Received: from delo ([211.170.67.220]) by mailx5.chollian.net (8.9.1a/8.9.1) with SMTP id QAA22733 for ; Sun, 2 Dec 2001 16:46:46 +0900 (KST) Message-Id: <200112020746.QAA22733@mailx5.chollian.net> From: Hellotel (name translated from Korean) To: freebsd-security@freebsd.org Subject: Free phone number registration, unlimited calls (translated from Korean) Date: Sun, 02 Dec 2001 16:54:45 +0900 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0167_01C0F02A.93A54C00" X-Priority: 3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a multi-part message in MIME format.
[Body omitted: a Korean-language advertisement for Hellotel's Internet phone service (http://www.hellotel.co.kr), sent as base64-encoded text/plain and text/html MIME parts.]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
