From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 04:14:16 2004
From: "Spades"
Date: Sun, 18 Jan 2004 20:14:29 +0800
Subject: arp problem in /var/log/messages

Hi all, I got flooded by these msgs, like 1000+ lines, any idea?
My kernel is dated Nov-30, FreeBSD 4.9-stable

# tail -f /var/log/messages
Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0

thanks and regards,

John
From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 05:56:33 2004
From: Dan Airinen
Date: Sun, 18 Jan 2004 15:56:21 +0200 (EET)
Subject: Re: arp problem in /var/log/messages

Hi,

You might want to check that you don't have two machines/devices in your network sharing the same IP address. Of course there is a possibility of someone doing sniffing in your network.

On Sun, 18 Jan 2004, Spades wrote:
> Hi all, I got flooded by these msgs, like 1000+ lines, any idea?
> My kernel is dated Nov-30, FreeBSD 4.9-stable
>
> # tail -f /var/log/messages
> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
>
> thanks and regards,
>
> John
From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 07:35:17 2004
From: Maciej Cetler
Date: Sun, 18 Jan 2004 16:35:12 +0100
Subject: Re: arp problem in /var/log/messages

On Sun, Jan 18, 2004 at 08:14:29PM +0800, Spades wrote:
> Hi all, I got flooded by these msgs, like 1000+ lines, any idea?
> My kernel is dated Nov-30, FreeBSD 4.9-stable
>
> # tail -f /var/log/messages
> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0

Looks like someone is using tools like ettercap.

airot
From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 08:00:03 2004
From: jan.muenther@nruns.com
Date: Sun, 18 Jan 2004 16:47:17 +0100
Subject: Re: arp problem in /var/log/messages

>
> looks like someone is using tools like ettercap.

It could either be that - ARP cache poisoning - or some sort of clustering software which uses changing MAC addresses (seen that).
From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 10:44:03 2004
From: horio shoichi
Date: Mon, 19 Jan 2004 03:43:50 +0900
Subject: Re: arp problem in /var/log/messages

On Sun, 18 Jan 2004 20:14:29 +0800 "Spades" wrote:
> Hi all, I got flooded by these msgs, like 1000+ lines, any idea?
> My kernel is dated Nov-30, FreeBSD 4.9-stable
>
> # tail -f /var/log/messages
> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
>
> thanks and regards,
>
> John

# sysctl net.link.ether.inet.log_arp_wrong_iface=1

should mask the messages.

horio shoichi
From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 11:19:24 2004
From: Lyle Evans
Date: Sun, 18 Jan 2004 14:19:17 -0500
Subject: Re: arp problem in /var/log/messages

At 07:14 AM 01/18/04, you wrote:
> Hi all, I got flooded by these msgs, like 1000+ lines, any idea?
> My kernel is dated Nov-30, FreeBSD 4.9-stable
>
> # tail -f /var/log/messages
> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0

You have a Linksys and a Cisco device fighting over an IP address: either they both think they own the address, or one or maybe both are proxy-ARPing for the address. The fields 00:04:5a:49:eb:74 and 00:50:0f:4f:c0:00 are the Ethernet addresses of the Linksys and Cisco devices respectively.

Regards,

Lyle Evans
evansl@rackears.com
rackmount brackets for many networking and ISP equipment chassis
http://www.rackears.com
From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 12:56:24 2004
From: Andrew Boothman
Date: Sun, 18 Jan 2004 20:56:23 +0000
Subject: Re: arp problem in /var/log/messages

horio shoichi wrote:
>> Hi all, I got flooded by these msgs, like 1000+ lines, any idea?
>> My kernel is dated Nov-30, FreeBSD 4.9-stable
>>
>> # tail -f /var/log/messages
>> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
>> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
>> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
>> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
>> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
>
> # sysctl net.link.ether.inet.log_arp_wrong_iface=1
>
> should mask the messages.

Shouldn't that be net.link.ether.inet.log_arp_movements ?

myriad# sysctl -d net.link.ether.inet.log_arp_movements
net.link.ether.inet.log_arp_movements: log arp replies from MACs different than the one in the cache

I get these messages about 10/day on an interface that's connected to a cable modem network (Blueyonder in the UK).

I've just set this sysctl to see if it stops these messages for me.

Andrew
From owner-freebsd-security@FreeBSD.ORG Sat Jan 17 13:29:06 2004
From: Sam Leffler
Organization: Errno Consulting
Date: Sat, 17 Jan 2004 13:33:26 -0800
Subject: Re: HiFn / FAST_IPSEC question

On Friday 16 January 2004 10:48 am, Mike Tancsa wrote:
> I am more curious about what happens if you try 194 sessions on one or 65
> on the other, not why one is rated lower than the other.

When you try to allocate the SPI it will fail because you won't be able to create a crypto session (this is FAST_IPSEC only). The right thing to do (probably) is to fall back to s/w crypto but I don't believe the existing crypto framework is smart enough.

Sam
From owner-freebsd-security@FreeBSD.ORG Sun Jan 18 08:08:42 2004
From: Patrick Muldoon
Organization: INOC
Date: Sun, 18 Jan 2004 11:07:32 -0500
Subject: Re: arp problem in /var/log/messages

On Sunday 18 January 2004 10:35 am, Maciej Cetler wrote:
> On Sun, Jan 18, 2004 at 08:14:29PM +0800, Spades wrote:
> > Hi all, I got flooded by these msgs, like 1000+ lines, any idea?
> > My kernel is dated Nov-30, FreeBSD 4.9-stable
> >
> > # tail -f /var/log/messages
> > Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> > Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> > Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> > Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> > Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
>
> looks like someone is using tools like ettercap.
>
> airot

Is .1 your gateway?

00:50:0f is a Cisco adaptor
00:04:5a is a Linksys adaptor

What type of network are you on? I.e., is this your network, or is it, say, a cable modem network?

Check out http://www.dslreports.com/forum/remark,8225369~mode=flat, which is basically about this same issue and perhaps might shed some light on the problem.

If they were both Cisco NICs it could be HSRP?

Hope that helps,

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon) Key ID: 0x370D752C

micro$oft: "where do you want to go today?"
linux: "where do you want to go tomorrow?"
BSD: "are you guys coming, or what?"
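The replies above offer three readings of the same log: a duplicate IP (Dan, Lyle), an HSRP-style failover pair (Patrick), or ARP cache poisoning (Maciej, Jan). The script below is an added example written for this thread, not code from any of the posters: it parses "arp: X moved from A to B on IF" kernel lines like John's, groups them per address and interface, and separates a one-off change from a sustained flap between the same two MACs, which is the pattern all three explanations produce and the one worth escalating. The OUI table is constructed for the example and holds only the two prefixes Patrick identified; a real tool would consult the IEEE registry. The function and constant names (`summarize`, `classify`, `FLAPPING`, and so on) are chosen here. The sample input is the five lines from the original post plus two constructed lines.

```python
"""Triage FreeBSD "arp: X moved from A to B on IF" kernel messages.

Added example for the freebsd-security thread; not code from any poster.
"""
import re
from collections import defaultdict

# Matches the /var/log/messages format quoted in the original post.
ARP_MOVE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+/kernel:\s+"
    r"arp:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+moved from\s+"
    r"(?P<old>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+to\s+"
    r"(?P<new>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+on\s+(?P<iface>\S+)$"
)

# Constructed OUI table: only the two prefixes named in the thread.
# A real tool would look prefixes up in the IEEE OUI registry.
OUI = {"00:50:0f": "Cisco", "00:04:5a": "Linksys"}

FLAPPING = "flapping"            # address alternates between the same two MACs
SINGLE_CHANGE = "single-change"  # one move: host swapped, lease moved, NIC replaced
MULTI_MAC = "multiple-macs"      # three or more MACs have claimed the address
IRREGULAR = "irregular"          # moves do not chain; inspect by hand

# Sample input: the five lines from the original post, plus a constructed
# line for a second address that changed once and a constructed non-ARP line.
SAMPLE_LOG = """\
Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:50:02 xb /kernel: arp: 202.79.180.7 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on rl0
Jan 18 19:50:03 xb sshd[123]: constructed unrelated line, ignored by the parser
"""


def vendor(mac):
    """Map a MAC to a vendor name via the OUI table ("unknown" if absent)."""
    return OUI.get(mac[:8].lower(), "unknown")


def parse_moves(text):
    """Yield one dict per 'arp: ... moved' line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_MOVE.match(line.strip())
        if m:
            d = m.groupdict()
            d["old"], d["new"] = d["old"].lower(), d["new"].lower()
            yield d


def classify(moves):
    """Classify the sequence of moves recorded for one (ip, iface)."""
    macs = {mv["old"] for mv in moves} | {mv["new"] for mv in moves}
    # A genuine flap chains: each move starts from the MAC the last one ended on.
    chained = all(moves[i]["old"] == moves[i - 1]["new"] for i in range(1, len(moves)))
    if len(moves) == 1:
        return SINGLE_CHANGE
    if len(macs) > 2:
        return MULTI_MAC
    return FLAPPING if chained else IRREGULAR


def summarize(text):
    """Return {(ip, iface): {moves, first, last, macs, vendors, verdict}}."""
    groups = defaultdict(list)
    for mv in parse_moves(text):
        groups[(mv["ip"], mv["iface"])].append(mv)
    report = {}
    for key, moves in groups.items():
        macs = sorted({mv["old"] for mv in moves} | {mv["new"] for mv in moves})
        report[key] = {
            "moves": len(moves),
            "first": moves[0]["ts"],
            "last": moves[-1]["ts"],
            "macs": macs,
            "vendors": {mac: vendor(mac) for mac in macs},
            "verdict": classify(moves),
        }
    return report


if __name__ == "__main__":
    for (ip, iface), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip} on {iface}: {info['moves']} move(s) "
              f"{info['first']}..{info['last']} -> {info['verdict']}")
        for mac, name in info["vendors"].items():
            print(f"    {mac}  ({name})")
```

Run against the sample, 202.79.180.1 on rl0 comes out as `flapping` between a Linksys and a Cisco MAC, which is exactly the situation the replies describe; 202.79.180.7 is a `single-change` and needs no further attention. The verdict only says that something is answering for the address twice; deciding between a misconfigured duplicate, a failover pair and a spoofing host still needs the switch's MAC table or the two devices themselves.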
From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 07:10:45 2004
From: Anton Alin-Adrian
Date: Tue, 20 Jan 2004 17:07:18 +0200
To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: short analysis of qmail integer overflow bug - let there be light

Hey folks.

There are rumors out there that setting /var/qmail/control/databytes to a reasonable value (for example 16384 = 16MB) will prevent the possibility of exploitation regarding the integer overflow in function blast(). That is not true. This is how blast() is called:

    void smtp_data()
    {
      int hops;
      unsigned long qp;
      char *qqx;

      if (!seenmail) { err_wantmail(); return; }
      if (!rcptto.len) { err_wantrcpt(); return; }
      seenmail = 0;
      if (databytes) bytestooverflow = databytes + 1;
      if (qmail_open(&qqt) == -1) { err_qqt(); return; }
      qp = qmail_qp(&qqt);
      out("354 go ahead\r\n");

      received(&qqt,"SMTP",local,remoteip,remotehost,remoteinfo,fakehelo);
      blast(&hops);
      hops = (hops >= MAXHOPS);
      if (hops) qmail_fail(&qqt);
      qmail_from(&qqt,mailfrom.s);
      qmail_put(&qqt,rcptto.s,rcptto.len);

      qqx = qmail_close(&qqt);
      if (!*qqx) { acceptmessage(qp); return; }
      if (hops) { out("554 too many hops, this message is looping (#5.4.6)\r\n"); return; }
      if (databytes) if (!bytestooverflow) { out("552 sorry, that message size exceeds my databytes limit (#5.3.4)\r\n"); return; }
      if (*qqx == 'D') out("554 "); else out("451 ");
      out(qqx + 1);
      out("\r\n");
    }

So you see, the input value is only checked against the databytes limit *after* the function blast() is called. The overflow resides in function blast(), thus even setting databytes to 1 (the lowest possible value) will not prevent the overflow from happening. People should not comment on a bug without reading the code (not from this mailing list).

The simplest way to fix it is to define the pos variable as unsigned int instead of int in the blast() function.

What happens in blast()? Here is what happens: input is read byte by byte, and if the input byte != '\n', then pos is incremented. This is a never-ending loop, without any logical tests. Thus, pos gets an "upper-bounds overflow" and becomes negative (because it is a signed integer). If it is defined as unsigned, it simply becomes 0 and keeps being incremented in a never-ending circle loop, until the first '\n' is met. This renders any hack attack useless. DoS is possible, but DoS is possible in many other more effective ways. It's the way of the Internet protocols.

This is the original blast() function:

    void blast(hops)
    int *hops;
    {
      char ch;
      int state;
      int flaginheader;
      /* my comment here: unsigned int pos */
      int pos; /* number of bytes since most recent \n, if fih */
      int flagmaybex; /* 1 if this line might match RECEIVED, if fih */
      int flagmaybey; /* 1 if this line might match \r\n, if fih */
      int flagmaybez; /* 1 if this line might match DELIVERED, if fih */

      state = 1;
      *hops = 0;
      flaginheader = 1;
      pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
      for (;;) {
        substdio_get(&ssin,&ch,1);
        if (flaginheader) {
          if (pos < 9) {
            if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos]) flagmaybez = 0;
            if (flagmaybez) if (pos == 8) ++*hops;
            if (pos < 8)
              if (ch != "received"[pos]) if (ch != "RECEIVED"[pos]) flagmaybex = 0;
            if (flagmaybex) if (pos == 7) ++*hops;
            if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
            if (flagmaybey) if (pos == 1) flaginheader = 0;
          }
          ++pos;
          if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
        }
        switch(state) {
          case 0:
            if (ch == '\n') straynewline();
            if (ch == '\r') { state = 4; continue; }
            break;
          case 1: /* \r\n */
            if (ch == '\n') straynewline();
            if (ch == '.') { state = 2; continue; }
            if (ch == '\r') { state = 4; continue; }
            state = 0;
            break;
          case 2: /* \r\n + . */
            if (ch == '\n') straynewline();
            if (ch == '\r') { state = 3; continue; }
            state = 0;
            break;
          case 3: /* \r\n + .\r */
            if (ch == '\n') return;
            put("."); put("\r");
            if (ch == '\r') { state = 4; continue; }
            state = 0;
            break;
          case 4: /* + \r */
            if (ch == '\n') { state = 1; break; }
            if (ch != '\r') { put("\r"); state = 0; }
        }
        put(&ch);
      }
    }

One can see that pos is later used as an index for a memory location. And that's all folks. :) I say it is exploitable. Just an opinion.

Cheers to all,
Alin-Adrian Anton.

Below there is a small RFC 821 line-too-long implementing patch:

--- qmail-smtpd.c.orig Mon Jun 15 13:53:16 1998 +++ qmail-smtpd.c Mon Jan 19 23:29:35 2004 @@ -1,3 +1,15 @@ +/* +* This is a patched version of qmail, implementing RFC 821 regarding text line limitations. +* Developed by Alin-Adrian Anton (aanton@reversedhell.net,burebista@lasting.ro) +* +* You may remove this banner if it annoys you. This patch is public domain, for the +* benefit of the community. +* +* It also fixes an integer overflow in the blast() function. + NOTE: it implements the most relaxed RFC821, as it is specified there. +*/ + + #include "sig.h" #include "readwrite.h" #include "stralloc.h" @@ -48,7 +60,6 @@ void die_control() { out("421 unable to read controls (#4.3.0)\r\n"); flush(); _exit(1); } void die_ipme() { out("421 unable to figure out my IP addresses (#4.3.0)\r\n"); flush(); _exit(1); } void straynewline() { out("451 See http://pobox.com/~djb/docs/smtplf.html.\r\n"); flush(); _exit(1); } - void err_bmf() { out("553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)\r\n"); } void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); } void err_unimpl() { out("502 unimplemented (#5.5.1)\r\n"); }
@@ -58,7 +69,7 @@ void err_noop() { out("250 ok\r\n"); } void err_vrfy() { out("252 send some mail, i'll try my best\r\n"); } void err_qqt() { out("451 qqt failure (#4.3.0)\r\n"); } - +void err_longline() { out("500 Line too long, please read RFC 821.\r\n"); flush(); _exit(1); } stralloc greeting = {0}; @@ -293,10 +304,46 @@ void blast(hops) int *hops; { + +/* +*RFC 821 August 1982 +* Simple Mail Transfer Protocol +* +* text line +* +* The maximum total length of a text line including the +* is 1000 characters (but not counting the leading +* dot duplicated for transparency). +* +* recipients buffer +* +* The maximum total number of recipients that must be +* buffered is 100 recipients. +* +* +* **************************************************** +* * * +* * TO THE MAXIMUM EXTENT POSSIBLE, IMPLEMENTATION * +* * TECHNIQUES WHICH IMPOSE NO LIMITS ON THE LENGTH * +* * OF THESE OBJECTS SHOULD BE USED. * +* * * +* **************************************************** +* +* Errors due to exceeding these limits may be reported by using +* the reply codes, for example: +* +* 500 Line too long. +* +* 501 Path too long +* +* 552 Too many recipients. +* +* 552 Too much mail data. +*/ char ch; int state; int flaginheader; - int pos; /* number of bytes since most recent \n, if fih */ + unsigned int pos; /* number of bytes since most recent \n, if fih */ int flagmaybex; /* 1 if this line might match RECEIVED, if fih */ int flagmaybey; /* 1 if this line might match \r\n, if fih */ int flagmaybez; /* 1 if this line might match DELIVERED, if fih */ 
@@ -317,7 +364,8 @@ if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0; if (flagmaybey) if (pos == 1) flaginheader = 0; } - ++pos; + if (++pos>65535-1) err_longline(); /* will bail out nicely with err 500 */ + if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; } } switch(state) {
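Review bot: the banner comment added at the top of qmail-smtpd.c in the `@@ -1,3 +1,15 @@` hunk belongs in the patch description, not in the source file: the author contact details and "You may remove this banner if it annoys you" go stale as soon as the file changes, and the line `+ NOTE: it implements the most relaxed RFC821, as it is specified there.` lacks the leading `*` every other line of the block has, so the comment is visibly misaligned. Keep a one-line pointer to RFC 821 in the file and move the rest to the submission text.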
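Review bot: the `@@ -48,7 +60,6 @@` hunk only removes the blank line between `straynewline()` and `err_bmf()`; it has nothing to do with the line-length check or the `pos` fix and makes the diff harder to apply to other qmail trees. Drop it so the patch contains only the functional change.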
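Review bot: in the `@@ -293,10 +304,46 @@` hunk, `- int pos;` / `+ unsigned int pos;` is the right type for a counter that indexes `"delivered"[pos]`, but by itself it only turns a signed wrap into an unsigned one; the actual bound is the `err_longline()` check in the later hunk, and the comment on the declaration should say so instead of leaving the reader to connect the two. The 40-line RFC 821 excerpt is also inserted between the opening `{` of `blast()` and its declarations; move it above the function, or cut it to the one sentence about the 1000-character text line, so the body starts with its variables.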
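Review bot: the check `+ if (++pos>65535-1) err_longline();` in the `@@ -317,7 +364,8 @@` hunk does not match the limit the comment block quotes: RFC 821 says 1000 characters per text line, and 65534 is an arbitrary ceiling. The check also sits inside the `if (flaginheader)` block shown in the quoted blast(), where `pos` is counted and reset on each '\n', so only header lines are bounded and body lines stay unchecked, which contradicts the banner's claim of implementing the RFC 821 line limit. Either use 1000 (the prefix matching only needs `pos` up to 8) or state in the comment that the purpose is solely to keep `pos` from growing without bound. The empty `+` line after the check is stray whitespace.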
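As an added example, not qmail's code and not the patch above, the C below is a bounded version of the header-matching logic in blast(): the same Received/Delivered hop counting, but with `pos` unsigned and rejected once a header line exceeds the RFC 821 limit of 1000 bytes, so the counter can neither go negative nor be used to index past the prefix strings. The input is a constructed header, and `scan_header`, `MAXLINE` and the `SCAN_*` status values are names chosen for this example.

```c
/* Bounded SMTP header scanner, modelled on the matching logic of blast()
 * quoted above.  Added example, not qmail's code.  Names (scan_header,
 * MAXLINE, SCAN_*) are chosen for this example. */
#include <stdio.h>
#include <string.h>

#define MAXLINE 1000u   /* RFC 821: maximum text line length including CRLF */

enum { SCAN_OK = 0, SCAN_LINE_TOO_LONG = 1 };

/* Count header lines starting with "received" or "delivered" (either case)
 * until the empty line that ends the header.  pos counts bytes since the last
 * '\n'; it is unsigned and the scan is abandoned once it exceeds MAXLINE, so
 * it can neither wrap nor grow past the prefix strings it indexes. */
int scan_header(const char *buf, size_t len, int *hops)
{
    unsigned pos = 0;
    int maybex = 1;   /* line may still be "received"  */
    int maybey = 1;   /* line may still be a bare CRLF */
    int maybez = 1;   /* line may still be "delivered" */
    size_t i;

    *hops = 0;
    for (i = 0; i < len; i++) {
        char ch = buf[i];
        if (pos < 9) {
            if (ch != "delivered"[pos] && ch != "DELIVERED"[pos]) maybez = 0;
            if (maybez && pos == 8) ++*hops;
            if (pos < 8 && ch != "received"[pos] && ch != "RECEIVED"[pos]) maybex = 0;
            if (maybex && pos == 7) ++*hops;
            if (pos < 2 && ch != "\r\n"[pos]) maybey = 0;
            if (maybey && pos == 1) return SCAN_OK;     /* end of header */
        }
        if (++pos > MAXLINE) return SCAN_LINE_TOO_LONG;  /* bound before any further use */
        if (ch == '\n') { pos = 0; maybex = maybey = maybez = 1; }
    }
    return SCAN_OK;   /* input ended while still inside the header */
}

/* Constructed sample header: two Received lines and one Delivered-To line. */
static const char SAMPLE[] =
    "Received: from a.example.test by b.example.test\r\n"
    "received: from c.example.test\r\n"
    "Delivered-To: user@example.test\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n";

int sample_hops(void)
{
    int hops;
    scan_header(SAMPLE, sizeof SAMPLE - 1, &hops);
    return hops;   /* 3 */
}

int sample_status(void)
{
    int hops;
    return scan_header(SAMPLE, sizeof SAMPLE - 1, &hops);   /* SCAN_OK */
}

/* A 1200-byte header line with no newline: rejected instead of counted on. */
int long_line_status(void)
{
    char buf[1200];
    int hops;
    memset(buf, 'x', sizeof buf);
    memcpy(buf, "Received: ", 10);
    return scan_header(buf, sizeof buf, &hops);   /* SCAN_LINE_TOO_LONG */
}

int main(void)
{
    printf("hops=%d status=%d long_line=%d\n",
           sample_hops(), sample_status(), long_line_status());
    return 0;
}
```

The two differences from the quoted blast() are the type of `pos` and the single comparison after `++pos`; everything else, including the order in which the prefix flags are cleared before the hop counters are bumped, follows the original so the hop count stays the same for well-formed input. A caller that gets `SCAN_LINE_TOO_LONG` can reply with the RFC 821 "500 Line too long." that the patch's comment block quotes.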
From: George Hartzell MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16397.30413.488274.236361@rosebud.alerce.com> Date: Tue, 20 Jan 2004 10:43:25 -0800 To: hartzell@kestrel.alerce.com In-Reply-To: <16388.28960.595527.20394@rosebud.alerce.com> References: <16388.28960.595527.20394@rosebud.alerce.com> X-Mailer: VM 7.14 under 21.4 (patch 14) "Reasonable Discussion" XEmacs Lucid X-Virus-Scanned: ClamAV version 'clamd / ClamAV version devel-20031103', clamav-milter version '0.60n' cc: freebsd-security@freebsd.org Subject: Re: IPSEC btwn stable and Linksys BEFVP41 stopped working. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hartzell@kestrel.alerce.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2004 18:43:45 -0000 I have a bit more information, and a quick question. I set up a 5.2 Release system, with a current copy of the racoon port, and had exactly the symptoms that I've described in my previous post (and excerpted below). I'm not sure where to look next. Any suggestions? And is -security the best list to discuss this, or should I try -questions or -mobile? g. George Hartzell writes: > > Hi, > > I have been using IPsec to communicate between a laptop that tracks > -stable and a Linksys BEFVP41 router. > > I only use it infrequently, but it's been working great. My setup is > as described in http://grapeape.alerce.com/linksys-ipsec/article.html > (which I am planning to submit to the handbook when it's done). > > I'm no longer able to make an ipsec connection, and I can't put my > finger on anything that's changed. The most obvious candidate is the > move from 4.8 to 4.9. > [...] > > And when I have a ping running that should be going over the tunnel, > the Linksys logs this: > > 2004-01-13 13:36:51 **IKE incoming packet dropped : unknown peer ! 
> 2004-01-13 13:36:51 Received: IP=64.1.164.95 I_Cookie=[3a 7d e0 36 00 b9 ca 1e ] R_Cookie=[00 00 00 00 00 00 00 00 ] > > All of the examples of packets w/ I_cookies I could find by googling > also had values for the R_cookie field..... > > Does this ring any bells for anyone. Can someone point me in a useful > direction? From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 12:24:26 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9635116A4CE for ; Tue, 20 Jan 2004 12:24:26 -0800 (PST) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id AE6A343D31 for ; Tue, 20 Jan 2004 12:24:24 -0800 (PST) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 78EC01FF9A6; Tue, 20 Jan 2004 21:24:22 +0100 (CET) Received: by transport.cksoft.de (Postfix, from userid 66) id DF6851FF931; Tue, 20 Jan 2004 21:24:20 +0100 (CET) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id F1420153AA; Tue, 20 Jan 2004 20:22:32 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id E6B5415380; Tue, 20 Jan 2004 20:22:32 +0000 (UTC) Date: Tue, 20 Jan 2004 20:22:32 +0000 (UTC) 
From: "Bjoern A. Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: George Hartzell In-Reply-To: <16397.30413.488274.236361@rosebud.alerce.com> Message-ID: References: <16388.28960.595527.20394@rosebud.alerce.com> <16397.30413.488274.236361@rosebud.alerce.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de cc: freebsd-security@freebsd.org Subject: Re: IPSEC btwn stable and Linksys BEFVP41 stopped working. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2004 20:24:26 -0000 On Tue, 20 Jan 2004, George Hartzell wrote: > I have a bit more information, and a quick question. > > I set up a 5.2 Release system, known to be buggy for IPSEC (not for FAST_IPSEC): http://lists.freebsd.org/pipermail/freebsd-current/2004-January/thread.html#18084 > with a current copy of the racoon port, Do you have 20040116a ? 20040114a is known to have endian bugs I think: http://www.securityfocus.com/archive/1/350025/2004-01-14/2004-01-20/0 -- Greetings Bjoern A. 
Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/ From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 13:19:06 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82C1716A4CE for ; Tue, 20 Jan 2004 13:19:06 -0800 (PST) Received: from kestrel.alerce.com (kestrel.alerce.com [209.182.219.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF60143D41 for ; Tue, 20 Jan 2004 13:18:58 -0800 (PST) (envelope-from hartzell@kestrel.alerce.com) Received: from rosebud.alerce.com (rosebud.lbl.gov [131.243.193.115]) (authenticated bits=128) by kestrel.alerce.com (8.12.10/8.12.10) with ESMTP id i0KLItLN078107 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Jan 2004 13:18:55 -0800 (PST) (envelope-from hartzell@kestrel.alerce.com) Received: from rosebud.alerce.com (localhost [127.0.0.1]) by rosebud.alerce.com (8.12.9p2/8.12.9) with ESMTP id i0KLIsb2000432 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Jan 2004 13:18:55 -0800 (PST) (envelope-from hartzell@rosebud.alerce.com) Received: (from hartzell@localhost) by rosebud.alerce.com (8.12.9p2/8.12.9/Submit) id i0KLIqOi000429; Tue, 20 Jan 2004 13:18:52 -0800 (PST) (envelope-from hartzell) 
From: George Hartzell MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16397.39740.745527.827490@rosebud.alerce.com> Date: Tue, 20 Jan 2004 13:18:52 -0800 To: "Bjoern A. Zeeb" In-Reply-To: References: <16388.28960.595527.20394@rosebud.alerce.com> <16397.30413.488274.236361@rosebud.alerce.com> X-Mailer: VM 7.14 under 21.4 (patch 14) "Reasonable Discussion" XEmacs Lucid X-Virus-Scanned: ClamAV version 'clamd / ClamAV version devel-20031103', clamav-milter version '0.60n' cc: freebsd-security@freebsd.org Subject: Re: IPSEC btwn stable and Linksys BEFVP41 stopped working. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hartzell@kestrel.alerce.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2004 21:19:06 -0000
Bjoern A. Zeeb writes:
 > On Tue, 20 Jan 2004, George Hartzell wrote:
 >
 > > I have a bit more information, and a quick question.
 > >
 > > I set up a 5.2 Release system,
 >
 > known to be buggy for IPSEC (not for FAST_IPSEC):
 > http://lists.freebsd.org/pipermail/freebsd-current/2004-January/thread.html#18084

Would this also bother a 4.9 system?

 > > with a current copy of the racoon port,
 >
 > Do you have 20040116a ?
 >
 > 20040114a is known to have endian bugs I think:
 > http://www.securityfocus.com/archive/1/350025/2004-01-14/2004-01-20/0

I'll check this evening. The -stable system is still using racoon-20030711a_1, which is the port that's been working fine up until whatever happened.

g.
From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 15:19:25 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E10B16A4CE for ; Tue, 20 Jan 2004 15:19:25 -0800 (PST) Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id E0C2343D53 for ; Tue, 20 Jan 2004 15:19:19 -0800 (PST) (envelope-from tillman@seekingfire.com) Received: by mail.seekingfire.com (Postfix, from userid 500) id E4CC46E; Tue, 20 Jan 2004 17:19:18 -0600 (CST) Date: Tue, 20 Jan 2004 17:19:18 -0600 
From: Tillman Hodgson To: security at FreeBSD Message-ID: <20040120231918.GS24105@seekingfire.com> References: <20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> <20040114182154.GA22444@sheol.localdomain> <20040114182755.GX50342@horsey.gshapiro.net> <44oet5mivk.fsf@be-well.ilk.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="FK65GREB+Evh/hTL" Content-Disposition: inline In-Reply-To: <44oet5mivk.fsf@be-well.ilk.org> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . X-GPG-Key-ID: 828AFC7B X-GPG-Fingerprint: 5584 14BA C9EB 1524 0E68 F543 0F0A 7FBC 828A FC7B X-GPG-Key: http://www.seekingfire.com/gpg_key.asc X-Urban-Legend: There is lots of hidden information in headers User-Agent: Mutt/1.5.5.1i Subject: Re: mtree vs tripwire X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2004 23:19:25 -0000 --FK65GREB+Evh/hTL Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable
On Thu, Jan 15, 2004 at 08:38:55AM -0500, Lowell Gilbert wrote:
> Gregory Neil Shapiro writes:
> > I use:
> >
> > mtree -K sha1digest -c -X mtree.exclude -p / > mtree.out
> > Although I am sure there is a better way to do it with mtree, to
> > see if something has changed, I repeat the process and diff the
> > output.
>
> That would be
> mtree < mtree.out
> to have mtree do it itself.

I just now tried this:

[root@athena ~/landmine]# ls -l
total 41746
-rw-r--r--  1 root  wheel        46 Jan 20 14:58 mtree.exclude
-rw-r--r--  1 root  wheel  42713965 Jan 20 16:19 mtree.out
[root@athena ~/landmine]# mtree < mtree.out
mtree: line 270131: unknown keyword Burg

I'm fairly certain that that's not the intended result ;-)

That line, BTW, is just a file name with a space in it:

link=/opt/SC3U/buildings/Den Burg Bruges.bld

Am I missing something fairly simple?

-T

--
"Getting a SCSI chain working is perfectly simple if you remember that there must be exactly three terminations: one on one end of the cable, one on the far end, and the goat, terminated over the SCSI chain with a silver-handled knife whilst burning *black* candles." - Anthony DeBoer
--FK65GREB+Evh/hTL Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFADbd2Dwp/vIKK/HsRAuYyAJ4uV3PNxZFMS2Lhv2GzKmS3HPxp1ACbBiru pM1YL6Y8pMSgp3n/2BV2ibw= =/8hv -----END PGP SIGNATURE----- --FK65GREB+Evh/hTL-- From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 16:40:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 845BB16A4CE for ; Tue, 20 Jan 2004 16:40:30 -0800 (PST) Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net [204.127.202.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D27543D2D for ; Tue, 20 Jan 2004 16:40:29 -0800 (PST) (envelope-from freebsd-security-local@be-well.ilk.org) Received: from be-well.no-ip.com ([66.30.196.44]) by comcast.net (sccrmhc11) with ESMTP id <2004012100402801100j8i0ve>; Wed, 21 Jan 2004 00:40:28 +0000 Received: by be-well.no-ip.com (Postfix, from userid 1147) id 36AEEF; Tue, 20 Jan 2004 19:40:28 -0500 (EST) Sender: lowell@be-well.ilk.org To: freebsd-security@freebsd.org References: 
<20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> <20040114182154.GA22444@sheol.localdomain> <20040114182755.GX50342@horsey.gshapiro.net> <44oet5mivk.fsf@be-well.ilk.org> <20040120231918.GS24105@seekingfire.com> 
From: Lowell Gilbert Date: 20 Jan 2004 19:40:28 -0500 In-Reply-To: <20040120231918.GS24105@seekingfire.com> Message-ID: <447jzmcewz.fsf@be-well.ilk.org> Lines: 40 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: mtree vs tripwire X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 00:40:30 -0000
Tillman Hodgson writes:
> On Thu, Jan 15, 2004 at 08:38:55AM -0500, Lowell Gilbert wrote:
> > Gregory Neil Shapiro writes:
> > > I use:
> > >
> > > mtree -K sha1digest -c -X mtree.exclude -p / > mtree.out
> > > Although I am sure there is a better way to do it with mtree, to
> > > see if something has changed, I repeat the process and diff the
> > > output.
> >
> > That would be
> > mtree < mtree.out
> > to have mtree do it itself.
>
> I just now tried this:
>
> [root@athena ~/landmine]# ls -l
> total 41746
> -rw-r--r--  1 root  wheel        46 Jan 20 14:58 mtree.exclude
> -rw-r--r--  1 root  wheel  42713965 Jan 20 16:19 mtree.out
> [root@athena ~/landmine]# mtree < mtree.out
> mtree: line 270131: unknown keyword Burg
>
> I'm fairly certain that that's not the intended result ;-)
>
> That line, BTW, is just a file name with a space in it:
>
> link=/opt/SC3U/buildings/Den Burg Bruges.bld
>
> Am I missing something fairly simple?

Hmm. I've never had this problem, and when I try to trigger it deliberately, I find that my mtree specification has the spaces in the filenames escaped.

e.g.,
    foo\040bar\040baz \
From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 16:47:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4781516A4CE for ; Tue, 20 Jan 2004 16:47:30 -0800 (PST) Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0BD2E43D39 for ; Tue, 20 Jan 2004 16:47:29 -0800 (PST) (envelope-from tillman@seekingfire.com) Received: by mail.seekingfire.com (Postfix, from userid 500) id 95A8E155; Tue, 20 Jan 2004 18:47:28 -0600 (CST) Date: Tue, 20 Jan 2004 18:47:28 -0600 
From: Tillman Hodgson To: freebsd-security@freebsd.org Message-ID: <20040121004728.GV24105@seekingfire.com> References: <20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> <20040114182154.GA22444@sheol.localdomain> <20040114182755.GX50342@horsey.gshapiro.net> <44oet5mivk.fsf@be-well.ilk.org> <20040120231918.GS24105@seekingfire.com> <447jzmcewz.fsf@be-well.ilk.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <447jzmcewz.fsf@be-well.ilk.org> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . X-GPG-Key-ID: 828AFC7B X-GPG-Fingerprint: 5584 14BA C9EB 1524 0E68 F543 0F0A 7FBC 828A FC7B X-GPG-Key: http://www.seekingfire.com/gpg_key.asc X-Urban-Legend: There is lots of hidden information in headers User-Agent: Mutt/1.5.5.1i Subject: Re: mtree vs tripwire X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 00:47:30 -0000 On Tue, Jan 20, 2004 at 07:40:28PM -0500, Lowell Gilbert wrote: > Hmm. I've never had this problem, and when I try to trigger it > deliberately, I find that my mtree specification has the spaces in the > filenames escaped. > > e.g., > foo\040bar\040baz \ Interesting. I'm using -STABLE as of Jan 7/04 on this box ... is your mtree by any chance from -CURRENT? -T -- The ultimate question: Why does life exist? The answer: For life's sake. 
- ANONYMOUS, thought to be of Zensunni origin From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 20:22:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 006AF16A4D6; Tue, 20 Jan 2004 20:22:31 -0800 (PST) Received: from iwmail.xpdial.com (iwgate.xpdial.com [68.156.89.106]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAC3243D39; Tue, 20 Jan 2004 20:22:28 -0800 (PST) (envelope-from mark@s-wit.net) Received: from [24.73.52.111] by iwmail.xpdial.com (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.4.1)); Tue, 20 Jan 2004 23:26:10 -0500 Message-ID: <00dd01c3dfd6$2a7e1fd0$65a8a8c0@toshibauser> 
From: "Mark" To: "horio shoichi" , "Spades" References: <09bd01c3ddbc$9f829070$fa10fea9@bryanuptrvb0jc> <20040118.184351.3b20743ee03ef7d3.10.0.3.9@bugsgrief.net> Date: Tue, 20 Jan 2004 23:22:17 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 cc: freebsd-security@freebsd.org cc: freebsd-questions@freebsd.org Subject: Re: arp problem in /var/log/messages X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 04:22:31 -0000 But what causes them ? I get them too. > On Sun, 18 Jan 2004 20:14:29 +0800 > "Spades" wrote: > > hi all, i got flooded by these msgs like 1000+ lines, any idea? > > my kernel is dated Nov-30 FreeBSD 4.9-stable > > > > # tail -f /var/log/messages > > Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 > > to 00:50:0f:4f:c0:00 on rl0 > > Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 > > to 00:04:5a:49:eb:74 on rl0 > > Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 > > to 00:50:0f:4f:c0:00 on rl0 > > Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 > > to 00:04:5a:49:eb:74 on rl0 > > Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 > > to 00:50:0f:4f:c0:00 on rl0 > > > > thanks and regards, > > > > John > > > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > > > > # sysctl net.link.ether.inet.log_arp_wrong_iface=1 > > should mask the messages. 
> > > > horio shoichi > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Tue Jan 20 22:00:12 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2563D16A4CE; Tue, 20 Jan 2004 22:00:12 -0800 (PST) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id A493C43D31; Tue, 20 Jan 2004 22:00:10 -0800 (PST) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id D50CE1FF91D; Wed, 21 Jan 2004 07:00:08 +0100 (CET) Received: by transport.cksoft.de (Postfix, from userid 66) id 262E01FF90C; Wed, 21 Jan 2004 07:00:07 +0100 (CET) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id C8799153AA; Wed, 21 Jan 2004 05:53:54 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id BDBB015380; Wed, 21 Jan 2004 05:53:54 +0000 (UTC) Date: Wed, 21 Jan 2004 05:53:54 +0000 (UTC) 
From: "Bjoern A. Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: Mark In-Reply-To: <00dd01c3dfd6$2a7e1fd0$65a8a8c0@toshibauser> Message-ID: References: <09bd01c3ddbc$9f829070$fa10fea9@bryanuptrvb0jc> <20040118.184351.3b20743ee03ef7d3.10.0.3.9@bugsgrief.net> <00dd01c3dfd6$2a7e1fd0$65a8a8c0@toshibauser> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de cc: freebsd-security@freebsd.org cc: freebsd-questions@freebsd.org Subject: Re: arp problem in /var/log/messages X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 06:00:12 -0000
On Tue, 20 Jan 2004, Mark wrote:
> But what causes them ? I get them too.

one host, two NICs, same broadcast domain?

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/
From owner-freebsd-security@FreeBSD.ORG Wed Jan 21 06:59:52 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 243E316A4CE for ; Wed, 21 Jan 2004 06:59:52 -0800 (PST) Received: from sage-one.net (adsl-65-71-135-137.dsl.crchtx.swbell.net [65.71.135.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3DE143D2F for ; Wed, 21 Jan 2004 06:59:50 -0800 (PST) (envelope-from jackstone@sage-one.net) Received: from sagea (sagea.sage-american [10.0.0.3]) by sage-one.net (8.12.8p2/8.12.8) with SMTP id i0LExmIA011256; Wed, 21 Jan 2004 08:59:49 -0600 (CST) (envelope-from jackstone@sage-one.net) Message-Id: <3.0.5.32.20040121085949.01e93e00@10.0.0.10> X-Sender: jackstone@10.0.0.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 21 Jan 2004 08:59:49 -0600 To: "Bjoern A. Zeeb" , Mark 
From: "Jack L. Stone" In-Reply-To: References: <00dd01c3dfd6$2a7e1fd0$65a8a8c0@toshibauser> <09bd01c3ddbc$9f829070$fa10fea9@bryanuptrvb0jc> <20040118.184351.3b20743ee03ef7d3.10.0.3.9@bugsgrief.net> <00dd01c3dfd6$2a7e1fd0$65a8a8c0@toshibauser> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, hits=-4.7 required=4.5 tests=AWL,BAYES_00 autolearn=ham version=2.61-sage_one.rules_v3.1 X-Spam-Checker-Version: SpamAssassin 2.61-sage_one.rules_v3.1 (1.212.2.1-2003-12-09-exp) on sage-one.net cc: freebsd-security@freebsd.org Subject: Re: arp problem in /var/log/messages X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 14:59:52 -0000
At 05:53 AM 1.21.2004 +0000, Bjoern A. Zeeb wrote:
>On Tue, 20 Jan 2004, Mark wrote:
>
>> But what causes them ? I get them too.
>
>one host, two NICs, same broadcast domain?
>
>--
>Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT

Also, when NICs are switched around, especially if on a gateway machine. We just experienced this maddening issue. We moved an HD clone from one GW machine to another and it took a long time for any of the other machines to resolve the new NIC MAC, and we were thus peppered with those arp messages. When we also moved the old NIC over as well, the problems ALL stopped instantly. It eliminated the need for the arp cache to catch up to the switching of the MACs, which are cached along with the IPs. All of the machines then settled down. So, now with a CISCO and several switches involved, we now know to move the HD AND the NIC....

BTW, the Windows machines never did resolve the new NIC MAC after several hours, but the FBSD's did within about an hour. Lesson learned.

Best regards,

Jack L. 
Stone, Administrator SageOne Net http://www.sage-one.net jackstone@sage-one.net From owner-freebsd-security@FreeBSD.ORG Wed Jan 21 13:38:35 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47A3316A4CE for ; Wed, 21 Jan 2004 13:38:35 -0800 (PST) Received: from web60809.mail.yahoo.com (web60809.mail.yahoo.com [216.155.196.72]) by mx1.FreeBSD.org (Postfix) with SMTP id 27B3A43D1F for ; Wed, 21 Jan 2004 13:38:34 -0800 (PST) (envelope-from richard_bejtlich@yahoo.com) Message-ID: <20040121213833.57935.qmail@web60809.mail.yahoo.com> Received: from [68.84.6.72] by web60809.mail.yahoo.com via HTTP; Wed, 21 Jan 2004 13:38:33 PST Date: Wed, 21 Jan 2004 13:38:33 -0800 (PST) 
From: Richard Bejtlich To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: interface bonding X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 21:38:35 -0000
Hello,

On 9 Jan 04 I posted a method for bonding interfaces using netgraph for purposes of sniffing tap outputs as a single virtual interface. Unfortunately, the method I posted creates two copies of every packet.

I have used the following to successfully collect only one copy of packets sent from the two TX streams of a network tap:

#!/bin/sh
# sf2 and sf3 are real interfaces which receive tap
# outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the
# real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up

# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up

--

Sorry for the confusion earlier. I appreciate any comments on how to improve this method. Please check my 9 Jan post to see the setup which created the dual packets.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com

__________________________________
Do you Yahoo!? Yahoo! 
Hotjobs: Enter the "Signing Bonus" Sweepstakes http://hotjobs.sweepstakes.yahoo.com/signingbonus From owner-freebsd-security@FreeBSD.ORG Wed Jan 21 14:42:10 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A9B716A4CE for ; Wed, 21 Jan 2004 14:42:10 -0800 (PST) Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9816143D55 for ; Wed, 21 Jan 2004 14:42:08 -0800 (PST) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 239CC2078; Wed, 21 Jan 2004 23:42:05 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id C57155878; Wed, 21 Jan 2004 23:42:05 +0100 (CET) Date: Wed, 21 Jan 2004 23:42:05 +0100 (CET) 
From: Krzysztof Zaraska X-Sender: kzaraska@lhotse.zaraska.dhs.org To: "Devon H. O'Dell" In-Reply-To: <40016769.3030202@sitetronics.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: "freebsd-security@freebsd.org" Subject: Re: BSD-licensed IDS/IDP Software? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jan 2004 22:42:10 -0000 On Sun, 11 Jan 2004, Devon H. O'Dell wrote: > I seem to remember seeing somewhere (on this list/on the web -- don't > remember) that there was some ``Snort-like'' software that was > available under the BSD license. Unfortunately, I'm unable to find any > information about such software. Was I dreaming, or can anybody else > jog my memory? :) That one maybe: http://www.icir.org/vern/bro.html // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl // http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/ // A dream will always triumph over reality, once it is given the chance. // -- Stanislaw Lem From owner-freebsd-security@FreeBSD.ORG Thu Jan 22 00:33:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E3A2516A4CE; Thu, 22 Jan 2004 00:33:30 -0800 (PST) Received: from wind.select-servers.com (spec1.alterahosting.com [69.56.159.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 48A0443D54; Thu, 22 Jan 2004 00:33:29 -0800 (PST) (envelope-from school@radical.no) Received: from [195.196.97.247] (helo=COMPUTER12) by wind.select-servers.com with smtp (Exim 4.20) id 1AjaHH-0000Ij-TK; Thu, 22 Jan 2004 02:33:28 -0600 Message-ID: <004901c3e0c3$15f1f990$0bbba8c0@kenneth.local> 
From: "Kenneth Sundby" To: , References: <09bd01c3ddbc$9f829070$fa10fea9@bryanuptrvb0jc> <20040118.184351.3b20743ee03ef7d3.10.0.3.9@bugsgrief.net> <00dd01c3dfd6$2a7e1fd0$65a8a8c0@toshibauser> Date: Thu, 22 Jan 2004 09:38:16 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.3790.0 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - wind.select-servers.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - radical.no Subject: Re: arp problem in /var/log/messages X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2004 08:33:31 -0000 
From: "Jack L. Stone" > BTW, the Windows machines never did resolve the new NIC MAC after several > hours, but the FBSD's did within about an hour. Lesson learned. You can use "arp -d *" to delete the arp cache on windows. Kenneth Sundby From owner-freebsd-security@FreeBSD.ORG Thu Jan 22 01:13:08 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A042C16A4CE for ; Thu, 22 Jan 2004 01:13:08 -0800 (PST) Received: from phantom.cris.net (phantom.cris.net [212.110.130.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5175E43D39 for ; Thu, 22 Jan 2004 01:13:05 -0800 (PST) (envelope-from ru@FreeBSD.org.ua) Received: from phantom.cris.net (ru@localhost [127.0.0.1]) by phantom.cris.net (8.12.10/8.12.10) with ESMTP id i0M9Doem023102; Thu, 22 Jan 2004 11:13:50 +0200 (EET) (envelope-from ru@FreeBSD.org.ua) Received: (from ru@localhost) by phantom.cris.net (8.12.10/8.12.10/Submit) id i0M9DoYu023097; Thu, 22 Jan 2004 11:13:50 +0200 (EET) (envelope-from ru) Date: Thu, 22 Jan 2004 11:13:49 +0200 
From: Ruslan Ermilov To: Richard Bejtlich Message-ID: <20040122091349.GF21710@FreeBSD.org.ua> References: <20040121213833.57935.qmail@web60809.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="lHGcFxmlz1yfXmOs" Content-Disposition: inline In-Reply-To: <20040121213833.57935.qmail@web60809.mail.yahoo.com> User-Agent: Mutt/1.5.5.1i cc: freebsd-security@freebsd.org Subject: Re: interface bonding X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2004 09:13:08 -0000 --lHGcFxmlz1yfXmOs Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jan 21, 2004 at 01:38:33PM -0800, Richard Bejtlich wrote: > Hello, >=20 > On 9 Jan 04 I posted a method for bonding interfaces > using netgraph for purposes of sniffing tap outputs as > a single virtual interface. Unfortunately, the method > I posted creates two copies of every packet. >=20 > I have used the following to successfully collect only > one copy of packets sent from the two TX streams of a > network tap: >=20 > #!/bin/sh > # sf2 and sf3 are real interfaces which receive tap=20 > # outputs; ngeth0 is created by ngctl >=20 > # ng_ether must be loaded so netgraph can "see" the=20 > # real interfaces sf2 and sf3 > kldload ng_ether >=20 > # bring up the real interfaces > ifconfig sf2 promisc -arp up > ifconfig sf3 promisc -arp up >=20 > # create ngeth0 and bind sf2 and sf3 to it > ngctl mkpeer . eiface hook ether > ngctl mkpeer ngeth0: one2many lower one > ngctl connect sf2: ngeth0:lower lower many0 > ngctl connect sf3: ngeth0:lower lower many1 >=20 > # bring up ngeth0 for sniffing duties > ifconfig ngeth0 -arp up >=20 > -- >=20 > Sorry for the confusion earlier. 
> I appreciate any
> comments on how to improve this method. Please check
> my 9 Jan post to see the setup which created the dual
> packets.
>
This seems to work, too.

I believe that duplication you observe with the old method where you've
attached ng_eiface node instead of ng_ether node may have to do with a bug
I've fixed a month ago in src/sys/netgraph/ng_eiface.c,v 1.4.2.6, in
RELENG_4. Can you check if using this revision and the old method solves
the duplication?

Cheers,
--
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Thu Jan 22 14:02:06 2004
Message-Id: <3.0.1.32.20040122140044.024783ac@muse.calarts.edu>
Date: Thu, 22 Jan 2004 14:00:44 -0800
To: freebsd-security@freebsd.org
From: Karyn Williams
Subject: log messages to a specific file

I am trying to configure syslog.conf to send messages from one of my hosts
to a select file for that host. The host is currently sending messages to
the syslog server and they are being logged but I would like to have all
the messages from this host go to a separate file. FreeBSD 4.9-RELEASE

# $FreeBSD: src/etc/syslog.conf,v 1.13.2.4 2003/05/12 13:59:23 yar Exp $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.debug;auth.notice;mail.crit                         /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
+caioa.calarts.edu*.* /var/log/caioa.log     <------- this is the line I need help with
security.*                                                     /var/log/security
auth.info;authpriv.info                                        /var/log/auth.log
mail.info                                                      /var/log/maillog
lpr.info                                                       /var/log/lpd-errs
cron.*                                                         /var/log/cron
*.emerg                                                        *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                                                  /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
*.*                                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                                           @loghost

The file /var/log/caioa.log exists and is 600. I got the syntax off a web
page, but it is not working for me and I don't see anything in the man page
that explains how to do it. Any help would really be appreciated. Thanks.
--
Karyn Williams, CNE
Network Services Manager
California Institute of the Arts
karyn@calarts.edu
http://www.calarts.edu/network

From owner-freebsd-security@FreeBSD.ORG Thu Jan 22 17:12:53 2004
Message-ID: <20040122223509.5387.qmail@web60809.mail.yahoo.com>
Date: Thu, 22 Jan 2004 14:35:09 -0800 (PST)
From: Richard Bejtlich
To: Darren Reed
cc: freebsd-security@freebsd.org
Subject: Re: interface bonding
In-Reply-To: <200401220613.i0M6D65O010493@caligula.anu.edu.au>

--- Darren Reed wrote:
> I'm curious, can you use netgraph, like this or similar, to make
> sf2/sf3 redundant interfaces on the same LAN ? (Load balancing
> traffic in/out of an NFS server, say.)
>
> Darren

Hi Darren,

I think that's the real purpose behind ng_one2many:

http://www.freebsd.org/cgi/man.cgi?query=ng_one2many&apropos=0&sektion=0&manpath=FreeBSD+4.9-stable&format=html

My interest has always been combining tap transmit outputs, so I haven't
tried it. I do plan to test Ruslan's new code that addresses the
double-packet issue, once I have the time to work with my 4-stable box.

Sincerely,

Richard
http://www.taosecurity.com
From owner-freebsd-security@FreeBSD.ORG Thu Jan 22 22:36:11 2004
Date: Thu, 22 Jan 2004 23:36:01 -0700
From: Greg Lewis
To: Karyn Williams
cc: freebsd-security@freebsd.org
Subject: Re: log messages to a specific file
Message-ID: <20040123063601.GA54262@misty.eyesbeyond.com>
In-Reply-To: <3.0.1.32.20040122140044.024783ac@muse.calarts.edu>

On Thu, Jan 22, 2004 at 02:00:44PM -0800, Karyn Williams wrote:
> I am trying to configure syslog.conf to send messages from one of my hosts
> to a select file for that host. The host is currently sending messages to
> the syslog server and they are being logged but I would like to have all
> the messages from this host go to a separate file. FreeBSD 4.9-RELEASE
>
> # $FreeBSD: src/etc/syslog.conf,v 1.13.2.4 2003/05/12 13:59:23 yar Exp $
> #
> # Spaces ARE valid field separators in this file. However,
> # other *nix-like systems still insist on using tabs as field
> # separators. If you are sharing this file between systems, you
> # may want to use only tabs as field separators here.
> # Consult the syslog.conf(5) manpage.
> *.err;kern.debug;auth.notice;mail.crit /dev/console
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
> /var/log/messages
> +caioa.calarts.edu*.* /var/log/caioa.log
> <------- this is the line I need help with

Looking at the syslog.conf man page, I would guess you need to put two
lines like this at the end of your file:

+caioa.calarts.edu
*.* /var/log/caioa.log

If those two lines aren't at the end then you need to reset the hostname
specification with a +* line immediately following those two lines. Note
this is all just looking at the man page, I haven't tried it :).

> security.* /var/log/security
> auth.info;authpriv.info /var/log/auth.log
> mail.info /var/log/maillog
> lpr.info /var/log/lpd-errs
> cron.* /var/log/cron
> *.emerg *
> # uncomment this to log all writes to /dev/console to /var/log/console.log
> #console.info /var/log/console.log
> # uncomment this to enable logging of all log messages to /var/log/all.log
> # touch /var/log/all.log and chmod it to mode 600 before it will work
> *.* /var/log/all.log
> # uncomment this to enable logging to a remote loghost named loghost
> #*.* @loghost
>
> The file /var/log/caioa.log exists and is 600. I got the syntax off a web
> page, but it is not working for me and I don't see anything in the man page
> that explains how to do it.

Look at the paragraph which starts "A program specification is a line...".
Further on in that paragraph it mentions hostname specifications. It would
probably be worthwhile putting a host example in the EXAMPLES section too.
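The routing Greg describes, as an added example that is not part of his reply or of FreeBSD's syslogd: a small Python model of '+host' / '+*' hostname blocks in syslog.conf. It assumes the simplified selector semantics commented in the code (no '!program' blocks, no '-host' negation) and builds three constructed configurations from the lines in this thread. Running it shows that a security.* rule placed after a +host block without a +* reset silently stops receiving messages from every other host.

```python
import re

# syslog priorities from most to least severe; a selector level matches
# messages at that level or more severe (index <= selector index)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog_conf(text):
    """Parse syslog.conf(5)-style text into (host_filter, selectors, action)
    rules.  Constructed model covering only the subset this thread uses:
    '+host' / '+*' hostname blocks, ';'-separated selectors and
    'facility[,facility].level' with '*' and 'none'."""
    rules = []
    host_filter = None  # None: rules apply to messages from any host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):
            # hostname specification: it stays in force for every following
            # rule until the next '+' line; '+*' resets it to "any host"
            host = line[1:].split()[0]
            host_filter = None if host == "*" else host
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        parsed = []
        for sel in selectors.split(";"):
            facilities, level = sel.rsplit(".", 1)
            parsed.append((facilities.split(","), level))
        rules.append((host_filter, parsed, action))
    return rules


def route(rules, host, facility, level):
    """Return the actions a message from `host` with the given facility and
    level would be delivered to, in configuration order."""
    targets = []
    for host_filter, selectors, action in rules:
        if host_filter is not None and host_filter != host:
            continue
        # later selectors on one line override earlier ones for the same
        # facility, and a '*.level' selector resets every facility
        table = {}
        for facilities, lvl in selectors:
            if facilities == ["*"]:
                table = {"*": lvl}
            else:
                for fac in facilities:
                    table[fac] = lvl
        effective = table.get(facility, table.get("*"))
        if effective is None or effective == "none":
            continue
        if effective == "*" or LEVELS.index(level) <= LEVELS.index(effective):
            targets.append(action)
    return targets


# Constructed configurations assembled from the lines quoted in this thread.
# Host block placed last, as the reply suggests:
CONF_BLOCK_LAST = """
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
security.*                                                     /var/log/security
+caioa.calarts.edu
*.*                                                            /var/log/caioa.log
"""

# Host block in the middle with no '+*' reset: the security.* rule below it
# now applies only to caioa.calarts.edu
CONF_NO_RESET = """
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
+caioa.calarts.edu
*.*                                                            /var/log/caioa.log
security.*                                                     /var/log/security
"""

# Same layout with the reset line inserted before the security.* rule
CONF_WITH_RESET = CONF_NO_RESET.replace("security.*", "+*\nsecurity.*", 1)


def demo():
    """Route the same constructed messages through the three configurations."""
    results = {}
    for name, conf in (("block_last", CONF_BLOCK_LAST),
                       ("no_reset", CONF_NO_RESET),
                       ("with_reset", CONF_WITH_RESET)):
        rules = parse_syslog_conf(conf)
        results[name] = {
            "caioa daemon.notice": route(rules, "caioa.calarts.edu", "daemon", "notice"),
            "other security.info": route(rules, "otherhost", "security", "info"),
            "other authpriv.notice": route(rules, "otherhost", "authpriv", "notice"),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The model does not try to reproduce what syslogd does with the malformed one-line form from the original post; its point is the scoping rule in the reply: a '+host' line changes the meaning of every rule after it until a '+*' line puts things back.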
--
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Fri Jan 23 01:11:43 2004
Message-Id: <6.0.1.1.2.20040123170720.02a693d0@202.179.0.80>
Date: Fri, 23 Jan 2004 17:15:37 +0800
To: freebsd-security@freebsd.org
From: Ganbold
Subject: keyboard activity logging in FreeBSD

Hi,

I would like to log all keyboard activities in all ttys in my FreeBSD 5.2
box. Is there any way to do it? I read the watch man page and it seems like
I should run watch with tty as many times as the number of ttys. Am I
right? Also is it possible to do the log in an invisible way?
The main reason is to log all commands typed in shell and tty and send the
log to the remote server.
How can I accomplish that?
Any help and directions are greatly appreciated.

thanks in advance,

Ganbold

From owner-freebsd-security@FreeBSD.ORG Fri Jan 23 01:17:10 2004
Message-ID: <20651.62.202.1.66.1074849428.squirrel@my.modwest.com>
Date: Fri, 23 Jan 2004 10:17:08 +0100 (CET)
From: "Yoan Talagrand"
cc: freebsd-security@freebsd.org
Subject: Re: keyboard activity logging in FreeBSD
In-Reply-To: <6.0.1.1.2.20040123170720.02a693d0@202.179.0.80>

Hi Ganbold,

This issue has been discussed here recently; I suggest you browse the
archives of the last 2 months.

Best regards,

Yoan Talagrand

> Hi,
>
> I would like to log all keyboard activities in all ttys in my FreeBSD
> 5.2 box. Is there any way to do it? I read the watch man page and it
> seems like I should run watch with tty as many times as the number of ttys.
> Am I right? Also is it possible to do the log in an invisible way?
> The main reason is to log all commands typed in shell and tty and send
> the log to the remote server.
> How can I accomplish that?
> Any help and directions are greatly appreciated.
>
> thanks in advance,
>
> Ganbold
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri Jan 23 01:47:02 2004
From: "Nick Twaddell"
Date: Fri, 23 Jan 2004 01:47:23 -0800
Organization: Web Space Solutions
Subject: ipfw + named problem
Message-Id: <20040123094657.8E11843D49@mx1.FreeBSD.org>

Ok, I am really stumped on this one. I set up ipfw with all my rules.
Everything works great except for dns. If I do nslookup I get

-su-2.05b# nslookup yahoo.com
Server:  localhost.webspacesolutions.com
Address:  127.0.0.1

*** localhost.webspacesolutions.com can't find yahoo.com: Non-existent host/domain

This is what I have in my ipfw.rules

add 00310 allow tcp from any to any 53 out via de0 setup keep-state
add 00311 allow udp from any to any 53 out via de0 keep-state

What am I missing??

Thanks
Nick

From owner-freebsd-security@FreeBSD.ORG Fri Jan 23 01:52:19 2004
From: "Nick Twaddell"
To: "'Gogh, Ruben van'"
Date: Fri, 23 Jan 2004 01:52:44 -0800
Organization: Web Space Solutions
Subject: RE: ipfw + named problem
Message-Id: <20040123095218.6A28A43D3F@mx1.FreeBSD.org>
In-Reply-To: <0FDD52D38220D611B7CC0004763B37448F0156@HNTS-04>

:P I got it fixed, I had a little typo in my rules. It's late!

Nick

-----Original Message-----
From: Gogh, Ruben van [mailto:R.v.Gogh@kappe-int.com]
Sent: Friday, January 23, 2004 1:49 AM
To: 'Nick Twaddell'
Cc: 'security@freebsd.org'
Subject: RE: ipfw + named problem

Are you sure you have a hints file for bind ? ;-)

Regards,

Ruben van Gogh

-----Original Message-----
From: Nick Twaddell [mailto:nick@webspacesolutions.com]
Sent: Friday, January 23, 2004 10:47
To: security@freebsd.org
Subject: ipfw + named problem

Ok, I am really stumped on this one. I set up ipfw with all my rules.
Everything works great except for dns. If I do nslookup I get

-su-2.05b# nslookup yahoo.com
Server:  localhost.webspacesolutions.com
Address:  127.0.0.1

*** localhost.webspacesolutions.com can't find yahoo.com: Non-existent host/domain

This is what I have in my ipfw.rules

add 00310 allow tcp from any to any 53 out via de0 setup keep-state
add 00311 allow udp from any to any 53 out via de0 keep-state

What am I missing??

Thanks
Nick
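How the two posted rules carry a recursive lookup, as an added example that is not part of this thread and is not ipfw's own code: a small Python model of stateful ipfw evaluation. It assumes the simplified matching semantics commented in the code, constructed addresses for the host running named and for the upstream server, and a constructed interface-name typo (the thread does not say what the real typo was). It shows that the keep-state on the outbound query is what admits the answer, that an unsolicited "answer" with no matching state falls through to the default deny, and that a single mistyped token sends the query itself to the default deny, leaving named with no answer at all.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "num action proto src dst dport direction iface setup keep_state")
Packet = namedtuple("Packet", "proto src sport dst dport direction iface syn")


def parse_rule(line):
    """Parse one 'add NUM ACTION PROTO from SRC to DST [PORT] [in|out]
    [via IFACE] [setup] [keep-state]' line (the subset used in this thread)."""
    t = line.split()
    if len(t) < 8 or t[0] != "add" or t[4] != "from" or t[6] != "to":
        raise ValueError("unsupported rule syntax: %r" % line)
    num, action, proto, src, dst = int(t[1]), t[2], t[3], t[5], t[7]
    rest = t[8:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    direction = iface = None
    setup = keep_state = False
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "via":
            i += 1
            iface = rest[i]
        elif tok == "setup":
            setup = True
        elif tok == "keep-state":
            keep_state = True
        else:
            # a mistyped keyword is rejected rather than silently ignored
            raise ValueError("unknown token %r in rule %d" % (tok, num))
        i += 1
    return Rule(num, action, proto, src, dst, dport, direction, iface, setup, keep_state)


def _matches(rule, pkt):
    """Static match of one packet against one rule."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.setup and not pkt.syn:
        return False
    return True


class Firewall:
    """Minimal stateful evaluator: at the first keep-state rule the dynamic
    table is consulted, so the reply to an allowed outbound flow is admitted
    without a separate inbound rule.  Anything unmatched hits the deny tail."""

    def __init__(self, rule_text):
        self.rules = sorted((parse_rule(ln) for ln in rule_text.strip().splitlines()),
                            key=lambda r: r.num)
        self.state = set()

    def process(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for rule in self.rules:
            if rule.keep_state and (flow in self.state or reverse in self.state):
                return ("allow", rule.num, "dynamic")
            if _matches(rule, pkt):
                if rule.keep_state:
                    self.state.add(flow)
                return (rule.action, rule.num, "static")
        return ("deny", 65535, "default")


# The two rules from the post, plus a constructed default-deny tail
RULES_POSTED = """
add 00310 allow tcp from any to any 53 out via de0 setup keep-state
add 00311 allow udp from any to any 53 out via de0 keep-state
add 65535 deny ip from any to any
"""

# Constructed illustration of the kind of typo that breaks resolution:
# a wrong interface name, so the outbound query never matches rule 311
RULES_TYPO = RULES_POSTED.replace("via de0", "via de1")

RESOLVER = "192.0.2.10"      # constructed address of the host running named
UPSTREAM = "198.51.100.53"   # constructed upstream name server


def dns_exchange(rule_text):
    """Push named's recursive query, the answer that comes back, and an
    unsolicited inbound 'answer' through the rules; return the verdicts."""
    fw = Firewall(rule_text)
    query = Packet("udp", RESOLVER, 49152, UPSTREAM, 53, "out", "de0", False)
    reply = Packet("udp", UPSTREAM, 53, RESOLVER, 49152, "in", "de0", False)
    stray = Packet("udp", "203.0.113.9", 53, RESOLVER, 49152, "in", "de0", False)
    return {"query": fw.process(query), "reply": fw.process(reply),
            "stray": fw.process(stray)}


if __name__ == "__main__":
    print("posted rules:", dns_exchange(RULES_POSTED))
    print("typo'd rules:", dns_exchange(RULES_TYPO))
```

The parser rejects unknown tokens on purpose: a rule file that fails to load is easier to diagnose than one that loads with a keyword quietly dropped, which is the situation a late-night typo produces.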
From owner-freebsd-security@FreeBSD.ORG Fri Jan 23 01:54:57 2004
From: "Remko Lodder"
To: "Freebsd-Security@Freebsd. Org"
Date: Fri, 23 Jan 2004 10:55:32 +0100
Message-Id: <20040123095455.D68FB2B4D89@redqueen.elvandar.org>
Subject: FW: [Freebsd-security] ipfw + named problem

forgot this addr.

--
Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

-----Original Message-----
From: Remko Lodder [mailto:remko@elvandar.org]
Sent: Friday, January 23, 2004 10:53
To: Nick Twaddell
Subject: RE: [Freebsd-security] ipfw + named problem

Did you tcpdump the packets so that you can follow their trail and see
where the packets are not routed anymore? Perhaps another filter is in
place somewhere? What does your logging say, can you log with ipfw? (I
don't know ipfw, sorry ;-)) Perhaps you can add more log rules to follow
the blocks and these explicit accepts?

cheers
--
Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

-----Original Message-----
From: freebsd-security-bounces@lists.elvandar.org
[mailto:freebsd-security-bounces@lists.elvandar.org] On Behalf Of Nick Twaddell
Sent: Friday, January 23, 2004 10:47
To: security@freebsd.org
Subject: [Freebsd-security] ipfw + named problem

Ok, I am really stumped on this one. I set up ipfw with all my rules.
Everything works great except for dns.
If I do nslookup I get

-su-2.05b# nslookup yahoo.com
Server:  localhost.webspacesolutions.com
Address:  127.0.0.1

*** localhost.webspacesolutions.com can't find yahoo.com: Non-existent host/domain

This is what I have in my ipfw.rules

add 00310 allow tcp from any to any 53 out via de0 setup keep-state
add 00311 allow udp from any to any 53 out via de0 keep-state

What am I missing??

Thanks
Nick

_______________________________________________
Freebsd-security mailing list
Freebsd-security@lists.elvandar.org
http://lists.elvandar.org/mailman/listinfo/freebsd-security

From owner-freebsd-security@FreeBSD.ORG Fri Jan 23 02:13:46 2004
Date: Fri, 23 Jan 2004 10:13:43 +0000
From: Jez Hancock
To: ganbold@micom.mng.net
cc: freebsd-security@freebsd.org
Subject: Re: keyboard activity logging in FreeBSD
Message-ID: <20040123101343.GD81453@users.munk.nu>
In-Reply-To: <20651.62.202.1.66.1074849428.squirrel@my.modwest.com>

On Fri, Jan 23, 2004 at 10:17:08AM +0100, Yoan Talagrand wrote:
> Hi Ganbold,
> This issue has been discussed here recently; I suggest you browse the
> archives of the last 2 months.
This thread in particular:

http://marc.theaimsgroup.com/?t=107342322900001&r=1&w=2

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - Another FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging