From owner-freebsd-security@FreeBSD.ORG Sun Feb 8 23:32:39 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1FC8A16A4CE for ; Sun, 8 Feb 2004 23:32:39 -0800 (PST)
Received: from mail.jpbv.nl (asd-rzbg-2a57.mxs.adsl.euronet.nl [212.129.170.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8168043D1F for ; Sun, 8 Feb 2004 23:32:38 -0800 (PST) (envelope-from R.v.Gogh@kappe-int.com)
Received: by HNTS-04 with Internet Mail Service (5.5.2657.72) id <1Q6C8W4C>; Mon, 9 Feb 2004 08:32:37 +0100
Message-ID: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>
From: "Gogh, Ruben van"
To: "'freebsd-security@freebsd.org'"
Date: Mon, 9 Feb 2004 08:32:36 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain
Subject: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 09 Feb 2004 07:32:39 -0000

Hey Guys,

a brand new week so let's try again. I'll try to be as complete as possible so that I won't receive freebsd-handbook questions as a reply.

Last Friday I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to default accept in my kernel config file. config & make weren't complaining so, installed the kernel, reboot and there it was:

> IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Output of ipfw show:

    65535 0 0 deny ip from any to any

There are no such things as settings in rc.conf like firewall_type="closed" or whatsoever. When I boot up with the older kernel it uses default to accept... I triple checked the config file for the right settings.
And, as I did config && make depend && make install, the system wasn't complaining about a thing. Another rebuild didn't work out so... I reviewed /usr/src/UPDATING but there's no such thing as dropping IPFIREWALL_DEFAULT_TO_ACCEPT. And! I have this problem also on another 4.8-RELEASE-p15 box...

So, is this a true bug or what?

Regards,
Ruben

********************************************
The information in this e-mail is personal and may contain confidential and/or privileged material. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient, any use, disclosure, copying, distribution or action taken on it is prohibited. If you have received this communication in error please notify us by e-mail and then delete the e-mail and all attachments.
********************************************

From owner-freebsd-security@FreeBSD.ORG Mon Feb 9 01:11:32 2004
From: Andriy Tkachuk
To: freebsd-security@freebsd.org
Date: Mon, 9 Feb 2004 11:11:25 +0200 (EET)
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
Message-ID: <20040209105800.T33433@tele.imt.com.ua>
In-Reply-To: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>
References: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>
just for experiment, try:

    cd /usr/src
    make buildkernel KERNCONF= && make installkernel KERNCONF=

> config & make weren't complaining so, installed the kernel, reboot and there
> it was:
...
> I triple checked the config file for the right settings. And, as I did
> config && make depend && make install the system
> wasn't complaining about a thing.

did you ever make clean? anyway this is true: you are using the old style of kernel rebuilding. To my mind the new one is more convenient, so I don't know why people fight with the old one - habit? :)

just do as is written in the handbook and then say what is not true in it

regards

From owner-freebsd-security@FreeBSD.ORG Mon Feb 9 01:22:08 2004
From: Andriy Tkachuk
To: freebsd-security@freebsd.org
Date: Mon, 9 Feb 2004 11:22:03 +0200 (EET)
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
Message-ID: <20040209111434.G33433@tele.imt.com.ua>
In-Reply-To: <20040209105800.T33433@tele.imt.com.ua>
References: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04> <20040209105800.T33433@tele.imt.com.ua>

sorry: i just checked the handbook and there it is written that there are two ways: new and traditional.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

So: you failed in the traditional one; anyway it's interesting if there will be the same result with the new way.

On Mon, 9 Feb 2004, Andriy Tkachuk wrote:

> just for experiment, try:
>
>     cd /usr/src
>     make buildkernel KERNCONF= && make installkernel KERNCONF=
>
> > config & make weren't complaining so, installed the kernel, reboot and there
> > it was:
> ...
> > I triple checked the config file for the right settings. And, as I did
> > config && make depend && make install the system
> > wasn't complaining about a thing.
>
> did you ever make clean? anyway this is true: you are using the old style
> of kernel rebuilding. To my mind the new one is more convenient, so I don't
> know why people fight with the old one - habit? :)
>
> just do as is written in the handbook and then say what is not true in it
>
> regards

From owner-freebsd-security@FreeBSD.ORG Mon Feb 9 01:23:59 2004
From: Peter Jeremy
To: "Gogh, Ruben van"
cc: "'freebsd-security@freebsd.org'"
Date: Mon, 9 Feb 2004 20:23:47 +1100
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
Message-ID: <20040209092347.GA43158@server.vk2pj.dyndns.org>
In-Reply-To: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>
References: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>

On Mon, Feb 09, 2004 at 08:32:36AM +0100, Gogh, Ruben van wrote:
> Last Friday I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to
> default accept in my kernel config file.
> config & make weren't complaining so, installed the kernel, reboot and there
> it was:
>> IP packet filtering initialized, divert disabled, rule-based forwarding
> enabled, default to deny, logging disabled
> Output of ipfw show:
> 65535 0 0 deny ip from any to any

This means IPFIREWALL_DEFAULT_TO_ACCEPT is not defined when /sys/netinet/ip_fw.c is compiled.

Do you have "options INCLUDE_CONFIG_FILE"? If so, does "options IPFIREWALL_DEFAULT_TO_ACCEPT" show up in your kernel?

Does /usr/obj/usr/src/sys/<>/opt_ipfw.h or /sys/compile/<>/opt_ipfw.h include the lines:

    #define IPFIREWALL 1
    #define IPFIREWALL_DEFAULT_TO_ACCEPT 1

Does the kernelname in your dmesg.boot match your expected config?

Have you wiped /usr/obj[/usr/src/sys/<>] or /sys/compile and re-built the kernel?

Have you tried wiping /usr/src[/sys], re-extracting/cvsuping and re-building?

> There are no such things as settings in rc.conf like firewall_type="closed"
> or whatsoever. When I boot up with the older kernel it uses default to
> accept...

What version is this kernel?

> I triple checked the config file for the right settings. And, as I did
> config && make depend && make install the system
> wasn't complaining about a thing.

I gather from this that you are using the "old" kernel build strategy. You are aware that this is missing a step: Neither "make depend" nor "make install" actually compiles the kernel. You need to do a "make" in between.
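Peter's checklist turned into a script, added here as an example and not part of the thread: it reads the compiled-in default from the generated opt_ipfw.h and the effective default from rule 65535 of "ipfw show", and flags the mismatch Ruben is seeing. The function names, the <KERNEL> placeholder and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Cross-checks the ipfw default
# policy compiled into a FreeBSD kernel (opt_ipfw.h) against the policy the
# running kernel reports (rule 65535 of "ipfw show"). Both inputs are passed
# as strings so the checks can run offline on captured output.
# <KERNEL> below is a placeholder for the kernel config name.

# Print "accept" or "deny" according to the IPFIREWALL_DEFAULT_TO_ACCEPT
# define in an opt_ipfw.h.  $1 = contents of the header.
compiled_default_policy() {
    if printf '%s\n' "$1" |
        grep -Eq '^#define[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT[[:space:]]+1'; then
        echo accept
    else
        echo deny
    fi
}

# Print the effective default from rule 65535, or "unknown" if the rule is
# missing.  $1 = output of "ipfw show" (with counters) or "ipfw list".
runtime_default_policy() {
    printf '%s\n' "$1" | awk '
        $1 == 65535 {
            found = 1
            # skip the packet/byte counters that "ipfw show" prints before the action
            for (i = 2; i <= NF; i++) if ($i !~ /^[0-9]+$/) { action = $i; break }
            verdict = (action == "allow" || action == "accept" || action == "pass" || action == "permit") ? "accept" : "deny"
            print verdict
        }
        END { if (!found) print "unknown" }'
}

# Compare the two views. Returns 0 when they agree, 1 on the mismatch seen in
# this thread (config says accept, running kernel says deny).
# $1 = opt_ipfw.h contents, $2 = "ipfw show" output.
check_ipfw_default() {
    compiled=$(compiled_default_policy "$1")
    runtime=$(runtime_default_policy "$2")
    if [ "$compiled" = "$runtime" ]; then
        echo "ok: compiled-in default ($compiled) matches rule 65535 ($runtime)"
        return 0
    fi
    echo "MISMATCH: opt_ipfw.h says $compiled but rule 65535 says $runtime"
    echo "  the running kernel was not built from this opt_ipfw.h: compare the kernel"
    echo "  name in /var/run/dmesg.boot with your config and rebuild with a real 'make' step"
    return 1
}

# Constructed sample inputs reproducing the symptom reported in the thread.
SAMPLE_OPT_IPFW='#define IPFIREWALL 1
#define IPFIREWALL_DEFAULT_TO_ACCEPT 1'
SAMPLE_IPFW_SHOW='00100 12 960 allow ip from any to any via lo0
65535  0   0 deny ip from any to any'

# Live use: check_ipfw_default "$(cat /sys/compile/<KERNEL>/opt_ipfw.h)" "$(ipfw show)"
if check_ipfw_default "$SAMPLE_OPT_IPFW" "$SAMPLE_IPFW_SHOW"; then
    echo "exit status: 0"
else
    echo "exit status: $?"
fi
```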
Peter

From owner-freebsd-security@FreeBSD.ORG Mon Feb 9 02:25:34 2004
From: freebsd@tern.ru
Reply-To: Alexandre Krasnov
Organization: Tern
To: Peter Pentchev
cc: freebsd-security@freebsd.org
Date: Mon, 9 Feb 2004 13:27:37 +0300
Subject: Re[2]: ipfw question
Message-ID: <445120208.20040209132737@tern.ru>
In-Reply-To: <20040206111051.GB724@straylight.m.ringlet.net>
References: <614479869.20040206131706@tern.ru> <20040206103833.GD4848@straylight.m.ringlet.net> <1424875954.20040206134618@tern.ru> <20040206111051.GB724@straylight.m.ringlet.net>

It's funny. This (your) variant:

    ipfw add count from IP1 not to { IP2,IP3 }

was accepted by ipfw but resulted in (was rewritten by ipfw as) the rule:

    ipfw add count from IP1 to not IP2,IP3

So, I guess that my initial

    ipfw add count from IP1 to not IP2,IP3

should be what I was looking for. Thank you for your reply.

Indeed "not to { IP2,IP3 }" is a clearer sentence from the point of view of human logic than the one used by ipfw :)

Alex.

PP> On Fri, Feb 06, 2004 at 01:46:18PM +0300, freebsd@tern.ru wrote:
PP> [actually, I wrote]
>> PP> Could you try
>> PP> ipfw add count from IP1 to not { IP2,IP3 }
>>
>> Definitely I tried it already before writing to the group. It does not
>> work.
>> Here is the exact error message for this try:
>> ipfw: hostname ``'' unknown

PP> Er, sorry, my mistake; could you try 'not to' instead of 'to not'? :)

PP> G'luck,
PP> Peter

From owner-freebsd-security@FreeBSD.ORG Tue Feb 10 12:48:04 2004
From: Mike Tancsa
To: freebsd-security@freebsd.org
Date: Tue, 10 Feb 2004 15:47:28 -0500
Message-Id: <6.0.3.0.0.20040210154335.04a3c9f8@209.112.4.2>
Subject: Longest known unpatched FreeBSD security issue ?

Does anyone know off hand what the longest known serious security issue (i.e. remote compromise) has been with FreeBSD that went unpatched? e.g. security hole is reported to security-officer@FreeBSD.org. X days later, fix and advisory committed. What has been the largest X? My jaw dropped when I saw http://www.eeye.com/html/Research/Upcoming/index.html

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 00:49:41 2004
From: Illia Baidakov
Reply-To: Illia Baidakov
To: freebsd-security@freebsd.org
Date: Wed, 11 Feb 2004 11:49:38 +0300
Subject: Kernel log output meaning
Message-ID: <1227359974.20040211114938@newchem.ru>

Hello security,

This output I've received from the conventional cron daily job:

[...]
gw.nbh.ru kernel log messages:
> Limiting closed port RST response from 201 to 200 packets per second
[...]

where fxp0 is an external interface. What could cause such messages?

In /var/log/messages the above string was preceded by the line:

    Feb 10 13:24:29 gw /kernel: ipfw: limit 100 reached on entry 10800

The current ipfw #10800 entry says:

    10800 1204 52976 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0

/var/log/security at this time shows many lines looking like this:

    Feb 10 13:24:29 gw /kernel: ipfw: 10800 Deny TCP 11.22.33.44:1376 172.29.249.249:7 out via fxp0

11.22.33.44 is my fxp0 iface address. I do not think I have tried to initiate such connections purposely. Possibly by playing with spamassassin?.. Remember, I had a failed attempt to download its source from its website somewhere at that time. (The second download attempt succeeded.)

--
Thanks in advance,
Illia Baidakov.
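A triage helper for the /var/log/security lines Illia quotes, added here as an example and not part of the thread: it groups ipfw log entries by rule, counts distinct peers and destination ports, records when the rule's logamount limit was hit (after which the counts are only a lower bound), and labels one-port-many-hosts versus many-ports-one-host bursts. The function name, the threshold argument and the sample lines other than Illia's own two are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise ipfw(8) log lines from
# /var/log/security per rule so that a burst like the one Illia saw can be
# read at a glance. Input is read from stdin; $1 is the number of distinct
# targets that counts as scan-like (constructed default 10).
#
# Line shapes handled (taken from the thread):
#   ... /kernel: ipfw: 10800 Deny TCP 11.22.33.44:1376 172.29.249.249:7 out via fxp0
#   ... /kernel: ipfw: limit 100 reached on entry 10800
# The second one is emitted when a "log logamount N" rule stops logging, so
# every count below it is a lower bound until "ipfw resetlog" is run.
ipfw_log_summary() {
    awk -v min="${1:-10}" '
    {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next                       # not an ipfw line
        if ($(i + 1) == "limit") {             # "limit N reached on entry RULE"
            limited[$(i + 6)] = 1
            next
        }
        rule = $(i + 1); action = $(i + 2)
        src = $(i + 4);  dst = $(i + 5)
        if (!(rule in entries)) where[rule] = $(i + 6) " " $(i + 7) " " $(i + 8)
        entries[rule]++
        split(src, s, ":"); split(dst, d, ":")  # host:port; ICMP lines carry no port
        if (d[2] == "") d[2] = "-"
        if (!((rule, s[1]) in seen_src))  { seen_src[rule, s[1]] = 1;  nsrc[rule]++ }
        if (!((rule, d[1]) in seen_host)) { seen_host[rule, d[1]] = 1; nhost[rule]++ }
        if (!((rule, d[2]) in seen_port)) { seen_port[rule, d[2]] = 1; nport[rule]++ }
        act[rule] = action
    }
    END {
        for (r in entries) {
            pattern = "-"
            if (nport[r] == 1 && nhost[r] >= min) pattern = "sweep"          # one port, many hosts
            else if (nhost[r] == 1 && nport[r] >= min) pattern = "portscan"  # many ports, one host
            lim = (r in limited) ? "yes" : "no"
            printf "rule %s %s %s: entries=%d sources=%d dst_hosts=%d dst_ports=%d limit_reached=%s pattern=%s\n",
                   r, act[r], where[r], entries[r], nsrc[r], nhost[r], nport[r], lim, pattern
        }
    }' | sort
}

# Constructed sample: Illia's lines plus variants, and an unrelated inbound hit.
SAMPLE_SECURITY_LOG='Feb 10 13:24:29 gw /kernel: ipfw: 10800 Deny TCP 11.22.33.44:1376 172.29.249.249:7 out via fxp0
Feb 10 13:24:29 gw /kernel: ipfw: 10800 Deny TCP 11.22.33.44:1377 172.29.249.250:7 out via fxp0
Feb 10 13:24:29 gw /kernel: ipfw: 10800 Deny TCP 11.22.33.44:1378 172.29.249.251:7 out via fxp0
Feb 10 13:24:30 gw /kernel: ipfw: 10800 Deny TCP 11.22.33.44:1379 172.29.249.249:7 out via fxp0
Feb 10 13:24:29 gw /kernel: ipfw: limit 100 reached on entry 10800
Feb 10 13:25:01 gw /kernel: ipfw: 300 Deny TCP 203.0.113.9:4444 11.22.33.44:22 in via fxp0'

# Live use: ipfw_log_summary 10 < /var/log/security
printf '%s\n' "$SAMPLE_SECURITY_LOG" | ipfw_log_summary 3
```

With the sample above, rule 10800 reports four entries from one source to three hosts on a single port (7, the echo service) with the log limit reached, which is why the counter on the rule is far higher than the number of logged lines.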
From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 01:29:50 2004
From: roberto@redix.it
To: freebsd-security@freebsd.org
Date: Wed, 11 Feb 2004 10:29:46 +0100 (CET)
Subject: Question about securelevel
Message-ID: <1093.192.168.0.77.1076491786.squirrel@mail.redix.it>

I've read about securelevel in the mailing list archive, and found some pitfalls (and it seems to me it is to be discarded soon). But according to me, the following configuration should offer good security:

- mount root fs read only at boot;
- set securelevel to 3;
- do not permit to unmount/remount root fs read-write (now it is possible by means of "mount -uw /");
- the only way to make changes to the file system is to reboot in single user, before the securelevel is set to 3, and make the changes needed (this means the administrator should use only the console);

Any comments about?
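A point-in-time audit of the configuration Roberto proposes, added here as an example and not part of the thread: it checks kern.securelevel, whether / is mounted read-only, and whether the startup files carry the schg flag, since at securelevel 1 and above that flag cannot be cleared, so an immutable /etc/rc.conf keeps its securelevel lines even if the root filesystem is remounted read-write. Function names and the sample command outputs are constructed; on a live box the inputs are "sysctl -n kern.securelevel", "mount" and "ls -lo /etc/rc.conf /etc/rc /etc/fstab".

```shell
#!/bin/sh
# Added example, not code from the thread: audit the hardening Roberto
# describes (securelevel 3, read-only root, immutable startup files).
# Every check takes captured command output as a string, so it runs
# offline; the sample outputs at the bottom are constructed.

# 0 if $1 (value of "sysctl -n kern.securelevel") is an integer >= $2.
securelevel_ok() {
    case "${1#-}" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# 0 if the output of mount(8) in $1 shows / mounted read-only.
root_readonly() {
    printf '%s\n' "$1" | grep -E ' on / \(.*read-only' >/dev/null
}

# Print each path in an "ls -lo" listing ($1) whose flags field lacks schg.
# Returns 0 only when every listed file is immutable.
missing_schg() {
    printf '%s\n' "$1" | awk '
        NF >= 10 && $5 !~ /(^|,)schg(,|$)/ { print $NF; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Run all checks, print findings, return the number of findings (0 = clean).
# $1 = securelevel, $2 = mount output, $3 = ls -lo output for the startup files.
securelevel_audit() {
    findings=0
    securelevel_ok "$1" 3 || {
        echo "FINDING: kern.securelevel is '$1', expected 3 (ipfw rules and file flags stay frozen)"
        findings=$((findings + 1))
    }
    root_readonly "$2" || {
        echo "FINDING: / is not mounted read-only"
        findings=$((findings + 1))
    }
    unprotected=$(missing_schg "$3") || {
        echo "FINDING: no schg flag (editable once / is remounted rw): $(echo "$unprotected" | tr '\n' ' ')"
        findings=$((findings + 1))
    }
    [ "$findings" -eq 0 ] && echo "ok: securelevel 3, read-only /, startup files immutable"
    return "$findings"
}

# Constructed sample outputs: level 3, read-only root, but /etc/rc not schg.
SAMPLE_LEVEL=3
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local, read-only)
/dev/ad0s1e on /var (ufs, local, soft-updates)'
SAMPLE_LS='-rw-r--r--  1 root  wheel  schg  1240 Feb 11 09:10 /etc/rc.conf
-r-xr-xr-x  1 root  wheel  -     9876 Feb 11 09:10 /etc/rc
-rw-r--r--  1 root  wheel  schg   512 Feb 11 09:10 /etc/fstab'

# Live use: securelevel_audit "$(sysctl -n kern.securelevel)" "$(mount)" "$(ls -lo /etc/rc.conf /etc/rc /etc/fstab)"
if securelevel_audit "$SAMPLE_LEVEL" "$SAMPLE_MOUNT" "$SAMPLE_LS"; then
    echo "findings: 0"
else
    echo "findings: $?"
fi
```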
Bye,
Roberto

From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 01:55:47 2004
From: Ismail YENIGUL
To: roberto@redix.it
cc: freebsd-security@freebsd.org
Date: Thu, 12 Feb 2004 11:54:05 +0200
Subject: Re: Question about securelevel
Message-ID: <20040212095405.GA47173@EnderUNIX.ORG>
In-Reply-To: <1093.192.168.0.77.1076491786.squirrel@mail.redix.it>
References: <1093.192.168.0.77.1076491786.squirrel@mail.redix.it>

Hi

Did you look at the securelevel manual?

    # man securelevel

regards

On Wed, Feb 11, 2004 at 10:29:46AM +0100, roberto@redix.it wrote:
>
> I've read about securelevel in the mailing list archive, and found some
> pitfalls (and it seems to me it is to be discarded soon).
>
> But according to me, the following configuration should offer good
> security:
>
> - mount root fs read only at boot;
> - set securelevel to 3;
> - do not permit to unmount/remount root fs read-write (now it is possible
> by means of "mount -uw /");
> - the only way to make changes to the file system is to reboot in single
> user, before the securelevel is set to 3, and make the changes needed
> (this means the administrator should use only the console);
>
> Any comments about?
>
> Bye,
> Roberto
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Ismail YENIGUL
http://www.acikkod.com - Acikkod Yayinlari
http://www.EnderUNIX.org
GnuPG Key: http://yenigul.net/ismail.gpg
It takes longer to lose 'x' number of pounds than to gain 'x' number of pounds.

From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 02:01:34 2004
From: roberto@redix.it
To: "Ismail YENIGUL"
Date: Wed, 11 Feb 2004 11:01:30 +0100 (CET)
Message-ID: <1124.192.168.0.77.1076493690.squirrel@mail.redix.it>
In-Reply-To: <20040212095405.GA47173@EnderUNIX.ORG>
References: <1093.192.168.0.77.1076491786.squirrel@mail.redix.it> <20040212095405.GA47173@EnderUNIX.ORG>
cc: freebsd-security@freebsd.org
Subject: Re: Question about securelevel

> Hi
> Did you look at the securelevel manual?
> # man securelevel
> regards

Yes, I did. But I do not understand what you mean: could you explain?

regards
Roberto

From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 02:18:48 2004
From: des@des.no (Dag-Erling Smørgrav)
To: Illia Baidakov
cc: freebsd-security@freebsd.org
Date: Wed, 11 Feb 2004 11:18:39 +0100
Subject: Re: Kernel log output meaning
In-Reply-To: <1227359974.20040211114938@newchem.ru> (Illia Baidakov's message of "Wed, 11 Feb 2004 11:49:38 +0300")
References: <1227359974.20040211114938@newchem.ru>

Illia Baidakov writes:
> Limiting closed port RST response from 201 to 200 packets per second

someone is portscanning you.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 05:12:54 2004
From: roberto@redix.it
To: freebsd-security@freebsd.org
Date: Wed, 11 Feb 2004 14:12:46 +0100 (CET)
Subject: Re: Question about securelevel
Message-ID: <1171.192.168.0.77.1076505166.squirrel@mail.redix.it>

I want to discuss securelevel and whether it's a good or bad thing.
Now, I do not need help to get it working (but never say never ...). I'll try to explain my idea.

Suppose I'm trying to set up a packet-filtering firewall based on FreeBSD, and I want to harden it (I heard about TrustedBSD, but here I want to speak about securelevel). I made the assumption that the console (of my BSD) is in a safe place, so I can exclude any hack from it. It should be the only place where the administrator can access the O.S. with securelevel disabled (i.e. =0, by means of single user mode).

In normal conditions, the O.S. is running at securelevel=3, so:
- kernel modules cannot be loaded or unloaded;
- packet filtering rules cannot be altered;
- /dev/mem and kmem cannot be written;
- immutable and sys flags cannot be turned off;

In addition (this is my idea), suppose the root filesystem is configured read-only and there is no way to change this (remount it rw) when securelevel == 3.

Could this configuration be considered secure, according to you? Are there any weaknesses of securelevel still present?

Any comments are welcome...

Regards,
Roberto

From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 05:30:45 2004
From: Jim Zajkowski
To: freebsd-security@freebsd.org
Date: Wed, 11 Feb 2004 08:30:36 -0500
Subject: Re: Question about securelevel
Message-Id: <79D6F861-5C96-11D8-A225-000A95DA58FE@jimz.net>
In-Reply-To: <1171.192.168.0.77.1076505166.squirrel@mail.redix.it>
References: <1171.192.168.0.77.1076505166.squirrel@mail.redix.it>

On Feb 11, 2004, at 8:12 AM, roberto@redix.it wrote:

> Could this configuration be considered secure, according to you?

There's no way to determine that without some consideration of the threats you are facing. Security considerations against simple attacks (e.g., kiddies) are a lot different than considerations against industrial espionage, against discovery by the secret police, and against very smart government spies.

What are you protecting? From whom? At what cost?
--Jim

From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 05:57:07 2004
From: Patrick Proniewski
To: Liste FreeBSD-security
Date: Wed, 11 Feb 2004 14:57:05 +0100
Subject: Re: Question about securelevel
Message-Id: <2CAA7A5D-5C9A-11D8-ADF8-0030654D97EC@patpro.net>
In-Reply-To: <79D6F861-5C96-11D8-A225-000A95DA58FE@jimz.net>
References: <1171.192.168.0.77.1076505166.squirrel@mail.redix.it> <79D6F861-5C96-11D8-A225-000A95DA58FE@jimz.net>

On 11 Feb 2004, at 14:30, Jim Zajkowski wrote:

>> Could this configuration be considered secure, according to you?
>
> There's no way to determine that without some consideration of the
> threats you are facing. Security considerations against simple
> attacks (e.g., kiddies) are a lot different than considerations
> against industrial espionage, against discovery by the secret police,
> and against very smart government spies.
>
> What are you protecting? From whom? At what cost?
The cost is, to me, the most relevant point, because every aspect of a security policy has a cost or can be seen as a cost.

Security is:
  time that you spend to set up = cost
  time that you spend for maintenance = cost
  increased complexity in the workflow (user teaching, admin training, more delay) = cost
  less time for disaster recovery = negative cost
  protecting valuable data/info = negative cost

When you sum all this, you should get a negative total cost; if not, then your security policy is probably overkill.

I guess if I wanted a perfectly secure system I would start with a bootable CD as main filesystem, with, why not, union filesystems at some mount point for more flexibility.

patpro
--
I'm looking for a Mac/UNIX sysadmin position
(or a young and pretty rich woman)
http://patpro.net/cv.php

From: roberto@redix.it
Date: Wed, 11 Feb 2004 15:28:25 +0100 (CET)
To: "tilo KREMER"
cc: freebsd-security@freebsd.org
Subject: Re: Question about securelevel

> you do not need to go single user to change it. just remove the
> securelevel lines from /etc/rc.conf and reboot.
>
> greetings,
> tilo

As said, the root filesystem is read-only, and the command "mount -uw /" should be disabled when securelevel==3, in my ideal kernel. Actually the command "mount -uw /" will succeed when securelevel==3, but supposing it should not be so difficult to change the FreeBSD kernel, this (securelevel+read-only filesystem) could address the weakness of securelevel+non-read-only filesystem.

Regards
Roberto

From: roberto@redix.it
Date: Wed, 11 Feb 2004 16:02:45 +0100 (CET)
To: freebsd-security@freebsd.org
Subject: Re: Question about securelevel

> On Feb 11, 2004, at 8:12 AM, roberto@redix.it wrote:
>
>> Could this configuration be considered secure, according to you?
>
> There's no way to determine that without some consideration of the
> threats you are facing. Security considerations against simple attacks
> (e.g., kiddies) are a lot different than considerations against
> industrial espionage, against discovery by the secret police, and
> against very smart government spies.
>
> What are you protecting? From whom? At what cost?
>
> --Jim

You are right: I agree with you that security considerations can be different depending on what to protect, from whom, etc. And even a single machine implementing a packet filter is only a little part of a firewall architecture. But my discussion is trying to address the weakness I read about securelevel in the mailing list archive. Could securelevel+read-only file system result in a more secure O.S.?
Regards
Roberto

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From: roberto@redix.it
Date: Wed, 11 Feb 2004 16:13:05 +0100 (CET)
To: "Nigel Houghton"
cc: freebsd-security@freebsd.org
Subject: Re: Question about securelevel

> Change the "console" line in /etc/ttys from "secure" to "insecure", that
> will make your administrator enter the root password when booting to
> single user.
>
> When using securelevel, you might also want to use a script to set the
> immutable flag on various parts of the file system.
>
> There's also much more to securing a box than just using securelevel.

1- OK, I've already set console to insecure; I do not like the single user mode offering a shell without a password.

2- But instead of setting the immutable flags over several files, it seems to me simpler (and not error prone) to set the root file system read-only (simple to do) and to find a way it could not be remounted rw while securelevel == 3!

3- OK, agree with you: there's also much more to securing a box than just using securelevel, but is using a securelevel+read-only file system a step forward in security?

Regards
Roberto

From: roberto@redix.it
Date: Wed, 11 Feb 2004 16:24:02 +0100 (CET)
To: freebsd-security@freebsd.org
Subject: Re: Question about securelevel
> On 11 Feb. 2004, at 14:30, Jim Zajkowski wrote:
>
>>> Could this configuration be considered secure, according to you?
>>
>> There's no way to determine that without some consideration of the
>> threats you are facing. Security considerations against simple
>> attacks (e.g., kiddies) are a lot different than considerations
>> against industrial espionage, against discovery by the secret police,
>> and against very smart government spies.
>>
>> What are you protecting? From whom? At what cost?
>
> The cost is, to me, the most relevant point, because every aspect of a
> security policy has a cost or can be seen as a cost.
> Security is:
>   time that you spend to set up = cost
>   time that you spend for maintenance = cost
>   increased complexity in the workflow (user teaching, admin training,
>   more delay) = cost
>   less time for disaster recovery = negative cost
>   protecting valuable data/info = negative cost
>
> When you sum all this, you should get a negative total cost; if not,
> then your security policy is probably overkill.
>
> I guess if I wanted a perfectly secure system I would start with a
> bootable CD as main filesystem, with, why not, union filesystems at
> some mount point for more flexibility.
>
> patpro
> --
> I'm looking for a Mac/UNIX sysadmin position
> (or a young and pretty rich woman)
> http://patpro.net/cv.php

Yes, I agree with you: a secure system should be a read-only fs, but to overcome the drawbacks of a CDROM, I can use a standard hard disk with a read-only file system while securelevel==3. The writable file system should be available in single user mode only on the console.
Regards
Roberto

From: Jim Zajkowski
Date: Wed, 11 Feb 2004 10:35:07 -0500
To: freebsd-security@freebsd.org
Subject: Re: Question about securelevel

On Feb 11, 2004, at 10:24 AM, roberto@redix.it wrote:

> Yes, I agree with you: a secure system should be a read-only fs, but to
> overcome the drawbacks of a CDROM, I can use a standard hard disk with a
> read-only file system while securelevel==3. The writable file system
> should be available in single user mode only on the console.

If I figure out how to make your filesystem remount read-write without a reboot, the game is over. Running off a CD with a server which has a drive which cannot write discs, it doesn't much matter if I figured out how to change the RO mount or not, since the media itself cannot be written to [1].

Defense in depth.

--Jim

[1] I suppose those flash-IDE thingamabobs that have a switch to toggle to read-only work just as well here too.

From: Patrick Proniewski
Date: Wed, 11 Feb 2004 16:48:11 +0100
To: Liste FreeBSD-security
Subject: Re: Question about securelevel
On 11 Feb. 2004, at 16:35, Jim Zajkowski wrote:

> [1] I suppose those flash-IDE thingamabobs that have a switch to
> toggle to read-only work just as well here too.

It would be nice to have such features on hard drives; CD-ROM size is quite small, and I'm not sure one can boot a live OS from a DVD (requiring a DVD burner to create the booting medium).

patpro
--
I'm looking for a Mac/UNIX sysadmin position
(or a young and pretty rich woman)
http://patpro.net/cv.php

From: Robert Watson
Date: Wed, 11 Feb 2004 11:41:56 -0500 (EST)
To: Mike Tancsa
cc: freebsd-security@freebsd.org
Subject: Re: Longest known unpatched FreeBSD security issue ?
On Tue, 10 Feb 2004, Mike Tancsa wrote:

> Does anyone know off hand what the longest known serious security issue
> (i.e. remote compromise) has been with FreeBSD that went unpatched ?
> e.g. security hole is reported to security-officer@FreeBSD.org. X days
> later, fix and advisory committed. What has been the largest X ?
>
> My jaw dropped when I saw
> http://www.eeye.com/html/Research/Upcoming/index.html

I don't have any statistics on hand, but advisories typically work in one of two ways:

(1) The problem is brought to the attention of the security-officer or security-team in a manner that either prohibits, or does not require, coordination with other vendors. You'll often see a week or two for fixes to be developed, and then maybe a week or so while advisories are generated, updates built, branches tested, etc. If it happens during a release cycle, you might see an additional delay of a week so that tags go down at the right time, etc. Delays are almost always coordinated with the reporter of the vulnerability, although I think we've improved substantially due to increasing staffing on security-team. However, some reporters want only minimal advance knowledge of the vulnerability, and so will require it to be directly handled by security-officer.

(2) The problem is brought to our attention in a manner which requires coordination with other vendors providing the software or component -- this can introduce additional delays in the advisory cycle. In the past, we've seen coordination delays of up to (or maybe exceeding) a month. For example, CERT will often schedule advisory releases three weeks or more past initial notification.
I seem to recall one IP stack issue across many vendors that actually took several months to resolve.

Delays also depend on the nature of the vulnerability -- sometimes a vulnerability is reported along with a fix, and sometimes it's simply a problem that needs to be fixed. Sometimes the fixes for vulnerabilities are clear (change buffer handling), but sometimes they are complex denial of service issues that affect interoperability with other systems (i.e., NFS/RPC/TCP problems).

Obviously, nobody wants delays, but between available resources to fix problems (sometimes imposed by outside parties), coordination with vendors and reporters, and the inevitably complex nature of security vulnerabilities, things sometimes do take a lot longer than we'd like :-(.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research

From: twig les
Date: Wed, 11 Feb 2004 09:29:58 -0800 (PST)
To: Patrick Proniewski, Liste FreeBSD-security
Subject: Re: Question about securelevel
--- Patrick Proniewski wrote:

> On 11 Feb. 2004, at 16:35, Jim Zajkowski wrote:
>
>> [1] I suppose those flash-IDE thingamabobs that have a switch to
>> toggle to read-only work just as well here too.
>
> It would be nice to have such features on hard drives; CD-ROM size is
> quite small, and I'm not sure one can boot a live OS from a DVD
> (requiring a DVD burner to create the booting medium).
>
> patpro

There was a blurb on this in the 3rd Ed. of Practical Unix & Internet Sec. Basically they opined that hard drives with a physical switch for read-only would be neat in some circumstances, since you can still write to a read-only fs if you can get to the raw device. If anyone has a link to a drive that has that I'd be interested to see.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with democracy and with science.
--Carl Sagan
-----------------------------------------------------------
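The raw-device concern in twig les's post is what securelevel 2 closes ("disks may not be opened for writing (except by mount(2))", as Matthew George quotes later in the thread), so a defender who adopts the configuration discussed here wants to verify all three pieces together: securelevel of at least 2, a read-only root, and a console marked "insecure" in /etc/ttys. The following POSIX sh audit is an added example, not code from any poster; each check takes its input as text so it can be fed the live output of `sysctl -n kern.securelevel`, `mount` and `/etc/ttys` on FreeBSD, or captured copies offline, and the sample inputs below are constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example (not from the list thread): audit the hardening discussed
# above.  Every check takes its input as text, prints one "ok"/"FAIL" line
# and returns 0 or 1, so the same functions work on live command output
# or on files captured from a host under review.

# kern.securelevel must be 2 or higher: from 2 on, the kernel refuses to
# open disks for writing except through mount(2), which is what blocks
# writing to the raw device behind a read-only filesystem.
check_securelevel() {
    level="$1"
    case "$level" in
        -1|[0-9]) ;;
        *) echo "FAIL: securelevel '$level' is not a valid level"; return 1 ;;
    esac
    if [ "$level" -ge 2 ]; then
        echo "ok: securelevel $level (raw disk writes blocked except via mount(2))"
        return 0
    fi
    echo "FAIL: securelevel $level is below 2; raw device writes are still possible"
    return 1
}

# Parse mount(8) output ("/dev/ad0s1a on / (ufs, local, read-only)") and
# require the root filesystem line to carry the read-only option.
check_root_ro() {
    rootline=$(printf '%s\n' "$1" | awk '$2 == "on" && $3 == "/" { print; exit }')
    if [ -z "$rootline" ]; then
        echo "FAIL: no root filesystem found in mount output"
        return 1
    fi
    case "$rootline" in
        *read-only*) echo "ok: root is read-only: $rootline"; return 0 ;;
    esac
    echo "FAIL: root is writable: $rootline"
    return 1
}

# In /etc/ttys the console entry ends with "secure" or "insecure" (assumed
# to be the last field); only "insecure" makes init ask for the root
# password when dropping to single-user mode.
check_console_insecure() {
    flag=$(printf '%s\n' "$1" | awk '$1 == "console" { print $NF; exit }')
    case "$flag" in
        insecure) echo "ok: console is marked insecure in /etc/ttys"; return 0 ;;
        secure)   echo "FAIL: console is marked secure; single-user mode gives a root shell without a password" ;;
        *)        echo "FAIL: no console entry found in /etc/ttys" ;;
    esac
    return 1
}

# run_audit LEVEL MOUNT_OUTPUT TTYS_CONTENT: prints one line per check and
# returns the number of failed checks (0 means all three are in place).
run_audit() {
    failures=0
    check_securelevel "$1"      || failures=$((failures + 1))
    check_root_ro "$2"          || failures=$((failures + 1))
    check_console_insecure "$3" || failures=$((failures + 1))
    return "$failures"
}

# On a FreeBSD host the live call would be:
#   run_audit "$(sysctl -n kern.securelevel)" "$(mount)" "$(cat /etc/ttys)"
# Constructed sample inputs in the shape of FreeBSD 4.x output:
SAMPLE_LEVEL=3
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local, read-only)
/dev/ad0s1e on /var (ufs, local, soft-updates)
procfs on /proc (procfs, local)'
SAMPLE_TTYS='# name  getty                   type    status  comments
console none                    unknown off     insecure
ttyv0   "/usr/libexec/getty Pc" cons25  on      secure'

if run_audit "$SAMPLE_LEVEL" "$SAMPLE_MOUNT" "$SAMPLE_TTYS"; then
    echo "audit passed"
else
    echo "audit failed: $? check(s) need attention"
fi
```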
From: Peter Radcliffe
Date: Wed, 11 Feb 2004 12:36:51 -0500
To: Liste FreeBSD-security
Subject: Re: Question about securelevel

twig les probably said:

> There was a blurb on this in the 3rd Ed. of Practical Unix &
> Internet Sec. Basically they opined that hard drives with a
> physical switch for read-only would be neat in some
> circumstances since you can still write to a read-only fs if you
> can get to the raw device. If anyone has a link to a drive that
> has that I'd be interested to see.

I've seen quite a few drives with a jumper setting for RO, documented as read only, or "write protect".
Picking up a random disk on my desk (a Sun-branded Seagate ST39102LC, SCSI LVD/SE disk), it has a jumper labelled "WRITE PROTECT".

P.

--
pir

From: Matthew George
Date: Wed, 11 Feb 2004 12:55:06 -0500 (EST)
To: twig les
cc: Liste FreeBSD-security
Subject: Re: Question about securelevel

On Wed, 11 Feb 2004, twig les wrote:

> circumstances since you can still write to a read-only fs if you
> can get to the raw device. If anyone has a link to a drive that

securelevel 2 precludes this:

     2     Highly secure mode - same as secure mode, plus disks may not be
           opened for writing (except by mount(2)) whether mounted or not.
--
Matthew George
SecureWorks Technical Operations

From: Patrick Proniewski
Date: Wed, 11 Feb 2004 19:02:44 +0100
To: freebsd-security@freebsd.org
Subject: Re: Question about securelevel

On 11 Feb. 2004, at 18:36, Peter Radcliffe wrote:

> twig les probably said:
>> There was a blurb on this in the 3rd Ed. of Practical Unix &
>> Internet Sec. Basically they opined that hard drives with a
>> physical switch for read-only would be neat in some
>> circumstances since you can still write to a read-only fs if you
>> can get to the raw device. If anyone has a link to a drive that
>> has that I'd be interested to see.
>
> I've seen quite a few drives with a jumper setting for RO, documented
> as read only, or "write protect".
>
> Picking up a random disk on my desk (a Sun-branded Seagate ST39102LC,
> SCSI LVD/SE disk), it has a jumper labelled "WRITE PROTECT".

After a really quick look at Seagate's web site, it looks like only SCSI drives have such a write protect feature. (S)ATA drives don't have these settings.

patpro
--
I'm looking for a Mac/UNIX sysadmin position
(or a young and pretty rich woman)
http://patpro.net/cv.php

From: Matt Piechota
Date: Wed, 11 Feb 2004 13:30:00 -0500 (EST)
To: twig les
cc: Liste FreeBSD-security
Subject: Re: Question about securelevel
On Wed, 11 Feb 2004, twig les wrote:

> There was a blurb on this in the 3rd Ed. of Practical Unix &
> Internet Sec. Basically they opined that hard drives with a
> physical switch for read-only would be neat in some
> circumstances since you can still write to a read-only fs if you
> can get to the raw device. If anyone has a link to a drive that
> has that I'd be interested to see.

I know I've seen it on some old Seagate SCSI drives I have at home. I'll check on it when I get there.

--
Matt Piechota
From: Brett Glass
Date: Wed, 11 Feb 2004 11:35:59 -0700
To: Andriy Tkachuk, freebsd-security@freebsd.org
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

At 02:22 AM 2/9/2004, Andriy Tkachuk wrote:

> So: you failed in traditional, anyway it's interesting if
> there will be the same result with the new way.

I've looked at the Makefiles, and don't see any reason why there would be a difference.
--Brett From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 23:12:32 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C8F516A4CE; Wed, 11 Feb 2004 23:12:32 -0800 (PST) Received: from pear.silverwraith.com (66-214-182-79.la-cbi.charterpipeline.net [66.214.182.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 64CF843D1D; Wed, 11 Feb 2004 23:12:32 -0800 (PST) (envelope-from lists-freebsd@silverwraith.com) Received: from avleen by pear.silverwraith.com with local (Exim 4.30; FreeBSD) id 1ArB1T-000KK5-3o; Wed, 11 Feb 2004 23:12:31 -0800 Date: Wed, 11 Feb 2004 23:12:31 -0800 From: Avleen Vig To: Robert Watson Message-ID: <20040212071230.GI54091@silverwraith.com> References: <6.0.3.0.0.20040210154335.04a3c9f8@209.112.4.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.5.1i cc: freebsd-security@freebsd.org Subject: Re: Longest known unpatched FreeBSD security issue ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Feb 2004 07:12:32 -0000 On Wed, Feb 11, 2004 at 11:41:56AM -0500, Robert Watson wrote: > (2) The problem is brought to our attention in a manner which requires > coordination with other vendors providing the software or component -- > this can introduce additional delays in the advisory cycle. In the > past, we've seen coordination delays of up to (or maybe exceeding) a > month. For example, CERT will aften schedule advisory releases three > weeks or more past initial notification. I seem to recall one IP > stack issue across many vendors that actually tooks several months to > resolve. Just out of curiousity Robert, which IP stack issue was this? 
From owner-freebsd-security@FreeBSD.ORG Thu Feb 12 04:08:38 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 547C616A4CE for ; Thu, 12 Feb 2004 04:08:38 -0800 (PST) Received: from smtp.hotbox.ru (smtp.hotbox.ru [80.68.244.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EEF043D1F for ; Thu, 12 Feb 2004 04:08:37 -0800 (PST) (envelope-from beastden@fromru.com) Received: from localhost (mail.sutrade.ru [195.68.128.70] (may be forged)) (authenticated bits=0) by smtp.hotbox.ru (8.12.9/8.12.9) with ESMTP id i1CC52mE027541 for ; Thu, 12 Feb 2004 15:05:05 +0300 (MSK) (envelope-from beastden@fromru.com) Date: Thu, 12 Feb 2004 15:08:36 +0300 From: Beast X-Mailer: The Bat! (v2.00.6) CD5BF9353B3B7091 X-Priority: 3 (Normal) Message-ID: <153617301828.20040212150836@fromru.com> To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Beast List-Id: Security issues [members-only posting] X-List-Received-Date: Thu, 12 Feb 2004 12:08:38 -0000

I'm sorry but it's just a test.

From owner-freebsd-security@FreeBSD.ORG Thu Feb 12 10:49:51 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3CEF316A4CE for ; Thu, 12 Feb 2004 10:49:51 -0800 (PST) Received: from web25102.mail.ukl.yahoo.com (web25102.mail.ukl.yahoo.com [217.12.10.50]) by mx1.FreeBSD.org (Postfix) with SMTP id 816A543D2F for ; Thu, 12 Feb 2004 10:49:50 -0800 (PST) (envelope-from teppic11@yahoo.co.uk) Message-ID: <20040212184949.78816.qmail@web25102.mail.ukl.yahoo.com> Received: from [82.47.145.208] by web25102.mail.ukl.yahoo.com via HTTP; Thu, 12 Feb 2004 18:49:49 GMT Date: Thu, 12 Feb 2004 18:49:49 +0000 (GMT) From: Stefano Busti To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Dubious ifconfig / tcpdump behaviour X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] X-List-Received-Date: Thu, 12 Feb 2004 18:49:51 -0000

Hi,

I have a FreeBSD 4.8 box connected to the net which until recently hasn't had any problems. Today DNS lookups mysteriously stopped working (the box has tinydns & dnscache installed to handle DNS requests). I noticed some strange things while checking the problem with tcpdump.

Tcpdump appears not to show any traffic whatsoever on either my external interface or internal LAN interface, this despite the fact I was successfully pinging hosts over both interfaces from a different console while checking the traffic. I do get notified about promiscuous mode being enabled and disabled as normal, and a message at the end saying that packets were successfully received by the kernel. I just don't see the actual packets. Tcpdump had always worked fine before, and still works normally on the loopback interface.

Also I seem to be unable to disable either of the affected interfaces with ifconfig, whereas in the past I never had a problem doing this. Requests to bring either interface down are silently ignored.

Does anyone have an idea what the cause could be? Have I overlooked some obvious configuration issue, or might tcpdump, ifconfig or any system routines they call have been compromised? Sadly I hadn't installed an intrusion detector such as tripwire previously, and system logs don't _appear_ to show evidence of any compromise.

___________________________________________________________
BT Yahoo! Broadband - Free modem offer, sign up online today and save £80 http://btyahoo.yahoo.co.uk

From owner-freebsd-security@FreeBSD.ORG Thu Feb 12 11:20:35 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C384B16A4CE for ; Thu, 12 Feb 2004 11:20:35 -0800 (PST) Received: from web25104.mail.ukl.yahoo.com (web25104.mail.ukl.yahoo.com [217.12.10.52]) by mx1.FreeBSD.org (Postfix) with SMTP id 4F4F143D1D for ; Thu, 12 Feb 2004 11:20:35 -0800 (PST) (envelope-from teppic11@yahoo.co.uk) Message-ID: <20040212192034.91861.qmail@web25104.mail.ukl.yahoo.com> Received: from [82.47.145.208] by web25104.mail.ukl.yahoo.com via HTTP; Thu, 12 Feb 2004 19:20:34 GMT Date: Thu, 12 Feb 2004 19:20:34 +0000 (GMT) From: Teppic To: freebsd-security@freebsd.org In-Reply-To: <20040212184949.78816.qmail@web25102.mail.ukl.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: Dubious ifconfig / tcpdump behaviour X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] X-List-Received-Date: Thu, 12 Feb 2004 19:20:35 -0000

I wrote:
> [ snip ifconfig / tcpdump report ]

On further investigation the tcpdump problem was simply caused by tcpdump blocking due to DNS not working properly, and the ifconfig problem by me misreading the output of ifconfig. Apologies...

From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 06:25:03 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57D1E16A4CE for ; Fri, 13 Feb 2004 06:25:03 -0800 (PST) Received: from mx2.trusecure.com (mx2.trusecure.com [208.251.192.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 29A4243D1D for ; Fri, 13 Feb 2004 06:25:03 -0800 (PST) (envelope-from jbarnes@trusecure.com) Received: by mx2.trusecure.com (Postfix, from userid 1006) id 02798C9227; Fri, 13 Feb 2004 09:25:00 -0500 (EST) Received: from VAMAIL01.corp.trusecure.net (vamail01.corp.trusecure.net [172.19.1.52]) by mx2.trusecure.com (Postfix) with ESMTP id B7D49C920F for ; Fri, 13 Feb 2004 09:25:00 -0500 (EST) Received: from exchange01.mscore.trusecure.net (exchange01.corp.trusecure.net [172.19.1.50]) (8.12.10/maybe_its_not_even_really_Sendmail....)
with ESMTP id i1DEP05B010859 for ; Fri, 13 Feb 2004 09:25:00 -0500 (EST) Received: by exchange01.corp.trusecure.net with Internet Mail Service (5.5.2653.19) id <153AV17K>; Fri, 13 Feb 2004 09:25:02 -0500 From: "Barnes, John" To: "'freebsd-security@freebsd.org'" Date: Fri, 13 Feb 2004 09:25:01 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" Subject: XFree86 Font Information File Buffer Overflow X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] X-List-Received-Date: Fri, 13 Feb 2004 14:25:03 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has anyone seen this alert?

http://www.securityfocus.com/archive/1/353352

It seems to work on Linux, but when I tried the proof of concept on 4.3.0,1 running 5.2-RELEASE, I couldn't get the X server to core dump or segmentation fault. So, it seems likely to me that FreeBSD is not vulnerable to this. Any other thoughts on this matter?

John Barnes
TruSecure

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCzePZuhTuCp6UG8EQJ9IACg3lY365GZicwVXTRtK26bnrVGcMYAoMjp
vwPcKAfyyjeUu5R6HbjHxbKn
=jW3K
-----END PGP SIGNATURE-----

***********************************************************************
This message is intended only for the use of the intended recipient and may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that any use, dissemination, disclosure or copying of this communication is strictly prohibited. If you have received this communication in error, please destroy all copies of this message and its attachments and notify us immediately.
***********************************************************************

From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 06:35:20 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D193D16A4CF; Fri, 13 Feb 2004 06:35:20 -0800 (PST) Received: from smtp14.singnet.com.sg (smtp14.singnet.com.sg [165.21.6.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id 433B943D1D; Fri, 13 Feb 2004 06:35:20 -0800 (PST) (envelope-from spades@galaxynet.org) Received: from bryanuptrvb0jc (bb-203-125-28-129.singnet.com.sg [203.125.28.129])i1DEZI2w009046; Fri, 13 Feb 2004 22:35:18 +0800 Message-ID: <022001c3f23e$9b4b3fc0$fa10fea9@bryanuptrvb0jc> From: "Spades" To: Date: Fri, 13 Feb 2004 22:35:20 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 cc: freebsd-security@freebsd.org Subject: Re: SYN Attacks - how i cant stop it X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Spades List-Id: Security issues [members-only posting] X-List-Received-Date: Fri, 13 Feb 2004 14:35:21 -0000

Hi,

I got this error when I tried to type some of those:
"sysctl: unknown oid...." Any idea?

My server seems to be very lagged, whereas the network connection seems fine; I think it's BSD itself, as my other Red Hat box is fine.

What else can I do to get optimum protection?

Thanks.

----- Original Message -----
From: "Per Engelbrecht"
To:
Cc:
Sent: Saturday, February 07, 2004 5:58 PM
Subject: Re: SYN Attacks - how i cant stop it

> Hi,
>
> > all nights. Check this.
> >
> > Feb 6 11:54:24 TCP: port scan detected [port 6667] from
> > 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
> > Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 -
>
> It's hard to get rid of shit-heads like this - I'm talking about the
> person doing this attack, that is.
> You send a looong output of a log, but no info on your system or any
> adjustments you have made (or not made) on your system i.e. kernel
> (options), sysctl (tweaks) and ipfw (rules).
> If the problem is out-of-bandwidth (and your system already has been
> optimized) then the only real solution is more 'pipe' a.k.a. the
> Microsoft-solution.
> So far I've only been guessing, but here is what I normally do with my
> setup. I'm not telling you that this is the solution! just advice!
>
> Kernel;
> options SC_DISABLE_REBOOT
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
> options IPFILTER
> options IPFILTER_LOG
> options IPSTEALTH (don't touch the ttl/can't see the wall)
> options TCP_DROP_SYNFIN (drop tcp packet with syn+fin/scanner)
> options RANDOM_IP_ID (hard to calculate ip frekv. number)
> options DUMMYNET (e.g. 40% for web, 30% for mail and so on)
> options DEVICE_POLLING (can't do this short and not with SMP)
> options HZ=1000 (can't do this short and not with SMP)
>
> Sysctl;
> kern.ipc.somaxconn=1024 #this is set high!
> kern.ipc.nmbclusters=65536 #this is set high!
> kern.polling.enable=1 #remember kernel options
> kern.polling.user_frac=50>90 #remember kernel options
> net.xorp.polling=1
> net.xorp.poll_burst=10
> net.xorp.poll_in_trap=3
> (if you use dynamic rules in ipfw [stateful] you can tweak this)
> net.inet.ip.fw.dyn_ack_lifetime=200 #shorter timeout on connection
> net.inet.ip.fw.dyn_syn_lifetime=20
> net.inet.ip.fw.dyn_fin_lifetime=20
> net.inet.ip.fw.dyn_rst_lifetime=5
> net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp
> net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules
> net.inet.ip.fw.dyn_count: #count of number of dynamic rules
>
> ipfw;
> There's a zillion ways to set it up. Start with a few rules regarding
> lo0 and icmp. Then use stateful inspection and dynamic rules for the
> rest of the wall.
>
> ... and by the way, I could see that a few of the scans came from RIPE
> ranges. Do some digging and report it!
> Even if the boxes are used without the owners' awareness, you can [we all
> can] bring this part to an end.
>
> respectfully
> /per
> per@xterm.dk
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 07:26:10 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50C1916A53A for ; Fri, 13 Feb 2004 07:26:09 -0800 (PST) Received: from mail.1plan.net (ns1.1plan.net [216.240.143.74]) by mx1.FreeBSD.org (Postfix) with SMTP id 23AE043D1D for ; Fri, 13 Feb 2004 07:26:09 -0800 (PST) (envelope-from aanton@reversedhell.net) Received: (qmail 4234 invoked by uid 98); 13 Feb 2004 15:29:33 -0000 Received: from aanton@reversedhell.net by cp by uid 101 with qmail-scanner-1.20 (clamscan: 0.65. Clear:RC:1(81.196.32.25):SA:0(0.0/4.7):. Processed in 0.491042 secs); 13 Feb 2004 15:29:33 -0000 X-Spam-Status: No, hits=0.0 required=4.7 X-Qmail-Scanner-Mail-From: aanton@reversedhell.net via cp X-Qmail-Scanner: 1.20 (Clear:RC:1(81.196.32.25):SA:0(0.0/4.7):.
Processed in 0.491042 secs) Received: from unknown (HELO reversedhell.net) (81.196.32.25) by ns1.1plan.net with SMTP; 13 Feb 2004 15:29:32 -0000 Message-ID: <402CECD8.7020906@reversedhell.net> Date: Fri, 13 Feb 2004 17:27:20 +0200 From: Anton Alin-Adrian User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6b) Gecko/20031212 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <022001c3f23e$9b4b3fc0$fa10fea9@bryanuptrvb0jc> In-Reply-To: <022001c3f23e$9b4b3fc0$fa10fea9@bryanuptrvb0jc> X-Enigmail-Version: 0.83.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: SYN Attacks - how i cant stop it X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] X-List-Received-Date: Fri, 13 Feb 2004 15:26:10 -0000

Spades wrote:
> Hi,
>
> I got this error when I tried to type some of those:
> "sysctl: unknown oid...." Any idea?
>
> My server seems to be very lagged, whereas the network connection
> seems fine; I think it's BSD itself, as my other Red Hat box is fine.
>
> What else can I do to get optimum protection?
>
> Thanks.
>
> ----- Original Message -----
> From: "Per Engelbrecht"
> To:
> Cc:
> Sent: Saturday, February 07, 2004 5:58 PM
> Subject: Re: SYN Attacks - how i cant stop it
>
> > [ snip Per Engelbrecht's kernel/sysctl/ipfw advice, quoted in full above ]

Most important, you did turn on syncookies, did you not?

FreeBSD is pretty immune to SYN floods. As for out of bandwidth, this has to do with your uplink and how much you pay for your traffic.

root# sysctl net.inet.tcp.syncookies

If it is not set to one, then do:
root# sysctl net.inet.tcp.syncookies=1

Also edit /etc/sysctl.conf to contain net.inet.tcp.syncookies=1.

A reboot would clear the TCP stack. You can't reboot remotely if kernel securelevel is enabled in /etc/rc.conf.

If you don't have firewall support compiled in the kernel, kldload ipfw.

Might be a good lesson to mirror back all incoming SYN packets from the attacker's IP to him. To port 80, or 22, or to any other open port. You can do that easily with ipfw.

-- 
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 07:31:44 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D5E8816A4CE for ; Fri, 13 Feb 2004 07:31:44 -0800 (PST) Received: from diaspar.rdsnet.ro (diaspar.rdsnet.ro [213.157.165.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1252F43D1F for ; Fri, 13 Feb 2004 07:31:44 -0800 (PST) (envelope-from dudu@diaspar.rdsnet.ro) Received: (qmail 36613 invoked by uid 89); 13 Feb 2004 15:31:44 -0000 Received: from unknown (HELO diaspar.rdsnet.ro) (dudu@diaspar.rdsnet.ro@213.157.165.224) by 0 with AES256-SHA encrypted SMTP; 13 Feb 2004 15:31:44 -0000 Date: Fri, 13 Feb 2004 17:31:42 +0200 From: Vlad Galu To: freebsd-security@freebsd.org Message-Id: <20040213173142.32e8fed0.dudu@diaspar.rdsnet.ro> In-Reply-To: <402CECD8.7020906@reversedhell.net> References: <022001c3f23e$9b4b3fc0$fa10fea9@bryanuptrvb0jc> <402CECD8.7020906@reversedhell.net> X-Mailer: Sylpheed version 0.9.9 (GTK+ 1.2.10; i386-portbld-freebsd4.9) Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Signature=_Fri__13_Feb_2004_17_31_42_+0200_hHZILkkFbkMTsSpS" Subject: Re: SYN Attacks - how i cant stop it X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] X-List-Received-Date: Fri, 13 Feb 2004 15:31:45 -0000

--Signature=_Fri__13_Feb_2004_17_31_42_+0200_hHZILkkFbkMTsSpS
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Anton Alin-Adrian writes:
|Spades wrote:
|> [ snip Spades' question and Per Engelbrecht's advice, quoted in full above ]
|
|Most important, you did turn on syncookies, did you not?
|
|FreeBSD is pretty immune to SYN floods. As for out of bandwidth, this
|has to do with your uplink and how much you pay for your traffic.
|
|root# sysctl net.inet.tcp.syncookies
|
|If it is not set to one, then do:
|root# sysctl net.inet.tcp.syncookies=1
|
|Also edit /etc/sysctl.conf to contain net.inet.tcp.syncookies=1.

Or better use the syncache. For further information, check out http://people.freebsd.org/~jlemon/ It has proven to be more efficient, at least in my experiments.

|
|A reboot would clear the TCP stack. You can't reboot remotely if kernel
|securelevel is enabled in /etc/rc.conf.
|
|If you don't have firewall support compiled in the kernel, kldload
|ipfw.
|
|Might be a good lesson to mirror back all incoming SYN packets from the
|attacker's IP to him. To port 80, or 22, or to any other open
|port. You can do that easily with ipfw.
|
|--
|Alin-Adrian Anton
|Reversed Hell Networks
|GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F
|FF2E) gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

----
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.

--Signature=_Fri__13_Feb_2004_17_31_42_+0200_hHZILkkFbkMTsSpS
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFALO3gP5WtpVOrzpcRAq2YAJ9yq7qymfT/WSm1iMZW7kYbdYpUagCgl4hb
kpK9NTy8LO1b/mhltyOaNUE=
=OEH0
-----END PGP SIGNATURE-----

--Signature=_Fri__13_Feb_2004_17_31_42_+0200_hHZILkkFbkMTsSpS--

From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 08:32:01 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 85CA316A4CE for ; Fri, 13 Feb 2004 08:32:01 -0800 (PST) Received: from mail.1plan.net (ns1.1plan.net [216.240.143.74]) by mx1.FreeBSD.org (Postfix) with SMTP id 71A4243D2F for ; Fri, 13 Feb 2004 08:32:01 -0800 (PST) (envelope-from aanton@reversedhell.net) Received: (qmail 12022 invoked by uid 98); 13 Feb 2004 16:35:25 -0000 Received: from aanton@reversedhell.net by cp by uid 101 with qmail-scanner-1.20 (clamscan: 0.65. Clear:RC:1(81.196.32.25):SA:0(0.0/4.7):.
From: Anton Alin-Adrian
To: freebsd-questions@freebsd.org
cc: freebsd-security@freebsd.org
Date: Fri, 13 Feb 2004 18:33:14 +0200
Message-ID: <402CFC4A.7020702@reversedhell.net>
Subject: Re: SYN Attacks - how i cant stop it

JJB wrote:
> You talk about the net.inet.tcp.syncookies=1 knob,
> how about a description on what it does and why you
> are recommending using it.

The net.inet.tcp.syncookies 'knob', if set to 1, enables syn cookies.
Syn cookies were invented specifically for syn flood protection. A brief
description of the syncookies idea can be read here:
http://cr.yp.to/syncookies.html

> How would one go about mirroring back the attackers
> syn packets to port 80 or 22?
> Please describe this easy method of yours.

Mirroring back packets to the attacker is, first of all, a nasty thing.
Secondly, it is only possible if the attacker's IP is known. If it is
not known, then obviously it's not possible. Knowing the attacker's IP
does not necessarily mean that he is performing the current attacks from
that IP.

Packet redirection with ipfw is done using divert sockets. One needs to
have it compiled into the kernel. Divert sockets are also used by ipfw
nat redirection. It's all in the man pages of ipfw.

If the flood is severely intense (from the point of stack memory
exhaustion), it might be a good improvement to drop 5% of incoming SYN
packets. This can also be done with ipfw, and is described in the manual
pages. However, I don't think one would ever come to this.

Asking the ISP to put the server behind a decent Cisco router, and
implement syn cookies on hardware devices, is the best protection.

-- 
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 08:37:33 2004
From: "Jacques A. Vidrine"
To: "Barnes, John"
cc: "'freebsd-security@freebsd.org'"
Date: Fri, 13 Feb 2004 10:37:32 -0600
Message-ID: <20040213163732.GA73212@hellblazer.celabo.org>
Subject: Re: XFree86 Font Information File Buffer Overflow

On Fri, Feb 13, 2004 at 09:25:01AM -0500, Barnes, John wrote:
> Has anyone seen this alert?
>
> http://www.securityfocus.com/archive/1/353352

See for information on the FreeBSD XFree86 package.

> It seems to work on Linux, but when I tried the proof of concept on
> 4.3.0,1 running 5.2 RELEASE, I couldn't get the X server to core dump
> or segmentation fault. So, it seems likely to me that FreeBSD is not
> vulnerable to this. Any other thoughts on this matter?

I cannot speculate as to why ``the proof of concept'' didn't work for
you. Likely an error in ``the proof of concept'', whatever it is. All
versions of XFree86 on all platforms are vulnerable. Furthermore, it
seems that many other X11R6-based servers are vulnerable, as the bug
goes way back. It is a very simple `strcpy' buffer overflow.
Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Fri Feb 13 10:44:00 2004
From: "Barnes, John"
To: "'freebsd-security@freebsd.org'"
Date: Fri, 13 Feb 2004 13:43:59 -0500
Subject: RE: XFree86 Font Information File Buffer Overflow

I misread a '1' for an 'l' on the exploit. X blows up quite handily now.

John

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Barnes, John
Sent: Friday, February 13, 2004 9:25 AM
To: 'freebsd-security@freebsd.org'
Subject: XFree86 Font Information File Buffer Overflow

Has anyone seen this alert?

http://www.securityfocus.com/archive/1/353352

It seems to work on Linux, but when I tried the proof of concept on
4.3.0,1 running 5.2 RELEASE, I couldn't get the X server to core dump
or segmentation fault. So, it seems likely to me that FreeBSD is not
vulnerable to this. Any other thoughts on this matter?

John Barnes
TruSecure
From owner-freebsd-security@FreeBSD.ORG Sat Feb 14 06:54:30 2004
From: Anton Alin-Adrian
To: freebsd-questions@freebsd.org
cc: freebsd-security@freebsd.org
Date: Sat, 14 Feb 2004 16:55:43 +0200
Message-ID: <402E36EF.7060704@reversedhell.net>
Subject: Re: SYN Attacks - how i cant stop it

JJB wrote:
> Very interesting reading about the net.inet.tcp.syncookies 'knob'.
>
> Thank you for such a curious and informative reply.
>
> I am running 4.9 and net.inet.tcp.syncookies=1 is the default.
>
> I am writing a 'Hardening your FBSD system' article for the local
> FBSD club, would you please review the following.
>
> Are my comments correct? Are there any other knobs I should include?
>
> I got the rc.conf securelevel ok as it is from the man page.
>
> ####################################################################
> #
> # The sysctl.conf file contains MIBs to change the default setting
> # of internal options of the kernel at boot up time. These MIBs
> # control how network packets are handled after the IPFW or IPFILTER
> # software firewall application returns the packet to the kernel.
> # Some of these MIBs may seem like they are doing the same thing,
> # but because there is no FBSD provided documentation on the order
> # these MIBs get control, they all get enabled here and we let the
> # kernel do its thing.
> #
> # NOTE: Some of these MIBs can also be set in rc.conf and/or the
> # kernel source. This will not hurt anything.
> #
> ####################################################################
>
> ####################################################################
> # Redirect attacks are the purposeful mass issuing of ICMP type 5 packets.
> # In a normal network, redirects to the end stations should not be required.
> # To defend against this type of attack both the sending and accepting of
> # redirects should be disabled. The first statement below enables the MIB
> # to drop all inbound icmp redirect packets without returning any response.
> # The second statement turns off the logging of redirect packets because
> # there is no limit and this could fill up your logs consuming your whole
> # hard drive. But there is no information about where the redirect packets
> # get logged. The last statement changes the FBSD default about allowing
> # redirects to be sent from this system to the internet from yes to no.
> # This option is ignored unless the host is routing IP packets, and
> # should normally be enabled (=1) on all systems.
> # man icmp(4) and inet(4) and man ip(4) do not contain info about these MIBs.
> # man sysctl(3) does have info on ip.redirect
>
> net.inet.icmp.drop_redirect=1
> net.inet.icmp.log_redirect=0
> net.inet.ip.redirect=0
>
> ####################################################################
> # Source routing is another way for an attacker to try to reach non-routable
> # addresses behind your box. It can also be used to probe for information
> # about your internal networks. These functions come enabled as part of the
> # standard FBSD core system. The following will disable them.
> # man inet(4) and man ip(4) do not contain any information on these MIBs.
>
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
>
> ####################################################################
> # This MIB only drops ICMP Echo requests which have a destination of your
> # broadcast address. For example, if your network is 10.10.0.1/24,
> # (making your subnet mask 255.255.255.0) then your network broadcast address
> # is 10.10.0.255. When a host on your network needs to send a message to all
> # other hosts on the subnet (which happens more often than you may think) it
> # uses this address. Everyone listens on it. Hosts outside your network have
> # no reason to be sending packets to your broadcast address. This MIB rejects
> # all of the broadcast echo traffic from the outside world to your network
> # broadcast address. If this host is a firewall or gateway, it should not
> # propagate directed broadcasts originating from outside your private network.
> # The following statement sets the default to no, rejecting all external
> # broadcast requests.
> # man sysctl(3) has some info.
> # man inet(4) and man icmp(4) do not contain any information on these MIBs.
>
> net.inet.icmp.bmcastecho=0
>
> ####################################################################
> # To change the system behavior when connection requests are received
> # on TCP or UDP ports where there is no socket listening. The normal
> # behavior, when a TCP SYN segment is received on a port where there
> # is no socket accepting connections, is for the system to return a
> # RST segment, and drop the connection. The requesting system will
> # see this as a "Connection reset by peer".
> #
> # By turning the TCP black hole MIB on to a numeric value of one, the
> # incoming SYN segment is merely dropped, and no RST is sent, making
> # the system appear as a blackhole.
> #
> # By setting the MIB value to two, any segment arriving on a closed
> # port is dropped without returning a RST.
> # This provides some degree of protection against stealth port scans.
> # The following enables this MIB. man tcp(4), man udp(4) and man blackhole(4)
> # contain a little information on these MIBs.
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> ####################################################################
> # The log_in_vain MIB will provide you with logging of attempted
> # connections to your box on any port which does not have a service
> # running on it. For example, if you do not have a DNS server on your
> # computer and someone would try to access your computer through DNS
> # port 53, you would see a message such as: Connection attempt to
> # UDP yourIP:53 from otherIP:X (where X is some high port #) displayed
> # on the root console screen. This message also gets posted to
> # /var/log/messages & /var/log/security.log.
> # The following statements enable this function.
> # man tcp(4) and man udp(4) contain a little information on these MIBs.
>
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> ####################################################################
> # To defend against SYN attacks, more commonly known as SYNFLOOD attacks,
> # the two queues which are targeted by this type of attack should
> # have their size increased so that the queues can withstand an attack
> # of low to moderate intensity with little to no effect on the stability
> # or availability of the system. FBSD maintains separate queues for
> # inbound socket connection requests. One queue is for half-open sockets
> # (SYN received, SYN|ACK sent), the other queue for fully-open sockets
> # awaiting an accept() call from the application.
> # The following statement increases the queue size from 128.
>
> kern.ipc.somaxconn=1024
>
> ####################################################################
> # Allowing aged ARP entries to remain cached or lying around
> # allows for the possibility of a hacker to create a resource
> # exhaustion or performance degradation by filling the IP route cache
> # with bogus ARP entries. This in turn can be used as a Denial of
> # Service attack. To prevent this sort of problem the following
> # statement shortens the amount of time an ARP entry will be cached
> # from 1200 to 600 seconds.
>
> net.link.ether.inet.max_age=600
>
> ###################### end of sysctl ####################################
>
> The system logs default to being able to bind to an internal socket
> which allows logs to be sent to some other system for recording.
> If you are not doing that on purpose then this option should be
> disabled using this statement in rc.conf.
>
> syslogd_flags="-ss"
>
> Kernel options.
>
> options TCP_DROP_SYNFIN  # Adds support for ignoring TCP packets
>                          # with SYN+FIN. This prevents nmap from
>                          # identifying the TCP/IP stack, but
>                          # breaks support for RFC1644 extensions
>                          # & is not recommended for web servers
>                          # behind the firewall.
>
> The comments with this option are from the LINT kernel source word
> for word. I have an Apache web server running on my gateway/firewall
> box, and I use this option and can not see anything wrong happening.
>
> options ICMP_BANDLIM     # Enables icmp error response bandwidth
>                          # limiting. This will help protect from
>                          # D.O.S. packet attacks.
>
> options RANDOM_IP_ID     # Causes the ID field in IP packets to be
>                          # randomized instead of incremented by 1 with
>                          # each packet generated. This closes a minor
>                          # information leak which allows remote
>                          # observers to determine the rate of packet
>                          # generation on the machine by watching the
>                          # counter.
>
> Thanks for your help.

Syn cookies are "relatively" new to FreeBSD. "Long" time ago, FreeBSD
had different protection for syn attacks (dropping of random SYN
packets, progressively increasing as the SYN flood increases).

I use an ipfw pipe with dummynet kernel options, to limit icmp
bandwidth. My 100 MB/s server is forced to behave as a 128 Kbps ISDN
link when dealing with ICMP packets, with a big enough buffer for
queueing packets. This way, ICMP flood attacks are efficiently taken
out, while not ignoring RFCs, and replying back to all ICMP traffic, in
normal circumstances.

Also I have a similar setup for UDP traffic, which limits its bandwidth
to 90% of all. This way TCP will always have a 10% room of our total
bandwidth. Eventually, if all bandwidth is taken out by the flood, and
the ISP does nothing about it, we're going to sink.

If you write an article on FreeBSD security, there is *no way* to skip
over the CERB Reality project. Check it at http://cerber.sourceforge.net/ .
FreeBSD is pretty secure from head to toe. Without CERB, there's not
really much to be done.

All BSD family of packet filters are excellent. This is valid for all
of the ipfw, ipfilter and openbsd pf suite. It's simply the most
powerful and complete level of security on unix. It is 10 times more
powerful than linux's grsecurity system, because it has the power of
controlling syscalls.

-- 
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-security@FreeBSD.ORG Sat Feb 14 07:53:00 2004
From: erschulz@comcast.net
To: freebsd-security@freebsd.org
Date: Sat, 14 Feb 2004 15:52:59 +0000
Message-Id: <021420041552.16872.65e9@comcast.net>
Subject: Localhost traffic and ipfw rules

I seem to be stumped on this one. I have TCP packets destined to my
external interface from 127.0.0.1 (Ack+Reset zero data) with source MAC
of my default gateway and I can't seem to block this traffic.

Snort picked up the traffic and I have confirmed with tcpdump.
So I decided I needed to examine my anti-spoof rules. I already had
this one:

deny ip from any to 127.0.0.0/8 in recv ${oif}

This never triggered on this traffic so I figured it must be looking
for a SYN before it would trigger. So I added the following:

deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst

This still didn't block the traffic. So, I added the following:

deny ip from 127.0.0.0/8 to ${oif}

And the packets are still not triggering any of these rules and I've
moved them up to the top of the list just to be sure I hadn't made an
order of precedence error.

So, I'm open to ideas now. It is definitely coming in on my external
interface, and its src MAC is definitely the MAC of my ISP's router.
So, have I missed something? How do I drop these packets?

Thx.

From owner-freebsd-security@FreeBSD.ORG Sat Feb 14 22:57:28 2004
From: Flemming Jacobsen
To: erschulz@comcast.net
cc: freebsd-security@freebsd.org
Date: Sun, 15 Feb 2004 07:57:24 +0100
Message-ID: <20040215065724.GA72019@prefect.unknown.dk>
In-Reply-To: <021420041552.16872.65e9@comcast.net>
Subject: Re: Localhost traffic and ipfw rules

erschulz@comcast.net wrote:
> I seem to be stumped on this one. I have TCP packets
> destined to my external interface from 127.0.0.1 (Ack+Reset
> zero data) with source MAC of my default gateway and I
> can't seem to block this traffic.
>
> Snort picked up the traffic and I have confirmed with
> tcpdump. So I decided I needed to examine my anti-spoof
> rules. I already had this one
>
> deny ip from any to 127.0.0.0/8 in recv ${oif}

You probably want this as your first 3 rules:

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any

Some say that the TCP stack already takes care of this, but I like
these rules in my set - just to be 100% sure.

About the rest of your question, you probably are blocking the traffic
with your rules. Bpf, which tcpdump and snort use to snoop packets,
picks up packets before your ipfw rules are applied, thus you see the
full packet feed.

Regards
Flemming

PS: Please insert linebreaks so your lines are no longer than 70-75
characters.

-- 
Flemming Jacobsen                              Email: fj@batmule.dk
---=== If speed kills, Windows users may live forever. ===---
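To trace the spoofed 127.0.0.1 Ack+Rst packet through the rules quoted in this thread, here is an added toy first-match evaluator for the few ipfw(8) keywords the posters use (example code, not ipfw itself and not from either poster). The interface name fxp0 and address 198.51.100.7 are constructed stand-ins for ${oif} and its address; the default rule is assumed to be deny.

```python
"""Toy first-match evaluator for the ipfw(8) keywords used in this thread.
Added example: not ipfw itself, not code from any poster."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    iface: str                           # interface the packet is seen on
    direction: str                       # "in" or "out"
    flags: FrozenSet[str] = frozenset()  # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    proto: str = "ip"                    # "ip" matches every protocol
    src: str = "any"                     # "any", a host or a CIDR prefix
    dst: str = "any"
    direction: Optional[str] = None      # "in"/"out", None = either
    iface: Optional[str] = None          # "via"/"recv" interface, None = any
    flags: FrozenSet[str] = frozenset()  # "tcpflags": all listed must be set


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, p: Packet) -> bool:
    """Every clause of the rule must hold for the packet (ipfw semantics)."""
    if rule.proto != "ip" and rule.proto != p.proto:
        return False
    if not (_addr_match(rule.src, p.src) and _addr_match(rule.dst, p.dst)):
        return False
    if rule.direction is not None and rule.direction != p.direction:
        return False
    if rule.iface is not None and rule.iface != p.iface:
        return False
    return rule.flags <= p.flags         # subset test, e.g. tcpflags ack,rst


def first_match(rules: Sequence[Rule], p: Packet) -> Tuple[int, str]:
    """Position and action of the first matching rule.  With no match the
    default rule 65535 decides; a default-to-deny kernel is assumed here."""
    for pos, rule in enumerate(rules, start=1):
        if matches(rule, p):
            return pos, rule.action
    return 65535, "deny"


# Flemming's suggested first three rules, in order.
FLEMMING_RULES = (
    Rule("allow", iface="lo0"),          # allow ip from any to any via lo0
    Rule("deny", dst="127.0.0.0/8"),     # deny ip from any to 127.0.0.0/8
    Rule("deny", src="127.0.0.0/8"),     # deny ip from 127.0.0.0/8 to any
)

# erschulz's first two rules; fxp0 / 198.51.100.7 are constructed stand-ins
# for ${oif} and its address.
ERSCHULZ_FIRST = Rule("deny", dst="127.0.0.0/8", direction="in", iface="fxp0")
ERSCHULZ_SECOND = Rule("deny", proto="tcp", src="127.0.0.1",
                       dst="198.51.100.7", flags=frozenset({"ack", "rst"}))

# Constructed packets: the spoofed Ack+Rst arriving on the external
# interface, and a genuine loopback packet that must keep flowing.
SPOOFED_ACK_RST = Packet("tcp", "127.0.0.1", "198.51.100.7", "fxp0", "in",
                         frozenset({"ack", "rst"}))
LOOPBACK_PKT = Packet("tcp", "127.0.0.1", "127.0.0.1", "lo0", "out",
                      frozenset({"syn"}))

if __name__ == "__main__":
    print("Flemming's rules, spoofed :", first_match(FLEMMING_RULES, SPOOFED_ACK_RST))
    print("Flemming's rules, loopback:", first_match(FLEMMING_RULES, LOOPBACK_PKT))
    print("erschulz's first rule     :", first_match([ERSCHULZ_FIRST], SPOOFED_ACK_RST))
    print("erschulz's second rule    :", first_match([ERSCHULZ_SECOND], SPOOFED_ACK_RST))
```

The first rule misses because it tests the destination for 127/8 while the spoofed packet is addressed to the external interface; the second rule, and Flemming's third, do match. The model shows only what ipfw decides: as Flemming notes, bpf hands tcpdump and snort the packet before ipfw runs, so a capture does not prove the rules missed it.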