From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 09:57:36 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B1E9C1065676 for ; Mon, 5 Oct 2009 09:57:36 +0000 (UTC) (envelope-from db@danielbond.org)
Received: from mail.nsn.no (mailtwo.nsn.no [62.89.38.161]) by mx1.freebsd.org (Postfix) with SMTP id 0EC688FC14 for ; Mon, 5 Oct 2009 09:57:35 +0000 (UTC)
Received: (qmail 49950 invoked by uid 0); 5 Oct 2009 09:30:54 -0000
Received: from unknown (HELO ?172.16.3.90?) (85.95.44.187) by mail.nsn.no with SMTP; 5 Oct 2009 09:30:54 -0000
Message-Id:
From: Daniel Bond
To: Eric Williams
In-Reply-To: <4AC7B690.1060607@gmail.com>
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Apple-Mail-1--597563465"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 5 Oct 2009 11:30:26 +0200
References: <20091003121830.GA15170@sorry.mine.nu> <4AC7B690.1060607@gmail.com>
X-Pgp-Agent: GPGMail 1.2.0 (v56)
X-Mailer: Apple Mail (2.936)
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 Oct 2009 09:57:36 -0000

Hi,

as long as one uses good passwords, or disables authentication with
passwords and only authorizes using SSH keys, you should be fine, if you
can survive a little spam in your system logs. Personally I tend to
either firewall the OpenSSH daemon, or leave it wide open.
I don't really see the point in changing ports, as long as they are
still publicly available.

However, I'm concerned about the suggestion of using an unprivileged
port (I see port 8080 suggested in earlier mails). If you really do need
to use an unprivileged port, one solution could be to rewrite the port
number with a NAT redirect, so NAT forwards to a privileged port.

The reason for this is that any local user is capable of binding to
unprivileged ports. If for some reason a local user/attacker is able to
crash the OpenSSH daemon process, or bind to the socket before sshd(8)
does, the attacker can install an "evil sshd" to capture information
about keys and passwords. Not all users care about host-key warnings.

One workaround may be to create a special rule for sshd with
mac_portacl(4), so only sshd can bind to port 8080, or whatever.
( http://www.freebsd.org/doc/en/books/handbook/mac-portacl.html ).

Best regards,

Daniel Bond.

On Oct 3, 2009, at 10:39 PM, Eric Williams wrote:

> On 10/3/2009 7:18 AM, olli hauer wrote:
>>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>> provides a reasonably useful list of ports NOT to choose for an
>>>> obscure ssh port.
>>>
>>> In practice, you have no choice but to use something like 443 or 8080,
>>> because corporate firewalls often block everything but a small number of
>>> ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and 8080
>>> go through a transparent proxy)
>>
>> This may work if the firewall does only port and no additional protocol
>> filtering. For many products used in corporate environments it is even
>> possible to filter ssh v1, skype, stunnel, openvpn with a very high
>> success rate within the first packets on the wire.
>>
>> In case for the ssh server take a look into these parameters
>> - LoginGraceTime
>> - MaxAuthTries
>> - MaxSessions
>> - MaxStartups
>
> The absolute best way to filter out the attacks is to disable
> authentication methods other than public keys. Obviously this isn't
> possible in all situations, but it's very effective. Most attack bots
> will just disconnect when they attempt login, and it's almost impossible
> to crack a key and gain access.

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 11:48:14 2009
Delivered-To: freebsd-security@freebsd.org
From: budsz
To: freebsd-security@freebsd.org
Date: Mon, 5 Oct 2009 18:23:25 +0700
Message-ID: <4d4dc3640910050423i24d9ee19q967152458b449df6@mail.gmail.com>
In-Reply-To: <200910022012.n92KC4Tb003955@freefall.freebsd.org>
References: <200910022012.n92KC4Tb003955@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:14.devfs

On Sat, Oct 3, 2009 at 3:12 AM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:14.devfs                                      Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Devfs / VFS NULL pointer race condition
>
> Category:       core
> Module:         kern
> Announced:      2009-10-02
> Credits:        Przemyslaw Frasunek
> Affects:
>                 FreeBSD 6.x and 7.x
> Corrected:      2009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE)
>                 2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
>                 2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
>                 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>                 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>                 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The device file system (devfs) provides access to system devices, such as
> storage devices and serial ports, via the file system namespace.
>
> VFS is the Virtual File System, which abstracts file system operations in
> the kernel from the actual underlying file system.
>
> II.  Problem Description
>
> Due to the interaction between devfs and VFS, a race condition exists
> where the kernel might dereference a NULL pointer.
>
> III. Impact
>
> Successful exploitation of the race condition can lead to local kernel
> privilege escalation, kernel data corruption and/or crash.
>
> To exploit this vulnerability, an attacker must be able to run code with user
> privileges on the target system.
>
> IV.  Workaround
>
> An errata note, FreeBSD-EN-09:05.null has been released simultaneously to
> this advisory, and contains a kernel patch implementing a workaround for a
> more broad class of vulnerabilities.  However, prior to those changes, no
> workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
> RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
> dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.1, and 7.2 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch.asc
>
> [FreeBSD 7.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in  and reboot the system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/sys/fs/devfs/devfs_vnops.c                                 1.114.2.17
> RELENG_6_4
>   src/UPDATING                                              1.416.2.40.2.11
>   src/sys/conf/newvers.sh                                    1.69.2.18.2.13
>   src/sys/fs/devfs/devfs_vnops.c                             1.114.2.16.2.2
> RELENG_6_3
>   src/UPDATING                                              1.416.2.37.2.18
>   src/sys/conf/newvers.sh                                    1.69.2.15.2.17
>   src/sys/fs/devfs/devfs_vnops.c                             1.114.2.15.2.1
> RELENG_7
>   src/sys/fs/devfs/devfs_vnops.c
>                                                                   1.149.2.9
> RELENG_7_2
>   src/UPDATING                                               1.507.2.23.2.7
>   src/sys/conf/newvers.sh                                     1.72.2.11.2.8
>   src/sys/fs/devfs/devfs_vnops.c                              1.149.2.8.2.2
> RELENG_7_1
>   src/UPDATING                                              1.507.2.13.2.11
>   src/sys/conf/newvers.sh                                     1.72.2.9.2.12
>   src/sys/fs/devfs/devfs_vnops.c                              1.149.2.4.2.2
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r197715
> releng/6.4/                                                       r197715
> releng/6.3/                                                       r197715
> stable/7/                                                         r192301
> releng/7.2/                                                       r197715
> releng/7.1/                                                       r197715
> - -------------------------------------------------------------------------
>
> VII.
>      References
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:14.devfs.asc
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Hi folks,

I just got some problem when compiling my kernel. Here we go:

rm -f hack.c
MAKE=make sh /usr/src/sys/conf/newvers.sh WILLSZPROXY
cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs
-Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline
-Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc
-I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL
-DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
-finline-limit=8000 --param inline-unit-growth=100 --param
large-function-growth=1000 -mno-align-long-strings
-mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2
-mno-sse3 -ffreestanding -Werror vers.c
linking kernel.debug
kern_fork.o(.text+0x1d18): In function `fork1':
/usr/src/sys/kern/kern_fork.c:737: undefined reference to `knote_fork'
*** Error code 1

Stop in /usr/obj/usr/src/sys/WILLSZPROXY.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

My box is running FreeBSD 7.2-STABLE. Thanks in advance.
--
budsz

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 12:35:08 2009
Delivered-To: freebsd-security@freebsd.org
Date: Mon, 5 Oct 2009 12:32:15 +0000 (UTC)
From: "Bjoern A.
 Zeeb"
To: budsz
In-Reply-To: <4d4dc3640910050423i24d9ee19q967152458b449df6@mail.gmail.com>
Message-ID: <20091005123008.R26486@maildrop.int.zabbadoz.net>
References: <200910022012.n92KC4Tb003955@freefall.freebsd.org> <4d4dc3640910050423i24d9ee19q967152458b449df6@mail.gmail.com>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:14.devfs

On Mon, 5 Oct 2009, budsz wrote:

> On Sat, Oct 3, 2009 at 3:12 AM, FreeBSD Security Advisories
> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> =============================================================================
>> FreeBSD-SA-09:14.devfs                                      Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          Devfs / VFS NULL pointer race condition
>>
>> Category:       core
>> Module:         kern
>> Announced:      2009-10-02
>> Credits:        Przemyslaw Frasunek
>>
>> Affects:        FreeBSD 6.x and 7.x
>> Corrected:      2009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE)
>>                 2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
>>                 2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
>>                 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>>                 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>>                 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
> Hi folks,
>
> I just got some problem when compiling my kernel. Here we go:
>
> rm -f hack.c
> MAKE=make sh /usr/src/sys/conf/newvers.sh WILLSZPROXY
> cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs
> -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline
> -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc
> -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL
> -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
> -finline-limit=8000 --param inline-unit-growth=100 --param
> large-function-growth=1000 -mno-align-long-strings
> -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2
> -mno-sse3 -ffreestanding -Werror vers.c
> linking kernel.debug
> kern_fork.o(.text+0x1d18): In function `fork1':
> /usr/src/sys/kern/kern_fork.c:737: undefined reference to `knote_fork'
> *** Error code 1
>
> Stop in /usr/obj/usr/src/sys/WILLSZPROXY.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
>
> My box is running FreeBSD 7.2-STABLE. Thanks in advance.

If you are on 7.2-STABLE only the EN patch would have been interesting
for you. The FreeBSD-SA-09:14.devfs was not applicable to a 7.2-STABLE
from 2009-05-18 and later.

Can you please check that you didn't accidentally patch something that
didn't need to be patched anymore?

/bz

--
Bjoern A. Zeeb                 It will not break if you know what you are doing.
From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 14:08:06 2009
Delivered-To: freebsd-security@freebsd.org
Message-ID: <4AC9F9C1.9030702@kernel32.de>
Date: Mon, 05 Oct 2009 15:50:57 +0200
From: Marian Hettwer
To: olli hauer
References: <20091003121830.GA15170@sorry.mine.nu>
In-Reply-To: <20091003121830.GA15170@sorry.mine.nu>
Cc: des@des.no, smithi@nimnet.asn.au, freebsd-security@freebsd.org
Subject: Re: openssh concerns

Hej All,

olli hauer wrote:
>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>> provides a reasonably useful list of ports NOT to choose for an
>>> obscure ssh port.
>>>
>> In practice, you have no choice but to use something like 443 or 8080,
>> because corporate firewalls often block everything but a small number of
>> ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and 8080
>> go through a transparent proxy)
>>
>
> This may work if the firewall does only port and no additional protocol
> filtering. For many products used in corporate environments it is even
> possible to filter ssh v1, skype, stunnel, openvpn with a very high
> success rate within the first packets on the wire.
>
> In case for the ssh server take a look into these parameters
> - LoginGraceTime
> - MaxAuthTries
> - MaxSessions
> - MaxStartups
>

I think nobody mentioned the overload rules from pf(4). I keep away most
of the tried attempts by using it. Setup is pretty easy:

    # The table name was lost when the archive stripped angle brackets;
    # <bruteforce> is assumed here.
    table <bruteforce> persist

    # Added: the overload table only has an effect if a rule blocks the
    # addresses collected in it.
    block in quick from <bruteforce>

    # ssh is TCP only, and "flags" and the max-src-conn* options apply to
    # tcp, so the original "proto { tcp, udp }" is narrowed to tcp.
    pass quick log proto tcp from any to any port ssh label "ssh-brute" \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 10/30, \
        overload <bruteforce> flush global)

Obviously, read pf.conf(5) to check what you might want to configure WRT
max-src-conn and max-src-conn-rate.

These rules in combination with enforced key authentication should keep
your logfiles clean and your host secured. No need to go to another tcp
port.
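As an added illustration (not part of Marian's mail, and not pf's own code), the Python below models what the max-src-conn 15, max-src-conn-rate 10/30 and overload ... flush global options in the rule above do to three constructed sources: a normal admin, a fast brute-forcer and a slow source that never closes its sessions. It is a simplified sliding-window model of the documented behaviour, not pf's real decaying-counter implementation, and the traffic is made up.

```python
"""Simplified model of the pf(4) state-tracking options in the ssh rule:
max-src-conn, max-src-conn-rate N/M and overload <table> flush global.
Illustrative sliding-window model; pf itself uses a decaying counter."""
from collections import defaultdict, deque


class SourceTracker:
    """Per-source connection accounting as the rule options describe it."""

    def __init__(self, max_src_conn=15, rate_limit=10, rate_seconds=30):
        self.max_src_conn = max_src_conn      # max-src-conn 15
        self.rate_limit = rate_limit          # max-src-conn-rate 10/30
        self.rate_seconds = rate_seconds
        self.open_conns = defaultdict(int)    # live states per source
        self.recent = defaultdict(deque)      # recent SYN times per source
        self.overloaded = set()               # contents of <bruteforce>

    def _rate_exceeded(self, src, now):
        window = self.recent[src]
        while window and now - window[0] >= self.rate_seconds:
            window.popleft()                  # forget SYNs older than M s
        window.append(now)
        return len(window) > self.rate_limit

    def new_connection(self, src, now):
        """Verdict for a SYN from src at time now: pass, drop or block."""
        if src in self.overloaded:
            return "block"                    # block in quick from <bruteforce>
        if (self._rate_exceeded(src, now)
                or self.open_conns[src] >= self.max_src_conn):
            # Limit hit: no state is created, the source enters the
            # overload table and "flush global" kills its existing states.
            self.overloaded.add(src)
            self.open_conns[src] = 0
            self.recent[src].clear()
            return "drop"
        self.open_conns[src] += 1
        return "pass"

    def connection_closed(self, src):
        if self.open_conns[src] > 0:
            self.open_conns[src] -= 1


# Constructed sample traffic, not real logs: (time in s, source, event).
EVENTS = (
    # a legitimate admin: three logins over minutes, each closed again
    [(0, "198.51.100.7", "syn"), (2, "198.51.100.7", "syn"),
     (90, "198.51.100.7", "fin"), (95, "198.51.100.7", "fin"),
     (400, "198.51.100.7", "syn"), (500, "198.51.100.7", "fin")]
    # a brute-forcer: 12 connection attempts in 12 seconds
    + [(t, "203.0.113.5", "syn") for t in range(10, 22)]
    # a slow source that never closes: 16 sessions opened 5 s apart
    + [(100 + 5 * i, "192.0.2.9", "syn") for i in range(16)]
)


def replay(events, **limits):
    """Feed events in time order; return the per-source SYN verdicts and
    the final contents of the overload table."""
    tracker = SourceTracker(**limits)
    verdicts = defaultdict(list)
    for now, src, kind in sorted(events):
        if kind == "syn":
            verdicts[src].append(tracker.new_connection(src, now))
        else:
            tracker.connection_closed(src)
    return dict(verdicts), tracker.overloaded


if __name__ == "__main__":
    results, table = replay(EVENTS)
    for src, verdict in results.items():
        print(src, " ".join(verdict))
    print("overload table:", sorted(table))
```

The brute-forcer trips the rate limit on its 11th SYN, the slow source trips max-src-conn on its 16th, and the admin is never touched; raising max-src-conn shows which of the two limits each source actually hit.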
Cheers,
Marian

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 18:03:51 2009
Delivered-To: freebsd-security@freebsd.org
To: freebsd-security@freebsd.org
From: Lyndon Nerenberg - VE6BBM/VE7TFX
Organization: The Frobozz Magic Homing Pigeon Company
Date: Mon, 5 Oct 2009 12:03:44 -0600
Subject: Re: openssh concerns

> Personally I tend to either firewall the OpenSSH daemon, or leave it
> wide open. I don't really see the point in changing ports, as long as
> they are still publicly available.
The ssh bots only seem to probe port 22. In well over a year of running
my ssh servers on a different (very low numbered) port I haven't logged
a single probe (across about a dozen highly visible servers).

--lyndon

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 18:30:22 2009
Delivered-To: freebsd-security@freebsd.org
Date: Mon, 5 Oct 2009 11:16:34 -0700
From: Mark Boolootian
To: freebsd-security@freebsd.org
Message-ID: <20091005181634.GA37622@root.ucsc.edu>
Reply-To: booloo@ucsc.edu
Subject: Re: openssh concerns

There's always fwknop:

http://www.cipherdyne.org/fwknop/

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 18:32:39 2009
Delivered-To: freebsd-security@freebsd.org
To: Lyndon Nerenberg - VE6BBM/VE7TFX
Date: Mon, 05 Oct 2009 13:14:28 -0500
From: Andrew Kuriger
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns

On Mon, 5 Oct 2009 12:03:44 -0600, Lyndon Nerenberg - VE6BBM/VE7TFX wrote:
>> Personally I tend to either firewall the OpenSSH daemon, or leave it
>> wide open. I don't really see the point in changing ports, as long as
>> they are still publicly available.
>
> The ssh bots only seem to probe port 22. In well over a year of
> running my ssh servers on a different (very low numbered) port I
> haven't logged a single probe (across about a dozen highly visible
> servers).
>
> --lyndon
>

I personally don't use it (although I'm considering it), but you could
look into port knocking.
Changing the port that SSHD binds to definitely falls under that
obscurity line since if somebody is targeting you, they very well may
run a SYN scan (Mmm nmap) and read the banners to quickly find out what
port you are running sshd on, then target bots accordingly. Granted, if
somebody is not specifically targeting you and is just scanning ranges
to find sshd on 22 they will pass you right up since that port will be
closed.

Andrew

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 18:47:02 2009
Delivered-To: freebsd-security@freebsd.org
Message-ID: <7f1779bf9fa52b6cbf7a8384883232a6@yyc.orthanc.ca>
To: a.kuriger@liquidphlux.com, lyndon@orthanc.ca
From: Lyndon Nerenberg - VE6BBM/VE7TFX
Organization: The Frobozz Magic Homing Pigeon Company
Date: Mon, 5 Oct 2009 12:46:55 -0600
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns

> Granted, if somebody is not specifically targeting you and is just scanning
> ranges to find sshd on 22 they will pass you right up since that port will
> be closed.

The port change was intended only to avoid the port scanners.

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 20:26:41 2009
Delivered-To: freebsd-security@freebsd.org
(c-24-5-79-127.hsd1.ca.comcast.net [24.5.79.127]) by mx.google.com with ESMTPS id 1sm495012fkt.11.2009.10.05.13.02.49 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 05 Oct 2009 13:02:51 -0700 (PDT) From: Micheas Herman To: freebsd-security@freebsd.org In-Reply-To: <7f1779bf9fa52b6cbf7a8384883232a6@yyc.orthanc.ca> References: <7f1779bf9fa52b6cbf7a8384883232a6@yyc.orthanc.ca> Content-Type: text/plain; charset="UTF-8" Date: Mon, 05 Oct 2009 13:02:46 -0700 Message-Id: <1254772966.30618.1405.camel@vcampaign> Mime-Version: 1.0 X-Mailer: Evolution 2.28.0 Content-Transfer-Encoding: 7bit Subject: Re: openssh concerns X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: m@micheas.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Oct 2009 20:26:42 -0000 On Mon, 2009-10-05 at 12:46 -0600, Lyndon Nerenberg - VE6BBM/VE7TFX wrote: > > Granted, if somebody is not specifically targeting you and is just scanning > > ranges to find sshd on 22 they will pass you right up since that port will > > be closed. > > The port change was intended only to avoid the port scanners. And when you get notices in your logs, you can respond, as you know you are being targeted and can take appropriate responses. The biggest reason I can see for running ssh on an non-standard port is increasing the signal to noise ratio in the logs. If you can investigate every failed ssh login, you should be safer than if you ignore 40,000 failed logins a day. Just my experience, but of course being able to effortlessly investigate 40,000 failed logins would probably be a better situation. > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Things past redress and now with me past care. 
-- William Shakespeare, "Richard II"

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 20:56:28 2009
From: Andrew Kuriger
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
Date: Mon, 05 Oct 2009 15:55:33 -0500
In-Reply-To: <1254772966.30618.1405.camel@vcampaign>

On Mon, 05 Oct 2009 13:02:46 -0700, Micheas Herman wrote:
> On Mon, 2009-10-05 at 12:46 -0600, Lyndon Nerenberg - VE6BBM/VE7TFX wrote:
>> > Granted, if somebody is not specifically targeting you and is just
>> > scanning ranges to find sshd on 22 they will pass you right up since
>> > that port will be closed.
>>
>> The port change was intended only to avoid the port scanners.
>
> And when you get notices in your logs, you can respond, as you
> know you are being targeted and can take appropriate responses.
>
> The biggest reason I can see for running ssh on a non-standard
> port is increasing the signal-to-noise ratio in the logs.
>
> If you can investigate every failed ssh login, you should be
> safer than if you ignore 40,000 failed logins a day.
>
> Just my experience, but of course being able to effortlessly
> investigate 40,000 failed logins would probably be a better
> situation.

I agree it's not a bad thing to have sshd running on a non-standard port, but just wait until the bot herder with 10,000 bots under his control finds out what port you're running it under...

If you're receiving 40,000 false logins a day, you're either targeted, or extremely popular, and probably shouldn't be running sshd that is accessible via the internet anyways, aside from port knocking/VPN.

I don't know about you, but when I have been attacked it's not 100 connections from the same IP, it's thousands randomly throughout the world.

It does however eliminate the background script kiddie noise and sshd scanners, but once you're found out/targeted it's all in the air anyways.
-Andrew
--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 21:47:42 2009
From: Erik Cederstrand
To: Andrew Kuriger
Cc: freebsd-security@freebsd.org, m@micheas.net
Subject: Re: openssh concerns
Date: Mon, 5 Oct 2009 23:28:37 +0200

On 05/10/2009 at 22.55, Andrew Kuriger wrote:
> I agree it's not a bad thing to have sshd running on a non-standard
> port, but just wait until the bot herder with 10,000 bots under his
> control finds out what port you're running it under...

It's like spam filtering: at the time this actually becomes a problem, we change tactics. It's not about finding the perfect solution, it's about having a manageable log. My log is being spammed, and changing the port solves that. "botnet-12-34-56-78.couldntcareless.mx tried to log into your nonexistent oracle account" is not a very interesting log message. Someone bruteforcing a valid non-trivial account name on a non-standard port is, even though they will never succeed.

> If you're receiving 40,000 false logins a day, you're either targeted, or
> extremely popular and probably shouldn't be running sshd that is
> accessible via the internet anyways, aside from port knocking/VPN.

6 normal, very boring colo servers here. 40,000 login attempts a day per server on port 22 sounds about right - that's still almost nothing translated to bandwidth. I use only key-based auth and the bots were still trying, so I'm pretty sure it's just someone trying to bruteforce every IP under the sun looking for low-hanging fruit. I still need ssh access for normal admin work so disabling ssh is not an option.
Erik

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 22:24:43 2009
From: Doug Barton
To: Daniel Bond
Cc: freebsd-security@freebsd.org, Eric Williams
Subject: Re: openssh concerns
Date: Mon, 05 Oct 2009 14:58:00 -0700
Message-ID: <4ACA6BE8.3000402@FreeBSD.org>

Daniel Bond wrote:
> However, I'm concerned about the suggestion of using an
> unprivileged port

Please explain your reasoning, and how it's relevant in a world where the vast majority of Internet users have complete administrative control over the systems they use.
Doug
--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 22:57:43 2009
From: Chris Palmer
To: freebsd-security@freebsd.org
Subject: Re: openssh concerns
Date: Mon, 5 Oct 2009 15:57:36 -0700
Message-ID: <20091005225736.GA28186@noncombatant.org>
In-Reply-To: <4ACA6BE8.3000402@FreeBSD.org>

Doug Barton writes:
> > However, I'm concerned about the suggestion of using an unprivileged
> > port
>
> Please explain your reasoning, and how it's relevant in a world where the
> vast majority of Internet users have complete administrative control over
> the systems they use.

Shared shell servers do still exist, and on such systems, it would be unwise to allow low-privilege users to be able to listen on what the other users think the "official" SSH port is. The port ACL idea, and the port != 22 && port < 1024 idea, therefore still make sense.

Of course, can we really trust that local low-privilege users can't escalate to root? Sob.

As for the log spam issue, the problem is more general than just SSH -- do you have your web server listen on port 81, too? ;) There's tons of spam in there, and there's tons of real stuff in there. Web apps are real apps... what are people doing with them?

The general solution is something like Marcus Ranum's "artificial ignorance". Whether it is a cheap-ass Python script like mine or a real grown-up log management system like Splunk, you want something that lets you easily see the real stuff and ignore the spam for ALL your apps, not just SSH. It doesn't take much effort to generate the cheap-ass solution (ping me privately if you want my trivial code), but the pay-off is huge. Imagine relevant cron emails! The dream is alive...

--
http://www.noncombatant.org/
http://hemiolesque.blogspot.com/

From owner-freebsd-security@FreeBSD.ORG Tue Oct 6 05:31:33 2009
From: "Peter"
To: "Marian Hettwer"
Cc: olli hauer, des@des.no, smithi@nimnet.asn.au, freebsd-security@freebsd.org
Subject: Re: openssh concerns
Date: Mon, 5 Oct 2009 23:04:48 -0600 (MDT)
In-Reply-To: <4AC9F9C1.9030702@kernel32.de>

> Hi all,
>
> olli hauer wrote:
>>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>> provides a reasonably useful list of ports NOT to choose for an
>>>> obscure ssh port.
>>>
>>> In practice, you have no choice but to use something like 443 or 8080,
>>> because corporate firewalls often block everything but a small number
>>> of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and
>>> 8080 go through a transparent proxy)
>>
>> This may work if the firewall does only port and no additional protocol
>> filtering. For many products used in corporate environments it is even
>> possible to filter ssh v1, skype, stunnel, openvpn with a very high
>> success rate within the first packets on the wire.
>>
>> In the case of the ssh server take a look at these parameters:
>> - LoginGraceTime
>> - MaxAuthTries
>> - MaxSessions
>> - MaxStartups
>>
> I think nobody mentioned the overload rules from pf(4). I keep away most
> of the attempts by using it.
> Setup is pretty easy:
>
>     # the table name was lost in the archive; <ssh-brute> is assumed here
>     table <ssh-brute> persist
>     pass quick log proto { tcp, udp } from any to any port ssh label "ssh-brute" \
>         flags S/SA keep state \
>         (max-src-conn 15, max-src-conn-rate 10/30, \
>         overload <ssh-brute> flush global)
>
> Obviously, read pf.conf(5) to check what you might want to configure WRT
> max-src-conn and max-src-conn-rate.
>
> These rules in combination with enforced key authentication should keep
> your logfiles clean and your host secured.
> No need to go to another tcp port.
>
> Cheers,
> Marian

Or combine that with portknocking - only open port 22 after X number of attempts to connect on port 1234:

    # Table for allowed IPs [gets auto-populated via portknocking]
    table <portknock_ssh> persist
    ...
    block   # default block policy
    # Allow everyone to hit 'any' on port '1234' - pf proxies the tcp connection
    # [if not using 'synproxy', the connection is never established and
    # never 'overload's the rule]
    # 5 attempts in 15 seconds
    pass in log quick proto tcp from any to any port {1234} synproxy state \
        (max-src-conn-rate 5/15, overload <portknock_ssh>)
    # Allow IPs that have been 'overload'ed into the portknock_ssh table
    pass in log quick proto tcp from <portknock_ssh> to any port {ssh}
    ...

Then put in a crontab entry, on an as-needed basis, to expire all IPs in that table that have not been referenced in 60 seconds:

    * * * * * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive; all new sessions will need to portknock after the IP is cleared from the table.

]Peter[

From owner-freebsd-security@FreeBSD.ORG Tue Oct 6 09:06:35 2009
From: Dag-Erling Smørgrav
To: "Peter"
Cc: olli hauer, freebsd-security@freebsd.org, smithi@nimnet.asn.au, Marian Hettwer
Subject: Re: openssh concerns
Date: Tue, 06 Oct 2009 11:06:33 +0200
Message-ID: <86vdis99ie.fsf@ds4.des.no>

"Peter" writes:
> Or combine that with portknocking - only open port 22 after X number of
> attempts to connect on port 1234:

As has already been explained, that's no good if you need to ssh in from behind a corporate firewall that blocks everything except 20, 22, 80 and 443.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Oct 6 16:42:56 2009
From: Martin Turgeon
To: Thomas Rasmussen
Cc: freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Date: Tue, 06 Oct 2009 12:42:57 -0400
Message-id: <4ACB7391.5040204@optiksecurite.com>
In-reply-to: <4AC3FA90.1000405@gibfest.dk>

Thomas Rasmussen wrote:
> Martin Turgeon wrote:
>> Hi list!
>>
>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>> putting it in production, we would like to hear some feedback from
>> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
>> anyone using it? Do you have any other way to patch against Slowloris
>> other than putting a proxy in front or using the HTTP accept filter?
>>
>> Thanks for your feedback,
>>
>> Martin
>
> Hello,
>
> I am using it successfully although not under any serious load, same
> Apache and FreeBSD versions. I found it easy (compared to the
> alternatives) and efficient, and no I don't know of any other ways of
> blocking the attack, short of using Varnish or similar. However,
> accf_http doesn't help at all, since HTTP POST requests bypass the
> filter. HTTP POST can be enabled by passing the -httpready switch to
> Slowloris.
>
> Please report back with your findings, I've been wondering how it
> would perform under load.
>
> Best of luck with it,
>
> Thomas Rasmussen

Hi everyone,

We haven't put mod_antiloris in production yet, but I wrote this little shell script to protect us against a distributed attack. It runs every minute from crontab.
It checks for any IP with more than 100 connections in FIN_WAIT_2 state and blocks those IPs in PF.

    #!/bin/sh
    # Run from cron once a minute: any remote IP holding more than 100
    # connections in FIN_WAIT_2 is added to the pf table <slowloris>.

    /usr/bin/netstat -nfinet | grep FIN_WAIT_2 > netstat.out

    # Drop table entries older than 300 seconds (expiretable, from ports)
    /usr/local/sbin/expiretable -t 300 slowloris

    # Column 5 is the foreign address as a.b.c.d.port; strip the port
    for ip in `awk '{print $5}' netstat.out | awk -F. '{print $1"."$2"."$3"."$4}' | sort | uniq` ; do
        # Match the whole address plus its port separator, literally, so that
        # 1.2.3.4 is not also counted against 11.2.3.4 and dots stay literal
        if [ `grep -cF " $ip." netstat.out` -gt 100 ] ; then
            pfctl -t slowloris -Ta $ip 2> /dev/null
        fi
    done

Did anyone have any comments on the script itself or the method used to detect the attackers?

Thanks for your input,

Martin

From owner-freebsd-security@FreeBSD.ORG Tue Oct 6 18:41:18 2009
From: Mike Oliver
To: freebsd-security@freebsd.org
Subject: Re: openssh concerns
Date: Tue, 6 Oct 2009 14:19:32 -0400
Message-ID: <8c64b8d20910061119ya32f330s876809d96e33fb49@mail.gmail.com>
In-Reply-To: <20091005181634.GA37622@root.ucsc.edu>

On Mon, Oct 5, 2009 at 14:16, Mark Boolootian wrote:
>
> There's always fwknop: http://www.cipherdyne.org/fwknop/

Back when I ran ipfw I had a Bourne script that would change the outside port (translated to 22 on the inside by natd) to something between 10000 and 65500 every so often, maybe hourly. The script would rewrite the natd.conf, bounce natd, do some other stuff I can't remember, and finish by sending me the new outside port number via SMS. I did that for a few years and never had a single problem with it. That was a fun project.
--
Mike Oliver, KT2T
+1-863-738-2334
kt2t@arrl.net -or- mwoliver@gmail.com

From owner-freebsd-security@FreeBSD.ORG Tue Oct 6 20:18:26 2009
From: jhell
To: Dag-Erling Smørgrav
Cc: olli hauer, FreeBSD Security, Peter, smithi@nimnet.asn.au, Marian Hettwer
Subject: Re: openssh concerns
Date: Tue, 6 Oct 2009 15:49:16 -0400
In-Reply-To: <86vdis99ie.fsf@ds4.des.no>

On Tue, 6 Oct 2009 11:06 +0200, des@ wrote:
> "Peter" writes:
>> Or combine that with portknocking - only open port 22 after X number of
>> attempts to connect on port 1234:
>
> As has already been explained, that's no good if you need to ssh in from
> behind a corporate firewall that blocks everything except 20, 22, 80 and
> 443.
>
> DES
>

Don't forget about making good use of the following configuration tunables. You can enforce a default policy of deny by just saying that a user must be in the group of AllowGroups. This does enforce a little bit more of an administrative overhead but that's for your staff and policy to decide.

    AllowGroups
    AllowUsers
    DenyGroups
    DenyUsers

Collecting tried user names and not allowing those to be added to your system as legitimate users is another approach. Configuring pw(8) and adduser(8) for this will be a good exercise.
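Added example (editor's fragment, not something posted by jhell or anyone else in this thread): an sshd_config that combines the Allow/Deny directives above with the tunables olli listed earlier (LoginGraceTime, MaxAuthTries, MaxSessions, MaxStartups) and Chris Palmer's "port != 22 && port < 1024" point. The directive names are OpenSSH's; the group name sshusers, the port number and the numeric values are assumptions chosen for illustration.

```conf
# Added example: sshd_config fragment (OpenSSH 5.x era directives).
# "sshusers", 1022 and the numbers below are illustrative choices.

# 1. Key-only authentication.  sshd on FreeBSD is built with PAM, so
#    "PasswordAuthentication no" alone is not enough: a password prompt can
#    still be offered through keyboard-interactive/PAM unless that path is
#    switched off as well.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

# 2. Default deny on accounts.  Only members of sshusers may log in at all,
#    so a guessed "oracle" or "test" is refused before authentication starts.
#    Evaluation order is DenyUsers, AllowUsers, DenyGroups, AllowGroups.
AllowGroups sshusers

# 3. Starve the bots: few guesses per connection, a short window to finish
#    authenticating, and random early drop of unauthenticated connections
#    (refuse 30% once 10 are pending, refuse all at 60).  MaxSessions only
#    caps multiplexed sessions per connection; it is not a brute-force knob.
MaxAuthTries 3
LoginGraceTime 30
MaxStartups 10:30:60
MaxSessions 10

# 4. Optional.  A non-standard port cuts scanner noise but is no substitute
#    for 1-3.  On a shared host keep it below 1024 so an unprivileged user
#    cannot squat on it while sshd is down.
#Port 1022
```

Run `sshd -t` against the file before restarting, and `sshd -T` to dump the effective configuration and confirm the password paths really are off.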
--
%{----------------------------------------------------+
| dataix.net!jhell 2048R/89D8547E 2009-09-30          |
| BSD since FreeBSD 4.2 Linux since Slackware 2.1     |
| 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E   |
+----------------------------------------------------%}

From owner-freebsd-security@FreeBSD.ORG Tue Oct 6 21:09:20 2009
From: Garrett Wollman
To: jhell
Cc: FreeBSD Security
Subject: Re: openssh concerns
Date: Tue, 6 Oct 2009 17:08:56 -0400
Message-ID: <19147.45544.619211.308287@hergotha.csail.mit.edu>

jhell said:
> Don't forget about making good use of the following configuration
> tunables. You can enforce a default policy of deny by just saying that a
> user must be in the group of AllowGroups. This does enforce a little bit
> more of an administrative overhead but that's for your staff and policy to
> decide.

Indeed, for a personal server that only I ever log in to, one of the first things that I do is add "AllowUsers wollman" to /usr/local/etc/ssh/sshd_config. That's just a belt-and-suspenders thing, though, to make sure that I don't fat-finger the password file or something.

I generally ignore the ssh "invalid user" complaints -- I have a modified version of /etc/periodic/security/800.loginfail that filters them out -- because they're totally irrelevant and have no impact on security. That allows me to pay attention to the (very occasional) password failures on real user accounts.
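As an added example (editor's code, not Garrett's 800.loginfail modification and not Chris Palmer's Python script): a shell function applying the same "artificial ignorance" idea to sshd log lines. It discards the "Invalid user" / "for invalid user" noise that bots generate against accounts that do not exist and tallies only failed logins against accounts that do, per user and source address, which is the part worth reading every morning. The log lines are constructed for the example; the hostname, user names and addresses are made up.

```sh
#!/bin/sh
# Added example (editor's code, not from the thread): an "artificial
# ignorance" pass over sshd auth log lines.  Known noise is dropped; what
# remains is counted per real account and source address.
#
# Usage:  ssh_auth_summary < /var/log/auth.log

ssh_auth_summary() {
    # Three shapes of sshd message matter here:
    #   sshd[PID]: Invalid user USER from IP                          (noise)
    #   sshd[PID]: Failed password for invalid user USER from IP ...  (noise)
    #   sshd[PID]: Failed password for USER from IP port N ssh2       (signal)
    # Only the third shape is an attempt against an account that exists.
    awk '
        /sshd\[[0-9]+\]: Failed password for / && !/ for invalid user / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            if (user != "" && ip != "") count[user " " ip]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log (RFC 5737 documentation addresses, made-up users).
SAMPLE_AUTH_LOG='Oct  5 14:58:00 colo1 sshd[12345]: Invalid user oracle from 192.0.2.10
Oct  5 14:58:01 colo1 sshd[12345]: Failed password for invalid user oracle from 192.0.2.10 port 4321 ssh2
Oct  5 14:58:03 colo1 sshd[12346]: Failed password for admin from 198.51.100.7 port 50001 ssh2
Oct  5 14:58:05 colo1 sshd[12347]: Failed password for root from 198.51.100.7 port 50002 ssh2
Oct  5 14:58:07 colo1 sshd[12348]: Failed password for root from 198.51.100.7 port 50003 ssh2
Oct  5 14:58:09 colo1 sshd[12349]: Accepted publickey for admin from 203.0.113.5 port 50004 ssh2'

# For the sample this prints:
#   2 root 198.51.100.7
#   1 admin 198.51.100.7
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_auth_summary
```

Dropped into a periodic script, the function's output is the whole report when the bots are only guessing nonexistent names, and the empty report is the good news. The noise is still counted if you want the scale (pipe the same log through `grep -c 'Invalid user'`), but it is kept out of the part you have to read.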
-GAWollman From owner-freebsd-security@FreeBSD.ORG Thu Oct 8 16:19:21 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A7E0F10656AA for ; Thu, 8 Oct 2009 16:19:21 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.freebsd.org (Postfix) with ESMTP id 7EA4B8FC4F for ; Thu, 8 Oct 2009 16:19:20 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from [69.69.69.193] ([24.201.201.211]) by VL-MO-MR005.ip.videotron.ca (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0KR7002MYENPVR30@VL-MO-MR005.ip.videotron.ca> for freebsd-security@freebsd.org; Thu, 08 Oct 2009 12:19:01 -0400 (EDT) Message-id: <4ACE10F5.2000303@optiksecurite.com> Date: Thu, 08 Oct 2009 12:19:01 -0400 From: Martin Turgeon User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) To: Thomas Rasmussen References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <4ACB7391.5040204@optiksecurite.com> In-reply-to: <4ACB7391.5040204@optiksecurite.com> Cc: freebsd-security@freebsd.org Subject: Re: Update on protection against slowloris X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Oct 2009 16:19:21 -0000 Martin Turgeon a écrit : > Thomas Rasmussen a écrit : >> Martin Turgeon wrote: >>> Hi list! >>> >>> We tested mod_antiloris 0.4 and found it quite efficient, but before >>> putting it in production, we would like to hear some feedback from >>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is >>> anyone using it? 
>>> Do you have any other way to patch against Slowloris other than
>>> putting a proxy in front or using the HTTP accept filter?
>>>
>>> Thanks for your feedback,
>>>
>>> Martin
>> Hello,
>>
>> I am using it successfully although not under any serious load, same
>> Apache and FreeBSD versions. I found it easy (compared to the
>> alternatives) and efficient, and no I don't know of any other ways of
>> blocking the attack, short of using Varnish or similar. However,
>> accf_http doesn't help at all, since HTTP POST requests bypass the
>> filter. HTTP POST can be enabled by passing the -httpready switch to
>> Slowloris.
>>
>> Please report back with your findings, I've been wondering how it
>> would perform under load.
>>
>> Best of luck with it,
>>
>> Thomas Rasmussen
>>
> Hi everyone,
>
> We haven't put mod_antiloris in production yet, but I wrote this
> little shell script to protect us against distributed attacks. It's
> running every minute in crontab. It checks for any IP with more than
> 100 connections in FIN_WAIT_2 state and blocks those IPs in PF.
>
> #!/bin/sh
>
> # Snapshot every connection the server has closed but the client has not
> # (FIN_WAIT_2), i.e. the sockets a Slowloris client leaves hanging.
> /usr/bin/netstat -n -f inet | grep FIN_WAIT_2 > netstat.out
>
> # Drop table entries older than 300 seconds so a block does not last forever.
> /usr/local/sbin/expiretable -t 300 slowloris
>
> # Column 5 is the foreign address as a.b.c.d.port; strip the port and count
> # connections per IP exactly (a plain "grep -c $ip" also matches any longer
> # address that merely begins with $ip, e.g. 10.0.0.1 vs 10.0.0.10).
> awk '{print $5}' netstat.out | sed 's/\.[0-9]*$//' | sort | uniq -c |
> while read count ip ; do
>     if [ "$count" -gt 100 ] ; then
>         pfctl -t slowloris -T add "$ip" 2> /dev/null
>     fi
> done
>
> Does anyone have any comments on the script itself or the method used
> to detect the attackers?
>
> Thanks for your input,
>
> Martin
>

Sorry for replying to my own post, but I have new information to share. We
put mod_antiloris and my script in production last night.
No problem yet with the module but I got a few false positives with my
script. It seems that there are a few IPs that got more than 100
simultaneous connections in FIN_WAIT_2 state. We noticed that a lot of the
FIN_WAIT_2 connections were related to a jail running Lighttpd (immune to
Slowloris, whose IP is 127.0.0.25) so I modified the initial netstat so it
looks like that:

/usr/bin/netstat -nfinet | grep -v 127.0.0.25 | grep FIN_WAIT_2 > netstat.out

We didn't get any false positives since then but I'm wondering how a client
can have so many unclosed connections? To get in FIN_WAIT state, it's the
server that closed the connections but the client never closed its side of
the connections. Does anyone have an idea how this can happen? Is this
because of a bad browser, a bad OS/TCP stack or something else?

Thanks for taking the time to shed some light on this,

Martin
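The per-IP FIN_WAIT_2 count from the cron script and the jail exclusion from the follow-up, done with exact address matching, as an added example that is neither Martin's script nor anything posted to the list. The function reads "netstat -n -f inet" output on stdin; the sample netstat lines, the threshold, and the addresses 203.0.113.7, 203.0.113.70 and 127.0.0.1 are constructed, and 127.0.0.25 is the jail address from the message above.

```shell
#!/bin/sh
# Added example, not Martin's script: count FIN_WAIT_2 connections per remote
# IP from "netstat -n -f inet" output on stdin, skip any line whose local or
# foreign address is the jail IP (exact match, unlike "grep -v 127.0.0.25",
# which also drops 127.0.0.250 etc.), and print every IP with more than
# THRESHOLD such connections.
# Usage: netstat -n -f inet | flag_slowloris_ips 100 127.0.0.25
flag_slowloris_ips() {
    threshold="$1"
    jail="$2"
    awk -v thr="$threshold" -v jail="$jail" '
        # FreeBSD prints addresses as a.b.c.d.port; drop the trailing port.
        function strip_port(addr,   n, f) {
            n = split(addr, f, ".")
            if (n != 5) return ""        # not IPv4 address.port (header, "*.*")
            return f[1] "." f[2] "." f[3] "." f[4]
        }
        $NF == "FIN_WAIT_2" {
            laddr = strip_port($4); faddr = strip_port($5)
            if (faddr == "") next
            if (jail != "" && (laddr == jail || faddr == jail)) next
            count[faddr]++               # exact per-IP count, no prefix matches
        }
        END {
            for (ip in count)
                if (count[ip] > thr + 0) print ip
        }' | sort
}

# Constructed netstat-style sample: 3 half-closed connections from 203.0.113.7,
# 1 from 203.0.113.70 (which "grep -c 203.0.113.7" would have miscounted as a
# 4th), and 3 on the lighttpd jail address that must not be counted.
SAMPLE='tcp4       0      0 192.0.2.10.80          203.0.113.7.51000      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.7.51001      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.7.51002      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.70.40000     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.70.40001     ESTABLISHED
tcp4       0      0 127.0.0.25.80          127.0.0.1.60000        FIN_WAIT_2
tcp4       0      0 127.0.0.25.80          127.0.0.1.60001        FIN_WAIT_2
tcp4       0      0 127.0.0.25.80          127.0.0.1.60002        FIN_WAIT_2'

# Prints 203.0.113.7 only; feed the result to "pfctl -t slowloris -T add".
printf '%s\n' "$SAMPLE" | flag_slowloris_ips 2 127.0.0.25
```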
From: "remodeler"
To: freebsd-security@freebsd.org
Date: Fri, 9 Oct 2009 23:57:23 -0400
Message-Id: <20091010035529.M29871@alentogroup.org>
Subject: GPU crypto acceleration?

I'm wondering if there's any core functionality or third-party utilities to
off-load cryptographic processing to the GPU or audio chip, instead of using a
hardware acceleration expansion card? This is on an amd64 build.

Thank you.

From owner-freebsd-security@FreeBSD.ORG Sat Oct 10 06:36:42 2009
Message-Id: <65088DA3-6AFD-4758-B2C3-A88F9B15AEA1@noncombatant.org>
From: Chris Palmer
To: "remodeler"
In-Reply-To: <20091010035529.M29871@alentogroup.org>
Date: Fri, 9 Oct 2009 23:36:43 -0700
References: <20091010035529.M29871@alentogroup.org>
Cc: freebsd-security@freebsd.org
Subject: Re: GPU crypto acceleration?

On Oct 9, 2009, at 8:57 PM, remodeler wrote:

> I'm wondering if there's any core functionality or third-party
> utilities to off-load cryptographic processing to the GPU or audio chip,
> instead of using a hardware acceleration expansion card? This is on an
> amd64 build.

Check out the Nvidia Tesla, although it probably will only work on Windows
and Linux. What is your application, though?

--
http://www.noncombatant.org/
http://hemiolesque.blogspot.com/