From owner-freebsd-security Sun Dec 6 05:31:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA25497 for freebsd-security-outgoing; Sun, 6 Dec 1998 05:31:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA25492 for ; Sun, 6 Dec 1998 05:31:07 -0800 (PST) (envelope-from mark@grondar.za)
Received: from greenpeace.grondar.za (IDENT:sTp2SxZuC3nBArBOYOtKFLvJpQf0KLV/@greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id PAA05341; Sun, 6 Dec 1998 15:31:00 +0200 (SAST) (envelope-from mark@grondar.za)
Received: from grondar.za (IDENT:lnaPBBQAp37YjKWPeLKWI3GFvuF1KXEs@localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.1/8.9.1) with ESMTP id PAA51640; Sun, 6 Dec 1998 15:30:44 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199812061330.PAA51640@greenpeace.grondar.za>
To: Robert Watson
cc: Dima Ruban, lyndon@execmail.com, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: mail.local
In-Reply-To: Your message of " Thu, 03 Dec 1998 17:27:46 EST."
References:
Date: Sun, 06 Dec 1998 15:30:43 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson wrote:

> I would certainly like to move to K5, but that's not an insignificant
> amount of trouble in terms of transitioning. Speaking of KerberosV, is
> it likely that FreeBSD will shift to shipping K4 instead of K5 by default
> at some point? K4 is the most common in all the environments I regularly
> use (here at CMU anyway) but K5 certainly has advantages (including, I
> believe, better support for multihomed hosts in the form of not using the
> IP in tickets/authenticators?)
>
> I would guess that the transition would be easier now that we have PAM?

With PAM it is dead easy. As soon as JDP is finished, I will bring in K5.
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Dec 6 17:08:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA26947 for freebsd-security-outgoing; Sun, 6 Dec 1998 17:08:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from yoshi.iq.org (Dial1INnet.vr.in-berlin.de [192.109.21.224]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA26942 for ; Sun, 6 Dec 1998 17:08:17 -0800 (PST) (envelope-from proff@yoshi.iq.org)
Received: (from proff@localhost) by yoshi.iq.org (8.8.8/8.8.8) id WAA00456; Sat, 5 Dec 1998 22:55:00 +0100 (CET)
To: "Jan B. Koum "
Cc: Paul Griffith, freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD vs FreeBSD
References: <19981201162450.C10475@best.com>
cc: proff@iq.org
From: Julian Assange
Date: 05 Dec 1998 22:55:00 +0100
In-Reply-To: "Jan B. Koum "'s message of "Tue, 1 Dec 1998 16:24:50 -0800"
Message-ID:
Lines: 9
User-Agent: Gnus/5.070048 (Pterodactyl Gnus v0.48) XEmacs/20.4 (Emerald)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jan B. Koum " writes:

> Do you really expect people here, on this list to say
> "Use OpenBSD" or "Use Linux" or etc?

`Use NetBSD'

Cheers,
Julian.
From owner-freebsd-security Sun Dec 6 17:46:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA29921 for freebsd-security-outgoing; Sun, 6 Dec 1998 17:46:13 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA29916 for ; Sun, 6 Dec 1998 17:46:11 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id UAA16222; Sun, 6 Dec 1998 20:44:53 -0500 (EST)
Date: Sun, 6 Dec 1998 20:44:53 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Julian Assange
cc: "Jan B. Koum ", Paul Griffith, freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD vs FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 5 Dec 1998, Julian Assange wrote:

> > Do you really expect people here, on this list to say
> > "Use OpenBSD" or "Use Linux" or etc?
>
> `Use NetBSD'

Use a toaster oven. Toaster ovens have excellent network security characteristics. For example, they are not susceptible to any IMAP-based buffer overflow attacks; additionally, current toaster ovens are not known to have any bugs in their TCP/IP stacks, nor have they been vulnerable to any in the recent past (according to CERT advisories, anyway). Toaster ovens require console access to perform administrative functions (such as modification of temperature settings), but this will not impede deployment in a number of environments.
Toaster ovens may be vulnerable to a remote denial of service attack involving manipulation of power lines -- however, most operating systems running on standard hardware are also vulnerable to this attack.

I have found that my toaster oven has served me well for a number of years, and produces excellent grilled cheese sandwiches, which is far better than my pentium running FreeBSD, largely because the cooling fan on the pentium does too good a job. Go figure. Maybe if I get a pentium pro?

Neither my FreeBSD box nor my toaster oven has suffered from a security problem in a while.

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Sun Dec 6 18:45:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA05154 for freebsd-security-outgoing; Sun, 6 Dec 1998 18:45:28 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA05145 for ; Sun, 6 Dec 1998 18:45:26 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id VAA16551; Sun, 6 Dec 1998 21:44:37 -0500 (EST)
Date: Sun, 6 Dec 1998 21:44:36 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
cc: Julian Assange, "Jan B. Koum ", Paul Griffith, freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD vs FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 6 Dec 1998, Robert Watson wrote:

> Use a toaster oven. Toaster ovens have excellent network security
> characteristics. For example, they are not susceptible to any IMAP-based
> buffer overflow attacks; additionally, current toaster ovens are not known

A friend of mine points out that toaster ovens are susceptible to a buffer overflow involving pieces of bread exceeding the safe bread limit in the oven, which can result in a fire, or at the very least, a lot of burnt bread. As such, I am no longer planning to deploy toaster ovens as web servers on our network.

Apologies for any misleading details concerning the reliability of toaster ovens in hostile environments -- I hope no one has made purchasing decisions based on this misinformation!

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Mon Dec 7 07:06:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA05787 for freebsd-security-outgoing; Mon, 7 Dec 1998 07:06:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from www.mgr3.k12.mo.us (www.mgr3.k12.mo.us [204.184.227.130]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA05780 for ; Mon, 7 Dec 1998 07:06:58 -0800 (PST) (envelope-from rjn103s@mgr3.k12.mo.us)
Received: from cave540 (unverified [204.184.227.140]) by mgr3.k12.mo.us (EMWAC SMTPRS 0.83) with SMTP id ; Mon, 07 Dec 1998 09:09:10 -0600
Message-Id: <3.0.6.32.19981207090315.008713e0@204.184.227.125>
X-Sender: rjn103s@204.184.227.125
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Mon, 07 Dec 1998 09:03:15 -0600
To: security@FreeBSD.ORG
From: Nelson
Subject: 2.2.8 && ipfw? && 1 other ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings,

I am not sure where to ask these questions, but since it is dealing with ipfw I thought I would try security. First the problems:

Information: I am running 2.2.8 on a new box for a firewall (replacing a 2.2.2 older box). I am using this box for site blocking purposes for our K12 site. I currently have about 2800 rules, namely blocking sites. The rules are enumerated by 1 and the bulk of the rules starting at 1000 (there are several rules before this, say maybe 100 or so). And the firewall is doing its job.
However,

Problem 1.: when I do an

    ipfw l

it only shows the rules list down to 2066.

Problem 2.: when I did an

    ipfw l | more

this morning it caused a reboot to occur. :(

Now the silly question: I am not really sure what the lines in the rc.firewall that contain the word "setup" really mean. Would someone care to help me out with it? :)

Many Thanks && Thoughts Welcome

Richard Nelson
Technology Director
Research & Development Director
System Administrator
Mountain Grove R-III Schools
420 N. Main
Mountain Grove, MO 65711
+++++++++++++++++++++++++++++++++++++++++
+ FreeBSD, Linux, & Java = Excellence   +
+ http://www.freebsd.org                +
+ http://www.redhat.com                 +
+ http://java.sun.com/                  +
+ Samba + (FreeBSD||Linux)= Free PDC!   +
+ Using FreeBSD for Servers!            +
+ Using Linux for Workstations!         +
+++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-security Mon Dec 7 08:06:42 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA12503 for freebsd-security-outgoing; Mon, 7 Dec 1998 08:06:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA12495 for ; Mon, 7 Dec 1998 08:06:39 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with ESMTP id FAA28228; Tue, 8 Dec 1998 05:06:23 +1300 (NZDT) (envelope-from andrew@squiz.co.nz)
Date: Tue, 8 Dec 1998 05:06:23 +1300 (NZDT)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Nelson
cc: security@FreeBSD.ORG
Subject: Re: 2.2.8 && ipfw? && 1 other ?
In-Reply-To: <3.0.6.32.19981207090315.008713e0@204.184.227.125>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 7 Dec 1998, Nelson wrote:

> ipfw l
>
> It only shows the rules list down to 2066

All of your rules are there and working, but the code for displaying them only handles 1024 entries. If you look in /usr/src/sbin/ipfw/ipfw.c

These are my diffs from the 2.2.7-RELEASE sources:

root@aniwa# diff /usr/src/sbin/ipfw/ipfw.c.orig /usr/src/sbin/ipfw/ipfw.c
182c182
< printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
---
> printf("%9lu %11lu ",chain->fw_pcnt,chain->fw_bcnt);
407c407
< struct ip_fw rules[1024];
---
> struct ip_fw rules[10240];

The first difference is unrelated - it improves on the problem of truncating display space for the ipfw statistics. You have to have at least 2^11 bytes of traffic matching a rule for it to matter.

> I am not really sure what the lines in the rc.firewall that contain the
> word "setup" really mean. Would someone care to help me out with it:)

They apply to TCP connections only and match only the packets that are sent to establish the connection. You can set a rule saying

    ipfw add allow tcp from any to any established

and it will not on its own allow any connections to be made.

Imagine you want to allow outbound ssh connections. If you use rules like this:

    ipfw add allow tcp from $myip to any ssh
    ipfw add allow tcp from any ssh to $myip

then anyone can connect from the ssh port on their machine to any port on your machine.
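Review bot: in the 407c407 hunk of the ipfw.c diff above, replacing "struct ip_fw rules[1024];" with "struct ip_fw rules[10240];" trades one hard-coded ceiling for another, so the same silent truncation of "ipfw l" comes back for anyone whose rule count passes the new bound, and if "rules" is an automatic variable the listing routine now carries ten times the stack footprint. The list code should size the buffer from what the kernel reports (or grow it in a loop until the kernel returns less than the buffer holds) and, at minimum, warn when the returned data fills the array exactly, because a full buffer is the one signature a truncated listing leaves. The 182c182 printf width change is unrelated, as the poster says, and belongs in its own patch so the two can be reviewed and reverted independently. Neither hunk addresses problem 2 of the original report (a reboot during "ipfw l | more"); a userland array size cannot cause a reboot, so if that recurs it needs a separate look at the kernel side of the listing path.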
So if you want to keep statistics about how much traffic goes through which kinds of services, you might use:

    ipfw add allow tcp from $myip to any ssh
    ipfw add allow tcp from any ssh to $myip established

Or, if you don't care about the statistics but you want to keep your rule set simple you might use:

    ipfw add allow tcp from any to any established
    ipfw add allow tcp from any to $myip ssh

This still requires two rules to enable this one service, but only the second rule needs to be repeated in order to enable other services.

Andrew McNaughton

From owner-freebsd-security Wed Dec 9 15:49:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA14455 for freebsd-security-outgoing; Wed, 9 Dec 1998 15:49:49 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cc00ms.unity.ncsu.edu (cc00ms.unity.ncsu.edu [152.1.1.35]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA14450 for ; Wed, 9 Dec 1998 15:49:45 -0800 (PST) (envelope-from jjyuill@eos.ncsu.edu)
Received: from wind (wind.csc.ncsu.edu [152.1.75.167]) by cc00ms.unity.ncsu.edu (8.8.4/US19Dec96) with SMTP id SAA20374 for ; Wed, 9 Dec 1998 18:49:33 -0500 (EST)
Message-Id: <3.0.5.32.19981209185323.0093dc90@pop-in.ncsu.edu>
X-Sender: jjyuill@pop-in.ncsu.edu
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Wed, 09 Dec 1998 18:53:23 -0500
To: FREEBSD-SECURITY@FreeBSD.ORG
From: Jim Yuill
Subject: append-only devices for logging
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've been looking for an append-only device for logging, which a remote hacker (with root access) can not erase or alter. Other than a line-printer, are there any such devices that actually work with Unix?
From what I understand, a write-once CD has restricted writing capability that would make it unsuitable for logging.

According to CERT, these things exist:

> Log selected data to a write-once/read-many device (e.g., a
> CD-ROM or a specially configured tape drive) to eliminate the
> possibility of the data being modified once it is written, or
> to a write-only device (e.g., a printer).
>
> http://www.cert.org/security-improvement/practices/p041.html

but I've spent the afternoon looking, and haven't found anything.

Thanks in advance for any pointers,

Jim

#############################################################
Jim Yuill, graduate student
Computer Science Department, North Carolina State University
919-513-1894 (w), 919-546-0537 (h)
home page: http://www.pobox.com/~jimyuill

From owner-freebsd-security Wed Dec 9 16:28:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA20718 for freebsd-security-outgoing; Wed, 9 Dec 1998 16:28:46 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from goliath.camtech.net.au (goliath.camtech.net.au [203.5.73.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA20712 for ; Wed, 9 Dec 1998 16:28:44 -0800 (PST) (envelope-from newton@camtech.com.au)
Received: from sebastion.sa.camtech.com.au (sebastion.sa.camtech.com.au [203.28.3.2]) by goliath.camtech.net.au (8.8.5/8.8.2) with ESMTP id KAA18688; Thu, 10 Dec 1998 10:57:42 +1030 (CST)
Received: (from smtp@localhost) by sebastion.sa.camtech.com.au (8.8.5/8.8.7) id KAA26788; Thu, 10 Dec 1998 10:58:29 +1030 (CST)
Received: from slingshot(192.168.1.2) by sebastion via smap (V2.0) id xma026785; Thu, 10 Dec 98 10:58:26 +1030
Received: from frenzy.ct (newton@frenzy.ct [192.168.4.65]) by slingshot.ct (8.9.1/8.9.1) with ESMTP id KAA28134; Thu, 10 Dec 1998 10:58:25 +1030 (CST)
From: Mark Newton
Received: (from newton@localhost) by frenzy.ct (8.8.8/8.8.8) id KAA21421; Thu, 10 Dec 1998 10:58:24 +1030 (CDT)
Message-Id: <199812100028.KAA21421@frenzy.ct>
Subject: Re: append-only devices for logging
In-Reply-To: <3.0.5.32.19981209185323.0093dc90@pop-in.ncsu.edu> from Jim Yuill at "Dec 9, 98 06:53:23 pm"
To: jjyuill@eos.ncsu.edu (Jim Yuill)
Date: Thu, 10 Dec 1998 10:58:24 +1030 (CDT)
Cc: FREEBSD-SECURITY@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Yuill wrote:

> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?

Files fit the bill on FreeBSD. Set your securelevel to 2 and apply the "sappnd" flag (using chflags) to any files you wish to set as "append-only". Not even root can remove the append-only flag unless first bringing the system to a lower security level, which requires physical access to the console for single user mode operation.

See chflags(1).
- mark

---
Mark Newton                               Email: newton@camtech.com.au
Systems Engineer and Senior Trainer       Phone: +61-8-8303-3300
Camtech (SA), a member of the             Fax:   +61-8-8303-4403
CAMTECH group of companies                WWW:   http://www.camtech.com.au

From owner-freebsd-security Wed Dec 9 17:07:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA25601 for freebsd-security-outgoing; Wed, 9 Dec 1998 17:07:03 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA25588 for ; Wed, 9 Dec 1998 17:06:59 -0800 (PST) (envelope-from gjp@gjp.erols.com)
Received: from gjp.erols.com (localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.9.1/8.8.7) with ESMTP id UAA12620; Wed, 9 Dec 1998 20:06:51 -0500 (EST) (envelope-from gjp@gjp.erols.com)
To: Jim Yuill
cc: FREEBSD-SECURITY@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: append-only devices for logging
In-reply-to: Your message of "Wed, 09 Dec 1998 18:53:23 EST." <3.0.5.32.19981209185323.0093dc90@pop-in.ncsu.edu>
Date: Wed, 09 Dec 1998 20:06:51 -0500
Message-ID: <12616.913252011@gjp.erols.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Yuill wrote in message ID <3.0.5.32.19981209185323.0093dc90@pop-in.ncsu.edu>:

> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?

Sure, why does it have to be a line printer at the other end of the serial/parallel cable? It could be a PC that just logs the data it gets over a raw serial connection (i.e. one way, no return) ... if the only access to that machine is the console, does that meet your requirements?
The other option is the `sappnd' flag and a higher run level, but you need to reboot to do log rotation.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Wed Dec 9 17:13:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA26868 for freebsd-security-outgoing; Wed, 9 Dec 1998 17:13:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cc00ms.unity.ncsu.edu (cc00ms.unity.ncsu.edu [152.1.1.35]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA26860 for ; Wed, 9 Dec 1998 17:13:19 -0800 (PST) (envelope-from jjyuill@eos.ncsu.edu)
Received: from wind (wind.csc.ncsu.edu [152.1.75.167]) by cc00ms.unity.ncsu.edu (8.8.4/US19Dec96) with SMTP id TAA22843 for ; Wed, 9 Dec 1998 19:46:05 -0500 (EST)
Message-Id: <3.0.5.32.19981209194955.009414b0@pop-in.ncsu.edu>
X-Sender: jjyuill@pop-in.ncsu.edu
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Wed, 09 Dec 1998 19:49:55 -0500
To: FREEBSD-SECURITY@FreeBSD.ORG
From: Jim Yuill
Subject: Re: append-only devices for logging
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Subject: Re: append-only devices for logging
>
> At 06:53 PM 12/9/98 -0500, you wrote:
> > I've been looking for an append-only device for logging, which a remote
> > hacker (with root access) can not erase or alter. Other than a
> > line-printer, are there any such devices that actually work with Unix?
>
> How about a serial line to a non-networked PC which just logs to a local
> disk? We're going to be setting up something like this with a multiport
> card to monitor a bunch of servers.
>

Will you use uucp to handle the serial comm?
Thanks for the reply,

Jim

#############################################################
Jim Yuill, graduate student
Computer Science Department, North Carolina State University
919-513-1894 (w), 919-546-0537 (h)
home page: http://www.pobox.com/~jimyuill

From owner-freebsd-security Wed Dec 9 18:55:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA13376 for freebsd-security-outgoing; Wed, 9 Dec 1998 18:55:31 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA13361 for ; Wed, 9 Dec 1998 18:55:26 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id VAA15151; Wed, 9 Dec 1998 21:54:21 -0500 (EST)
Date: Wed, 9 Dec 1998 21:54:21 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Mark Newton
cc: Jim Yuill, FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <199812100028.KAA21421@frenzy.ct>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Dec 1998, Mark Newton wrote:

> > I've been looking for an append-only device for logging, which a remote
> > hacker (with root access) can not erase or alter. Other than a
> > line-printer, are there any such devices that actually work with Unix?
>
> Files fit the bill on FreeBSD. Set your securelevel to 2 and
> apply the "sappnd" flag (using chflags) to any files you wish
> to set as "append-only". Not even root can remove the append-only
> flag unless first bringing the system to a lower security level,
> which requires physical access to the console for single user mode
> operation.

You should note, however, that to get this to be literally the case, you need to protect many other files against modification (such as boot scripts, etc). There has been extensive discussion in the archives, and Jan's how-to probably has good information. I discuss a few details on my (temporarily neglected) hardening project page. Take a look around the FreeBSD security page for details.

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Thu Dec 10 01:18:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA26166 for freebsd-security-outgoing; Thu, 10 Dec 1998 01:18:01 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA26144 for ; Thu, 10 Dec 1998 01:17:59 -0800 (PST) (envelope-from netadmin@fastnet.co.uk)
Received: from lart.org.uk (netadmin@lart.org.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA28186; Thu, 10 Dec 1998 09:17:40 GMT
Date: Thu, 10 Dec 1998 09:17:39 +0000 (GMT)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: Mark Newton
cc: FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <199812100028.KAA21421@frenzy.ct>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > I've been looking for an append-only device for logging, which a remote
| > hacker (with root access) can not erase or alter. Other than a
| > line-printer, are there any such devices that actually work with Unix?
|
| Files fit the bill on FreeBSD. Set your securelevel to 2 and
| apply the "sappnd" flag (using chflags) to any files you wish
| to set as "append-only". Not even root can remove the append-only
| flag unless first bringing the system to a lower security level,
| which requires physical access to the console for single user mode
| operation.

True, but if they have root then they can quite easily alter /etc/rc.local (or wherever you're using to run sysctl) so that it doesn't alter the securelevel and then just reboot the machine. Their other option would be to launch something like sshd and then boot the system down to single user mode[1].

[1] probably won't work, haven't woken up yet..

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Thu Dec 10 01:48:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA28925 for freebsd-security-outgoing; Thu, 10 Dec 1998 01:48:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA28920 for ; Thu, 10 Dec 1998 01:48:10 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id BAA11142; Thu, 10 Dec 1998 01:47:11 -0800 (PST)
Message-ID: <19981210014711.A3541@best.com>
Date: Thu, 10 Dec 1998 01:47:11 -0800
From: "Jan B. Koum "
To: Jay Tribick
Cc: security@FreeBSD.ORG
Subject: Re: append-only devices for logging
References: <199812100028.KAA21421@frenzy.ct>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Jay Tribick on Thu, Dec 10, 1998 at 09:17:39AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Dec 10, 1998 at 09:17:39AM +0000, Jay Tribick wrote:
>
> | > I've been looking for an append-only device for logging, which a remote
> | > hacker (with root access) can not erase or alter. Other than a
> | > line-printer, are there any such devices that actually work with Unix?
> |
> | Files fit the bill on FreeBSD. Set your securelevel to 2 and
> | apply the "sappnd" flag (using chflags) to any files you wish
> | to set as "append-only". Not even root can remove the append-only
> | flag unless first bringing the system to a lower security level,
> | which requires physical access to the console for single user mode
> | operation.
>
> True but if they have root then they can quite easily alter /etc/rc.local
> (or wherever you're using to run sysctl) so that it doesn't alter the
> securelevel and then just reboot the machine. Their other option would be
> to launch something like sshd and then boot the system down to single user
> mode[1].
>
> [1] probably won't work, haven't woken up yet..
>
> Regards,
>
> Jay Tribick
> --
> [| Network Admin | FastNet International | http://fast.net.uk/ |]
> [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
> [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

Well.. one should in theory notice their security critical box reboot and do some further investigation...
-- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 10 01:53:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA29863 for freebsd-security-outgoing; Thu, 10 Dec 1998 01:53:38 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA29848 for ; Thu, 10 Dec 1998 01:53:32 -0800 (PST) (envelope-from netadmin@fastnet.co.uk) Received: from lart.org.uk (netadmin@lart.org.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA01450; Thu, 10 Dec 1998 09:53:20 GMT Date: Thu, 10 Dec 1998 09:53:19 +0000 (GMT) From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: "Jan B. Koum " cc: security@FreeBSD.ORG Subject: Re: append-only devices for logging In-Reply-To: <19981210014711.A3541@best.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org | > | > I've been looking for an append-only device for logging, which a remote | > | > hacker (with root access) can not erase or alter. Other than a | > | > line-printer, are there any such devices that actually work with Unix? | > | | > | | > | which requires physical access to the console for single user mode | > | operation. | > | > True but if they have root then they can quite easily alter /etc/rc.local | > (or wherever your using to run sysctl) so that it doesn't alter the | > securelevel and then just reboot the machine. Their other option would be | > to launch something like sshd and then boot the system down to single user | > mode[1]. | > | > [1] probly won't work, haven't woken up yet.. | Well.. one should in theory notice their security critical | box reboot and do some further investigation... So your security standpoint is "Oh, look.. 
the uptime's only a couple of hours"[1] ? :)

[1] doesn't apply to NT sysadmins ;)

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Thu Dec 10 02:01:41 1998
From: "Jordan K. Hubbard"
Date: Thu, 10 Dec 1998 02:00:25 -0800
To: Jay Tribick
Cc: Mark Newton, FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: Your message of "Thu, 10 Dec 1998 09:17:39 GMT."
Message-ID: <30042.913284025@zippy.cdrom.com>

> True but if they have root then they can quite easily alter /etc/rc.local

Anyone setting their securelevel to 2 and *meaning* it will have also
chflag'd many of the files in / (including this one) to be effectively
read-only. There's no point in locking all your doors and leaving a
window open, after all, and anyone clueful enough to run at such a
high secure level should also be clueful enough to know where all the
obvious doors and windows (like this one) are.
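The combination the last few messages describe (sappnd on the log files, securelevel 2 so the flag cannot be cleared, and schg on the startup files that raise the securelevel, so root cannot simply edit them and reboot) can be audited offline. The following is an added example, not code from this thread or from FreeBSD. The paths in SAMPLE_FLAGS are constructed, stat_flags only returns real BSD flags when run on a BSD-derived system, and the note about securelevel 1 relies on init(8)'s description of the levels.

```python
"""Offline audit of the protection discussed in the thread: a log file only
binds root when it carries the *system* append-only flag (sappnd, SF_APPEND)
and the kernel securelevel is high enough that the flag cannot be cleared,
and the startup files that raise the securelevel are themselves
system-immutable (schg, SF_IMMUTABLE).  Added example; the path names and
flag values below are constructed, not taken from any real host."""
import os
import stat

# Constructed sample: what 'ls -lo' might show on a partly hardened box.
SAMPLE_FLAGS = {
    "/var/log/messages": stat.SF_APPEND,      # sappnd: correct
    "/var/log/auth.log": stat.UF_APPEND,      # uappnd only: root can clear it
    "/etc/rc": 0,                             # editable: next boot may skip the sysctl
    "/etc/rc.local": stat.SF_IMMUTABLE,       # schg: correct
}
LOG_PATHS = ["/var/log/messages", "/var/log/auth.log"]
STARTUP_PATHS = ["/etc/rc", "/etc/rc.local"]


def stat_flags(path):
    """BSD file flags of a path. st_flags exists only on BSD-derived systems;
    elsewhere this returns 0, which the audit reports as 'unprotected'."""
    return getattr(os.lstat(path), "st_flags", 0)


def audit(flags_by_path, securelevel, log_paths, startup_paths):
    """Return (subject, problem) pairs; an empty list means the configuration
    matches what the thread recommends (securelevel 2, sappnd logs, schg rc)."""
    findings = []
    if securelevel < 1:
        findings.append(("kernel", f"securelevel {securelevel}: root can clear "
                         "schg/sappnd, so none of the file flags bind root"))
    elif securelevel == 1:
        # init(8): level 1 already locks the system flags and raw writes to
        # disks backing mounted file systems; level 2 extends that to all disks.
        findings.append(("kernel", "securelevel 1: flags are locked, but the "
                         "thread recommends 2 (no raw writes to any disk)"))
    for p in log_paths:
        flags = flags_by_path.get(p, 0)
        if flags & stat.SF_APPEND:
            continue
        if flags & stat.UF_APPEND:
            findings.append((p, "only the user append-only flag (uappnd) is set; "
                                "user flags are not protected by securelevel"))
        else:
            findings.append((p, "no append-only flag: root can truncate or rewrite it"))
    for p in startup_paths:
        if not (flags_by_path.get(p, 0) & stat.SF_IMMUTABLE):
            findings.append((p, "not schg: root could edit it so the next boot "
                                "never raises the securelevel"))
    return findings


def audit_live(securelevel, log_paths, startup_paths):
    """Same audit against the running system (meaningful on FreeBSD only);
    pass the output of 'sysctl -n kern.securelevel' as securelevel."""
    flags = {p: stat_flags(p) for p in log_paths + startup_paths if os.path.exists(p)}
    return audit(flags, securelevel, log_paths, startup_paths)


def demo():
    """Run the audit on the constructed sample at securelevel 2."""
    return audit(SAMPLE_FLAGS, 2, LOG_PATHS, STARTUP_PATHS)


if __name__ == "__main__":
    for subject, problem in demo():
        print(f"{subject}: {problem}")
```

On the constructed sample the audit flags /var/log/auth.log (user flag only) and /etc/rc (not immutable) and accepts the rest; the same function run through audit_live on a FreeBSD host reads the real flags via lstat.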
:-)

- Jordan

From owner-freebsd-security Thu Dec 10 05:49:03 1998
From: Nelson
Date: Thu, 10 Dec 1998 07:45:00 -0600
To: security@FreeBSD.ORG
Subject: firewall && natd && private class B
Message-Id: <3.0.6.32.19981210074500.0087a050@mgr3.k12.mo.us>

Greetings,

I would like to put our mail && http server behind our firewall. To do
this I set up a small test for the devices and actually placed them behind
the firewall, gave the firewall alias addresses, and added some
configurations in a configuration file for natd as follows:

#natd config file
same_ports yes
#redirect mail
redirect_port tcp 172.16.0.3:smtp outside_address:smtp
redirect_port udp 172.16.0.3:smtp outside_address:smtp
redirect_port tcp 172.16.0.3:pop3 outside_address:pop3
redirect_port udp 172.16.0.3:pop3 outside_address:pop3
#redirect http
redirect_port tcp inside_address:80 outside_address:80
redirect_port udp inside_address:80 outside_address:80

voila! It worked for any workstation that had a "real" IP like a champ!
However when I tried the workstation with addresses from our Class B I
could not get it to work with any address of the form 172.16.xxx.xxx
255.255.0.0 (only tested with w95 boxes). From the client I kept getting
10061 error with the mail. So, I suspected something with the mail client
or server; however when I tried the webserver I get no success, I get an
error of "timed out". OK: with private IPs it fails and it works like a
champ with real IPs. Which lets the mail client and server off the hook.
Now I am not for sure where to look for a problem. :(

I am thinking I have missed something simple, any ideas what??

Thoughts Welcome!

Richard Nelson
Technology Director
Research & Development Director
System Administrator
Mountain Grove R-III Schools
420 N. Main
Mountain Grove, MO 65711
+++++++++++++++++++++++++++++++++++++++++
+ FreeBSD, Linux, & Java = Excellence +
+ http://www.freebsd.org +
+ http://www.redhat.com +
+ http://java.sun.com/ +
+ Samba + (FreeBSD||Linux)= Free PDC! +
+ Using FreeBSD for Servers! +
+ Using Linux for Workstations! +
+++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-security Thu Dec 10 08:00:39 1998
From: Robert Watson
Date: Thu, 10 Dec 1998 10:59:34 -0500 (EST)
Reply-To: Robert Watson
To: "Jordan K. Hubbard"
Cc: Jay Tribick, Mark Newton, FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <30042.913284025@zippy.cdrom.com>

One also, of course, needs to make sure that all the CAM SCSI devices
(pass-through, etc) obey securelevel semantics, etc. I would guess that at
least some hardware drivers on the system might allow the circumventing of
the higher securelevel prohibition on writing directly to disk devices, or
allow manipulation of the device such that it allows access to portions of
memory that it should not. For example, it may be that some bus mastering
devices can be persuaded to do things on the bus that they should not, or
incorrectly treat memory as mapped into their address space, etc. I assume
that direct io port access is restricted in high securelevels? In the
normal case, only root can do these things, so it is assumed to be ok, but
in securelevels, root is suddenly a restricted user also.

On Thu, 10 Dec 1998, Jordan K. Hubbard wrote:

> > True but if they have root then they can quite easily alter /etc/rc.local
>
> Anyone setting their securelevel to 2 and *meaning* it will have also
> chflag'd many of the files in / (including this one) to be effectively
> read-only. There's no point in locking all your doors and leaving a
> window open, after all, and anyone clueful enough to run at such a
> high secure level should also be clueful enough to know where all the
> obvious doors and windows (like this one) are.
> :-)
>
> - Jordan

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Thu Dec 10 10:48:53 1998
From: James Wyatt
Date: Thu, 10 Dec 1998 12:33:20 -0600 (CST)
To: Jim Yuill
Cc: FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <3.0.5.32.19981209185323.0093dc90@pop-in.ncsu.edu>

On Wed, 9 Dec 1998, Jim Yuill wrote:
> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?
>
> From what I understand, a write-once CD has restricted writing capability
> that would make it unsuitable for logging.

We've configured a machine (at another customer's site) to write logs to a
serial port that a second machine sucks up and writes to a hard drive. It
was just running ProComm+ for DOS in ASCII-file-download mode. Since it was
DOS, remote logins were not an issue. Nowadays I would likely use a
stripped-down FreeBSD box and cat (or minicom) the serial port to a file.
It *could* be configured with a small web server (no CGI) to write the
files to HTML-space for remote reading, but disallow *any* other remote
access.

I've also done something similar with PBX SMDR output to a LAN drive for a
custom (homebrew you get paid for 8{) call-accounting package.

Hope this helps someone - Jy@ (jwyatt@rwsystems.net)

From owner-freebsd-security Thu Dec 10 11:19:15 1998
From: James Wyatt
Date: Thu, 10 Dec 1998 13:12:21 -0600 (CST)
To: Mark Newton
Cc: Jim Yuill, FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <199812100028.KAA21421@frenzy.ct>

> Jim Yuill wrote:
> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?

On Thu, 10 Dec 1998, Mark Newton wrote:
> Files fit the bill on FreeBSD. Set your securelevel to 2 and
> apply the "sappnd" flag (using chflags) to any files you wish
> to set as "append-only". Not even root can remove the append-only
> flag unless first bringing the system to a lower security level,
> which requires physical access to the console for single user mode
> operation.

For the truly paranoid: How many of you audit your system scripts on
reboot? If I wanted to erase my tracks (and thought you might not know I
was there or wanted to hide how long I'd been there), I could tamper with
scripts to kill logs next bringup. Tripwire(tm) is nearly perfect for
watching rc.* changes and such. Many of us just take the machine down, go
'-s', blindly run our single-user-mode-admin-scripts, and go multiuser.

This does have better logging bandwidth than serial/parallel port logging,
though.
(^_^) Jy@

From owner-freebsd-security Thu Dec 10 13:35:45 1998
From: Nelson
Date: Thu, 10 Dec 1998 15:35:11 -0600
To: security@FreeBSD.ORG
Subject: Re: firewall && natd && private class B
In-Reply-To: <3.0.6.32.19981210074500.0087a050@mgr3.k12.mo.us>
Message-Id: <3.0.6.32.19981210153511.007de100@mgr3.k12.mo.us>

Greetings,

After receiving several replies to the posting, the problem appears to be a
shortcoming of natd running on the outside interface (according to several
replies). One person has implemented a solution to the problem by having 2
boxes, one for outgoing traffic running natd and one for incoming traffic
running natd.

My knowledge is somewhat limited in the subject area; could someone please
critique the below thoughts on whether it is possible and, if so, what
shortcomings I would be creating with these hypothetical solutions:

Since someone is running 2 boxes to solve the problem they are actually
running 2 copies of natd. Why can't you run 2 copies of natd on a single
box (a copy on each card)? If so I would assume you would need 2 divert
ports instead of 1. (????Thoughts????) Would this get anywhere? There must
be a way to consolidate the 2 boxes into 1.

It was pointed out to me that there was no need to redirect udp traffic as
well. I have since corrected my natd conf file.

Thanks to all that replied! I find the support on this list EXCELLENT!

At 07:45 AM 12/10/98 -0600, you wrote:
>Greetings,
>
>I would like to put our mail && http server behind our firewall. To do
>this I set up a small test for the devices and actually placed them behind
>the firewall, gave the firewall alias addresses, and added some
>configurations in a configuration file for natd as follows:
>
>#natd config file
>same_ports yes
>#redirect mail
>redirect_port tcp 172.16.0.3:smtp outside_address:smtp
>redirect_port udp 172.16.0.3:smtp outside_address:smtp
>redirect_port tcp 172.16.0.3:pop3 outside_address:pop3
>redirect_port udp 172.16.0.3:pop3 outside_address:pop3
>#redirect http
>redirect_port tcp inside_address:80 outside_address:80
>redirect_port udp inside_address:80 outside_address:80
>
>voila! It worked for any workstation that had a "real" IP like a champ!
>However when I tried the workstation with addresses from our Class B I
>could not get it to work with any address of the form 172.16.xxx.xxx
>255.255.0.0 (only tested with w95 boxes). From the client I kept getting
>10061 error with the mail. So, I suspected something with the mail client
>or server; however when I tried the webserver I get no success, I get an
>error of "timed out". OK: with private IPs it fails and it works like a
>champ with real IPs. Which lets the mail client and server off the hook.
>Now I am not for sure where to look for a problem. :(
>
>I am thinking I have missed something simple, any ideas what??
>
>Thoughts Welcome!
>
>Richard Nelson

Richard Nelson
Technology Director
Research & Development Director
System Administrator
Mountain Grove R-III Schools
420 N. Main
Mountain Grove, MO 65711
+++++++++++++++++++++++++++++++++++++++++
+ FreeBSD, Linux, & Java = Excellence +
+ http://www.freebsd.org +
+ http://www.redhat.com +
+ http://java.sun.com/ +
+ Samba + (FreeBSD||Linux)= Free PDC! +
+ Using FreeBSD for Servers! +
+ Using Linux for Workstations! +
+++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-security Thu Dec 10 14:19:00 1998
From: William McVey
Date: Thu, 10 Dec 1998 16:18:43 -0600
To: James Wyatt
Cc: Jim Yuill, FREEBSD-SECURITY@FreeBSD.ORG, ksb@sa.fedex.com
Subject: Re: append-only devices for logging
Message-Id: <199812102218.QAA09114@s07.sa.fedex.com>

> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?

I highly recommend syslogging to a serial device connected to a separate
machine running the console server package available at:

ftp://ftp.physics.purdue.edu/pub/pundits/conserver-7.4.tgz

(There is a precompiled version of this application in the PORTS
collection; however, it is outdated).

The conserver package can be configured to do lots of stuff. It is
typically used to manage serial interfaces for "headless" console access
to a Unix box, but if the conserver is connected to a host which is
logging to its serial device, you get what you want. The conserver logs
all input it sees to logfiles local to the conserver (which wouldn't be
available to the machine being monitored).
--
William

From owner-freebsd-security Thu Dec 10 15:07:07 1998
From: Charles Reese
Date: Thu, 10 Dec 1998 18:01:02 -0500
To: freebsd-security@FreeBSD.ORG
Subject: tripwire was Re: append-only devices for logging
Message-Id: <1.5.4.32.19981210230102.00743b60@chem.duke.edu>

At 01:12 PM 12/10/98 -0600, you wrote:
>> Jim Yuill wrote:
>> I've been looking for an append-only device for logging, which a remote
>> hacker (with root access) can not erase or alter. Other than a
>> line-printer, are there any such devices that actually work with Unix?
>
>On Thu, 10 Dec 1998, Mark Newton wrote:
>> Files fit the bill on FreeBSD. Set your securelevel to 2 and
>> apply the "sappnd" flag (using chflags) to any files you wish
>> to set as "append-only". Not even root can remove the append-only
>> flag unless first bringing the system to a lower security level,
>> which requires physical access to the console for single user mode
>> operation.
>
>For the truly paranoid: How many of you audit your system scripts on
>reboot? If I wanted to erase my tracks (and thought you might not know I
>was there or wanted to hide how long I'd been there), I could tamper with
>scripts to kill logs next bringup. Tripwire(tm) is nearly perfect
>for watching rc.* changes and such. Many of us just take the
>machine down, go '-s', blindly run our single-user-mode-admin-scripts,
>and go multiuser.
>
>This does have better logging bandwidth than serial/parallel port
>logging, though. (^_^) Jy@

Can tripwire be modified to compare two databases rather than one database
and the current files? I ask because I monitor some systems remotely and I
would like to be able to automatically generate a tripwire database on the
remote system, ftp it to my local site and compare it with a previously
created database that I have stored here on read-only media. It is not
possible for me to use read-only media on the remote machine.

Cheers
Charlie Reese

One Unix to Rule them all, One Resolver to Find them,
One IP to Name them all, In the Zone that Binds them.
From owner-freebsd-security Thu Dec 10 16:40:47 1998
From: Andrew McNaughton
Date: Fri, 11 Dec 1998 13:35:21 +1300 (NZDT)
Reply-To: andrew@squiz.co.nz
To: Charles Reese
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <1.5.4.32.19981210230102.00743b60@chem.duke.edu>

On Thu, 10 Dec 1998, Charles Reese wrote:

> Can tripwire be modified to compare two databases rather than one database
> and the current files? I ask because I monitor some systems remotely and I
> would like to be able to automatically generate a tripwire database on the
> remote system, ftp it to my local site and compare it with a previously
> created database that I have stored here on read-only media. It is not
> possible for me to use read-only media on the remote machine.

Check out L5 from Hobbit. From the README:

  L5 simply walks down Unix or DOS filesystems, sort of like "ls -R" or
  "find" would, generating listings of anything it finds there. It tells
  you everything it can about a file's status, and adds on the MD5 hash of
  it. Its output is rather "numeric", but it is a very simple format and is
  designed to be post-treated by scripts that call L5.

Find it at any good archive of security tools.

If file transfer is much of an issue, you can just compare an md5 summary
of the entire file and only transfer the whole file when there's a
discrepancy.

Without read only media, you are vulnerable to someone putting a trojan in
place of tripwire, L5, or whatever else you are using. If you've got a
floppy on hand but it's not big enough for complete sets of checksums then
put your checksumming system and summary hashes there.

Andrew McNaughton

From owner-freebsd-security Thu Dec 10 19:49:31 1998
From: James Wyatt
Date: Thu, 10 Dec 1998 21:42:25 -0600 (CST)
To: Charles Reese
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <1.5.4.32.19981210230102.00743b60@chem.duke.edu>

James Wyatt rambled again:
>reboot? If I wanted to erase my tracks (and thought you might not know I
>was there or wanted to hide how long I'd been there), I could tamper with
>scripts to kill logs next bringup. Tripwire(tm) is nearly perfect
>for watching rc.* changes and such. Many of us just take the
>machine down, go '-s', blindly run our single-user-mode-admin-scripts,
>and go multiuser.

On Thu, 10 Dec 1998, Charles Reese wrote:
> Can tripwire be modified to compare two databases rather than one database
> and the current files? I ask because I monitor some systems remotely and I
> would like to be able to automatically generate a tripwire database on the
> remote system, ftp it to my local site and compare it with a previously
> created database that I have stored here on read-only media. It is not
> possible for me to use read-only media on the remote machine.

This is a *great* idea! I had set the BIOS to boot w/o floppy and written
the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB or
2.88 MB, depending on how much you spend for a floppy drive. I guess a zip
disk would work too, but I was given a parallel zip which seems to be
unsupported on FreeBSD. 8{(

btw: You might implement this with something that, when called by the
right host, performed a tripwire scan and dumped it back to the calling
host. The calling host need not *receive* connects, just return the data.
Of course, a cracker might just replace the program with one that returned
the 'right' result, rather than perform the scan... I guess you could also
replace the tripwire executables, but how do you protect tripwire from
modification? I kinda miss the drives on my old Tandy 6000 that I could
write-protect by hand!
- Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 10 23:21:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA27864 for freebsd-security-outgoing; Thu, 10 Dec 1998 23:21:46 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hillbilly.hayseed.net (dnai-207-181-249-194.dsl.dnai.com [207.181.249.194]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA27859 for ; Thu, 10 Dec 1998 23:21:44 -0800 (PST) (envelope-from enkhyl@scient.com) Received: from localhost (IDENT:root@localhost [127.0.0.1]) by hillbilly.hayseed.net (8.9.1/8.8.5) with ESMTP id XAA10978; Thu, 10 Dec 1998 23:21:26 -0800 Date: Thu, 10 Dec 1998 23:21:31 -0800 (PST) From: Christopher Nielsen X-Sender: enkhyl@ender.sf.scient.com Reply-To: Christopher Nielsen To: Jim Yuill cc: FREEBSD-SECURITY@FreeBSD.ORG Subject: Re: append-only devices for logging In-Reply-To: <3.0.5.32.19981209194955.009414b0@pop-in.ncsu.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 9 Dec 1998, Jim Yuill wrote: > >Subject: Re: append-only devices for logging > > > >At 06:53 PM 12/9/98 -0500, you wrote: > >>I've been looking for an append-only device for logging, which a remote > >>hacker (with root access) can not erase or alter. Other than a > >>line-printer, are there any such devices that actually work with Unix? > > > >How about a serial line to a non-networked PC which just logs to a local > >disk? We're going to be setting up something like this with a multiport > >card to monitor a bunch of servers. > > > > > > Will you use uucp to handle the serial comm? Something akin to this was discussed on the cryptography mailing list recently. The result was a suggestion of using xmodem over a serial line. The response is below. 
>I contend that an xmodem transfer of the file is as secure as a floppy >disk transfer. The truly paranoid would insert a PIC chip which >enforces that only the xmodem protocol could transit the wire, and >then in only one direction. -- Christopher Nielsen Scient: The eBusiness Systems Innovator cnielsen@scient.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 11 04:16:56 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA28220 for freebsd-security-outgoing; Fri, 11 Dec 1998 04:16:56 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA28196 for ; Fri, 11 Dec 1998 04:16:50 -0800 (PST) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA25395; Fri, 11 Dec 1998 09:14:33 -0300 (GMT) From: Fernando Schapachnik Message-Id: <199812111214.JAA25395@ns1.sminter.com.ar> Subject: Re: tripwire was Re: append-only devices for logging In-Reply-To: from James Wyatt at "Dec 10, 98 09:42:25 pm" To: jwyatt@rwsystr.RWSystems.net (James Wyatt) Date: Fri, 11 Dec 1998 09:14:32 -0300 (GMT) Cc: reese@chem.duke.edu, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org En un mensaje anterior, James Wyatt escribió: > On Thu, 10 Dec 1998, Charles Reese wrote: > > Can tripwire be modified to compare two databases rather then one data base > > and the current files? 
> > I ask because I monitor some systems remotely and I
> > would like to be able to automatically generate a tripwire database on the
> > remote system, ftp it to my local site and compare it with a previously
> > created database that I have stored here on read-only media. It is not
> > possible for me to use read-only media on the remote machine.
>
> This is a *great* idea! I had set the BIOS to boot w/o floppy and written
> the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB
> or 2.88 MB, depending on how much you spend for a floppy drive. I guess a
> zip disk would work too, but I was given a parallel zip which seems to be
> unsupported on FreeBSD. 8{(

Also, you can use ssyslog to send your logs (encrypted) to a "safe machine".
This is useful if you are planning to protect logs from more than one box.
ssyslog can be found at http://www.core-sdi.com/ssyslog

Regards!

Fernando P. Schapachnik
Network Administration
S&M International SA

From owner-freebsd-security Fri Dec 11 05:01:58 1998
Message-Id: <1.5.4.32.19981211125822.006d10e8@chem.duke.edu>
Date: Fri, 11 Dec 1998 07:58:22 -0500
To: freebsd-security@FreeBSD.ORG
From: Charles Reese
Subject: Re: tripwire was Re: append-only devices for logging

At 09:42 PM 12/10/98 -0600, you wrote:
>James Wyatt rambled again:
>>reboot? If I wanted to erase my tracks (and thought you might not know I
>>was there or wanted to hide how long I'd been there), I could tamper with
>>scripts to kill logs next bringup. Tripwire(tm) is nearly perfect
>>for watching rc.* changes and such. Many of us just take the
>>machine down, go '-s', blindly run our single-user-mode-admin-scripts,
>>and go multiuser.
>
>On Thu, 10 Dec 1998, Charles Reese wrote:
>> Can tripwire be modified to compare two databases rather than one database
>> and the current files? I ask because I monitor some systems remotely and I
>> would like to be able to automatically generate a tripwire database on the
>> remote system, ftp it to my local site and compare it with a previously
>> created database that I have stored here on read-only media. It is not
>> possible for me to use read-only media on the remote machine.
>
>This is a *great* idea! I had set the BIOS to boot w/o floppy and written
>the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB
>or 2.88 MB, depending on how much you spend for a floppy drive. I guess a
>zip disk would work too, but I was given a parallel zip which seems to be
>unsupported on FreeBSD. 8{(
>
>btw: You might implement this with something that, when called by the
>right host, performed a tripwire scan and dumped it back to the calling
>host. The calling host need not *receive* connects, just return the data.
>Of course, a cracker might just replace the program with one that returned
>the 'right' result, rather than perform the scan... I guess you could also
>replace the tripwire executables, but how do you protect tripwire from
>modification? I kinda miss the drives on my old Tandy 6000 that I could
>write-protect by hand!
- Jy@

I like the 'call' idea; as far as the tripwire executable goes I could put
that on read-only (floppy) media on the remote machine. The problem I have
isn't the lack of read-only media, it is that I am in the US and the
machines are in England. It's a long reach to change the floppy :-).

I guess my broader question is how 'secure' can an internet server be? I
don't think I can make mine 'foolproof' but I would like a 'foolproof'
scheme that would let me know when I've been compromised. As the tripwire
approach (MD5 etc.) seems to be pretty solid it seems to boil down to how
do you prevent tampering with it and at the same time keep the machine
maintainable without having to go to single user mode?

Cheers
Charlie Reese
One Unix to Rule them all, One Resolver to Find them,
One IP to Name them all, In the Zone that Binds them.

From owner-freebsd-security Fri Dec 11 06:27:20 1998
Date: Fri, 11 Dec 1998 09:27:03 -0500 (EST)
From: Robert Watson
To: Charles Reese
cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <1.5.4.32.19981210230102.00743b60@chem.duke.edu>

My only concern about tripwire is that it may inspire too much confidence.
You don't get the smart ones with tripwire, only the script kiddies. And
any time someone releases a better script-kiddie-tool, you miss them also.
The real solution is presumably a combination of securelevels and readonly
media for your binaries, not to mention bug-free OS software, etc. That
and physical access to the machine to replace the read-only media when you
perform upgrades :).

The next closest thing is using a serial console and access to the kernel
to mediate return to a non-securelevel to allow modification of key system
binaries and config files without the intervention of schg; unless you
protect against use of the debugger, root can always hijack your
applications if you have some process-invoked mechanism for getting to
single user mode otherwise. Of course, all that (the exploit) is real hard
to program the first time--but once it's been done once or twice, someone
is going to release the code to automate it :).

A smart hacker doesn't trojan login or inetd in a noticeable way; there are
plenty of ways to modify it without md5 checksums catching you, or to get
at the data other ways. Don't let this stop you from using tripwire; just
be aware that tripwire isn't the last word in intrusion detection :).

On Thu, 10 Dec 1998, Charles Reese wrote:

> At 01:12 PM 12/10/98 -0600, you wrote:
> >> Jim Yuill wrote:
> >> I've been looking for an append-only device for logging, which a remote
> >> hacker (with root access) can not erase or alter. Other than a
> >> line-printer, are there any such devices that actually work with Unix?
> >
> >On Thu, 10 Dec 1998, Mark Newton wrote:
> >> Files fit the bill on FreeBSD.
> >> Set your securelevel to 2 and
> >> apply the "sappnd" flag (using chflags) to any files you wish
> >> to set as "append-only". Not even root can remove the append-only
> >> flag unless first bringing the system to a lower security level,
> >> which requires physical access to the console for single user mode
> >> operation.
> >
> >For the truly paranoid: How many of you audit your system scripts on
> >reboot? If I wanted to erase my tracks (and thought you might not know I
> >was there or wanted to hide how long I'd been there), I could tamper with
> >scripts to kill logs next bringup. Tripwire(tm) is nearly perfect
> >for watching rc.* changes and such. Many of us just take the
> >machine down, go '-s', blindly run our single-user-mode-admin-scripts,
> >and go multiuser.
> >
> >This does have better logging bandwidth than serial/parallel port
> >logging, though. (^_^) Jy@
>
> Can tripwire be modified to compare two databases rather than one database
> and the current files? I ask because I monitor some systems remotely and I
> would like to be able to automatically generate a tripwire database on the
> remote system, ftp it to my local site and compare it with a previously
> created database that I have stored here on read-only media. It is not
> possible for me to use read-only media on the remote machine.
>
> Cheers
> Charlie Reese
> One Unix to Rule them all, One Resolver to Find them,
> One IP to Name them all, In the Zone that Binds them.

Robert N Watson
robert@fledge.watson.org   http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University   http://www.cmu.edu/
TIS Labs at Network Associates, Inc.   http://www.tis.com/
SafePort Network Services   http://www.safeport.com/

From owner-freebsd-security Fri Dec 11 12:09:17 1998
Message-ID: <8DEF279C6FB4D11199C60000F81EE23C06B329@Intelsvr.hqpacaf.af.mil>
From: "AIS Ashby, Michael A. (SSgt)"
To: "'freebsd-security@freebsd.org'"
Subject: Subscribe
Date: Fri, 11 Dec 1998 10:09:10 -1000

Would like to subscribe to the Advisories and Bulletins available from
AFCERT.

SSgt Michael A. Ashby
PACAF AIS/INC

From owner-freebsd-security Fri Dec 11 21:49:15 1998
Date: Fri, 11 Dec 1998 23:47:32 -0600 (CST)
From: Frank Tobin
To: FreeBSD-security Mailing List
Subject: Limiting which users can login via xdm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was wondering if there was a way to limit access to xdm according to
users. A major reason I'd like to be able to do this is that it could
ensure that I could keep track of logins to xdm that are done remotely.
Can one get xdm to use login(1), and consequently, check access via
/etc/login.access?

- --
Frank Tobin                      "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin    valued, those truths which cannot be
                                  shaken or changed."  Myst: The Book of Atrus

FreeBSD: The Power To Serve
If you use Pine and PGP 5.0(i), try pgpenvelope.
http://www.bigfoot.com/~ftobin/resources.html

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNnH1vgL4UDr0DrZeEQJo0ACgrulKFqcHLUqw10DwJHF1/NSew/oAoLaR
c5IhVzfZKi2Rsq+z7iWFNvX9
=nSD+
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Dec 11 22:47:03 1998
Date: Fri, 11 Dec 1998 22:46:51 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <199812120549.VAA18425@hub.freebsd.org>

James Wyatt wrote:
> This is a *great* idea! I had set the BIOS to boot w/o floppy and written
> the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB

Except when the floppy has bad sectors, and a large percent of floppies
do, and sends the drive into an I/O loop that can't be fixed w/o a
reboot.

> how do you protect tripwire from modification?

We keep the entire tripwire directory encrypted when not in use.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Fri Dec 11 23:34:37 1998
Message-ID: <8qQVls_00YUq0lKqg0@andrew.cmu.edu>
Date: Sat, 12 Dec 1998 02:34:16 -0500 (EST)
From: Thomas Valentino Crimi
To: security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging

Excerpts from FreeBSD-Security: 11-Dec-98 Re: tripwire was Re: append..
by Roger Marquis@roble.com
>> how do you protect tripwire from modification?
>
>We keep the entire tripwire directory encrypted when not in use.

This latest discussion has had me toying with the idea of an NFS R/O
mount for tripwire use; it has the obvious advantages of complete
protection for tripwire and its datafiles.
The main points of weakness that need to be addressed are:

  You need to trust your mount_nfs command, as well as the kernel.
  Making sure the remote connection isn't tampered with.

You can load mount_nfs off a floppy, and, in general, I think that having
to trust the kernel is a necessity. Where I begin to doubt is what to do
for the network connection. I'm uncertain how feasible an attack on the
network is, but UDP mode seems especially vulnerable to a hacked machine
injecting data; I'm not sure how NFS would react to this at all.

It would appear to be a good medium security measure; a network attack
seems infeasible or at least easily detectable were it to exist.
Forwarding a TCP NFS over ssh is tempting, but then you have to trust
ssh (etc). Any comments on this?

From owner-freebsd-security Sat Dec 12 05:09:54 1998
From: "Marco Molteni"
Date: Sat, 12 Dec 1998 14:03:03 +0100 (CET)
To: Thomas Valentino Crimi
cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <8qQVls_00YUq0lKqg0@andrew.cmu.edu>

On Sat, 12 Dec 1998, Thomas Valentino Crimi wrote:

[..]
> This latest discussion has had me toying with the idea of an NFS
> R/O mount for tripwire use
[..]
> in general I think that having to trust the kernel is a necessity.
[..]
> Where I begin to doubt is what to do for the network connection. I'm
> uncertain how feasible an attack on the network is, but UDP mode seems
> especially vulnerable to a hacked machine injecting data, I'm not sure
> how NFS would react to this at all.
>
> It would appear to be a good medium security measure, a network attack
> seems infeasible or at least easily detectable were it to exist,
> forwarding a TCP NFS over ssh is tempting, but then you have to trust
> ssh (etc). Any comments on this?

Your suggested scenario is: tripwire over ro nfs mount + trusted kernel,
right? And you are worried about the network. So, what about using IPsec?
IPsec is part of the kernel, and you don't need ssh.

Marco

---
"Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?"
"I'm sorry, this is device driver testing: brain implants are two doors
down on the right".
(Bill Paul, on the freebsd-net mailing list)

From owner-freebsd-security Sat Dec 12 05:46:17 1998
Message-ID: <19981212144557.O5444@follo.net>
Date: Sat, 12 Dec 1998 14:45:57 +0100
From: Eivind Eklund
To: Charles Reese , freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <1.5.4.32.19981211125822.006d10e8@chem.duke.edu>; from Charles Reese on Fri, Dec 11, 1998 at 07:58:22AM -0500

On Fri, Dec 11, 1998 at 07:58:22AM -0500, Charles Reese wrote:
> let me know when I've been compromised. As the tripwire approach (MD5 etc.)
> seems to be pretty solid it seems to boil down to how do you prevent
> tampering with it and at the same time keep the machine maintainable without
> having to go to single user mode?
Answer: You put it in the kernel (including code to transfer it to
another machine, with some algorithm to make the transfer
non-modifiable - e.g., shared secret and hash), make _only_ the kernel
immutable using the schg flag, and go to single user mode when you
need to upgrade the kernel.

Eivind.

From owner-freebsd-security Sat Dec 12 06:23:16 1998
Message-Id: <1.5.4.32.19981212141849.00754fb8@chem.duke.edu>
Date: Sat, 12 Dec 1998 09:18:49 -0500
To: freebsd-security@FreeBSD.ORG
From: Charles Reese
Subject: Re: tripwire was Re: append-only devices for logging

At 02:45 PM 12/12/98 +0100, you wrote:
>On Fri, Dec 11, 1998 at 07:58:22AM -0500, Charles Reese wrote:
>> let me know when I've been compromised. As the tripwire approach (MD5 etc.)
>> seems to be pretty solid it seems to boil down to how do you prevent
>> tampering with it and at the same time keep the machine maintainable without
>> having to go to single user mode?
>
>Answer: You put it in the kernel (including code to transfer it to
>another machine, with some algorithm to make the transfer
>non-modifiable - e.g., shared secret and hash), make _only_ the kernel
>immutable using the schg flag, and go to single user mode when you
>need to upgrade the kernel.
>
>Eivind.

Sounds like a great idea to me, the programming is over my head though.
Do we have a volunteer? :-)

Cheers
Charlie Reese
One Unix to Rule them all, One Resolver to Find them,
One IP to Name them all, In the Zone that Binds them.

From owner-freebsd-security Sat Dec 12 10:35:45 1998
Message-ID: <19981212193538.T5444@follo.net>
Date: Sat, 12 Dec 1998 19:35:38 +0100
From: Eivind Eklund
To: Charles Reese , freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <1.5.4.32.19981212141849.00754fb8@chem.duke.edu>; from Charles Reese on Sat, Dec 12, 1998 at 09:18:49AM -0500
On Sat, Dec 12, 1998 at 09:18:49AM -0500, Charles Reese wrote:
> At 02:45 PM 12/12/98 +0100, you wrote:
> >On Fri, Dec 11, 1998 at 07:58:22AM -0500, Charles Reese wrote:
> >> let me know when I've been compromised. As the tripwire approach (MD5 etc.)
> >> seems to be pretty solid it seems to boil down to how do you prevent
> >> tampering with it and at the same time keep the machine maintainable without
> >> having to go to single user mode?
> >
> >Answer: You put it in the kernel (including code to transfer it to
> >another machine, with some algorithm to make the transfer
> >non-modifiable - e.g., shared secret and hash), make _only_ the kernel
> >immutable using the schg flag, and go to single user mode when you
> >need to upgrade the kernel.
>
> Sounds like a great idea to me, the programming is over my head though. Do
> we have a volunteer? :-)

If you're attempting to volunteer me: Not right now, at any rate. I
could point somebody in the right directions WRT how to do the kernel
side of it, though. If somebody needs pointers for how to do the
receiving and verification stuff in the other end, they're probably not
the right person for the task.

And, alas, shared secrets will not work :-( On breaking root on a box,
the attacker will have access to the kernel image. It will be necessary
to have a full implementation of some form of public key system - to get
this into the standard distribution, I believe it would be best to go
with the government's "Digital Signature Standard". DSS is described at
http://www.itl.nist.gov/div897/pubs/fip186.htm

Note that using MD5 as the 'secure hash function' might not be a good
idea for this application.

Eivind.
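Charles Reese's question earlier in this thread (compare a database generated on the remote host with a baseline kept on read-only media, instead of comparing one database against the live files) can be handled with a small script of your own; the following is added example code, not tripwire and not anything posted in the thread. It walks a tree, records mode, size and SHA-256 per regular file, round-trips the database through a plain text format suitable for ftp'ing home, and reports exactly what differs, including a same-size edit that only the hash catches. The function names (build_db, dump_db, load_db, diff_db) and the sample directory built in demo() are my own constructions.

```python
"""Compare two tripwire-style file databases: one made on the remote host
and shipped home, one kept locally on read-only media. Added example,
not tripwire's own format or code; all names here are constructed."""
import hashlib
import os
import stat
import tempfile


def file_entry(path):
    """Return (mode, size, sha256hex) for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (stat.S_IMODE(st.st_mode), st.st_size, h.hexdigest())


def build_db(root):
    """Walk root and map each regular file's relative path to its entry."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue  # symlinks, devices and sockets are not hashed
            db[os.path.relpath(full, root)] = file_entry(full)
    return db


def dump_db(db):
    """Serialize as one tab-separated line per file, sorted for stable diffs."""
    lines = ["%s\t%o\t%d\t%s" % (p, m, s, d) for p, (m, s, d) in sorted(db.items())]
    return "\n".join(lines) + "\n"


def load_db(text):
    """Parse the text written by dump_db back into a database dict."""
    db = {}
    for line in text.splitlines():
        if line.strip():
            path, mode, size, digest = line.split("\t")
            db[path] = (int(mode, 8), int(size), digest)
    return db


def diff_db(baseline, current):
    """Return added/removed paths and, for changed ones, which fields differ."""
    report = {"added": [], "removed": [], "changed": {}}
    fields = ("mode", "size", "sha256")
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            report["changed"][path] = [
                f for f, a, b in zip(fields, baseline[path], current[path]) if a != b
            ]
    return report


def demo():
    """Constructed scenario: snapshot a fake /etc, alter it, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "rc.d"))
        files = {
            "rc.conf": ("sshd_enable=YES\n", 0o644),
            "motd": ("Welcome\n", 0o644),
            os.path.join("rc.d", "local"): ("#!/bin/sh\n", 0o755),
        }
        for rel, (content, mode) in files.items():
            with open(os.path.join(etc, rel), "w") as f:
                f.write(content)
            os.chmod(os.path.join(etc, rel), mode)  # explicit modes, umask-proof
        # The "read-only media" copy: round-trip through the text format
        baseline = load_db(dump_db(build_db(root)))
        # Changes after the baseline: a same-size content edit (only the
        # hash catches it), a mode change, a removed file and a new file
        with open(os.path.join(etc, "rc.conf"), "w") as f:
            f.write("sshd_enable=NO \n")
        os.chmod(os.path.join(etc, "rc.d", "local"), 0o700)
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "rc.d", "extra"), "w") as f:
            f.write("#!/bin/sh\n")
        return diff_db(baseline, build_db(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Eivind's caveat applies unchanged: a root intruder on the remote host can feed this tool whatever database they like, so the diff only reports changes the remote side was unable to hide.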
From owner-freebsd-security Sat Dec 12 13:20:22 1998
Message-ID: <19981212163532.A26497@weathership.homeport.org>
Date: Sat, 12 Dec 1998 16:35:32 -0500
From: Adam Shostack
To: Roger Marquis , security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: ; from Roger Marquis on Fri, Dec 11, 1998 at 10:46:51PM -0800

On Fri, Dec 11, 1998 at 10:46:51PM -0800, Roger Marquis wrote:
| James Wyatt wrote:
| > This is a *great* idea! I had set the BIOS to boot w/o floppy and written
| > the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB
| Except when the floppy has bad sectors, and a large percent of floppies
| do, and sends the drive into an I/O loop that can't be fixed w/o a
| reboot.

It seems to me that that's a bug that ought to be fixed, that a bad
floppy can require a reboot.

| > how do you protect tripwire from modification?
|
| We keep the entire tripwire directory encrypted when not in use.

Encryption is not authentication. I'd urge that you look to an
authentication algorithm, such as md5-hmac or pgp signing.
I personally keep the tw databases on floppy; it's cheaper than cd-rom,
and I've yet to be bitten by a needed reboot. (Floppies are cheaper
because they're reusable; burn a CD, make some changes, burn a new cd.)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Sat Dec 12 22:54:36 1998
Message-Id: <4.0.1.19981212224345.00e1e370@mail.dnai.com>
Date: Sat, 12 Dec 1998 22:53:00 -0800
To: freebsd-security@FreeBSD.ORG
From: Mike Thompson
Subject: Securing FreeBSD Internet Servers

Hello,

I'll be configuring a couple of FreeBSD based servers (2.2.x) to run
Apache and some other server applications on the Internet in about a
month or so. Because these servers will eventually be the lifeblood of
our business I need a crash course in making sure that these servers are
as secure as possible.

In researching this topic on the Web I have come across information such
as the following link which discusses securing Unix systems in general.
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist

Can someone point me in the general direction of other similar resources
that I can use to further ensure these servers are secure? The more
specific to FreeBSD the better, but I'll take anything I can get.

Thanks,

Mike Thompson