From owner-freebsd-security Sun Aug 13 0:55:10 2000
From: Darren Reed
Message-Id: <200008130755.RAA19998@cairo.anu.edu.au>
Subject: ipfw/bridging problem - 2 weeks.
To: security@freebsd.org
Date: Sun, 13 Aug 2000 17:55:00 +1000 (Australia/NSW)

So ~two weeks have passed in the time since I posted about the bridging
code being less than robust.  It would seem that there were a lot of
people who made noises about "give us advance warning" - but only one
(that I've seen) who's actually looked at it/given any thought to doing
anything about it.

In future, if you're that distressed about something like that going
public before it goes private, before you flame the person(s) who make
it public, give some thought to whether or not you can actually do
something useful as opposed to just flame.  If you can't code up a
patch then don't flame others who don't have the time.

The patch below is the sort of thing which is required.  I've no idea
if this will compile nor if it is correct for the bridging code but
maybe someone else can review it and test it.

Darren

p.s. Yes I probably could have done this then but I was tired then and
needed sleep and was suffering from ENOTIME errors.

p.p.s. I couldn't test this further than doing this so I haven't
committed it.

Index: bridge.c
===================================================================
RCS file: /home/ncvs/src/sys/net/bridge.c,v
retrieving revision 1.23
diff -c -r1.23 bridge.c
*** bridge.c    2000/07/29 02:00:12     1.23
--- bridge.c    2000/08/13 07:43:31
***************
*** 661,667 ****
           */
          if (ip_fw_chk_ptr) {
              struct ip_fw_chain *rule = NULL ;
!             int off;
              struct ip *ip ;
  
              m = *m0 ;
--- 661,667 ----
           */
          if (ip_fw_chk_ptr) {
              struct ip_fw_chain *rule = NULL ;
!             int off, hlen;
              struct ip *ip ;
  
              m = *m0 ;
***************
*** 713,718 ****
--- 713,733 ----
              }
  
              /*
+              * Sanity checks.  Copied from ip_input() with statistic dropped.
+              * Not clear if ethernet header is present still or not...
+              */
+             if (m->m_pkthdr.len < sizeof(struct ip))
+                 return 0;
+             ip = mtod(m, struct ip *);
+             hlen = IP_VHL_HL(ip->ip_vhl) << 2;
+             if (hlen < sizeof(struct ip))   /* minimum header length */
+                 return 0;
+             if (hlen > m->m_len) {
+                 if ((m = m_pullup(m, hlen)) == 0)
+                     return 0;
+             }
+ 
+             /*
               * before calling the firewall, swap fields the same as IP does.
               * here we assume the pkt is an IP one and the header is contiguous
               */
***************
*** 720,725 ****
--- 735,755 ----
              NTOHS(ip->ip_len);
              NTOHS(ip->ip_id);
              NTOHS(ip->ip_off);
+ 
+             if (ip->ip_len < hlen)
+                 return 0;
+             if (m->m_pkthdr.len < ip->ip_len)
+                 return 0;
+             if (m->m_pkthdr.len > ip->ip_len) {
+                 if (m->m_len == m->m_pkthdr.len) {
+                     m->m_len = ip->ip_len;
+                     m->m_pkthdr.len = ip->ip_len;
+                 } else
+                     m_adj(m, ip->ip_len - m->m_pkthdr.len);
+             }
+             /*
+              * Packet should now be okay for firewalling checks.
+              */
  
              /*
               * The third parameter to the firewall code is the dst. interface.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Aug 14 0: 9:38 2000
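Review bot: in the bridge.c hunk at 713,733 the mbuf returned by `m_pullup()` is stored only in the local `m`; the function is working on `m = *m0` (see the 661,667 hunk), so once `m_pullup()` hands back a different mbuf the caller's `*m0` points at a chain that no longer exists, and on the failure path `return 0` is reached with the chain already freed by `m_pullup()` while `*m0` still references it. Write the result back with `*m0 = m` on success, and settle with the caller who frees on failure. The `ip` pointer taken with `mtod()` above the pullup also goes stale when the header moves into a different mbuf; whether `ip` is re-fetched before the `NTOHS(ip->ip_len)` block that opens the next hunk is not visible in the patch, so please confirm it. Lastly, the comment's own open question, whether an ethernet header still precedes the IP header at this point, decides whether `mtod(m, struct ip *)` is looking at the right bytes at all; every check after it depends on the answer.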
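Review bot: in the bridge.c hunk at 720,755 the three new `return 0` paths leave the mbuf allocated, whereas the `m_pullup()` failure path in the previous hunk returns 0 with the chain already freed; the two need to agree on who owns `m` after a 0 return, so either free here or document at the `return`s that the caller does. Note also that by the time these checks run the header has already been converted with `NTOHS()`, so a caller that keeps the mbuf after a 0 return would be holding host-order length and offset fields. The trimming itself mirrors `ip_input()` as the earlier comment says; one thing worth a comment on the `else` branch is that `m_adj()` is being called with a negative count (`ip->ip_len - m->m_pkthdr.len` is negative there), which trims from the tail of the chain.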
From: Sheldon Hearn
To: Markus Holmberg
Cc: Gerhard Sittig, freebsd-security@FreeBSD.ORG
Subject: Re: Unified diff format in output of /etc/security?
In-reply-to: Your message of "Sat, 12 Aug 2000 17:11:26 +0200." <20000812171126.A27987@acc.umu.se>
Date: Mon, 14 Aug 2000 09:09:05 +0200
Message-ID: <32405.966236945@axl.ops.uunet.co.za>

On Sat, 12 Aug 2000 17:11:26 +0200, Markus Holmberg wrote:

> So I can personally live with the default format for now. Funny how
> things turn out in the end :).

In fact, the only reason that I spoke up against your suggestion was
that I had tried it myself a while back and had been disappointed with
the results. :-)

Ciao,
Sheldon.

From owner-freebsd-security Mon Aug 14 0:24:54 2000
From: "Darren Foo"
Subject:
Date: Mon, 14 Aug 2000 00:24:41 -0700

I'd like to use a Solaris NIS server to serve c2secure or shadow passwd
maps.  Solaris uses a passwd.adjunct file for this but I'm not sure
about FreeBSD and Linux.  Most of my NIS clients will be FreeBSD and
Linux.  I know that both FreeBSD and Linux support shadow passwd NIS but
in the Makefile it specifically says that it doesn't work between
different OSes.  Has someone been able to get these 3 OSes to play nice
with shadow passwords in NIS?

Darren Foo
WebCT

From owner-freebsd-security Mon Aug 14 0:29:17 2000
From: "Darren Foo"
Subject: NIS with Shadow Passwords
Date: Mon, 14 Aug 2000 00:29:11 -0700

From owner-freebsd-security Mon Aug 14 0:29:42 2000
From: Sheldon Hearn
To: Matt Heckaman
Cc: Gerhard Sittig, freebsd-security@FreeBSD.ORG
Subject: Re: Unified diff format in output of /etc/security?
In-reply-to: Your message of "Fri, 11 Aug 2000 15:41:56 -0400."
Date: Mon, 14 Aug 2000 09:29:17 +0200
Message-ID: <33072.966238157@axl.ops.uunet.co.za>

On Fri, 11 Aug 2000 15:41:56 -0400, Matt Heckaman wrote:

> : So let everyone have _their_ preferred format and enjoy the
> : positive feedback. :>
>
> I must agree with you. While I can read context diffs, I have always found
> it more difficult to read than a unified diff.

So are you gentlemen offering to submit well-tested patches, or are you
just representatives of the Ideas Brigade? :-)

Ciao,
Sheldon.

From owner-freebsd-security Mon Aug 14 4:34:13 2000
Date: Mon, 14 Aug 2000 14:35:21 +0300 (EAT)
From:
To: freebsd-security@freebsd.org

I recently set up a FreeBSD machine to run as a gateway to the Internet
for a LAN but unfortunately, the FreeBSD machine keeps on rebooting
talking about Fatal traps and page faults while in kernel mode.  I
seriously doubt that it can be the ipfw or nat.  So I'm wondering whether
anyone knows how to go about this.

Thanx.
NB: I use FreeBSD 4.0

From owner-freebsd-security Mon Aug 14 4:43:43 2000
Message-ID: <003701c005e5$593a0c40$612137cb@halenet.com.au>
From: "Tim McCullagh"
Subject: Re:
Date: Mon, 14 Aug 2000 21:46:52 +1000

Are you using a Realtek network card?

There is a problem with release 4.0 and Realtek network cards that causes
this sort of behaviour

Release 4.1 has fixed it

regards

Tim

----- Original Message -----
From:
To:
Sent: Monday, 14 August 2000 9:35

I recently set up a FreeBSD machine to run as a gateway to the Internet
for a LAN but unfortunately, the FreeBSD machine keeps on rebooting
talking about Fatal traps and page faults while in kernel mode.  I
seriously doubt that it can be the ipfw or nat.  So I'm wondering whether
anyone knows how to go about this.

Thanx.
NB: I use FreeBSD 4.0

From owner-freebsd-security Mon Aug 14 4:51:13 2000
Date: Mon, 14 Aug 2000 13:48:26 +0200 (SAST)
From: Justin Stanford
To: Tim McCullagh
Cc: begj@core.schoolnet.sc.ug, freebsd-security@FreeBSD.ORG
Subject: Re:
In-Reply-To: <003701c005e5$593a0c40$612137cb@halenet.com.au>

cvsup is your friend :)

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Mon, 14 Aug 2000, Tim McCullagh wrote:

> Are you using a Realtek network card?
>
> There is a problem with release 4.0 and Realtek network cards that causes
> this sort of behaviour
>
> Release 4.1 has fixed it
>
> regards
>
> Tim
>
> ----- Original Message -----
> From:
> To:
> Sent: Monday, 14 August 2000 9:35
>
> I recently set up a FreeBSD machine to run as a gateway to the Internet
> for a LAN but unfortunately, the FreeBSD machine keeps on rebooting
> talking about Fatal traps and page faults while in kernel mode.  I
> seriously doubt that it can be the ipfw or nat.  So I'm wondering whether
> anyone knows how to go about this.
>
> Thanx.
> NB: I use FreeBSD 4.0

From owner-freebsd-security Mon Aug 14 5:27:15 2000
Message-ID: <002f01c005ea$f30e4a20$c80dbe81@laptop01>
From: "Bill Fink"
Subject: Re:
Date: Mon, 14 Aug 2000 08:27:01 -0400

(Might be a slight bit of 'cross post.' - Then again, maybe not.)

FreeBSD V4.0 (Release)

Too, (FreeBSD V4.0 (Release)) was always rebooting my machine - went
BACK to 3.x (Release) and all worked fine, again.

I've seen someone else mention having the SAME results with FreeBSD 4.x
(Un-Explained) reboots.

... thus, as far as security goes, I do NOT think the third person that
I spoke of, me, then you all have something/someone from the "outside"
causing core dumps/panics.

My machine?  Does not allow any "local" logins - just me.  Really
doesn't do a lot of work - either.

FreeBSD 4.x ????  Hmmmm?

Regards,

William A Fink - Senior Network Engineer
Naval Nuclear Weapons Testing Facility
Code 5422 - 401-832-4178
Newport, Rhode Island 02841
Unix (Solaris/BSD/Linux)
Cisco IOS - Internet Core Routing/Network Security
WindowsNT-2000 - TCP/IP/IPX/SPX
A+ - INET+ - Network+, Novell (CNE) Certified

----- Original Message -----
From:
To:
Sent: Monday, August 14, 2000 7:35 AM

> I recently set up a FreeBSD machine to run as a gateway to the Internet
> for a LAN but unfortunately, the FreeBSD machine keeps on rebooting
> talking about Fatal traps and page faults while in kernel mode.  I
> seriously doubt that it can be the ipfw or nat.  So I'm wondering whether
> anyone knows how to go about this.
>
> Thanx.
> NB: I use FreeBSD 4.0

From owner-freebsd-security Mon Aug 14 6: 8:38 2000
Date: Wed, 9 Aug 2000 13:11:51 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: About Natd and ipfw...

Hello, I want to do IP masquerade and transparent proxy for an intranet
using FreeBSD as a gateway.  I mean, the FreeBSD server will do all the
interfacing between the Internet and the computers of my intranet.  We
have a Cisco router, and it is configured to send all requests from the
clients to the FreeBSD server.

At this moment, masquerading is working well (it is for irc, telnet,
etc.)... the problem is that we want to do transparent proxy, using
squid on the same server (the FreeBSD).

What's going on?... well, the server has only one network card, and we
don't know what rules to use to make it work as a transparent proxy
WITHOUT masquerading the http requests from the computers of the
intranet.  We tried several rules, but when we redirect packets to port
8080 on the same machine, all of them are masqueraded and squid doesn't
get anything.

The point is: with the same network interface, is it possible for IP
masquerade and transparent proxy (with squid on the same machine) to
work???

Thanks...
=======================================================================
Buliwyf McGraw
Administrator of the Libertad server
Information Services Center
Universidad del Valle
=======================================================================

From owner-freebsd-security Mon Aug 14 10: 6:19 2000
Message-Id: <200008141706.TAA86190@grimreaper.grondar.za>
To: Torbjorn Kristoffersen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: suidperl exploit
In-Reply-To: ; from Torbjorn Kristoffersen "Thu, 10 Aug 2000 20:19:44 +0200."
Date: Mon, 14 Aug 2000 19:06:41 +0200
From: Mark Murray

> I don't think there'll be a patch to this problem. Everyone should
> instead download the recent version.

Actually, we _did_ fix this, and we went a bit further too.  The actual
problem was not dangerous to FreeBSD, but it raised the "Danger!" flag
over suidperl, and we dealt with that.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Mon Aug 14 11:56:56 2000
Date: Mon, 14 Aug 2000 14:56:33 -0400 (EDT)
From: Matt Heckaman
To: Sheldon Hearn
Cc: FreeBSD-SECURITY
Subject: Re: Unified diff format in output of /etc/security?
In-Reply-To: <33072.966238157@axl.ops.uunet.co.za>

On Mon, 14 Aug 2000, Sheldon Hearn wrote:

...
: So are you gentlemen offering to submit well-tested patches, or are you
: just representatives of the Ideas Brigade? :-)

Well, I'm willing to put something together and try it out on my
machines and submit it. :)  Question though: Where's the appropriate
place to put the variable that controls whether unified or context diffs
are used?  This could be placed in defaults/rc.conf (defaulted to context
of course) but I am not sure if this is "proper" usage of rc.conf.

: Ciao,
: Sheldon.

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

From owner-freebsd-security Mon Aug 14 15:48:58 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:34.dhclient
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814224848.4311837B69B@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:48:48 -0700 (PDT)

=============================================================================
FreeBSD-SA-00:34                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          dhclient vulnerable to malicious dhcp server

Category:       core, ports
Module:         dhclient, isc-dhcp2 (ports), isc-dhcp3 (ports)
Announced:      2000-08-14
Affects:        All releases of FreeBSD after FreeBSD 3.2-RELEASE and prior
                to the correction date (including FreeBSD 4.0 and 3.5, but
                not 4.1)
                Ports collection prior to the correction date.
Credits:        OpenBSD
Vendor status:  Updated version released
Corrected:      2000-07-20 [FreeBSD 4.0 base system]
                2000-08-01 [isc-dhcp2 port]
                2000-07-21 [isc-dhcp3 port]
FreeBSD only:   NO

I.   Background

ISC-DHCP is an implementation of the DHCP protocol containing client and
server.  FreeBSD 3.2 and above includes the version 2 client by default
in the base system, and the version 2 and version 3 clients and servers
in the Ports Collection.

II.  Problem Description

The dhclient utility (DHCP client), versions 2.0pl2 and before (for the
version 2.x series), and versions 3.0b1pl16 and before (for the version
3.x series) does not correctly validate input from the server, allowing
a malicious DHCP server to execute arbitrary commands as root on the
client.

DHCP may be enabled if your system was initially configured from a DHCP
server at install-time, or if you have specifically enabled it after
installation.

FreeBSD 4.1 is not affected by this problem since it contains the 2.0pl3
client.

III. Impact

An attacker who has or gains control of a DHCP server may gain additional
root access to DHCP clients running vulnerable versions of ISC-DHCP.
If you are not using dhclient to configure client machines via DHCP, or
your DHCP server is "trusted" according to your local security policy,
then this vulnerability does not apply to you.

IV.  Workaround

Disable the use of DHCP for configuring client machines: remove the
case-insensitive string "dhcp" from the "ifconfig_" directives in
/etc/rc.conf and replace it with appropriate static interface
configuration according to the rc.conf(5) manpage.  An example of a
DHCP-enabled interface is the following line in /etc/rc.conf:

ifconfig_xl0="DHCP"

V.   Solution

NOTE: At this time the FreeBSD 3.x branch has not yet been patched, due
to logistical difficulties.  Users running a vulnerable 3.x system are
advised to either upgrade to FreeBSD 4.1, disable the use of DHCP as
described above, or use the dhclient binary from the isc-dhcp2 port dated
after the correction date.

1) Upgrade your vulnerable FreeBSD 4.0 system to a version dated after
the correction date.  See http://www.freebsd.org/handbook/makeworld.html
for instructions on how to upgrade and recompile your FreeBSD system
from source, or perform a binary upgrade, e.g. to FreeBSD 4.1-RELEASE,
described here: http://www.freebsd.org/releases/4.1R/notes.html

2) (If using the isc-dhcp2 or isc-dhcp3 ports) One of the following:

2a) Upgrade your entire ports collection and rebuild the isc-dhcp2 or
isc-dhcp3 port.
2b) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[isc-dhcp3]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz

NOTE: The isc-dhcp2 port is not available as a package.

2c) download a new port skeleton for the isc-dhcp2 or isc-dhcp3 port
from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

2d) Use the portcheckout utility to automate option (2c) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Mon Aug 14 15:50:18 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:35.proftpd
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814225006.3E66637B685@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:50:06 -0700 (PDT)

=============================================================================
FreeBSD-SA-00:35                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          proftpd port contains remote root compromise

Category:       ports
Module:         proftpd
Announced:      2000-08-14
Credits:        lamagra
Affects:        Ports collection prior to the correction date.
Corrected:      2000/07/28
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

proftpd is a popular FTP server.

II.  Problem Description

The proftpd port, versions prior to 1.2.0rc2, contains a vulnerability
which allows FTP users, both anonymous FTP users and those with a valid
account, to execute arbitrary code as root on the local machine, by
inserting string-formatting operators into command input, which are
incorrectly parsed by the FTP server.  This is the same class of
vulnerability as the one described in FreeBSD Security Advisory 00:29,
which pertained to the wu-ftpd port.

The proftpd port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
nearly 3700 third-party applications in a ready-to-install format.  The
ports collection shipped with FreeBSD 3.5 contains this problem since it
was discovered after the release, but FreeBSD 4.1 did not ship with the
proftpd package (and the port was disabled to prevent building) because
the vulnerability was known but not yet fixed.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

FTP users, including anonymous FTP users, can cause arbitrary commands
to be executed as root on the local machine.

If you have not chosen to install the proftpd port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the proftpd port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the proftpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/proftpd-1.2.0rc2.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the proftpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or
the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Mon Aug 14 15:51:29 2000
From: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:36.ntop Reply-To: security-advisories@freebsd.org Message-Id: <20000814225114.12D9837B6B4@hub.freebsd.org> Date: Mon, 14 Aug 2000 15:51:14 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:36 Security Advisory FreeBSD, Inc. Topic: ntop port allows remote and minor local compromise Category: ports Module: ntop Announced: 2000-08-14 Credits: Discovered during internal auditing Affects: Ports collection prior to the correction date. Corrected: 2000-08-12 (However see below) Vendor status: Contacted FreeBSD only: NO I. Background ntop is a utility for monitoring and summarizing network usage, from the command-line or remotely via HTTP. II. Problem Description The ntop software is written in a very insecure style, with many potentially exploitable buffer overflows (including several demonstrated ones) which could in certain conditions allow the local or remote user to execute arbitrary code on the local system with increased privileges. By default the ntop port is installed setuid root and only executable by root and members of the 'wheel' group. The 'wheel' group is normally only populated by users who also have root access, but this is not necessarily the case (the user must know the root password to increase his or her privileges). ntop allows a member of the wheel group to obtain root privileges directly through a local exploit. If invoked in 'web' mode (ntop -w) then any remote user who can connect to the ntop server port (which is determined by local configuration) can execute arbitrary code on the server as the user running the ntop process, regardless of whether or not they can authenticate to the ntop server by providing a valid username and password. 
This will not necessarily yield root privileges unless ntop -w is executed as root since by the time it services network connections the program has dropped privileges, although it retains the ability to view all network traffic on the sampled network interface (instead of just the connection summaries which ntop normally presents). However, since ntop is not executable by unprivileged users, it is likely that the majority of installations using 'ntop -w' are doing so as root, in which case full system compromise is directly possible. The ntop port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5 and 4.1 contain this problem since it was discovered after the releases. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Local users who are members of the wheel group can obtain root privileges without having to pass through the normal system security mechanisms (i.e. entering the root password). If ntop is run in "web" mode (ntop -w) then remote users who can connect to the ntop server port can also execute arbitrary code on the server as the user running ntop -w (usually root). If you have not chosen to install the ntop port/package, then your system is not vulnerable to this problem. IV. Workaround 1) Remove the setuid bit from the ntop binary so that only the superuser may execute it. Depending on local policy this vulnerability may not present significant risk. 2) Avoid using ntop -w. If ntop -w is required, consider imposing access controls to limit access to the ntop server port (e.g. using a perimeter firewall, or ipfw(8) or ipf(8) on the local machine). 
Note that specifying a username/password access list within the ntop configuration file is insufficient, as noted above. Users who pass the access restrictions can still gain privileges as described above. V. Solution Due to the lack of attention to security in the ntop port no simple fix is possible: for example, the local root overflow can easily be fixed, but since ntop holds a privileged network socket a member of the wheel group could still obtain direct read access to all network traffic by exploiting other vulnerabilities in the program, which remains a technical security violation. The FreeBSD port has been changed to disable '-w' mode and remove the setuid bit, so that the command is only available locally to the superuser. Full functionality will be restored once the ntop developers have addressed these security concerns and provided an adequate fix - this advisory will be reissued at that time. To upgrade your ntop port/package, perform one of the following: 1) Upgrade your entire ports collection and rebuild the ntop port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed. 3) download a new port skeleton for the ntop port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. 
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOZh1m1UuHi5z0oilAQFcIgQArlP0hzT+scsGxjI7wTWXh5fgm5E+CFh0 EfeIvYgGCzsCCCAS0nm3vo+a1IUxloJdk27K2oO4aCjTLy+gLe/vnW28gWn9dzle nIyUDFudMpsx/WpO4F4UkMPTX+w0fiWpNvY2KddjwOeBn2xhRJik9ZVTMpc7zTe6 +2DGgV9jAnM= =9UuJ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 14 15:52:55 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 093FC37B704; Mon, 14 Aug 2000 15:52:44 -0700 (PDT) 
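The two workarounds in section IV of the ntop advisory above (strip the setuid bit; fence off the web port with ipfw or ipf) are easy to get half right. The script below is an added example, not part of the advisory, of FreeBSD or of ntop. It assumes a web port of 3000, an outside interface fxp0 and a trusted network 192.168.1.0/24 (all made up for the demo), uses the rule syntax of ipfw(8) and ipf(8), and expects ps(1) output in the `user command` column layout that `ps -axo user,command` prints.

```shell
#!/bin/sh
# Added example for the ntop advisory workarounds; not code from the advisory.
# Assumed values (adjust to local policy): web port 3000, interface fxp0,
# trusted network 192.168.1.0/24, binary /usr/local/bin/ntop.

# is_setuid FILE: succeed if FILE carries the setuid bit. In "ls -l" output
# the 4th character is "s" (setuid + exec) or "S" (setuid without exec).
is_setuid() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# strip_setuid FILE: workaround 1. Clear the bit and re-check it, because a
# chmod that "succeeds" on a read-only or foreign filesystem can still leave
# the bit in place.
strip_setuid() {
    chmod u-s "$1" || return 1
    if is_setuid "$1"; then
        echo "still setuid: $1" >&2
        return 1
    fi
    return 0
}

# root_ntop_web: read "user command args..." lines on stdin and print those
# where ntop runs as root in web mode (-w), i.e. the full-compromise case the
# advisory describes. Usage: ps -axo user,command | root_ntop_web
root_ntop_web() {
    awk '$1 == "root" && ($2 == "ntop" || $2 ~ /\/ntop$/) {
        for (i = 3; i <= NF; i++) if ($i == "-w") { print; next }
    }'
}

# ntop_rules IFACE PORT NET: workaround 2. Print ipfw(8) and ipf(8) rules
# that let only NET reach the ntop web port and drop everyone else. The
# ipfw pair must sit before any broader "allow ip from any to any" rule,
# since ipfw takes the first matching rule in number order.
ntop_rules() {
    iface=$1; port=$2; net=$3
    cat <<EOF
# ipfw(8)
ipfw add 1000 allow tcp from $net to any $port in via $iface
ipfw add 1010 deny tcp from any to any $port in via $iface
# ipf(8), for /etc/ipf.rules; "keep state" admits the rest of the flow
pass in quick on $iface proto tcp from $net to any port = $port flags S keep state
block in quick on $iface proto tcp from any to any port = $port
EOF
}

# Demo on constructed ps(1) lines (not from a real system): only the first
# line should be reported.
printf '%s\n' \
    'root     /usr/local/bin/ntop -w 3000' \
    'nobody   /usr/local/bin/ntop -w 3000' \
    'root     ntop -i fxp0' | root_ntop_web
ntop_rules fxp0 3000 192.168.1.0/24
```

On a real host, run `is_setuid /usr/local/bin/ntop` before and after `strip_setuid`, then feed live `ps -axo user,command` output to `root_ntop_web`; an empty result means no root-owned `ntop -w` is listening. The firewall rules only narrow who can reach the port; they do not make the web mode safe for the hosts that are allowed through, which is why the advisory's first recommendation is to avoid `-w` entirely.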
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:37.cvsweb
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814225244.093FC37B704@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:52:44 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:37                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          cvsweb allows increased access to CVS committers

Category:       ports
Module:         cvsweb
Announced:      2000-08-14
Credits:        Joey Hess
Affects:        Ports collection prior to the correction date.
Corrected:      2000-07-11
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

cvsweb is a CGI script which provides a read-only interface to a CVS
repository for browsing via a web interface.

II.  Problem Description

The cvsweb port, versions prior to 1.86, contains a vulnerability which
allows users with commit access to a CVS repository monitored by cvsweb to
execute arbitrary code as the user running the cvsweb.cgi script, which may
be located on another machine where the committer has no direct access.

The vulnerability is that cvsweb does not correctly process input obtained
from the repository and is vulnerable to embedding of commands in committed
filenames. Such an action is however usually highly visible in the CVS
repository and provides an audit trail of sorts for such abuses unless the
committer has access to modify the repository files directly to cover his
or her tracks.

This vulnerability may or may not be a security issue depending on the
local security policy (for example, CVS itself is known to easily allow
committers to execute commands on the CVS server even without a login
account, so this presents little additional exposure if cvsweb is run on
the CVS server itself).

The cvsweb port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains nearly
3700 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5 contains this problem since it was
discovered after the release, but it was fixed prior to the release of
FreeBSD 4.1.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

CVS committers can execute code as the user running the cvsweb.cgi script,
which may present a violation of local security policy.

If you have not chosen to install the cvsweb port/package, then your system
is not vulnerable to this problem.

IV.  Workaround

Deinstall the cvsweb port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the cvsweb port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/cvsweb-1.93.1.10.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the cvsweb port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.

The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh1qlUuHi5z0oilAQEAjAP7B+Kss7dLQ3upyq8HLwVMr5fhOPgW6TWK
BtkZ71mBapFQleZi9vWbpd/R2Cow7i42nsZQi8d7kERiXJRW6EGXr125aIA5NopV
1NoR4BKa9KYOP0CI9jqYUWiMj5PfNy03HlLbrDzHbGOIbqMqcsERXEFNGvt0Qvb4
qkjHlQ9faRE=
=VajH
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 14 15:57:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758)
	id 9899237BE28; Mon, 14 Aug 2000 15:53:25 -0700 (PDT)
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:38.zope
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814225325.9899237BE28@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:53:25 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:38                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          zope port allows remote modification of DTML documents

Category:       ports
Module:         zope
Announced:      2000-08-14
Credits:        Unknown
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-05
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

zope is an object-based dynamic web application platform.

II.  Problem Description

To quote the vendor advisory about this problem:

> The issue involves an inadequately protected method in one of
> the base classes in the DocumentTemplate package that could allow
> the contents of DTMLDocuments or DTMLMethods to be changed
> remotely or through DTML code without forcing proper user
> authorization.

The zope port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains nearly
3700 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5 contains this problem, but FreeBSD 4.1
did not ship with the proftpd package (and the port was disabled to prevent
building) because the vulnerability was known but not yet fixed.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Remote users can modify DTML documents without authorization.

If you have not chosen to install the zope port/package, then your system
is not vulnerable to this problem.

IV.  Workaround

Deinstall the zope port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the zope port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.0.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the zope port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.

The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh1lFUuHi5z0oilAQFsowP+JE+R5hHUpY0pDfNl9Dd/ai354XJh8PYG
X5DlmdMTMiByXkR0KMZBMB9SuRljuqBsknc8L3KB8UIyMUccnN0IhsFqZ2WEYiY4
EAgS7I5EPTf/4y6g81Vt4g+s3l2XXu845kOv92hwJxFgUMINVXrIduJpdICAgcpr
rcw+4BM/Www=
=AoKX
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 14 16: 3:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (tun.AwfulHak.org [194.242.139.173])
	by hub.freebsd.org (Postfix) with ESMTP id 5034237BE4C
	for ; Mon, 14 Aug 2000 16:00:38 -0700 (PDT)
	(envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12])
	by Awfulhak.org (8.9.3/8.9.3) with ESMTP id XAA00622;
	Mon, 14 Aug 2000 23:59:17 +0100 (BST)
	(envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1])
	by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id WAA01927;
	Mon, 14 Aug 2000 22:56:49 +0100 (BST)
	(envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200008142156.WAA01927@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Matt Heckaman
Cc: Sheldon Hearn , FreeBSD-SECURITY , brian@Awfulhak.org
Subject: Re: Unified diff format in output of /etc/security?
In-Reply-To: Message from Matt Heckaman of "Mon, 14 Aug 2000 14:56:33 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 14 Aug 2000 22:56:49 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Mon, 14 Aug 2000, Sheldon Hearn wrote:
> ...
> : So are you gentlemen offering to submit well-tested patches, or are you
> : just representatives of the Ideas Brigade? :-)
>
> Well, I'm willing to put something together and try it out on my machines
> and submit it. :) Question though: Where's the appropriate place to put
> the variable that controls whether unified or context diffs are used? This
> could be placed in defaults/rc.conf (defaulted to context of course) but I
> am not sure if this is "proper" usage of rc.conf.

It should be in defaults/periodic.conf.

> : Ciao,
> : Sheldon.
>
>
> * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
> * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

--
Brian

      Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Mon Aug 14 16:15:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758)
	id 6132C37BF5D; Mon, 14 Aug 2000 16:12:28 -0700 (PDT)
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:38.zope
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814231228.6132C37BF5D@hub.freebsd.org>
Date: Mon, 14 Aug 2000 16:12:28 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From owner-freebsd-security Mon Aug 14 17:17:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 32B9037B66D
	for ; Mon, 14 Aug 2000 17:17:46 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id RAA32910
	for ; Mon, 14 Aug 2000 17:17:45 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Mon, 14 Aug 2000 17:17:45 -0700 (PDT)
From: Kris Kennaway
To: security@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:38.zope
In-Reply-To: <20000814225325.9899237BE28@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Okay, so this was a duplicate..stupid shell history :/

Sorry..

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue Aug 15 4:16:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freenix.no (atreides.freenix.no [213.188.21.6])
	by hub.freebsd.org (Postfix) with ESMTP id 5E3BE37BA47
	for ; Tue, 15 Aug 2000 04:16:28 -0700 (PDT)
	(envelope-from shamz@freenix.no)
Received: (from shamz@localhost)
	by freenix.no (8.9.3/8.9.3) id NAA12671
	for freebsd-security@freebsd.org; Tue, 15 Aug 2000 13:16:25 +0200 (CEST)
	(envelope-from shamz)
Date: Tue, 15 Aug 2000 13:16:25 +0200
From: Shaun Jurrens
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:34.dhclient
Message-ID: <20000815131625.C7893@atreides.freenix.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
X-Operating-System: FreeBSD 4.0-STABLE
X-Philosophy: If you can read this, you're too close.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I wrote David O'Brien a few weeks ago asking about the merge of the post
2.0p12 back to 3-STABLE and he said he had no boxes to test it on. I will
try to grab the code directly from my 4-STABLE box and see if it builds
correctly.

Just a note: the isc-dhcp2 port has the client build commented out. I am
currently trying to get it to build, but am running into problems on my 3.5
box. So afaics, the proposed solution of using the dhclient binary from the
port isn't a viable solution until someone changes patch-aa and then gets
the client to build correctly.

--
Yours truly,

Shaun D. Jurrens
shaun@shamz.net
shamz@freenix.no

IRCNET nick: shamz #chillout #unix #FreeBSD

From owner-freebsd-security Tue Aug 15 4:21:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id EB74337BA87;
	Tue, 15 Aug 2000 04:21:43 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id EAA21627;
	Tue, 15 Aug 2000 04:21:44 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Tue, 15 Aug 2000 04:21:43 -0700 (PDT)
From: Kris Kennaway
To: Shaun Jurrens
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:34.dhclient
In-Reply-To: <20000815131625.C7893@atreides.freenix.no>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Aug 2000, Shaun Jurrens wrote:

> Hi,
>
> I wrote David O'Brien a few weeks ago asking about the merge of the post
> 2.0p12 back to 3-STABLE and he said he had no boxes to test it on. I will
> try to grab the code directly from my 4-STABLE box and see if it builds
> correctly.

Yeah, that was the aforementioned logistical difficulty. I understand BSDi
are going to be setting up a 3.x build machine for the developers to use,
but it hasn't happened yet, and most of the developers have no 3.x
machines to test this on their own.

> Just a note: the isc-dhcp2 port has the client build commented out. I am
> currently trying to get it to build, but am running into problems on my 3.5
> box. So afaics, the proposed solution of using the dhclient binary from the
> port isn't a viable solution until someone changes patch-aa and then gets
> the client to build correctly.

Ah, I forgot about this (it was a deliberate change since we have the
client in the base and so there's no point in building it in the port as
well). Well, I guess that option is out..I'll update the advisory.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue Aug 15 5:43:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freenix.no (atreides.freenix.no [213.188.21.6])
	by hub.freebsd.org (Postfix) with ESMTP id 9B65437B645;
	Tue, 15 Aug 2000 05:43:04 -0700 (PDT)
	(envelope-from shamz@freenix.no)
Received: (from shamz@localhost)
	by freenix.no (8.9.3/8.9.3) id OAA12922;
	Tue, 15 Aug 2000 14:43:02 +0200 (CEST)
	(envelope-from shamz)
Date: Tue, 15 Aug 2000 14:43:01 +0200
From: Shaun Jurrens
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:34.dhclient
Message-ID: <20000815144301.D7893@atreides.freenix.no>
References: <20000815131625.C7893@atreides.freenix.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from kris@FreeBSD.org on Tue, Aug 15, 2000 at 04:21:43AM -0700
X-Operating-System: FreeBSD 4.0-STABLE
X-Philosophy: If you can read this, you're too close.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Aug 15, 2000 at 04:21:43AM -0700, Kris Kennaway wrote:
#> On Tue, 15 Aug 2000, Shaun Jurrens wrote:
#>
#> > Hi,
#> >
#> > I wrote David O'Brien a few weeks ago asking about the merge of the post
#> > 2.0p12 back to 3-STABLE and he said he had no boxes to test it on. I will
#> > try to grab the code directly from my 4-STABLE box and see if it builds
#> > correctly.

Simply copying the src from contrib from my 4-STABLE (cvsup 12Aug) box to
my 3.5 box as well as the Makefile from /usr/src/sbin/dhclient compiled and
installed successfully. Should have gotten around to it when I first saw
the PR. Hope this helps. Seems to be working correctly as well.

#>
#> Yeah, that was the aforementioned logistical difficulty. I understand BSDi
#> are going to be setting up a 3.x build machine for the developers to use,
#> but it hasn't happened yet, and most of the developers have no 3.x
#> machines to test this on their own.
#>
#> > Just a note: the isc-dhcp2 port has the client build commented out. I am
#> > currently trying to get it to build, but am running into problems on my 3.5
#> > box. So afaics, the proposed solution of using the dhclient binary from the
#> > port isn't a viable solution until someone changes patch-aa and then gets
#> > the client to build correctly.
#>
#> Ah, I forgot about this (it was a deliberate change since we have the
#> client in the base and so theres no point in building it in the port as
#> well). Well, I guess that option is out..I'll update the advisory.
#>
#> Kris
#>

Btw, I never did get the client part in the port to work, but the other way
was essentially easier, so I stopped wasting my time on it.

--
Yours truly,

Shaun D. Jurrens
shaun@shamz.net
shamz@freenix.no

IRCNET nick: shamz #chillout #unix #FreeBSD

From owner-freebsd-security Tue Aug 15 7:48:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227])
	by hub.freebsd.org (Postfix) with SMTP id 5124637B9AE
	for ; Tue, 15 Aug 2000 07:47:55 -0700 (PDT)
	(envelope-from razor@ldc.ro)
Received: (qmail 73255 invoked by uid 666); 15 Aug 2000 14:47:27 -0000
Date: Tue, 15 Aug 2000 17:47:27 +0300
From: Alex Popa
To: freebsd-security@freebsd.org
Subject: xinetd versus inetd
Message-ID: <20000815174727.A73246@ldc.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Could someone point out what the differences between the two are, and
why I should use one or the other?

Thanks in advance,
	Alex

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor@ldc.ro|                          -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

From owner-freebsd-security Tue Aug 15 8:27:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from f5-exchange2.win.net (mulder.f5.com [205.229.151.150])
	by hub.freebsd.org (Postfix) with ESMTP id DA6E937BB40
	for ; Tue, 15 Aug 2000 08:27:38 -0700 (PDT)
	(envelope-from m.mcpherson@f5.com)
Received: by f5-exchange2.win.net with Internet Mail Service (5.5.2448.0)
	id ; Tue, 15 Aug 2000 08:29:22 -0700
Message-ID:
From: Mike McPherson
To: Alex Popa , freebsd-security@FreeBSD.ORG
Subject: RE: xinetd versus inetd
Date: Tue, 15 Aug 2000 08:29:19 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="windows-1252"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Check out http://www.synack.net/xinetd/faq.html first.

> -----Original Message-----
> From: Alex Popa [mailto:razor@ldc.ro]
> Sent: Tuesday, August 15, 2000 10:47 AM
> To: freebsd-security@FreeBSD.ORG
> Subject: xinetd versus inetd
>
>
> Could someone point out what the differences between the two are, and
> why I should use one or the other?
>
> Thanks in advance,
> 	Alex
>
> ------------+------------------------------------------
> Alex Popa,  |There never was a good war or a bad peace
> razor@ldc.ro|                          -- B. Franklin
> ------------+------------------------------------------
> "It took the computing power of three C-64s to fly to the Moon.
> It takes a 486 to run Windows 95. Something is wrong here."
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Aug 15 8:48:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pukeko.bc.edu (pukeko.bc.edu [136.167.2.218])
	by hub.freebsd.org (Postfix) with ESMTP id E1F1837B815
	for ; Tue, 15 Aug 2000 08:48:52 -0700 (PDT)
	(envelope-from kelleyry@bc.edu)
Received: from netfin6.bc.edu (netfin6.bc.edu [136.167.2.128])
	by pukeko.bc.edu (8.8.7/8.8.7) with ESMTP id LAA184678;
	Tue, 15 Aug 2000 11:48:25 -0400
X-WebMail-UserID: kelleyry@mail2.bc.edu
Date: Tue, 15 Aug 2000 11:48:25 -0400
From: Ryan Kelley To: Alex Popa , freebsd-security X-EXP32-SerialNo: 00002702 Subject: RE: xinetd versus inetd Message-ID: <39B6595C@netfin6.bc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit X-Mailer: WebMail (Hydra) SMTP v3.61 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I could be wrong (it's happened before) but as far as i know the main difference is that inetd is subject to DoS attacks, as it will suck up as much memory as it wants filling requests. xinetd prevents against this. on a semi-related note, where's tcpserver in this equation, and is anyone running non-qmail services in tcpserver? -ryan >===== Original Message From Alex Popa ===== >Could someone point out what the differences between the two are, and >why I should use one or the other? > >Thanks in advance, > Alex > >------------+------------------------------------------ >Alex Popa, |There never was a good war or a bad peace >razor@ldc.ro| -- B. Franklin >------------+------------------------------------------ >"It took the computing power of three C-64s to fly to the Moon. >It takes a 486 to run Windows 95. Something is wrong here." > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message -- Ryan Kelley kelleyry@bc.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 15 9:15:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 5EB9F37BE17 for ; Tue, 15 Aug 2000 09:15:26 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 89034 invoked by uid 1000); 15 Aug 2000 16:15:25 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Aug 2000 16:15:25 -0000 Date: Tue, 15 Aug 2000 11:15:25 -0500 (CDT) 
From: Mike Silbersack To: Ryan Kelley Cc: Alex Popa , freebsd-security Subject: RE: xinetd versus inetd In-Reply-To: <39B6595C@netfin6.bc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 15 Aug 2000, Ryan Kelley wrote: > I could be wrong (it's happened before) but as far as i know the main > difference is that inetd is subject to DoS attacks, as it will suck up as much > memory as it wants filling requests. xinetd prevents against this. on a > semi-related note, where's tcpserver in this equation, and is anyone running > non-qmail services in tcpserver? > -ryan I used to run tcpserver, but soon realized that xinetd could perform all the same important functions, and was much easier to configure. I don't think any modern inetd is as susceptible to resource exhaustion attacks as the tcpserver page will lead you to believe, but running xinetd does seem wise, as you can tune the various resource limits quite exactly. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 15 10:37: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from pcbtech.ru (servak.pcbtech.ru [195.54.223.248]) by hub.freebsd.org (Postfix) with SMTP id 2565A37B610 for ; Tue, 15 Aug 2000 10:37:03 -0700 (PDT) (envelope-from admin@pcbtech.ru) Received: (qmail 4313 invoked from network); 15 Aug 2000 17:37:18 -0000 Received: from 164.inforser.ru (HELO iNDiAN) (195.54.223.164) by servak.pcbtech.ru with SMTP; 15 Aug 2000 17:37:18 -0000 Message-ID: <001a01c006df$44803360$a4df36c3@Inforser.Ru> 
From: "Oleg Strizhak" To: "Ryan Kelley" Cc: References: <39B6595C@netfin6.bc.edu> Subject: Re: xinetd versus inetd Date: Tue, 15 Aug 2000 21:35:28 +0400 Organization: PCB Technologies MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I could be wrong (it's happened before) but as far as i know the main > difference is that inetd is subject to DoS attacks, as it will suck up as much > memory as it wants filling requests. xinetd prevents against this. on a > semi-related note, where's tcpserver in this equation, and is anyone running > non-qmail services in tcpserver? > -ryan have a small set of services (ftp+qmail) but tcpserver handles'em nice. All other (httpd, ssh, ...) are standalone. Have no probs ... yet Oleg Strizhak To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 15 11:25:37 2000 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 906B637B99E for ; Tue, 15 Aug 2000 11:25:27 -0700 (PDT) (envelope-from sthaug@nethelp.no) Received: (qmail 28281 invoked by uid 1001); 15 Aug 2000 18:25:22 +0000 (GMT) To: silby@silby.com Cc: kelleyry@bc.edu, razor@ldc.ro, freebsd-security@FreeBSD.ORG Subject: RE: xinetd versus inetd 
From: sthaug@nethelp.no In-Reply-To: Your message of "Tue, 15 Aug 2000 11:15:25 -0500 (CDT)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Tue, 15 Aug 2000 20:25:21 +0200 Message-ID: <28279.966363921@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I used to run tcpserver, but soon realized that xinetd could perform all > the same important functions, and was much easier to configure. > > I don't think any modern inetd is as susceptible to resource exhaustion > attacks as the tcpserver page will lead you to believe, but running xinetd > does seem wise, as you can tune the various resource limits quite exactly. But do you trust xinetd? Seems it's time to repost the following News article from Marcus Ranum, dating back to 1993. Still relevant, I think. Note: I have no personal experience with xinetd. Steinar Haug, Nethelp consulting, sthaug@nethelp.no ---------------------------------------------------------------------- 
From: mjr@tis.com (Marcus J. Ranum)
Subject: Re: Frigging inetd!!!!
Date: 26 Oct 1993 19:07:53 GMT

[I added comp.security.unix to the distribution and dropped the gopher group, since this is really a security rant, and part of an ongoing rant from comp.security.unix]

> Why not just get a copy of the source for inetd and rebuild it
> for your system? Also, there is a new program called xinetd, which
> is supposed to be an augmented inetd that has built in security. I've
> got the source code, but I have not had much of a chance to play with
> it yet.

Here I must insert my mandatory rant about "augmentation" "features" and "security." Xinetd has (presumably) a huge number of features. It's also a relatively huge piece of code. Compare it to the BSD inetd sources:

Program                            Modules   Lines of Code
-------                            -------   -------------
inetd, from BSD Net-2                    1             964
xinetd, minus support libraries         36           11801

For a security critical application like inetd, the last thing you want is security at the price of 12 times as much code. Large programs that do security critical things (sendmail, xinetd, wuarchive-ftpd, Xterm) are traditionally a snakepit of security holes. The idea of "built in security" is contrary to most formal security practices. The security critical policy sections should be clearly isolated from the rest of the code that does bookkeeping or whatever else.

I enclose below a version of inetd that's 80 lines of code. The security critical section is clearly visible. More importantly, the implementation is small enough that when I showed a copy to a friend, he instantly spotted a bug. It's a lot easier to spot a bug in a 1 page program, than in an 11,801 line program that is 36+ files in 2 directories.

Also, this version of inetd is not vulnerable to attacks on inetd.conf since it doesn't use one, and doesn't have any argument limitations on the invoked programs. It doesn't support UDP services, but then, from a security standpoint, UDP services make me all nervous anyhow.
Note, too, that the code has only one comment. It's simple enough that it needs no comments.

mjr.

------------------------------

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <netdb.h>
#include <syslog.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void
reap(int sig)
{
        int     s;

        while(waitpid(-1,&s,WNOHANG) > 0);
}

int
main(int ac, char *av[])
{
        struct  sockaddr_in     mya;
        struct  servent         *sp;
        fd_set  muf;
        int     myfd, new, x, maxfd = getdtablesize();

        openlog("inetd",LOG_PID,LOG_DAEMON);
        if(ac < 3) {
                syslog(LOG_ERR,"usage: %s serviceport command [args]",av[0]);
                exit(1);
        }
        signal(SIGCHLD,reap);
        if((myfd = socket(AF_INET,SOCK_STREAM,0)) < 0) {
                syslog(LOG_ERR,"socket : %m");
                exit(1);
        }
        memset(&mya,0,sizeof(mya));
        mya.sin_family = AF_INET;
        if((sp = getservbyname(av[1],"tcp")) == (struct servent *)0) {
                if(atoi(av[1]) <= 0) {
                        syslog(LOG_ERR,"Cannot interpret %s as service",av[1]);
                        exit(1);
                }
                mya.sin_port = htons(atoi(av[1]));
        } else
                mya.sin_port = sp->s_port;
        if(bind(myfd,(struct sockaddr *)&mya,sizeof(mya))) {
                syslog(LOG_ERR,"bind: %m");
                exit(1);
        }
        /* END SECURITY CRITICAL CODE */
        /* setuid(4); */
        if(listen(myfd,1) < 0) {
                perror("listen");
                exit(1);
        }
loop:
        FD_ZERO(&muf);
        FD_SET(myfd,&muf);
        if(select(myfd + 1,&muf,0,0,0) != 1 || !FD_ISSET(myfd,&muf))
                goto loop;
        if((new = accept(myfd,0,0)) < 0)
                goto loop;
        if(fork() == 0) {
                for(x = 2; x < maxfd; x++)
                        if(x != new)
                                close(x);
                for(x = 1; x < NSIG; x++)
                        signal(x,SIG_DFL);
                dup2(new,0);
                close(new);
                dup2(0,1);
                dup2(0,2);
                execv(av[2],av + 2);
                syslog(LOG_ERR,"exec %s: %m",av[2]);
                exit(1);
        }
        close(new);
        goto loop;
}

From owner-freebsd-security Tue Aug 15 12:49: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 657F337B8E6 for ; Tue, 15 Aug 2000 12:48:59 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 89574 invoked by uid 1000); 15 Aug 2000 19:48:57 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Aug 2000 19:48:57 -0000
Date: Tue, 15 Aug 2000 14:48:57 -0500 (CDT)
From: Mike Silbersack To: sthaug@nethelp.no Cc: kelleyry@bc.edu, razor@ldc.ro, freebsd-security@FreeBSD.ORG Subject: RE: xinetd versus inetd In-Reply-To: <28279.966363921@verdi.nethelp.no> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 15 Aug 2000 sthaug@nethelp.no wrote: > > I used to run tcpserver, but soon realized that xinetd could perform all > > the same important functions, and was much easier to configure. > > > > I don't think any modern inetd is as susceptible to resource exhaustion > > attacks as the tcpserver page will lead you to believe, but running xinetd > > does seem wise, as you can tune the various resource limits quite exactly. > > But do you trust xinetd? Seems it's time to repost the following News > article from Marcus Ranum, dating back to 1993. Still relevant, I think. > > Note: I have no personal experience with xinetd. I trust it, but I don't have any solid reason to. I have the idea in my head that it's hard to introduce a security bug in a program which does only what xinetd does, but strange things have happened. Looking at the inetd manpage now, it appears that per-service rate limting and such are now available on the freebsd inetd. I'll look into switching when I get some time. 
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 15 15:55:38 2000 Delivered-To: freebsd-security@freebsd.org Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [216.6.69.11]) by hub.freebsd.org (Postfix) with ESMTP id EA29A37B9E2 for ; Tue, 15 Aug 2000 15:55:08 -0700 (PDT) (envelope-from buliwyf@libertad.univalle.edu.co) Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.10.0/8.10.0) with ESMTP id e7FMgec53464 for ; Tue, 15 Aug 2000 17:42:46 -0500 (COT) Date: Tue, 15 Aug 2000 17:42:40 -0500 (COT) 
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: About ipnat (The revenge)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok... I'm working with ipf and ipnat to do a transparent proxy and IP masquerade on the same server (FreeBSD) with just one interface. The transparent proxy is working fine... now I want to do the masquerade for my intranet. I was reading about ipnat and I found this:

(Start here)

Network Address Translation (NAT)

Packets coming back in the same interface are remapped, as a matter of course, to their original address information.

# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
# port number to something between 10,000 and 20,000 inclusive. For all other
# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
# for each new user. In this example, ed1 is the external interface.
# Use ipnat, not ipf to load these rules.
#
map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map ed1 10.1.0.0/16 -> 240.1.0.0/24

(Finish Here)

I tried some rules with ipnat to masquerade my subnet 192.168.0.0 with one valid IP (e.g. 200.25.53.10)... but it didn't work :/

Can anyone tell me what rule I need for my specific case???

Thanks.
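The two-rule pattern from the ipnat documentation quoted above, carried over to the single-address case described in the post; this is an added example, not the poster's rules or the ipnat documentation, and it assumes the intranet is 192.168.0.0/16 and the one interface is named ed1 (substitute the real name):

```conf
# Added example, not from the original post. Assumptions: the intranet is
# 192.168.0.0/16 and the single interface carrying both sides is ed1.
#
# All TCP and UDP flows from the intranet leave as 200.25.53.10; the source
# port is rewritten into 10000-20000 so replies can be mapped back to the
# originating host (one public address, many private ones).
map ed1 192.168.0.0/16 -> 200.25.53.10/32 portmap tcp/udp 10000:20000
#
# Everything that is not TCP or UDP (ICMP, for instance) is mapped to the same
# address without port translation. 0/32 in place of 200.25.53.10/32 would
# make ipnat use whatever address ed1 currently has.
map ed1 192.168.0.0/16 -> 200.25.53.10/32
```

Load the file with "ipnat -CF -f /etc/ipnat.rules" (clear old rules, flush active mappings, read the new set) and confirm the rules are active with "ipnat -l".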
======================================================================= Buliwyf McGraw Administrador del Servidor Libertad Centro de Servicios de Informacion Universidad del Valle ======================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 15 22:40:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from vindaloo.allsolutions.com.au (vindaloo.allsolutions.com.au [203.111.24.54]) by hub.freebsd.org (Postfix) with ESMTP id 6B31837BF1C for ; Tue, 15 Aug 2000 22:40:52 -0700 (PDT) (envelope-from David_May@allsolutions.com.au) Received: from ASPerth1.allsolutions.com.au (aspns.internal [192.9.200.250]) by vindaloo.allsolutions.com.au (8.9.3/8.9.3) with SMTP id NAA04344 for ; Wed, 16 Aug 2000 13:40:48 +0800 (WST) (envelope-from David_May@allsolutions.com.au) Received: by ASPerth1.allsolutions.com.au(Lotus SMTP MTA v1.2 (600.1 3-26-1998)) id 4825693D.001F31D9 ; Wed, 16 Aug 2000 13:40:43 +0800 X-Lotus-FromDomain: ALL SOLUTIONS 
From: "David May" To: freebsd-security@freebsd.org Message-ID: <4825693D.00159022.00@ASPerth1.allsolutions.com.au> Date: Wed, 16 Aug 2000 13:40:41 +0800 Subject: [Q] why does my firewall degrade Web performance? Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have a FreeBSD 3.2 firewall running ipfw+natd in front of a Windows NT 4.0 Web server and an internal network. Internet connection is 2Mb DSL. When the Web server is protected by the firewall Internet users report Web server responses are unacceptably slow. If I connect the Web server directly to Internet users report page downloads are faster. The firewall machine CPU load is always light. It is a Pentium II Celeron 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000), and around 180 ipfw rules. I can see nothing wrong when I look at output from tcpdump, netstat. No dropped packets, no fragmentation, no collisions, traffic on the 2Mb link is light. It is just seems slow. Any suggestions as to what is wrong here? What can I do to find the cause? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 16 1: 2:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id F1A8F37B6F6; Wed, 16 Aug 2000 01:02:16 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA89799; Wed, 16 Aug 2000 01:02:16 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 16 Aug 2000 01:02:16 -0700 (PDT) 
From: Kris Kennaway To: security@freebsd.org Cc: ports@freebsd.org Subject: Hilighting dangerous ports Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What does everyone think of the attached patch to bsd.port.mk, which hilights potentially insecure files installed by a port at install-time? It does a find(1) over the packing list of the port looking for setuid/setgid files, as well as checking for startup scripts installed in ${PREFIX}/etc/rc.d which usually indicates a network daemon (Thanks to Brian Feldman for the latter idea). If the port includes a WWW site, the user is directed there for contact information so they can talk to the software developers about the security of the port, if they have doubts (i.e. so they don't bother us) (Thanks to Peter Wemm for this idea) (The first one below doesn't actually list www.freebsd.org as the website, I added that during testing). Sample output: ---- ===> Installing for icmpquery-1.0.3 ===> Generating temporary packing list ===> Registering installation for icmpquery-1.0.3 ===> SECURITY NOTE: This port has installed the following binaries which execute with increased privileges. 620393 16 -r-sr-xr-x 1 root wheel 7232 Aug 16 00:57 /usr/local/bin/icmpquery If there are vulnerabilities in these programs there may be a security risk to the system. FreeBSD makes no guarantee about the security of ports included in the Ports Collection. Please type 'make deinstall' to deinstall the port if this is a concern. 
For more information, and contact details about the security status of this software, see the following webpage: http://www.freebsd.org/ ===> Installing for cfs-1.4.0b2 ===> Generating temporary packing list ===> Compressing manual pages for cfs-1.4.0b2 ===> Registering installation for cfs-1.4.0b2 ===> SECURITY NOTE: This port has installed the following startup scripts which may cause network services to be started at boot time. /etc/rc.d/cfsd.sh If there are vulnerabilities in these programs there may be a security risk to the system. FreeBSD makes no guarantee about the security of ports included in the Ports Collection. Please type 'make deinstall' to deinstall the port if this is a concern. ---- I'd also like to add something similar to pkg_add. Kris Index: bsd.port.mk =================================================================== RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v retrieving revision 1.345 diff -u -r1.345 bsd.port.mk --- bsd.port.mk 2000/08/03 09:28:57 1.345 +++ bsd.port.mk 2000/08/16 07:57:55 
@@ -1992,6 +1992,37 @@ ${INSTALL_COOKIE}: @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} build @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-install +# Scan PLIST for setugid files and startup scripts + -@for i in `${GREP} -v '^@' ${TMPPLIST}`; do \ + /usr/bin/find ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) -ls; \ + done > ${WRKDIR}/.PLIST.setuid; \ + ${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \ + if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.startup ]; then \ + echo "===> SECURITY NOTE: "; \ + if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \ + echo " This port has installed the following binaries which execute with"; \ + echo " increased privileges."; \ + ${CAT} ${WRKDIR}/.PLIST.setuid; \ + echo; \ + fi; \ + if [ -s ${WRKDIR}/.PLIST.startup ] ; then \ + echo " This port has installed the following startup scripts which may cause"; \ + echo " network services to be started at boot time."; \ + ${SED} s,^,$$PREFIX/, < ${WRKDIR}/.PLIST.startup; \ + echo; \ + fi; \ + echo "If there are vulnerabilities in these programs there may be a security"; \ + echo "risk to the system. FreeBSD makes no guarantee about the security of"; \ + echo "ports included in the Ports Collection. Please type 'make deinstall'"; \ + echo "to deinstall the port if this is a concern."; \ + if [ ! -z "`make www-site`" ]; then \ + echo; \ + echo "For more information, and contact details about the security"; \ + echo "status of this software, see the following webpage: "; \ + ${MAKE} www-site; \ + fi; \ + fi + ${PACKAGE_COOKIE}: @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} install @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-package -- In God we Trust -- all others must submit an X.509 certificate. 
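Review bot: In the startup-script branch, "${SED} s,^,$$PREFIX/, < ${WRKDIR}/.PLIST.startup" hands the shell "$PREFIX", which is a make variable and is not in the shell's environment here, so the prefix comes out empty; the sample output above shows exactly that ("/etc/rc.d/cfsd.sh" instead of the path under ${PREFIX}). Use the make expansion: "${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup". Two smaller points in the same hunk: the www-site test runs bare "make" in backticks and then "${MAKE} www-site" a second time, so the sub-make runs twice and once with whatever make is first in PATH rather than ${MAKE}; capture it once into a shell variable and echo that. And the unquoted "for i in `${GREP} -v '^@' ${TMPPLIST}`" word-splits packing-list entries that contain spaces, so such files are never examined; the leading "-" on the recipe hides the resulting find errors, which is acceptable for an advisory message but deserves a comment so nobody later relies on the scan being complete.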
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 16 1:30: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from axl.ops.uunet.co.za (axl.ops.uunet.co.za [196.31.2.163]) by hub.freebsd.org (Postfix) with ESMTP id AACE637BE3D; Wed, 16 Aug 2000 01:29:49 -0700 (PDT) (envelope-from sheldonh@axl.ops.uunet.co.za) Received: from sheldonh (helo=axl.ops.uunet.co.za) by axl.ops.uunet.co.za with local-esmtp (Exim 3.16 #1) id 13Oya1-0003ty-00; Wed, 16 Aug 2000 10:29:45 +0200 
From: Sheldon Hearn To: Kris Kennaway Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: Hilighting dangerous ports In-reply-to: Your message of "Wed, 16 Aug 2000 01:02:16 MST." Date: Wed, 16 Aug 2000 10:29:45 +0200 Message-ID: <15001.966414585@axl.ops.uunet.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 16 Aug 2000 01:02:16 MST, Kris Kennaway wrote: > What does everyone think of the attached patch to bsd.port.mk, which > hilights potentially insecure files installed by a port at install-time? I like the idea. It would be even more of an improvement over the status quo if a solution for packages could be found. Many folks use packages only and many more use packages mostly. :-) Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 16 2:11:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 567EB37C2BB; Wed, 16 Aug 2000 02:11:07 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id CAA99368; Wed, 16 Aug 2000 02:03:33 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 16 Aug 2000 02:03:33 -0700 (PDT) 
From: Kris Kennaway To: Sheldon Hearn Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: Hilighting dangerous ports In-Reply-To: <15001.966414585@axl.ops.uunet.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 16 Aug 2000, Sheldon Hearn wrote: > > What does everyone think of the attached patch to bsd.port.mk, which > > hilights potentially insecure files installed by a port at install-time? > > I like the idea. It would be even more of an improvement over the > status quo if a solution for packages could be found. Many folks use > packages only and many more use packages mostly. :-) In principle it's a straightforward thing, since pkg_add also has the PLIST available - it's just slightly more difficult to write the equivalent in C than as a shell script. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 16 2:35:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 70DB537BD50 for ; Wed, 16 Aug 2000 02:35:01 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 83585 invoked by uid 1000); 16 Aug 2000 09:34:58 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Aug 2000 09:34:58 -0000 Date: Wed, 16 Aug 2000 05:34:56 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Kris Kennaway Cc: security@freebsd.org, ports@freebsd.org Subject: Re: Hilighting dangerous ports In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 For what my 2 cents are worth, I really like this idea. I suppose people "should" (in an ideal world) be researching what they install, but this would definately be a help to a lot of people. (in my opinion) Cheers, Matt * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5mmBCdMMtMcA1U5ARAkfPAJ4tjNLvTpV98wWDlkBVokT1T3AVEgCgvO4p /OLvcfwhHPjMOxYpLNHInPU= =NuE5 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 16 3:28:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id 16ED837BB73 for ; Wed, 16 Aug 2000 03:28:14 -0700 (PDT) (envelope-from jedgar@fxp.org) Received: from earth (oca-c1s1-13.mfi.net [209.26.94.14]) by pawn.primelocation.net (Postfix) with ESMTP id 0A4B89B05 for ; Wed, 16 Aug 2000 06:28:11 -0400 (EDT) Date: Wed, 16 Aug 2000 06:28:12 -0400 (EDT) 
From: "Chris D. Faulhaber" X-Sender: jedgar@earth.causticlabs.com To: freebsd-security@FreeBSD.org Subject: Restricting ftpd commands Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have found quite a few commands that ftpd shouldn't necessarily be responding to if the user hasn't logged in. In total, the following commands are taught to not talk to strangers: TYPE, STRU, MODE, ALLO, ABOR, SITE IDLE, SYST, REST. Many of these were obtained from OpenBSD. As a side note, OpenBSD doesn't restrict many of the command we already do. See http://www.fxp.org/~jedgar/ftpcmd.y.diff for the diff. ----- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 16 12:57:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.xnet.com (quake.xnet.com [198.147.221.67]) by hub.freebsd.org (Postfix) with ESMTP id 0A84F37BEC9 for ; Wed, 16 Aug 2000 12:57:51 -0700 (PDT) (envelope-from drwho@xnet.com) Received: from typhoon.xnet.com (typhoon.xnet.com [198.147.221.66]) by mail.xnet.com (8.9.3+Sun/XNet-3.0R) with ESMTP id OAA19847 for ; Wed, 16 Aug 2000 14:57:49 -0500 (CDT) Received: by typhoon.xnet.com (Postfix, from userid 5500) id A2A5738670; Wed, 16 Aug 2000 14:57:49 -0500 (CDT) Date: Wed, 16 Aug 2000 14:57:49 -0500 
From: Michael Maxwell To: freebsd-security@freebsd.org Subject: Re: Hilighting dangerous ports Message-ID: <20000816145749.A18387@typhoon.xnet.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from kris@FreeBSD.ORG on Wed, Aug 16, 2000 at 01:02:16AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Aug 16, 2000 at 01:02:16AM -0700, Kris Kennaway wrote: > What does everyone think of the attached patch to bsd.port.mk, which > hilights potentially insecure files installed by a port at install-time? > [...] I have to say, I really like this. I find myself checking over all ports installations, looking for *exactly* the same things, but I'm doing it manually, and hoping I don't miss anything important. Consider this a vote in favor. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 16 14: 9:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id 47A6E37B71A for ; Wed, 16 Aug 2000 14:09:28 -0700 (PDT) (envelope-from todd@flyingcroc.net) Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id OAA06950 for ; Wed, 16 Aug 2000 14:08:55 -0700 (PDT) (envelope-from todd@flyingcroc.net) X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs Date: Wed, 16 Aug 2000 14:08:55 -0700 (PDT) 
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: freebsd-security@FreeBSD.ORG
Subject: Re: syslogd poll state
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I tried on -questions and didn't get any bites. Any ideas here?:

(updated info: I increased my udp.recvspace via sysctl to overcome any possible overloads due to +250 servers spewing syslog data to it. That was not the problem and the poll state continues to occur.

One thing I noticed is that when syslogd is in the "poll" state the following is listed in the output of sockstat:

machinename# sockstat
root     syslogd    83    4 udp4   *.514         *.*
root     syslogd    83    6 udp4   x.x.x.x.271   x.x.x.x.53
                                   ^^^^^^^       ^^^^^^^
                                   machine IP    nameserver IP

I am wondering why syslogd would be attempting to do any type of lookups?

Thanks.

- Todd

> Greetings.
>
> Application:
>
> I am running a central syslog repository that logs +250 freebsd
> servers. The syslog server is running 4.0-STABLE on good hardware (PII
> 400, 256mb ram, Cheetah HD, adaptec 2940, Intel NIC).
>
> Issue:
>
> Syslog seems to die (enter poll state) at undetermined times. At first I
> thought it was newsyslog related but I turned off newsyslog in cron and
> the problem continues. Hupping syslogd has no effect and I must kill it
> and restart to clear the poll state. I have searched the archives (pain in
> the neck without having the ability to search by date :^P ) and have not
> seen similar instances that have been answered.
>
> Question:
>
> Could some entry from one of my remote machines be killing syslogd?
> (I have looked at the entries in /var/log/messages that correspond to the
> times that cron dies/stops logging and nothing is out of the ordinary)
> There are no other cronjobs that correspond to the times that syslog
> stops...
>
> I would like to find out if anyone else has had this type of difficulty
> before I rebuild the system/replace files/at script to grep for the poll
> states, kill and restart syslogd...
>
> Thanks in advance.
>
> - Todd

From owner-freebsd-security Wed Aug 16 15:16:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bmah-freebsd-0.cisco.com (bmah-freebsd-0.cisco.com [171.70.84.42]) by hub.freebsd.org (Postfix) with ESMTP id 25C8337BFB4; Wed, 16 Aug 2000 15:16:16 -0700 (PDT) (envelope-from bmah@cisco.com)
Received: (from bmah@localhost) by bmah-freebsd-0.cisco.com (8.11.0/8.11.0) id e7GMGA807614; Wed, 16 Aug 2000 15:16:10 -0700 (PDT) (envelope-from bmah)
Message-Id: <200008162216.e7GMGA807614@bmah-freebsd-0.cisco.com>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Matt Heckaman
Cc: Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: Hilighting dangerous ports
In-Reply-To:
References:
Comments: In-reply-to Matt Heckaman message dated "Wed, 16 Aug 2000 05:34:56 -0400."
From: bmah@cisco.com (Bruce A. Mah)
Reply-To: bmah@cisco.com
Date: Wed, 16 Aug 2000 15:16:10 -0700

If memory serves me right, Matt Heckaman wrote:

> For what my 2 cents are worth, I really like this idea. I suppose people
> "should" (in an ideal world) be researching what they install, but this
> would definitely be a help to a lot of people. (in my opinion)

Me too.

Bruce.

From owner-freebsd-security Wed Aug 16 16:25:27 2000
Date: Wed, 16 Aug 2000 18:25:16 -0500 (CDT)
From: Mike Silbersack
To: Kris Kennaway
Cc: security@freebsd.org, ports@freebsd.org
Subject: Re: Hilighting dangerous ports

On Wed, 16 Aug 2000, Kris Kennaway wrote:

> What does everyone think of the attached patch to bsd.port.mk, which
> highlights potentially insecure files installed by a port at install-time?
>
> It does a find(1) over the packing list of the port looking for
> setuid/setgid files, as well as checking for startup scripts installed in
> ${PREFIX}/etc/rc.d which usually indicates a network daemon (Thanks to
> Brian Feldman for the latter idea).
>
> If the port includes a WWW site, the user is directed there for contact
> information so they can talk to the software developers about the security
> of the port, if they have doubts (i.e. so they don't bother us) (Thanks to
> Peter Wemm for this idea)

Any way this could be mailed to root as well, or incorporated into that
day's security log? I find when I'm installing ports, I tend to zoom by
all the messages. However, if the info was (in addition) mailed to me,
I'd be more likely to pay attention.

I can see the mail to root being useful on boxes with multiple admins as
well.

Mike "Silby" Silbersack

From owner-freebsd-security Wed Aug 16 16:29:18 2000
Date: Wed, 16 Aug 2000 18:29:11 -0500 (CDT)
From: Mike Silbersack
To: David May
Cc: freebsd-security@freebsd.org
Subject: Re: [Q] why does my firewall degrade Web performance?
In-Reply-To: <4825693D.00159022.00@ASPerth1.allsolutions.com.au>

On Wed, 16 Aug 2000, David May wrote:

> The firewall machine CPU load is always light. It is a Pentium II Celeron
> 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
> and around 180 ipfw rules.

I'm not sure how fast/slow ipfw is, but 180 rules sounds like a LOT.
Could you get by with a few less? (Or at least try the setup with no
rules and the firewall box just running as a pure router.)

One other thing you may want to check first, though, is if your firewall
is introducing a network-level problem. Many people have been bitten by
NICs auto-negotiating duplex wrong and driving speeds through the floor.
Try doing file transfers from each point in the system to other points in
the system to see if you can notice where the slowdown is occurring (on
the network -> firewall link, or the firewall -> NT link.)

Mike "Silby" Silbersack

From owner-freebsd-security Wed Aug 16 16:30:54 2000
Date: Wed, 16 Aug 2000 16:30:50 -0700 (PDT)
From: Kris Kennaway
To: Mike Silbersack
Cc: security@freebsd.org
Subject: Re: Hilighting dangerous ports

On Wed, 16 Aug 2000, Mike Silbersack wrote:

> Any way this could be mailed to root as well, or incorporated into that
> day's security log? I find when I'm installing ports, I tend to zoom by
> all the messages. However, if the info was (in addition) mailed to me,
> I'd be more likely to pay attention.

The setuid files will show up in the daily report.

More useful than reporting startup scripts would probably be a list of
current programs which are listening on sockets (from sockstat or
whatever) - or do you think etc/rc.d changes are also worthwhile?

I've got an improved /etc/security script which I'm working on at the
moment - I'll look at optionally adding this to the report as well.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Wed Aug 16 17:13:42 2000
Date: Wed, 16 Aug 2000 19:13:34 -0500 (CDT)
From: Mike Silbersack
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: Hilighting dangerous ports

On Wed, 16 Aug 2000, Kris Kennaway wrote:

> On Wed, 16 Aug 2000, Mike Silbersack wrote:
>
> > Any way this could be mailed to root as well, or incorporated into that
> > day's security log? I find when I'm installing ports, I tend to zoom by
> > all the messages. However, if the info was (in addition) mailed to me,
> > I'd be more likely to pay attention.
>
> The setuid files will show up in the daily report.

True. However, that doesn't mean an extra reminder would hurt. I
personally don't think an extra e-mail every time I install a port with
setuid files would be too annoying.

> More useful than reporting startup scripts would probably be a list of
> current programs which are listening on sockets (from sockstat or
> whatever) - or do you think etc/rc.d changes are also worthwhile?

That sounds useful, but I'd be concerned about bind or other programs
which switch ports every once in a while causing false errors and falsely
alarming people. And related to that, it seems feasible that once people
got used to that, I could rename my remote UDP shell to bind, and have it
hide, pretending to be one of those false alarms. So, I'm not sure a
simple diff would suffice. You'd have to be a bit more clever for bind.
Ftp servers would probably kick off alarms as well, I suppose.

(I'm not trying to be harsh on the idea, I'm just worried that a
false-prone report would be worse than no report at all.)

Mike "Silby" Silbersack

From owner-freebsd-security Wed Aug 16 17:17:36 2000
In-Reply-To: <4825693D.00159022.00@ASPerth1.allsolutions.com.au>
Date: Wed, 16 Aug 2000 20:17:07 -0400 (EDT)
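The install-time audit Kris describes (find(1) over the packing list for setuid/setgid files and etc/rc.d scripts) and Mike's wish to have the result mailed to root can be combined in a small script that runs after the fact over an installed port's packing list. This is an added example, not Kris Kennaway's bsd.port.mk patch or any FreeBSD code; it assumes $1 is the install prefix (normally /usr/local) and $2 is a packing list with one path per line relative to that prefix, in which lines starting with '@' are pkg directives.

```shell
#!/bin/sh
# Added example, not the bsd.port.mk patch from the thread: audit an
# installed port's packing list for the two things the patch flags,
# setuid/setgid binaries and startup scripts under etc/rc.d.
# Assumptions: $1 is the install prefix, $2 the packing list (relative
# paths, one per line; '@' lines are pkg directives and are skipped).

audit_plist() {
    prefix=$1
    plist=$2
    grep -v '^@' "$plist" | while read -r rel; do
        f=$prefix/$rel
        [ -f "$f" ] || continue
        # find -perm -MODE matches when every bit in MODE is set; -prune
        # stops it descending should $f ever be a directory.
        if [ -n "$(find "$f" -prune -perm -4000)" ]; then
            echo "setuid: $f"
        fi
        if [ -n "$(find "$f" -prune -perm -2000)" ]; then
            echo "setgid: $f"
        fi
        # A script under etc/rc.d usually means a daemon started at boot.
        case $rel in
            etc/rc.d/*) echo "startup script: $f" ;;
        esac
    done
}

# Usage (the <port> directory name is a placeholder):
#   audit_plist /usr/local /var/db/pkg/<port>/+CONTENTS | mail -s "port audit" root
if [ $# -eq 2 ]; then
    audit_plist "$1" "$2"
fi
```

Piping the output to mail(1) gives the extra reminder Mike asked for without touching the daily security report; an empty report sends nothing, so only ports that actually install privileged files or rc.d scripts generate mail.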
From: "Alexander N. Kabaev"
To: David May
Subject: RE: [Q] why does my firewall degrade Web performance?
Cc: freebsd-security@FreeBSD.ORG

Is your ISP using PPPoE? If so, did you change the default MTU size on
your Windows boxes to be 1492 instead of the default 1500 bytes? There is
a nice entry explaining why you have to do that in the FreeBSD handbook.

----------------------------------
E-Mail: Alexander N. Kabaev
Date: 16-Aug-00
Time: 20:12:34
----------------------------------

From owner-freebsd-security Wed Aug 16 17:23:29 2000
Message-ID: <14747.12408.502747.852822@eep.lcs.mit.edu>
Date: Wed, 16 Aug 2000 20:23:20 -0400 (EDT)
From: "David G. Andersen"
To: freebsd-security@freebsd.org
Subject: Log message improvement for rpc.statd

Just noticed that someone decided to try to be annoying with my rpc.statd:

Aug 16 15:27:10 eep rpc.statd: invalid hostname to sm_stat: ^Xw^??^Xw^??^Yw^??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%8x%8x
%8x%8x%236x%n%137x%n%10x%n%192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P

The thing that strikes me about this is that the logging doesn't include
the IP address which resolved to this hostname; in
/usr/src/usr.sbin/rpc.statd/procs.c:sm_stat_1_svc

  if (gethostbyname(arg->mon_name))
    res.res_stat = stat_succ;
  else
  {
    syslog(LOG_ERR, "invalid hostname to sm_stat: %s", arg->mon_name);
    res.res_stat = stat_fail;
  }

Is there a reason not to add in a call to svc_getcaller() to identify the
IP address of the remote host? It would facilitate not only security, but
debugging in general.

(My anoncvs doesn't appear to be working at the moment, so I'm unable to
check the history, but the version from -current seems to have the same
issue).

  -Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Wed Aug 16 22:08:07 2000
Date: Thu, 17 Aug 2000 12:10:54 +0700 (NOVST)
Reply-To: "Rashid N. Achilov"
Organization: Granch Ltd.
From: "Rashid N. Achilov"
To: freebsd-security@freebsd.org
Subject: deny incoming icmp

How can I deny/fake incoming icmp traffic and allow outgoing?

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514, Granch Ltd. lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Wed Aug 16 22:16:45 2000
Date: Wed, 16 Aug 2000 22:15:21 -0700
From: Erick Mechler
To: "Rashid N. Achilov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: deny incoming icmp
Message-ID: <20000816221521.B23432@sendmail.com>

First you have to enable firewalling code in your kernel. Once you've done
that, the following two ipfw rules should do what you want:

  ipfw add deny icmp from any to any
  ipfw add allow icmp from ${oip} to any via ${oif}

where ${oip} is the IP address of your outside interface, and ${oif} is the
outside interface itself.

Regards,
Erick

At Thu, Aug 17, 2000 at 12:10:54PM +0700, Rashid N. Achilov said this:
:: How can I deny/fake incoming icmp traffic and allow outgoing?
:: --
:: With Best Regards.
:: Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514, Granch Ltd. lead engineer
:: e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Wed Aug 16 22:17:36 2000
Message-Id: <200008170516.XAA09705@harmony.village.org>
To: Mike Silbersack
Subject: Re: [Q] why does my firewall degrade Web performance?
Cc: David May, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 16 Aug 2000 18:29:11 CDT."
Date: Wed, 16 Aug 2000 23:16:27 -0600
From: Warner Losh

In message Mike Silbersack writes:
: On Wed, 16 Aug 2000, David May wrote:
:
: > The firewall machine CPU load is always light. It is a Pentium II Celeron
: > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
: > and around 180 ipfw rules.
:
: I'm not sure how fast/slow ipfw is, but 180 rules sounds like a
: LOT. Could you get by with a few less? (Or at least try the setup with
: no rules and the firewall box just running as a pure router.)

180 is about normal for having multiple cards. 300MHz should be plenty
fast enough.

Warner

From owner-freebsd-security Wed Aug 16 22:41:22 2000
Date: Wed, 16 Aug 2000 22:41:05 -0700
From: "Crist J . Clark"
To: Todd Backman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: syslogd poll state
Message-ID: <20000816224105.D28027@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Wed, Aug 16, 2000 at 02:08:55PM -0700, Todd Backman wrote:
>
> I tried on -questions and didn't get any bites. Any ideas here?:
>
> (updated info: I increased my udp.recvspace via sysctl to overcome any
> possible overloads due to +250 servers spewing syslog data to it. That was
> not the problem and the poll state continues to occur.
>
> One thing I noticed is that when syslogd is in the "poll" state the
> following is listed in the output of sockstat:
>
> machinename# sockstat
>
> root     syslogd    83    4  udp4   *.514                 *.*
> root     syslogd    83    6  udp4   x.x.x.x.271           x.x.x.x.53
>                                     ^^^^^^^               ^^^^^^^
>                                     machine IP            nameserver IP
>
> I am wondering why syslogd would be attempting to do any type of lookups?

Probably has something to do with this,

     -a allowed_peer
             Allow allowed_peer to log to this syslogd using UDP datagrams.
             Multiple -a options may be specified.

             Allowed_peer can be any of the following:

             . . .

             domainname[:service]
                     Accept datagrams where the reverse address lookup
                     yields domainname for the sender address.  The
                     meaning of service is as explained above.

Are you using the -a option?
--
Crist J. Clark                           cjclark@alum.mit.com

From owner-freebsd-security Wed Aug 16 23:25:39 2000
Date: Thu, 17 Aug 2000 02:25:06 -0400 (EDT)
To: Erick Mechler
Cc: "Rashid N. Achilov", freebsd-security@FreeBSD.ORG
Subject: Re: deny incoming icmp
In-Reply-To: <20000816221521.B23432@sendmail.com>

On Wed, 16 Aug 2000, Erick Mechler wrote:

> First you have to enable firewalling code in your kernel. Once you've done
> that, the following two ipfw rules should do what you want:
>
>   ipfw add deny icmp from any to any
>   ipfw add allow icmp from ${oip} to any via ${oif}
>
> where ${oip} is the IP address of your outside interface, and ${oif} is the
> outside interface itself.

Ok I was going to make this private but I want this on public record.

Look people. You cannot just "flip off" ICMP without understanding the
consequences. The above is bad advice. If you're going to filter ICMP *do
it correctly*. I see way too many posts today suggesting to just filter
ICMP entirely. FEH! Read the following URL:

http://users.worldgate.com/~marcs/mtu/

And then filter *correctly*. There are very few reasons to place an
embargo on the entire ICMP protocol.

=============================================================================
-Chris Watson (316) 326-3862        | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net             | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================

From owner-freebsd-security Thu Aug 17 02:11:12 2000
In-Reply-To: <20000816221521.B23432@sendmail.com>
Date: Thu, 17 Aug 2000 16:05:09 +0700 (NOVST)
Reply-To: "Rashid N. Achilov"
Organization: Granch Ltd.
From: "Rashid N. Achilov"
To: Erick Mechler
Subject: Re: deny incoming icmp
Cc: freebsd-security@FreeBSD.ORG

On 17-Aug-00 Erick Mechler wrote:
> First you have to enable firewalling code in your kernel. Once you've done
> that, the following two ipfw rules should do what you want:
>
>   ipfw add deny icmp from any to any
>   ipfw add allow icmp from ${oip} to any via ${oif}
>
> where ${oip} is the IP address of your outside interface, and ${oif} is the
> outside interface itself.
>

Sorry, more precision...

I have a firewall, protecting my network. IPFIREWALL, IPFIREWALL_VERBOSE,
IPFIREWALL_FORWARD enabled. How can I allow icmp from our network and
deny/fake incoming icmp to our network?

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514, Granch Ltd. lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Thu Aug 17 02:17:19 2000
Date: Thu, 17 Aug 2000 13:07:58 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: Sandy Info
Message-ID: <19547.000817@sandy.ru>
To: "David May"
Cc: freebsd-security@freebsd.org
Subject: Re: [Q] why does my firewall degrade Web performance?
In-reply-To: <4825693D.00159022.00@ASPerth1.allsolutions.com.au>

Hello David May,

You have not reported which Web server you use, so it's hard to determine
the exact reason. It seems like you are filtering UDP packets to your Web
server. When someone requests a page from the Web server, the server
usually tries to resolve the symbolic name of the peer. The MS procedure
of name resolution involves resolution of the NetBIOS name when resolution
of the DNS name fails. If you filter UDP, the server will wait until it
times out. Make sure

1. The Web server can access the DNS server, that is, UDP between DNS:53
   and WEB:1024-65535 is allowed.
2. You do not deny UDP between ANY:137 and WEB:137. It's required for
   NetBIOS resolution. If you think this UDP traffic violates your
   security policy (with the latest service pack there is no known
   security problem with NetBIOS name resolution in NT) try to use
   "unreach port" or "unreach host" for UDP 137 packets _from_ the Web
   server.

If all of your Windows hosts are configured as WINS clients you can also
try to put your Web server in p-node resolution mode to always use WINS,
but I'm not sure if it helps for reverse resolution. You can also try to
change the log option for your Web server so that it does not log the peer
name.

If you have a network with mixed topology also check that you do not block
IP fragments. This is

  allow tcp from any 0 to any 0 frag

You can also use the "log" option with all denys to check what else is
blocked.

16.08.00 9:40, you wrote: [Q] why does my firewall degrade Web performance?;

D> I have a FreeBSD 3.2 firewall running ipfw+natd in front of a Windows
D> NT 4.0 Web server and an internal network. Internet connection is 2Mb DSL.
D> When the Web server is protected by the firewall Internet users report
D> Web server responses are unacceptably slow.

/3APA3A

From owner-freebsd-security Thu Aug 17 03:52:09 2000
Message-ID: <399BB063.EB511C8A@inet.it>
Date: Thu, 17 Aug 2000 11:29:07 +0200
From: Manfredi Blasucci
To: "Rashid N. Achilov"
Cc: Erick Mechler, freebsd-security@FreeBSD.ORG
Subject: Re: deny incoming icmp

"Rashid N. Achilov" wrote:
>
> Sorry, more precision...
>
> I have a firewall, protecting my network. IPFIREWALL, IPFIREWALL_VERBOSE,
> IPFIREWALL_FORWARD enabled. How can I allow icmp from our network and
> deny/fake incoming icmp to our network?
> --

Try with these:

  ${fwcmd} add allow log icmp from any to $ip via $eth out
  ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 0   <- Echo Reply
  ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 3   <- Destination Unreachable
  ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 8   <- Echo
  ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 11  <- Time Exceeded
  ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 12  <- Parameter Problem

See also http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf.

Bye,
Manf

From owner-freebsd-security Thu Aug 17 04:18:12 2000
Date: Thu, 17 Aug 2000 13:18:04 +0200
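The three answers in this thread (Erick's blanket deny, Chris's warning that ICMP must be filtered selectively because path MTU discovery depends on type 3, and Manfredi's per-type allow list) fit together into one rule set in which the permitted inbound types are enumerated and everything else is denied last. This is an added example, not the rule set of any poster; it assumes $1 is the outside interface, $2 its address, and $3 the command used to install rules, defaulting to "echo ipfw" so that running it only prints the rules.

```shell
#!/bin/sh
# Added example for the "deny incoming icmp" thread; not any poster's own
# rules. Our own ICMP may leave; inbound, only the types a working network
# relies on are admitted (type 3 carries "fragmentation needed", which path
# MTU discovery needs); the rest is dropped and logged.
# Assumptions: $1 outside interface, $2 its address, $3 the rule command.
# The default "echo ipfw" is a dry run; pass "ipfw" to load for real.

icmp_rules() {
    oif=$1
    oip=$2
    fwcmd=${3:-echo ipfw}

    # Our own ICMP (echo requests, unreachables we generate, ...) may leave.
    $fwcmd add allow icmp from "$oip" to any out via "$oif"

    # Inbound: one rule per permitted type, so "ipfw -a list" shows which
    # type is actually being hit. 0 echo reply, 3 destination unreachable,
    # 8 echo request, 11 time exceeded, 12 parameter problem.
    for t in 0 3 8 11 12; do
        $fwcmd add allow icmp from any to "$oip" in via "$oif" icmptypes "$t"
    done

    # Anything else arriving on the outside interface is dropped and logged,
    # so the log shows what a blanket deny would otherwise have hidden.
    $fwcmd add deny log icmp from any to any in via "$oif"
}

# Dry run when invoked directly, e.g.: sh icmp_rules.sh fxp0 192.0.2.1
if [ $# -ge 2 ]; then
    icmp_rules "$1" "$2" "${3:-echo ipfw}"
fi
```

Order matters in ipfw: the first matching rule wins, so the deny has to come after the allows, which is the opposite of the pair Erick posted. If echo requests from outside are unwanted, drop type 8 from the list; types 3 and 11 should stay so that MTU discovery and traceroute keep working through the firewall.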
From: Markus Holmberg
To: freebsd-security@freebsd.org
Subject: Purpose of world being able to see the mail queue?
Message-ID: <20000817131804.A24557@acc.umu.se>

Hi..

Recently I noticed that /var/log/maillog was stored world readable and
contains each message's sender and recipient information (at least Postfix
by default stores this, can't remember if Sendmail does?). This isn't a
big issue, but still I was surprised considering the unnecessary exposure
of details of the system's users' mail communication.

I was about to ask why maillog wasn't stored as read/write for root only,
when I discovered that the mail queue (using mailq) was also world
readable. This also seemed to be the case with the Linux and Solaris
systems I tested.

I don't expect any mail transport node on the path to the destination to
expose the envelope information "unnecessarily" (although of course I can
absolutely not *assume* that), and therefore neither expect my own MTA to
do that.. (yes, I might have naive expectations, in that case I need to
fix them :))

What is the rationale behind having the MTA by default exposing
information on who the users on the system receive and send mail to,
through the mail log and the message queue? (The mail queue information
seemed to be world viewable (with mailq) on all Unix systems I tested.)

I understand that the envelope information of a mail message can not be
considered private, but this seems like unnecessary exposure..?

I'm interested in enlightenment/opinions on this subject :)..

In a way I'm hesitating to send this out now, because I realize the
similarity of this issue with standard unix concepts. For example "viewing
who else is logged in", "viewing other users' processes" etc which are
totally given in a Unix environment. But now when I think about it, are
even these really justified?

Regards,

Markus.

--
Markus Holmberg     | Give me Unix or give me a typewriter.
markush@acc.umu.se  | http://www.freebsd.org/

From owner-freebsd-security Thu Aug 17 06:16:13 2000
Message-Id: <200008171315.e7HDFSh12972@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1-RELEASE X-Sender: cy To: freebsd-security@freebsd.org Subject: Group-writable executable in OpenLDAP (fwd) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 17 Aug 2000 06:15:04 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Still catching up on email after 4 weeks of vacation and noticed this BUGTRAQ gem in my inbox. Our OpenLDAP port needs to be fixed to address this. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC ------- Forwarded Message [headers deleted] Message-ID: Date: Wed, 26 Jul 2000 13:33:23 +0200 Reply-To: Christian Kleinewaechter Sender: Bugtraq List 
From: Christian Kleinewaechter Subject: Group-writable executable in OpenLDAP To: BUGTRAQ@SECURITYFOCUS.COM Resent-To: cy Resent-Date: Wed, 26 Jul 2000 13:11:54 -0700 Resent-From: Cy Schubert X-UIDL: 4H?!!jI-"!Y6V"!3XP"!

OpenLDAP installs the ud binary in $binpath with mode 775 and default group (i.e. either your primary gid or the directory's gid). Of course the consequences depend on which group this actually is.

This was checked with 1.2.11 (latest stable), but probably also exists in earlier versions, since the Makefile.in is dated 1/14/1999. Developers have been notified and fixed this issue (at least in the CVS tree).

So either change the mode in line

$(LTINSTALL) $(INSTALLFLAGS) -m 775 ud $(bindir)

to

$(LTINSTALL) $(INSTALLFLAGS) -m 755 ud $(bindir)

in clients/ud/Makefile.in (resp. clients/ud/Makefile if you don't use autoconf) or chmod the executable afterwards (or maybe do nothing at all if "default group" is a trusted group).

- ---------------------------------------------------------------------- ----- Dr. Christian Kleinewaechter Universitaet Bielefeld - ---------------------------------------------------------------------- ----- Wieviel Prozent hat ein Bit?

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 17 6:25:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id E87B337B616 for ; Thu, 17 Aug 2000 06:25:46 -0700 (PDT) Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id IAA73986; Thu, 17 Aug 2000 08:25:27 -0500 (CDT) (envelope-from dmartin@origen.com) Message-ID: <399BE73E.5C380746@origen.com> Date: Thu, 17 Aug 2000 08:23:10 -0500
From: Richard Martin Organization: OriGen, inc. X-Mailer: Mozilla 4.74 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Manfredi Blasucci Cc: "Rashid N. Achilov" , Erick Mechler , freebsd-security@FreeBSD.ORG Subject: Re: deny incoming icmp References: <399BB063.EB511C8A@inet.it> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Correct me if I am wrong, but wouldn't a single rule be faster?

/sbin/ipfw add pass icmp from ${oip} to any icmptypes 0,3,4,8,11,12 # outward
/sbin/ipfw add pass icmp from any to ${oip} icmptypes 0,3,4,11,12   # inward

(ICMP type 4 is source quench)

and you may not want to log every ping, but know what isn't getting in

/sbin/ipfw add deny log icmp from any to any

>
> Try with those:
>
> ${fwcmd} add allow log icmp from any to $ip via $eth out
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 0    <- Echo Reply
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 3    <- Destination Unreachable
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 8    <- Echo
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 11   <- Time Exceeded
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 12   <- Parameter Problem
>
> See also http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf.
>
> Bye,
> Manf
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- Richard Martin dmartin@origen.com OriGen, inc. Tel: +1 512 474 7278 2525 Hartford Rd.
Fax: +1 512 708 8522 Austin, TX 78703 http://www.origen.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 6:26:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id 292C937B639 for ; Thu, 17 Aug 2000 06:26:48 -0700 (PDT) Received: by pawn.primelocation.net (Postfix, from userid 1016) id 009549B05; Thu, 17 Aug 2000 09:26:44 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by pawn.primelocation.net (Postfix) with ESMTP id EA141BA03; Thu, 17 Aug 2000 09:26:44 -0400 (EDT) Date: Thu, 17 Aug 2000 09:26:44 -0400 (EDT) 
From: "Chris D. Faulhaber" X-Sender: cdf.lists@pawn.primelocation.net To: Cy Schubert - ITSD Open Systems Group Cc: freebsd-security@freebsd.org Subject: Re: Group-writable executable in OpenLDAP (fwd) In-Reply-To: <200008171315.e7HDFSh12972@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 17 Aug 2000, Cy Schubert - ITSD Open Systems Group wrote: > Still catching up on email after 4 weeks of vacation and noticed this > BUGTRAQ gem in my inbox. Our OpenLDAP port needs to be fixed to > address this. > I thought I fixed this with ports/net/openldap/patches/patch-ae Did I miss something? ----- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 6:37:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from sentry.granch.com (sentry.granch.com [212.109.197.135]) by hub.freebsd.org (Postfix) with ESMTP id 0247537B62B for ; Thu, 17 Aug 2000 06:37:21 -0700 (PDT) Received: (from shelton@localhost) by sentry.granch.com (8.9.3/8.9.3) id UAA28589; Thu, 17 Aug 2000 20:39:04 +0700 (NOVST) Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <399BE73E.5C380746@origen.com> Date: Thu, 17 Aug 2000 20:39:04 +0700 (NOVST) Reply-To: "Rashid N. Achilov" Organization: Granch Ltd. 
From: "Rashid N. Achilov" To: Richard Martin Subject: Re: deny incoming icmp Cc: Erick Mechler , freebsd-security@FreeBSD.ORG, Manfredi Blasucci Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 17-Aug-00 Richard Martin wrote:
> Correct me if I am wrong, but wouldn't a single rule be faster?
>
> /sbin/ipfw add pass icmp from ${oip} to any icmptypes 0,3,4,8,11,12 # outward
> /sbin/ipfw add pass icmp from any to ${oip} icmptypes 0,3,4,11,12   # inward
>
> (ICMP type 4 is source quench)
> and you may not want to log every ping, but know what isn't getting in
>
> /sbin/ipfw add deny log icmp from any to any
>

What types of ICMP messages does traceroute use? I'd like to mask internal network structure from tracing...

-- With Best Regards. Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514, Granch Ltd. lead engineer e-mail: achilov@granch.ru, tel (383-2) 24-2363

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 17 6:49:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns.ooe.gv.at (ns.ooe.gv.at [194.232.68.1]) by hub.freebsd.org (Postfix) with ESMTP id 7777137B659 for ; Thu, 17 Aug 2000 06:49:00 -0700 (PDT) Received: (from daemon@localhost) by ns.ooe.gv.at (8.10.1/8.8.5) id e7HDkKt18028 for freebsd-security@freebsd.org.stripped; Thu, 17 Aug 2000 15:46:20 +0200 Received: by ns.ooe.gv.at (8.10.1/8.8.5) id e7HDkId25780; Thu, 17 Aug 2000 15:46:18 +0200 Received: via SMTP by firewall.ooe.gv.at, id smtpdfaoKia; Thu Aug 17 15:46:14 2000 Received: Received: id ; Thu, 17 Aug 2000 15:48:45 +0200 Message-ID:
From: Egon.Rath@lsr-ooe.gv.at To: achilov@granch.ru Cc: freebsd-security@FreeBSD.ORG Subject: AW: deny incoming icmp Date: Thu, 17 Aug 2000 15:48:02 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="KOI8-R" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org |> |> What type of ICMP messages uses traceroute? I'd like to mask |> internal network structure from |> tracing... |> -- Traceroute uses ICMP types 0 (Echo Reply), 8 (Echo request) and 11 (TTL expired) to determine the route to the host. Yours, Egon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 7:12:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 12DE837B62B for ; Thu, 17 Aug 2000 07:12:48 -0700 (PDT) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA14909; Thu, 17 Aug 2000 07:12:43 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda14907; Thu Aug 17 07:12:26 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id HAA10831; Thu, 17 Aug 2000 07:12:26 -0700 (PDT) Message-Id: <200008171412.HAA10831@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdk10826; Thu Aug 17 07:12:16 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.0-STABLE X-Sender: cschuber To: "Chris D. Faulhaber" Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@freebsd.org Subject: Re: Group-writable executable in OpenLDAP (fwd) In-reply-to: Your message of "Thu, 17 Aug 2000 09:26:44 EDT." 
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 17 Aug 2000 07:12:16 -0700 From: Cy Schubert Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , " Chris D. Faulhaber" writes: > On Thu, 17 Aug 2000, Cy Schubert - ITSD Open Systems Group wrote: > > > Still catching up on email after 4 weeks of vacation and noticed this > > BUGTRAQ gem in my inbox. Our OpenLDAP port needs to be fixed to > > address this. > > > > I thought I fixed this with ports/net/openldap/patches/patch-ae Did I > miss something? It's probably my mistake. I may have missed this port the last time I upgraded my ports, which was on Monday. I'll go back and do my homework first. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 7:14:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.whistle.com (gatekeeper.whistle.com [207.76.204.2]) by hub.freebsd.org (Postfix) with ESMTP id D15F337B66F for ; Thu, 17 Aug 2000 07:14:42 -0700 (PDT) Received: from pau-amma.whistle.com (pau-amma.whistle.com [207.76.205.64]) by gatekeeper.whistle.com (8.9.3/8.9.3) with ESMTP id HAA06078; Thu, 17 Aug 2000 07:14:35 -0700 (PDT) (envelope-from dhw@whistle.com) Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.3/8.9.3) id HAA02662; Thu, 17 Aug 2000 07:14:30 -0700 (PDT) (envelope-from dhw) Date: Thu, 17 Aug 2000 07:14:30 -0700 (PDT) From: David Wolfskill Message-Id: <200008171414.HAA02662@pau-amma.whistle.com> To: achilov@granch.ru, Egon.Rath@lsr-ooe.gv.at Subject: Re: AW: deny incoming icmp Cc: freebsd-security@FreeBSD.ORG In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
>From: Egon.Rath@lsr-ooe.gv.at >Date: Thu, 17 Aug 2000 15:48:02 +0200 >|> What type of ICMP messages uses traceroute? I'd like to mask >|> internal network structure from tracing... >Traceroute uses ICMP types 0 (Echo Reply), 8 (Echo request) and 11 (TTL >expired) to determine the route to the host. That didn't seem quite right to me, so I looked (in /usr/src/contrib/traceroute/traceroute.c); there is a rather large comment block near the beginning of the file tagged * -- Van Jacobson (van@ee.lbl.gov) * Tue Dec 20 03:50:13 PST 1988 that explains how & why the program uses high-numbered UDP datagrams for the probes. It does rely on ICMP (time exceeded; ICMP type 11) for receiving notification from a router, though. Cheers, david -- David Wolfskill dhw@whistle.com UNIX System Administrator Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 7:50:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 8CCBB37B64B for ; Thu, 17 Aug 2000 07:50:26 -0700 (PDT) Received: (qmail 57906 invoked by uid 1001); 17 Aug 2000 14:50:13 +0000 (GMT) To: dhw@whistle.com Cc: achilov@granch.ru, Egon.Rath@lsr-ooe.gv.at, freebsd-security@FreeBSD.ORG Subject: Re: AW: deny incoming icmp 
From: sthaug@nethelp.no In-Reply-To: Your message of "Thu, 17 Aug 2000 07:14:30 -0700 (PDT)" References: <200008171414.HAA02662@pau-amma.whistle.com> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Thu, 17 Aug 2000 16:50:13 +0200 Message-ID: <57904.966523813@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > >Traceroute uses ICMP types 0 (Echo Reply), 8 (Echo request) and 11 (TTL > >expired) to determine the route to the host. > > That didn't seem quite right to me, so I looked (in > /usr/src/contrib/traceroute/traceroute.c); there is a rather large > comment block near the beginning of the file tagged > > * -- Van Jacobson (van@ee.lbl.gov) > * Tue Dec 20 03:50:13 PST 1988 > > that explains how & why the program uses high-numbered UDP datagrams for > the probes. It does rely on ICMP (time exceeded; ICMP type 11) for > receiving notification from a router, though. The Microsoft implementation of traceroute uses ICMP instead of UDP though... Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 8:17:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by hub.freebsd.org (Postfix) with ESMTP id B65A637B67A for ; Thu, 17 Aug 2000 08:17:39 -0700 (PDT) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.9.3/8.9.3) with ESMTP id PAA85608; Thu, 17 Aug 2000 15:11:07 GMT (envelope-from fgleiser@cactus.fi.uba.ar) Date: Thu, 17 Aug 2000 12:11:07 -0300 (ART) 
From: Fernando Gleiser To: Egon.Rath@lsr-ooe.gv.at Cc: achilov@granch.ru, freebsd-security@FreeBSD.ORG Subject: Re: AW: deny incoming icmp In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 17 Aug 2000 Egon.Rath@lsr-ooe.gv.at wrote:
>
> |>
> |> What type of ICMP messages uses traceroute? I'd like to mask
> |> internal network structure from
> |> tracing...
> |> --
>
> Traceroute uses ICMP types 0 (Echo Reply), 8 (Echo request) and 11 (TTL
> expired) to determine the route to the host.

That's winblows traceroute. Unix traceroute uses UDP instead of icmp echo. The icmp that come back are 11/0 (time exceeded in transit) and several type 3 (host unreach, net unreach, and port unreach). Take a look at http://www.kohala.com/start/papers.others/vanj.99feb08.txt to see why.

> Yours, Egon
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 17 8:32:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id 031AC37B672 for ; Thu, 17 Aug 2000 08:32:18 -0700 (PDT) Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id IAA12754; Thu, 17 Aug 2000 08:32:00 -0700 (PDT) (envelope-from todd@flyingcroc.net) X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs Date: Thu, 17 Aug 2000 08:32:00 -0700 (PDT)
From: Todd Backman X-Sender: todd@security1.noc.flyingcroc.net To: cjclark@alum.mit.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: syslogd poll state In-Reply-To: <20000816224105.D28027@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org No, I am not using -a for syslogd. I have blocked 514 at the borders and did not want to add any more overhead to this server. I am thinking that it might be a DNS issue and not a syslogd issue. Thanks. - Todd On Wed, 16 Aug 2000, Crist J . Clark wrote: > On Wed, Aug 16, 2000 at 02:08:55PM -0700, Todd Backman wrote: > > > > I tried on -questions and didn't get any bites. Any ideas here?: > > > > (updated info: I increased my udp.recvspace via sysctl to overcome any > > possible overloads due to +250 servers spewing syslog data to it. That was > > not the problem and the poll state continues to occur. > > > > One thing I noticed is that when syslogd is in the "poll" state the > > following is listed in the output of sockstat: > > > > machinename# sockstat > > > > root syslogd 83 4 udp4 *.514 *.* > > root syslogd 83 6 udp4 x.x.x.x.271 x.x.x.x.53 > > ^^^^^^^ ^^^^^^^ > > machine IP nameserver IP > > > > I am wondering why syslogd would be attempting to do any type of lookups? > > Probably has something to do with this, > > -a allowed_peer > Allow allowed_peer to log to this syslogd using UDP datagrams. > Multiple -a options may be specified. > > Allowed_peer can be any of the following: > . > . > . > domainname[:service] Accept datagrams where the reverse > address lookup yields domainname for > the sender address. The meaning of > service is as explained above. > > Are you using the -a option? > -- > Crist J. 
Clark cjclark@alum.mit.com > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 8:34:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from Mercury.unixrules.net (Mercury.unixrules.net [216.65.46.2]) by hub.freebsd.org (Postfix) with SMTP id 563D737B6B0 for ; Thu, 17 Aug 2000 08:34:21 -0700 (PDT) Received: (qmail 4839 invoked by uid 1070); 17 Aug 2000 15:34:26 -0000 Date: Thu, 17 Aug 2000 08:34:26 -0700 (PDT) 
From: "geniusj (Jason DiCioccio)" X-Sender: w@Mercury.unixrules.net To: Fernando Schapachnik Cc: Walter Cruz , freebsd-security@FreeBSD.ORG Subject: Re: Problem with SWAP. In-Reply-To: <200008031308.KAA04559@ns1.via-net-works.net.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

www.freebsddiary.org ;)

On Thu, 3 Aug 2000, Fernando Schapachnik wrote:
> In an earlier message, Walter Cruz wrote:
> > (sorry, my english is terrible!)
> >
> > Hi!
> >
> > I'm a BSD newbie and my web server (FreeBSD 4.0) is crashing constantly...
> > "swap_space_getswapspace: failed" ... this is the error message.
> > Please, can anyone post the step-by-step to add more swap space? Anything
> > 'll be welcome!
>
> You have that in the handbook (or FAQ, I don't remember which). I
> don't think there are portuguese versions, but there are spanish ones.
>
> Good luck!
>
> PD: By the way, you will be better off asking this kind of questions
> in -questions, not in -security :)
>
>
> Fernando P. Schapachnik
> Network Administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 17 8:48:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from Mercury.unixrules.net (Mercury.unixrules.net [216.65.46.2]) by hub.freebsd.org (Postfix) with SMTP id 24EF537B6A7 for ; Thu, 17 Aug 2000 08:48:19 -0700 (PDT) Received: (qmail 6630 invoked by uid 1070); 17 Aug 2000 15:48:20 -0000 Date: Thu, 17 Aug 2000 08:48:20 -0700 (PDT)
From: "geniusj (Jason DiCioccio)" X-Sender: w@Mercury.unixrules.net To: Markus Holmberg Cc: freebsd-security@freebsd.org Subject: Re: Purpose of world being able to see the mail queue? In-Reply-To: <20000817131804.A24557@acc.umu.se> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Change it then :).. I don't think we need a global default change for this however.. It's not really a vulnerability and probably better left to the administrator to decide. -jd- On Thu, 17 Aug 2000, Markus Holmberg wrote: > Hi.. > > Recently I noticed that /var/log/maillog was stored world readable > and contains each messages sender and recipient information (at least > Postfix by default stores this, can't remember if Sendmail > does?). > > This isn't a big issue, but still I was surprised considering the > unnecessary exposure of details in the systems users mail communication. > I was about to ask why maillog wasn't stored as read/write for root only, > when I discovered that also the mail queue (using mailq) also was world > readable. This also seemed to be the case with the Linux and Solaris > systems I tested. > > I don't expect any mail transport node on the path to the destination to > expose the envelope information "unnecessarily" (although of course I can > absolutely not *assume* that), and therefore neither expect my own MTA > to do that.. (yes, I might have naive expectations, in that case I need > to fix them :)) > > What is the rationale behind having the MTA by default exposing > information on who the users on the system receive and send > mail to through the mail log and the message queue? > (The mail queue information seemed to be world viewable (with mailq) on > all Unix systems I tested.) > > I understand that the envelope information of a mail message can not > be considered private, but this seems like unnecessary exposure..? 
> > I'm interested in enlightenment/opinions on this subject :).. > > In a way I'm hesitating to send this out now, because I realize the > similarity of this issue with standard unix concepts. For example > "viewing who else is logged in", "viewing other users processes" etc > which are totally given in a Unix environment. But now when I think > about it, are even these really justified? > > Regards, Markus. > > -- > > Markus Holmberg | Give me Unix or give me a typewriter. > markush@acc.umu.se | http://www.freebsd.org/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 9: 0:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 4807C37B6E6 for ; Thu, 17 Aug 2000 09:00:01 -0700 (PDT) Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id JAA16056; Thu, 17 Aug 2000 09:59:29 -0600 (MDT) (envelope-from nate@nomad.yogotech.com) Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id JAA23163; Thu, 17 Aug 2000 09:58:36 -0600 (MDT) (envelope-from nate) Date: Thu, 17 Aug 2000 09:58:36 -0600 (MDT) Message-Id: <200008171558.JAA23163@nomad.yogotech.com> 
From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Warner Losh Cc: Mike Silbersack , David May , freebsd-security@FreeBSD.ORG Subject: Re: [Q] why does my firewall degrade Web performance? In-Reply-To: <200008170516.XAA09705@harmony.village.org> References: <200008170516.XAA09705@harmony.village.org> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@yogotech.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> : > The firewall machine CPU load is always light. It is a Pentium II Celeron
> : > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
> : > and around 180 ipfw rules.
> :
> : I'm not sure how fast/slow ipfw is, but 180 rules sounds like a
> : LOT. Could you get by with a few less? (Or at least try the setup with
> : no rules and the firewall box just running as a pure router.)
>
> 180 is about normal for having multiple cards. 300MHz should be
> plenty fast enough.

No kidding. I have 133 on my firewall, and it's a 486/66, and it keeps up *just fine* running with a 100MB ethernet connected to a T1.

I've never seen the box under any load average, and it's been on the net since '93. We used a 486 for firewall in commercial products (and would continue to do so except that you can't find them anymore).

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 17 9: 1:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id EDE2B37B66F; Thu, 17 Aug 2000 09:01:43 -0700 (PDT) Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id e7HG3Dk51483; Thu, 17 Aug 2000 11:03:13 -0500 (CDT) Date: Thu, 17 Aug 2000 11:03:13 -0500 (CDT)
From: Alex Charalabidis To: Kris Kennaway Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: Hilighting dangerous ports In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 16 Aug 2000, Mike Silbersack wrote: > > On Wed, 16 Aug 2000, Kris Kennaway wrote: > > > What does everyone think of the attached patch to bsd.port.mk, which > > hilights potentially insecure files installed by a port at install-time? > > > > It does a find(1) over the packing list of the port looking for > > setuid/setgid files, as well as checking for startup scripts installed in > > ${PREFIX}/etc/rc.d which usually indicates a network daemon (Thanks to > > Brian Feldman for the latter idea). > > > > If the port includes a WWW site, the user is directed there for contact > > information so they can talk to the software developers about the security > > of the port, if they have doubts (i.e. so they don't bother us) (Thanks to > > Peter Wemm for this idea) > I like the idea. Something similar to indicate which ports have been audited would also be useful. 
-ac -- ============================================================== Alex Charalabidis (AC8139) 5050 Poplar Ave, Ste 170 Systems Administrator Memphis, TN 38157 WebNet Memphis (901) 432 6000 Author, The Book of IRC http://www.bookofirc.com/ ============================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 9: 7:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.simphost.com (alpha.simphost.com [216.84.199.194]) by hub.freebsd.org (Postfix) with ESMTP id F30CA37B777 for ; Thu, 17 Aug 2000 09:07:20 -0700 (PDT) Received: by alpha.simphost.com (Postfix, from userid 1004) id 557F730720; Thu, 17 Aug 2000 10:07:40 -0600 (MDT) Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id 4F1CD2C90F; Thu, 17 Aug 2000 10:07:40 -0600 (MDT) Date: Thu, 17 Aug 2000 10:07:40 -0600 (MDT) 
From: "Jonathan M. Slivko" To: Nate Williams Cc: Warner Losh , Mike Silbersack , David May , freebsd-security@FreeBSD.ORG Subject: Re: [Q] why does my firewall degrade Web performance? In-Reply-To: <200008171558.JAA23163@nomad.yogotech.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I have some I'm willing to sell if anyone is interested ;)

---- Jonathan M. Slivko Technical Support: Simple Hosting Solutions Sys Administrator: BN Networks Looking for shells and hosting? check out http://www.simphost.com for great deals! ----

On Thu, 17 Aug 2000, Nate Williams wrote:
> > : > The firewall machine CPU load is always light. It is a Pentium II Celeron
> > : > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
> > : > and around 180 ipfw rules.
> > :
> > : I'm not sure how fast/slow ipfw is, but 180 rules sounds like a
> > : LOT. Could you get by with a few less? (Or at least try the setup with
> > : no rules and the firewall box just running as a pure router.)
> >
> > 180 is about normal for having multiple cards. 300MHz should be
> > plenty fast enough.
>
> No kidding. I have 133 on my firewall, and it's a 486/66, and it keeps
> up *just fine* running with a 100MB ethernet connected to a T1.
>
> I've never seen the box under any load average, and it's been on the net
> since '93. We used a 486 for firewall in commercial products (and
> would continue to do so except that you can't find them anymore).
>
> Nate
>

From owner-freebsd-security Thu Aug 17 9:13:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 8B2F737B72B for ; Thu, 17 Aug 2000 09:13:52 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA16164; Thu, 17 Aug 2000 10:13:22 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id KAA23225; Thu, 17 Aug 2000 10:12:29 -0600 (MDT) (envelope-from nate)
Date: Thu, 17 Aug 2000 10:12:29 -0600 (MDT)
Message-Id: <200008171612.KAA23225@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: sthaug@nethelp.no
Cc: dhw@whistle.com, achilov@granch.ru, Egon.Rath@lsr-ooe.gv.at, freebsd-security@FreeBSD.ORG
Subject: Re: AW: deny incoming icmp
In-Reply-To: <57904.966523813@verdi.nethelp.no>
References: <200008171414.HAA02662@pau-amma.whistle.com> <57904.966523813@verdi.nethelp.no>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > >Traceroute uses ICMP types 0 (Echo Reply), 8 (Echo request) and 11 (TTL
> > >expired) to determine the route to the host.
> >
> > That didn't seem quite right to me, so I looked (in
> > /usr/src/contrib/traceroute/traceroute.c); there is a rather large
> > comment block near the beginning of the file tagged
> >
> > * -- Van Jacobson (van@ee.lbl.gov)
> > * Tue Dec 20 03:50:13 PST 1988
> >
> > that explains how & why the program uses high-numbered UDP datagrams for
> > the probes. It does rely on ICMP (time exceeded; ICMP type 11) for
> > receiving notification from a router, though.
>
> The Microsoft implementation of traceroute uses ICMP instead of UDP
> though...

Not as far as I can tell, since it wouldn't work with my firewall if it
did. However, I haven't done any explicit testing to see what exactly it
does.
Nate

From owner-freebsd-security Thu Aug 17 9:15: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from digitalinet.com (digitalinet.com [216.65.124.130]) by hub.freebsd.org (Postfix) with SMTP id 8AB9737B798 for ; Thu, 17 Aug 2000 09:14:59 -0700 (PDT)
Received: (qmail 26150 invoked from network); 17 Aug 2000 16:14:54 -0000
Received: from unknown (HELO john) (24.96.19.19) by digitalinet.com with SMTP; 17 Aug 2000 16:14:54 -0000
Message-ID: <000b01c00866$5ca6de20$03030303@john>
From: "John"
To: "Nate Williams", "Warner Losh"
Cc: "Mike Silbersack", "David May",
References: <200008170516.XAA09705@harmony.village.org> <200008171558.JAA23163@nomad.yogotech.com>
Subject: Re: [Q] why does my firewall degrade Web performance?
Date: Thu, 17 Aug 2000 12:15:27 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I recommend making sure the NICs on the machine are performing fine.
I also recommend you benchmark your webserver from inside the firewall, then
from outside.
If you can't figure anything out, I recommend you try using ipfilter instead
of ipfw.

Thanks,
John (Digitalinet NOC Engineer)
"Want a free domain? Visit: www.digitalinet.com"

----- Original Message -----
From: "Nate Williams"
To: "Warner Losh"
Cc: "Mike Silbersack"; "David May";
Sent: Thursday, August 17, 2000 11:58 AM
Subject: Re: [Q] why does my firewall degrade Web performance?

> > : > The firewall machine CPU load is always light. It is a Pentium II Celeron
> > : > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
> > : > and around 180 ipfw rules.
> > :
> > : I'm not sure how fast/slow ipfw is, but 180 rules sounds like a
> > : LOT. Could you get by with a few less? (Or at least try the setup with
> > : no rules and the firewall box just running as a pure router.)
> >
> > 180 is about normal for having multiple cards. 300MHz should be
> > plenty fast enough.
>
> No kidding. I have 133 on my firewall, and it's a 486/66, and it keeps
> up *just fine* running with a 100MB ethernet connected to a T1.
>
> I've never seen the box under any load average, and it's been on the net
> since '93. We used a 486 for firewall in commercial products (and
> would continue to do so except that you can't find them anymore).
>
> Nate
>

From owner-freebsd-security Thu Aug 17 9:17:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 3BE8037B7F1 for ; Thu, 17 Aug 2000 09:17:38 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA16189; Thu, 17 Aug 2000 10:17:07 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id KAA23260; Thu, 17 Aug 2000 10:16:15 -0600 (MDT) (envelope-from nate)
Date: Thu, 17 Aug 2000 10:16:15 -0600 (MDT)
Message-Id: <200008171616.KAA23260@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "John"
Cc: "Nate Williams", "Warner Losh", "Mike Silbersack", "David May",
Subject: Re: [Q] why does my firewall degrade Web performance?
In-Reply-To: <000b01c00866$5ca6de20$03030303@john>
References: <200008170516.XAA09705@harmony.village.org> <200008171558.JAA23163@nomad.yogotech.com> <000b01c00866$5ca6de20$03030303@john>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I recommend making sure the NICs on the machine are performing fine.

For what it's worth, I'm using one of the *really* crappy cards (3c509)
on my 486/66, and it's still working fine. IPFW is a *very* efficient
packet filtering implementation, so either the firewall rules are
implemented poorly (you can optimize them rather easily by doing
fast-path guesses), or something else is wrong.

> I also recommend you benchmark your webserver from inside the firewall then
> from outside.
> If you can't figure anything out I recommend you try using ipfilter instead
> of ipfw.

ipfilter is much more resource hungry than ipfw.

Nate

From owner-freebsd-security Thu Aug 17 9:21: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from daemon.dnepr.net (mizi.dnepr.net [195.24.156.63]) by hub.freebsd.org (Postfix) with ESMTP id 3498637B7B7 for ; Thu, 17 Aug 2000 09:20:35 -0700 (PDT)
Received: (from land@localhost) by daemon.dnepr.net (8.9.3/8.9.3) id TAA05749; Thu, 17 Aug 2000 19:19:57 +0300 (EEST) (envelope-from land)
Date: Thu, 17 Aug 2000 19:19:57 +0300
From: Andrey Lakhno
To: sthaug@nethelp.no
Cc: security@freebsd.org
Subject: Re: deny incoming icmp
Message-ID: <20000817191957.A5618@daemon.dnepr.net>
References: <200008171414.HAA02662@pau-amma.whistle.com> <57904.966523813@verdi.nethelp.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <57904.966523813@verdi.nethelp.no>; from sthaug@nethelp.no on Thu, Aug 17, 2000 at 16:50:13 +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi sthaug!

On Thu, 17 Aug 2000, sthaug@nethelp.no wrote:

> > >Traceroute uses ICMP types 0 (Echo Reply), 8 (Echo request) and 11 (TTL
> > >expired) to determine the route to the host.
> >
> > That didn't seem quite right to me, so I looked (in
> > /usr/src/contrib/traceroute/traceroute.c); there is a rather large
> > comment block near the beginning of the file tagged
> >
> > * -- Van Jacobson (van@ee.lbl.gov)
> > * Tue Dec 20 03:50:13 PST 1988
> >
> > that explains how & why the program uses high-numbered UDP datagrams for
> > the probes. It does rely on ICMP (time exceeded; ICMP type 11) for
> > receiving notification from a router, though.
>
> The Microsoft implementation of traceroute uses ICMP instead of UDP
> though...

Where can I read about the Microsoft implementation of traceroute?
Or could you explain in a few words how it works?
--
Best regards,
Andrey

From owner-freebsd-security Thu Aug 17 9:25:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blizzard.sabbo.net (blizzard.sabbo.net [193.193.218.18]) by hub.freebsd.org (Postfix) with ESMTP id 3E90637B774; Thu, 17 Aug 2000 09:24:52 -0700 (PDT)
Received: from vic.sabbo.net (root@vic.sabbo.net [193.193.218.106]) by blizzard.sabbo.net (8.9.1/8.9.3) with ESMTP id TAA06404; Thu, 17 Aug 2000 19:24:20 +0300 (EEST)
Received: from FreeBSD.org (big_brother.vega.com [192.168.1.1]) by vic.sabbo.net (8.9.3/8.9.3) with ESMTP id TAA06241; Thu, 17 Aug 2000 19:24:21 +0300 (EEST) (envelope-from sobomax@FreeBSD.org)
Message-ID: <399C11B1.B69DCDED@FreeBSD.org>
Date: Thu, 17 Aug 2000 19:24:17 +0300
From: Maxim Sobolev
Organization: Vega International Capital
X-Mailer: Mozilla 4.74 [en] (WinNT; U)
X-Accept-Language: uk,ru,en
MIME-Version: 1.0
To: Kris Kennaway
Cc: Sheldon Hearn, security@FreeBSD.org, ports@FreeBSD.org
Subject: Re: Hilighting dangerous ports
References:
Content-Type: text/plain; charset=x-user-defined
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:

> On Wed, 16 Aug 2000, Sheldon Hearn wrote:
>
> > > What does everyone think of the attached patch to bsd.port.mk, which
> > > highlights potentially insecure files installed by a port at install-time?
> >
> > I like the idea. It would be even more of an improvement over the
> > status quo if a solution for packages could be found. Many folks use
> > packages only and many more use packages mostly. :-)
>
> In principle it's a straightforward thing, since pkg_add also has the
> PLIST available - it's just slightly more difficult to write the
> equivalent in C than as a shell script.

Good idea. A few notes, though:

1. There should be a way to disable the security notification, so the user will have
   a chance to shoot himself in the foot if he wants to.
2. You don't necessarily have to modify pkg_add to check the security of the package
   being installed. IMHO it is much easier to add appropriate logic into
   bsd.port.mk, which would display security warnings *and* append a copy into
   MESSAGE, so the user will see it during package install.

Just my 2 cents.
-Maxim

From owner-freebsd-security Thu Aug 17 9:42:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from alpha.simphost.com (alpha.simphost.com [216.84.199.194]) by hub.freebsd.org (Postfix) with ESMTP id 5E77237C1C5; Thu, 17 Aug 2000 09:42:02 -0700 (PDT)
Received: by alpha.simphost.com (Postfix, from userid 1004) id CE3BA30720; Thu, 17 Aug 2000 10:42:20 -0600 (MDT)
Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id CAA142C90F; Thu, 17 Aug 2000 10:42:20 -0600 (MDT)
Date: Thu, 17 Aug 2000 10:42:20 -0600 (MDT)
From: "Jonathan M. Slivko"
To: Maxim Sobolev
Cc: Kris Kennaway, Sheldon Hearn, security@FreeBSD.org, ports@FreeBSD.org
Subject: Re: Hilighting dangerous ports
In-Reply-To: <399C11B1.B69DCDED@FreeBSD.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

heh, I agree with those notes totally :) But, I believe that lynx-2.8.2ssl
already has something like that.

----
Jonathan M. Slivko
Technical Support: Simple Hosting Solutions
Sys Administrator: BN Networks
Network Sol. ID: JSR730
Looking for shells and hosting? Check out http://www.simphost.com for great deals!
----

On Thu, 17 Aug 2000, Maxim Sobolev wrote:

> Kris Kennaway wrote:
>
> > On Wed, 16 Aug 2000, Sheldon Hearn wrote:
> >
> > > > What does everyone think of the attached patch to bsd.port.mk, which
> > > > highlights potentially insecure files installed by a port at install-time?
> > >
> > > I like the idea. It would be even more of an improvement over the
> > > status quo if a solution for packages could be found. Many folks use
> > > packages only and many more use packages mostly. :-)
> >
> > In principle it's a straightforward thing, since pkg_add also has the
> > PLIST available - it's just slightly more difficult to write the
> > equivalent in C than as a shell script.
>
> Good idea. A few notes, though:
> 1. There should be a way to disable the security notification, so the user will have
> a chance to shoot himself in the foot if he wants to.
> 2. You don't necessarily have to modify pkg_add to check the security of the package
> being installed. IMHO it is much easier to add appropriate logic into
> bsd.port.mk, which would display security warnings *and* append a copy into
> MESSAGE, so the user will see it during package install.
>
> Just my 2 cents.
>
> -Maxim
>

From owner-freebsd-security Thu Aug 17 18:41:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 36B7037B626; Thu, 17 Aug 2000 18:41:06 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id RAA02211; Thu, 17 Aug 2000 17:04:53 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 17 Aug 2000 17:04:53 -0700 (PDT)
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@freebsd.org
Subject: Re: Group-writable executable in OpenLDAP (fwd)
In-Reply-To: <200008171315.e7HDFSh12972@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 17 Aug 2000, Cy Schubert - ITSD Open Systems Group wrote:

> Still catching up on email after 4 weeks of vacation and noticed this
> BUGTRAQ gem in my inbox. Our OpenLDAP port needs to be fixed to
> address this.

It's already fixed, but this is only of minor importance on FreeBSD since
it's owned by group wheel, and on most installations the people who are in
that group know the root password anyway. There are a number of other
ports which install files writable by the wheel group - I've been going
through and fixing them for the past few days.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Thu Aug 17 18:50:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.129.65]) by hub.freebsd.org (Postfix) with ESMTP id 1C4BC37BA26 for ; Thu, 17 Aug 2000 18:50:36 -0700 (PDT)
Received: from mta04.onebox.com (mta04.onebox.com [216.33.158.211]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFAEF6E4107 for ; Thu, 17 Aug 2000 16:14:59 -0700 (PDT)
Received: from onebox.com ([216.33.158.157]) by mta04.onebox.com (InterMail vM.4.01.02.27 201-229-119-110) with SMTP id <20000817231426.HTFW19998.mta04.onebox.com@onebox.com> for ; Thu, 17 Aug 2000 16:14:26 -0700
Received: from [24.163.218.81] by onebox.com with HTTP; Thu, 17 Aug 2000 16:14:26 -0700
Date: Thu, 17 Aug 2000 19:14:26 -0400
Subject: MadCow Virus
From: "Paul Richards"
To: security@FreeBSD.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Message-Id: <20000817231426.HTFW19998.mta04.onebox.com@onebox.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You have just received the "MadCow Virus." As we don't have any programming
experience, this virus works on the honor system. Please delete all the
files from your hard drive and manually forward this virus to everyone
on your mailing list.

Thanks for your cooperation

___________________________________________________________________
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
all in one place - sign up today at http://www.zdnetonebox.com

From owner-freebsd-security Thu Aug 17 18:51: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.129.65]) by hub.freebsd.org (Postfix) with ESMTP id CA11C37BB12 for ; Thu, 17 Aug 2000 18:50:39 -0700 (PDT)
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94A646E3351 for ; Thu, 17 Aug 2000 14:27:20 -0700 (PDT)
Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id RAA16515 for freebsd-security@freebsd.org; Thu, 17 Aug 2000 17:23:34 -0400 (EDT)
From: David La Croix
Message-Id: <200008172123.RAA16515@cowpie.acm.vt.edu>
Subject: rpc.statd -- is someone trying to exploit a buffer overflow?
To: freebsd-security@freebsd.org
Date: Thu, 17 Aug 2000 16:23:34 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I manage a fileserver for my company, and it happens to be running
FreeBSD 3.4-Stable (April 10) with NFS enabled:

I've noticed repeated messages of the form:

    DATE maurice rpc.statd: invalid hostname to sm_stat: lots of binary crap.

The binary stuff takes on 2 values:

    Aug 9 07:02:40 maurice rpc.statd: invalid hostname to sm_stat: ^Xw^??^Xw^??^Yw^ ??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n% 192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P

and

    Aug 9 17:22:50 maurice rpc.statd: Invalid hostname to sm_mon: ^Dw^??^Dw^??^Ew^?
    ?^Ew^??^Fw^??^Fw^??^Gw^??^Gw^??%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^ P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^PkK^ v,^Cn ^M^(^CF ^0^Cn ^M^.^CF ^CC ^Ck# ^41@^Cn ^HF'^HF*^CF ^HF+ F80+, s^MN,^MV8M

All told, there have been a total of 49 entries like this in the log of
this one server.

Can ANYBODY explain what these messages mean? Is it an attempt by someone
to exploit a buffer overflow via bad DNS? Is someone (script kiddie)
trying to hack boxes all over the place that have an old rpc.statd?

Is there anything I should be concerned about? (I am about to enable
firewall code on the box in question to block access to RPC and other
stuff from outside the immediate LAN. Just a little tricky doing this on
a production box while people are working).

From owner-freebsd-security Thu Aug 17 18:57:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.129.65]) by hub.freebsd.org (Postfix) with ESMTP id BF44337BBA7; Thu, 17 Aug 2000 18:52:08 -0700 (PDT)
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id F18426E41DD; Thu, 17 Aug 2000 16:52:52 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 17 Aug 2000 16:51:00 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id QAA88650; Thu, 17 Aug 2000 16:51:50 -0700 (PDT) (envelope-from cjc)
Date: Thu, 17 Aug 2000 16:51:49 -0700
From: "Crist J . Clark"
To: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: xlock Vulnerability Misrepresented at Bugtraq
Message-ID: <20000817165149.A88516@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I noticed this and sent an email to the original poster of the
vulnerability, but no reply. If you go to,

    http://www.securityfocus.com/vdb/bottom.html?vid=1585

You will see this is listed as a FreeBSD vulnerability. It is not per se.

1) X is not part of FreeBSD. But FreeBSD distributes XFree86 with its
   CDs and from most FTP sites.
2) No xlock executable comes with the default XFree86 distribution for
   FreeBSD, package or port.
3) You need to install the 'xlockmore' port to get the vulnerable xlock
   to which the original Bugtraq poster was referring.

I think this needs to be straightened out: FreeBSD itself is not
vulnerable. FreeBSD with the distributed XFree86 is not vulnerable.
FreeBSD users are only vulnerable if you have added the xlockmore port,
another xlock tool, or an X distribution with a vulnerable xlock on your
own.

Am I right here? I can't find xlock on my FreeBSD machines anyway. Even
the ones with XFree86.

--
Crist J.
Clark
cjclark@alum.mit.com

From owner-freebsd-security Thu Aug 17 20:14:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toutatis.igt.net (toutatis.igt.net [216.208.228.226]) by hub.freebsd.org (Postfix) with ESMTP id 7A7EC37B446 for ; Thu, 17 Aug 2000 20:14:27 -0700 (PDT)
Received: from nightlive (modemcable140.151-201-24.mtl.mc.videotron.net [24.201.151.140]) by toutatis.igt.net (8.9.3+3.2W/Linux) with ESMTP id XAA09897 for ; Thu, 17 Aug 2000 23:14:23 -0400
X-Authentication-Warning: toutatis.igt.net: Host modemcable140.151-201-24.mtl.mc.videotron.net [24.201.151.140] claimed to be nightlive
From: "Eric LeBlanc"
To: security@freebsd.org
Date: Thu, 17 Aug 2000 23:12:30 -0400
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: MadCow Virus
Message-ID: <399C715E.14553.36E19D@localhost>
In-reply-to: <20000817231426.HTFW19998.mta04.onebox.com@onebox.com>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

mouhahah! I like this joke.... fucking HOAX :-)

Rick

On 17 Aug 2000, at 19:14, Paul Richards wrote:

> You have just received the "MadCow Virus." As we don't have any programming
> experience, this virus works on the honor system. Please delete all the
> files from your hard drive and manually forward this virus to everyone
> on your mailing list.
>
> Thanks for your cooperation
>
>
> ___________________________________________________________________
> To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
> all in one place - sign up today at http://www.zdnetonebox.com
>

From owner-freebsd-security Thu Aug 17 20:17:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by hub.freebsd.org (Postfix) with ESMTP id 2441937B43E; Thu, 17 Aug 2000 20:17:40 -0700 (PDT)
Received: from [128.211.209.78] by scribe.cc.purdue.edu with ESMTP; Thu, 17 Aug 2000 22:17:36 -0500
Received: by argon.gryphonsoft.com (Postfix, from userid 1000) id A8B0919AE; Thu, 17 Aug 2000 22:14:08 -0500 (EST)
Date: Thu, 17 Aug 2000 22:14:08 -0500
From: Will Andrews
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: xlock Vulnerability Misrepresented at Bugtraq
Message-Id: <20000817221408.B422@argon.gryphonsoft.com>
Mail-Followup-To: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
References: <20000817165149.A88516@149.211.6.64.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20000817165149.A88516@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Thu, Aug 17, 2000 at 04:51:49PM -0700
X-Operating-System: FreeBSD 5.0-CURRENT i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Aug 17, 2000 at 04:51:49PM -0700, Crist J . Clark wrote:

> Am I right here? I can't find xlock on my FreeBSD machines
> anyway. Even the ones with XFree86.

You are correct.

--
Will Andrews
GCS/E/S @d- s+:+ a--- C++ UB++++$ P+ L- E--- W+ N-- !o ?K w--- O- M+ V- PS+ PE++ Y+ PGP+>+++ t++ 5 X+ R+ tv+ b++ DI+++ D+ G++ e>++++ h! r- y?

From owner-freebsd-security Thu Aug 17 20:21:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 4D1A937B509; Thu, 17 Aug 2000 20:21:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 4A6E62E8039; Thu, 17 Aug 2000 20:21:37 -0700 (PDT)
Date: Thu, 17 Aug 2000 20:21:36 -0700 (PDT)
From: Kris Kennaway
To: David La Croix
Cc: freebsd-security@freebsd.org
Subject: Re: rpc.statd -- is someone trying to exploit a buffer overflow?
In-Reply-To: <200008172123.RAA16515@cowpie.acm.vt.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 17 Aug 2000, David La Croix wrote:

>
> I manage a fileserver for my company, and it happens to be running
> FreeBSD 3.4-Stable (April 10) with NFS enabled:
>
> I've noticed repeated messages of the form:
> DATE maurice rpc.statd: invalid hostname to sm_stat: lots of binary crap.

Most Linux distributions had a root exploit in rpc.statd recently. The
%8x operators indicate that's what they're trying to exploit here. But
never fear, FreeBSD has no vulnerability here :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Thu Aug 17 21: 1:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 3907937B50F for ; Thu, 17 Aug 2000 21:01:27 -0700 (PDT)
Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id e7I42xM18634; Thu, 17 Aug 2000 23:02:59 -0500 (CDT)
Date: Thu, 17 Aug 2000 23:02:59 -0500 (CDT)
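Editor's added example for the rpc.statd thread above (David La Croix's log entries and Kris Kennaway's reply); it is not code from any message in this archive. It triages syslog lines of the form David reported by counting the printf conversions that Kris points to (the %8x stack probes and the %n writes) after undoing the ^P-style caret notation the report shows, so the exploit attempts separate from an ordinary unresolvable hostname. The sample log lines, the host name and the hostnames in them are constructed.

```python
"""Triage rpc.statd "invalid hostname" syslog lines for printf format-string
payloads, the pattern Kris identifies in the thread above.

Added example, not code from any message in this archive.  Sample lines are
constructed (modelled on the report, control-character runs cut short);
the host and hostnames in them are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One printf conversion: %[flags][width][.precision]conv, e.g. %8x, %0242x, %n
FMT_DIRECTIVE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")

# "<Mon> <day> <hh:mm:ss> <host> rpc.statd: [Ii]nvalid hostname to <proc>: <arg>"
STATD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"rpc\.statd: [Ii]nvalid hostname to (?P<proc>sm_\w+): (?P<arg>.*)$"
)

# Caret notation as it appears in the report: ^P is 0x10, ^? is DEL (0x7f)
CARET = re.compile(r"\^([@-_?])")


def decode_caret(text: str) -> str:
    """Turn ^X caret notation back into the control bytes it stands for."""
    return CARET.sub(
        lambda m: "\x7f" if m.group(1) == "?" else chr(ord(m.group(1)) - 0x40),
        text,
    )


@dataclass
class Finding:
    ts: str
    host: str
    proc: str          # sm_stat / sm_mon: which statd procedure was called
    directives: int    # printf conversions smuggled in as a "hostname"
    writes: int        # %n conversions: the ones that write to memory
    nonprint: int      # bytes outside printable ASCII (addresses, padding)
    severity: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an rpc.statd invalid-hostname line, else None."""
    m = STATD_LINE.match(line)
    if not m:
        return None
    arg = decode_caret(m.group("arg"))
    directives = FMT_DIRECTIVE.findall(arg)
    writes = sum(1 for d in directives if d.endswith("n"))
    nonprint = sum(1 for ch in arg if not 0x20 <= ord(ch) < 0x7f)
    if writes:
        severity = "critical"      # %n present: a memory write is being attempted
    elif len(directives) >= 3:
        severity = "suspicious"    # %x probing of the stack, no write yet
    elif nonprint:
        severity = "malformed"     # binary junk, but no format directives
    else:
        severity = "info"          # ordinary unresolvable hostname
    return Finding(m.group("ts"), m.group("host"), m.group("proc"),
                   len(directives), writes, nonprint, severity)


def scan(lines: List[str]) -> List[Finding]:
    """Classify every rpc.statd invalid-hostname line in a log excerpt."""
    return [f for f in map(classify, lines) if f is not None]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings by severity, e.g. to decide what to page on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample log excerpt: host "maurice" as in the report, payload
# control-character runs cut short; the third line is a plain resolver failure.
SAMPLE_LOG = [
    "Aug  9 07:02:40 maurice rpc.statd: invalid hostname to sm_stat: "
    "^Xw^??^Xw^??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n^P^P^P^P",
    "Aug  9 17:22:50 maurice rpc.statd: Invalid hostname to sm_mon: "
    "^Dw^??%08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n^P^P^P",
    "Aug 10 08:00:01 maurice rpc.statd: invalid hostname to sm_stat: "
    "stale-client.example.internal",
    "Aug 10 08:00:02 maurice sshd[123]: Accepted publickey for alice",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.proc}: {f.severity} "
              f"({f.directives} directives, {f.writes} %n, {f.nonprint} non-printable)")
    print(severity_counts(scan(SAMPLE_LOG)))
```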
From: Alex Charalabidis
To: Paul Richards
Cc: security@FreeBSD.ORG
Subject: Re: MadCow Virus
In-Reply-To: <20000817231426.HTFW19998.mta04.onebox.com@onebox.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 17 Aug 2000, Paul Richards wrote:

> You have just received the "MadCow Virus." As we don't have any programming
> experience, this virus works on the honor system. Please delete all the
> files from your hard drive and manually forward this virus to everyone
> on your mailing list.
>
> Thanks for your cooperation

Dear Mr. Richards,

We have all acquired immunity to the above virus and are no longer
affected by it, due to the fact that we have been infected with it
multiple times during the very recent past. Its humour value has decreased
to match that of Culex pipiens and this virus has no aggregate effect
on our systems, so repeated infection attempts will cause no symptoms other
than mild irritation. It is expected to mutate into an Acquired Humour
Deficiency Syndrome agent in the near future; countermeasures are already
in place.
Regards

-ac

--
==============================================================
Alex Charalabidis (AC8139)        5050 Poplar Ave, Ste 170
Systems Administrator             Memphis, TN 38157
WebNet Memphis                    (901) 432 6000
Author, The Book of IRC           http://www.bookofirc.com/
==============================================================

From owner-freebsd-security Thu Aug 17 22:42:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id CC31337B43E for ; Thu, 17 Aug 2000 22:42:21 -0700 (PDT)
Received: from localhost (jus@localhost) by athena.za.net (8.9.3/8.9.3) with ESMTP id HAA10874; Fri, 18 Aug 2000 07:42:42 +0200 (SAST) (envelope-from jus@security.za.net)
X-Authentication-Warning: athena.za.net: jus owned process doing -bs
Date: Fri, 18 Aug 2000 07:42:40 +0200 (SAST)
From: Justin Stanford
X-Sender: jus@athena.za.net
To: Alex Charalabidis
Cc: Paul Richards, security@FreeBSD.ORG
Subject: Re: MadCow Virus
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well said, by jove *grin*

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Thu, 17 Aug 2000, Alex Charalabidis wrote:

> On Thu, 17 Aug 2000, Paul Richards wrote:
>
> > You have just received the "MadCow Virus." As we don't have any programming
> > experience, this virus works on the honor system. Please delete all the
> > files from your hard drive and manually forward this virus to everyone
> > on your mailing list.
> >
> > Thanks for your cooperation
>
> Dear Mr. Richards,
>
> We have all acquired immunity to the above virus and are no longer
> affected by it, due to the fact that we have been infected with it
> multiple times during the very recent past. Its humour value has decreased
> to match that of Culex pipiens and this virus has no aggregate effect
> on our systems, so repeated infection attempts will cause no symptoms other
> than mild irritation. It is expected to mutate into an Acquired Humour
> Deficiency Syndrome agent in the near future; countermeasures are already
> in place.
> > Regards > > -ac > > > -- > ============================================================== > Alex Charalabidis (AC8139) 5050 Poplar Ave, Ste 170 > Systems Administrator Memphis, TN 38157 > WebNet Memphis (901) 432 6000 > Author, The Book of IRC http://www.bookofirc.com/ > ============================================================== > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 17 23:46:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 59E4937B42C for ; Thu, 17 Aug 2000 23:46:06 -0700 (PDT) Received: from softweyr.com (Foolstrustident!@homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id AAA06760; Fri, 18 Aug 2000 00:45:27 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <399CDD03.EDB5F11F@softweyr.com> Date: Fri, 18 Aug 2000 00:51:47 -0600 
From: Wes Peters
Organization: Softweyr LLC
To: Andrey Lakhno
Cc: sthaug@nethelp.no, security@FreeBSD.ORG
Subject: Re: deny incoming icmp
References: <200008171414.HAA02662@pau-amma.whistle.com> <57904.966523813@verdi.nethelp.no> <20000817191957.A5618@daemon.dnepr.net>

Andrey Lakhno wrote:
>
> Hi sthaug!
>
> On Thu, 17 Aug 2000, sthaug@nethelp.no wrote:
>
> > > >Traceroute uses ICMP types 0 (Echo Reply), 8 (Echo request) and 11 (TTL
> > > >expired) to determine the route to the host.
> > >
> > > That didn't seem quite right to me, so I looked (in
> > > /usr/src/contrib/traceroute/traceroute.c); there is a rather large
> > > comment block near the beginning of the file tagged
> > >
> > > * -- Van Jacobson (van@ee.lbl.gov)
> > > * Tue Dec 20 03:50:13 PST 1988
> > >
> > > that explains how & why the program uses high-numbered UDP datagrams for
> > > the probes. It does rely on ICMP (time exceeded; ICMP type 11) for
> > > receiving notification from a router, though.
> >
> > The Microsoft implementation of traceroute uses ICMP instead of UDP
> > though...
>
> Where can I read about Microsoft implementation of traceroute ?
> Or could you explain in a few words how it works ?

Just grab a packet trace of it running.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                  Softweyr LLC
wes@softweyr.com                                       http://softweyr.com/

From owner-freebsd-security Fri Aug 18 07:45:09 2000
Date: Fri, 18 Aug 2000 09:36:43 -0500 (CDT)
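An added example, not code from any post in this thread, of what "grab a packet trace" comes down to once you have one: the classifier below takes a captured IPv4/ICMP packet and tells the UDP-probe traceroute described in the quoted comment block (high-numbered UDP ports, answered by ICMP type 11) from an ICMP-echo traceroute such as the Windows one mentioned. It looks only at the ICMP type and, for type 11, at the quoted IP and transport header that RFC 792 requires the router to echo back. Sample packets are constructed inline; addresses and checksums are left zero, and the port 33434 and the helper names are assumptions of the example.

```c
/* Added example; not code from the thread.  Classify a captured IPv4/ICMP
 * packet as a defender reading a packet trace would: the UDP-probe traceroute
 * described in the quoted comment block (high UDP ports, answered by ICMP
 * type 11) versus an ICMP-echo traceroute such as the Windows one mentioned.
 * Packets are constructed inline; addresses and checksums are left zero. */
#include <stdint.h>
#include <string.h>

enum probe_kind {
    PK_MALFORMED = 0,
    PK_ECHO_REQUEST,       /* ICMP type 8: an ICMP-style probe on the wire */
    PK_TTL_EXCEEDED_UDP,   /* type 11 quoting a UDP probe: BSD traceroute */
    PK_TTL_EXCEEDED_ICMP,  /* type 11 quoting an ICMP echo: Windows style */
    PK_OTHER_ICMP
};

/* IPv4 header length in bytes, or 0 if 'len' bytes cannot hold a valid one. */
static size_t ipv4_hdr_len(const uint8_t *p, size_t len)
{
    size_t hlen;
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    hlen = (size_t)(p[0] & 0x0f) * 4;
    return (hlen < 20 || hlen > len) ? 0 : hlen;
}

/* Classify one packet starting at its IP header.  A type 11 message quotes
 * the offending packet's IP header plus 8 bytes of payload (RFC 792): enough
 * to read the probe's protocol and, for UDP, its destination port.  Anything
 * shorter is reported as malformed rather than guessed at. */
enum probe_kind classify_icmp(const uint8_t *pkt, size_t len, uint16_t *udp_dport)
{
    size_t ihl = ipv4_hdr_len(pkt, len), icmp_len, inner_ihl;
    const uint8_t *icmp, *inner;

    if (udp_dport) *udp_dport = 0;
    if (ihl == 0 || pkt[9] != 1 /* IPPROTO_ICMP */) return PK_MALFORMED;
    icmp = pkt + ihl;
    icmp_len = len - ihl;
    if (icmp_len < 8) return PK_MALFORMED;
    if (icmp[0] == 8) return PK_ECHO_REQUEST;
    if (icmp[0] != 11) return PK_OTHER_ICMP;
    inner = icmp + 8;                        /* quoted probe: IP header + 8 bytes */
    inner_ihl = ipv4_hdr_len(inner, icmp_len - 8);
    if (inner_ihl == 0 || icmp_len - 8 < inner_ihl + 8) return PK_MALFORMED;
    if (inner[9] == 17 /* IPPROTO_UDP */) {
        if (udp_dport)
            *udp_dport = (uint16_t)((inner[inner_ihl + 2] << 8) | inner[inner_ihl + 3]);
        return PK_TTL_EXCEEDED_UDP;
    }
    if (inner[9] == 1 && inner[inner_ihl] == 8)
        return PK_TTL_EXCEEDED_ICMP;
    return PK_OTHER_ICMP;
}

/* Constructed IPv4 header: version 4, IHL 5, given protocol and total length. */
static size_t put_ipv4(uint8_t *b, uint8_t proto, uint16_t total)
{
    memset(b, 0, 20);
    b[0] = 0x45;
    b[2] = (uint8_t)(total >> 8);
    b[3] = (uint8_t)total;
    b[9] = proto;
    return 20;
}

/* Constructed samples.  0: a router's TTL-exceeded quoting a UDP probe to port
 * 33434 (traceroute's usual base port); 1: TTL-exceeded quoting an ICMP echo
 * request; 2: a bare echo request; 3: sample 0 with the quoted packet cut
 * short.  Returns the packet length. */
size_t build_sample(int which, uint8_t *buf)
{
    size_t n = put_ipv4(buf, 1, which == 2 ? 28 : 56);
    memset(buf + n, 0, 8);
    buf[n] = (which == 2) ? 8 : 11;          /* echo request or time exceeded */
    n += 8;
    if (which == 2)
        return n;
    n += put_ipv4(buf + n, which == 1 ? 1 : 17, 28);   /* quoted probe header */
    memset(buf + n, 0, 8);
    if (which == 1)
        buf[n] = 8;                          /* quoted echo request */
    else {
        buf[n + 2] = 33434 >> 8;             /* quoted UDP destination port */
        buf[n + 3] = 33434 & 0xff;
    }
    return which == 3 ? n + 4 : n + 8;
}

/* Classification of sample 'which', and its quoted UDP port (0 if none). */
enum probe_kind sample_kind(int which)
{
    uint8_t buf[64];
    return classify_icmp(buf, build_sample(which, buf), NULL);
}

unsigned sample_udp_port(int which)
{
    uint8_t buf[64];
    uint16_t dport;
    classify_icmp(buf, build_sample(which, buf), &dport);
    return dport;
}
```

On a real capture, feed each ICMP packet (starting at its IP header) to classify_icmp; a run of type 11 replies quoting UDP ports that climb from 33434 is the BSD tool, while the same replies quoting echo requests, interleaved with plain echo requests, is the ICMP variant. The length check on the quoted packet matters: routers are only required to return the header plus 8 bytes, so reading a port from anything shorter would be guessing.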
From: James Wyatt
To: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] why does my firewall degrade Web performance?
In-Reply-To: <200008171558.JAA23163@nomad.yogotech.com>

Doesn't load average count the average number of processes waiting on
(or in) a 'run' state? Don't the ipfw functions get performed by the
kernel? If so, wouldn't the only rise in load average be from a
secondary effect on 'coalmine canary' like programs? If you aren't
running apache or lotsa sendmail or something would loadave even go up
much under heavy load? Just wanting to learn how things work - Jy@

On Thu, 17 Aug 2000, Nate Williams wrote:

> > : > The firewall machine CPU load is always light. It is a Pentium II Celeron
> > : > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
[ ... ]
> No kidding. I have 133 on my firewall, and it's a 486/66, and it keeps
> up *just fine* running with a 100MB ethernet connected to a T1.
>
> I've never seen the box under any load average, and it's been on the net
> since '93. We used a 486 for firewall in commercial products (and
> would continue to do so except that you can't find them anymore).

From owner-freebsd-security Fri Aug 18 09:32:49 2000
Date: Fri, 18 Aug 2000 12:32:44 -0400 (EDT)
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] why does my firewall degrade Web performance?

Personally, I think we're straying a bit from 'security' - but it's close
enough that I guess I can chime in with something that may help improve
someone's "gut feel" sense. (which is why I liked reading the other
messages in this thread- thanks all)

We run a firewall with about 3000 rules- used mainly for bandwidth
tracking purposes. The highest load average I ever see is about .1 (when
the bandwidth tracking scripts update our database) but the telling
numbers are this line from "top" but also available in other utilities
like iostat, etc.

> CPU states:  0.0% user,  0.0% nice,  0.0% system, 40.5% interrupt, 59.5% idle

The interrupt load on that machine is about 10 or 20 times higher than
on any of the machines behind the wall. (which of course makes perfect
sense) The hardware is a 400MHz Celeron- slowest thing we could find at
the time, 64MB RAM, 100MB NIC, connected to a dual T1 through an etinc
interface. (in other words it's a router-firewall in one box) The software
is FreeBSD 3.3R and ipfw.

I've never had trouble with slow browsing from the outside, even during
heavy use periods. (although to be honest we've never fully maxxed our
connection out) YMMV, but I'd say that the problems described would be a
duplex-mismatch or other oddball thing. Firewalling just isn't that hard on
the CPU, a Cisco 2500 is like a 68030- right?

Anyway, hope this helps a little.
-=Jim=-

From owner-freebsd-security Fri Aug 18 09:48:55 2000
Date: Fri, 18 Aug 2000 12:48:40 -0400
From: Bill Fumerola
To: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] why does my firewall degrade Web performance?
Message-ID: <20000818124839.R65562@jade.chc-chimes.com>
In-Reply-To: from jim@federation.addy.com on Fri, Aug 18, 2000 at 12:32:44PM -0400

On Fri, Aug 18, 2000 at 12:32:44PM -0400, Jim Sander wrote:

> We run a firewall with about 3000 rules- used mainly for bandwidth
> tracking purposes. The highest load average I ever see is about .1 (when
> the bandwidth tracking scripts update our database) but the telling
> numbers are this line from "top" but also available in other utilities
> like iostat, etc.
>
> > CPU states:  0.0% user,  0.0% nice,  0.0% system, 40.5% interrupt, 59.5% idle
>
> The interrupt load on that machine is about 10 or 20 times higher than
> on any of the machines behind the wall. (which of course makes perfect
> sense) The hardware is a 400MHz Celeron- slowest thing we could find at
> the time, 64MB RAM, 100MB NIC, connected to a dual T1 through an etinc
> interface. (in other words it's a router-firewall in one box) The software
> is FreeBSD 3.3R and ipfw.
>
> I've never had trouble with slow browsing from the outside, even during
> heavy use periods. (although to be honest we've never fully maxxed our
> connection out) YMMV, but I'd say that the problems described would be a
> duplex-mismatch or other oddball thing. Firewalling just isn't that hard on
> the CPU, a Cisco 2500 is like a 68030- right?

ipfw with that many rules _is_ slow and will eat interrupt CPU as you see
there. you might want to consolidate your rules, unless you're using skipto.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Fri Aug 18 11:58:06 2000
Date: Fri, 18 Aug 2000 21:00:28 +0200
From: Jens Sauer
Reply-To: Jens Sauer
To: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Where to get TIS FWTK-Port
Message-Id: <20000818185800.4DF9A37B424@hub.freebsd.org>

Hi all,

I'm not able to find the TIS Firewall Toolkit port on any of the
FreeBSD FTP servers around, although the port name is listed in the
index files for all ports (../security/fwtk/) on these servers.
But I can't find it in the package browser either.
Can somebody help me out, since I only have the downloaded
4.1 bootable CD?

Thanks
Jens

From owner-freebsd-security Fri Aug 18 12:33:16 2000
Date: Fri, 18 Aug 2000 15:33:03 -0400 (EDT)
X-Sender: joeo@ra.nks.net
To: Jens Sauer
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Where to get TIS FWTK-Port
In-Reply-To: <20000818185800.48CF137B423@hub.freebsd.org>

You need to download the sources separately. Used to be you had to find
the request page at www.tis.com (before they were bought) and submit a
form agreeing to some licensing restrictions, and they'd email back an
ftp directory to grab the sources from.

I am not sure if the toolkit is still available, as TIS dropped support
(as in making contributed patches available) for it a few years ago...

On Fri, 18 Aug 2000, Jens Sauer wrote:

> Hi all,
>
> I'm not able to find the TIS Firewall Toolkit port on any of the
> FreeBSD FTP servers around, although the port name is listed in the
> index files for all ports (../security/fwtk/) on these servers.
> But I can't find it in the package browser either.
> Can somebody help me out, since I only have the downloaded
> 4.1 bootable CD?
>
> Thanks
> Jens

From owner-freebsd-security Fri Aug 18 13:22:53 2000
Date: Fri, 18 Aug 2000 22:25:16 +0200
From: Jens Sauer
Reply-To: Jens Sauer
To: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Cc: jedgar@fxp.org, joeo@cracktown.com
Subject: Re: Where to get TIS FWTK-Port
Message-Id: <20000818202247.B403437B424@hub.freebsd.org>

>On Fri, 18 Aug 2000, Chris D. Faulhaber wrote:
>Looking at the port's Makefile, you will find:
>RESTRICTED= "No form of redistribution is allowed"
>which means you will not be able to download a binary package. However,
>you should be able to use the port (follow the directions provided when
>you type 'make') to compile and install fwtk.
>-----
>Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org

Thank you too. I have now found someone else's tip on the fwtk-users
mailing list archive. It sounds like this:

>>J A Shamsi wrote:
>>If you have the ports collection installed copy the 2 main
>>gzipped files to /usr/ports/distfiles. Go to
>>/usr/ports/security/fwtk and type make then make install.
>>
>>To install any patches you want you can type make then
>>make clean. Then modify the source then type make and
>>make install.
>>
>>If you don't have the ports collection installed then look
>>at fwtk-2.1 under:
>>http://www.freebsd.org/ports/security.html
>>
>>Syntax

So, together with your help, I will give it a try.

Thanks again
Cheers, Jens

From owner-freebsd-security Fri Aug 18 13:46:15 2000
From: Luigi Rizzo
Message-Id: <200008182048.WAA09758@info.iet.unipi.it>
Subject: Re: [avalon@COOMBS.ANU.EDU.AU: Ip packet filtering with bridging on freebsd] (fwd)
To: freebsd-security@freefall.freebsd.org
Date: Fri, 18 Aug 2000 22:48:05 +0200 (CEST)
Cc: Luigi Rizzo

I was informed by a few people of a thread on alleged problems with
ipfw+bridging, so i think i should say a few things on the subject.

Darren was complaining that net/bridge.c was missing some sanity
checks on packets before passing them to ip_fw_chk(). I looked at
his proposed fix on -security archives (i am not subscribed to the
list, this is why i did not react).

I am not sure which version of FreeBSD Darren refers to -- the
missing checks were there when i committed the code to 3.x and 4.x
-- only thing, they are|were located in /sys/netinet/ip_fw.c,
function ip_fw_chk() near this section of code:

	if (pip) { /* normal ip packet */
	    ip = *pip;
	    offset = (ip->ip_off & IP_OFFMASK);
	} else { /* bridged or non-ip packet */
	    struct ether_header *eh = mtod(*m, struct ether_header *);

	    switch (ntohs(eh->ether_type)) {
	    case ETHERTYPE_IP :
		...

and the checks are here, doing all things which are in Darren's
proposed patch. So i think RELENG_3 and RELENG_4_0_RELEASE are safe
from this point of view.

This part of the code got in fact nuked in rev 1.134 of ip_fw.c when
Archie Cobbs did his changes to ether_input(); but with a subsequent
change to net/bridge.c on June 2nd Archie also removed ipfw support
for bridged packets. So we lost some functionality in RELENG_4, 4.1
and CURRENT (including some problems with bridging of multicast
traffic), but i do not believe that we lost safety.

Remember, RELENG_3 is still safe and good for doing ipfw filtering on
bridged packets (modulo other bugs that i am unaware of), and so is
the floppy image that you can get from my dummynet page.

Speaking of Archie's changes to ether_input(): I did like the idea of
putting common parts from the drivers into ether_input(). I disagreed
(by email both to the list and to Archie) on the way this was done
(e.g. without testing that bridging still worked as before, and
eventually removing some functionality); but being idle like i was
has never been a good excuse for stopping progress in FreeBSD so in a
sense i think Archie did the right thing and whatever was lost in the
process may be fixed in the future should someone have a strong need.

Hope this clarifies things -- sorry for not reacting earlier but i am
not subscribing to -security (so please Cc me) and did not know it
was such a big deal.

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
Mobile   +39-347-0373137
-----------------------------------+-------------------------------------

From owner-freebsd-security Fri Aug 18 14:40:22 2000
Date: Fri, 18 Aug 2000 16:45:46 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: Binary Compatibility

I have a question about FreeBSD binary compatibility :

- What kind of binaries can be supported by FreeBSD?

I know about Linux Compatibility... but, what else???

Thanks.

=======================================================================
Buliwyf McGraw
Administrador del Servidor Libertad
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================

From owner-freebsd-security Fri Aug 18 14:50:35 2000
Date: Fri, 18 Aug 2000 17:50:24 -0400
From: Pete Fritchman
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Binary Compatibility
Message-ID: <20000818175024.L23548@databits.net>
In-Reply-To: from buliwyf@libertad.univalle.edu.co on Fri, Aug 18, 2000 at 04:45:46PM -0500

FreeBSD supports the following binary types (of course, you have to define
the appropriate options in your kernel):

- 4.3BSD (and older FreeBSD)
- Linux
- Svr4

This is not really a -security related question, in the future this would
be more appropriate for -questions probably.

-Pete

++ 18/08/00 16:45 -0500 - Buliwyf McGraw:
>
> I have a question about FreeBSD binary compatibility :
>
> - What kind of binaries can be supported by FreeBSD?
>
> I know about Linux Compatibility... but, what else???
>
> Thanks.

--
Pete Fritchman
Databits Network Services, Inc
http://www.databits.net
finger: petef@analog.databits.net

From owner-freebsd-security Fri Aug 18 16:13:31 2000
Date: Sat, 19 Aug 2000 00:57:52 +0200
From: "H. Eckert"
To: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] why does my firewall degrade Web performance?
Message-ID: <20000819005752.A42236@server.nostromo.in-berlin.de>
References: <200008171558.JAA23163@nomad.yogotech.com>
In-Reply-To: from jwyatt@rwsystems.net on Fri, Aug 18, 2000 at 09:36:43AM -0500

Quoting James Wyatt (jwyatt@rwsystems.net):
> Doesn't load average count the average number of processes waiting on
> (or in) a 'run' state? Don't the ipfw functions get performed by the
> kernel? If so, wouldn't the only rise in load average be from a
> secondary effect on 'coalmine canary' like programs? If you aren't
> running apache or lotsa sendmail or something would loadave even go up
> much under heavy load?

Well, yes. But look at "top" which monitors active processes:

last pid: 42568;  load averages:  0.11,  0.06,  0.01   up 57+22:27:13  00:44:58
48 processes:  1 running, 47 sleeping
CPU states:  0.4% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.6% idle
Mem: 10M Active, 5768K Inact, 9596K Wired, 3428K Cache, 3394K Buf, 488K Free
Swap: 254M Total, 30M Used, 224M Free, 12% Inuse

As you can see in the output, my machine is 99.6% idle. If there's
a lot of network activity at the kernel level going on, it is shown
as system or interrupt load. So one can easily see how busy the machine
is, even if there's no user process actively using up CPU cycles.

Greetings,
    Ripley
--
H. Eckert, 10777 Berlin, Germany, http://me.in-berlin.de/~nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabbel)" (Jetrel) - "Müssen wir uns diesen Schwachsinn wirklich
anhören?" (Neelix)

From owner-freebsd-security Fri Aug 18 17:35:48 2000
Message-Id: <4.3.1.2.20000818172410.00ba9f08@mail.imag.net>
Date: Fri, 18 Aug 2000 17:38:43 -0700
To: freebsd-security@freebsd.org
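An added example, not code from any post in this thread, that applies the point H. Eckert and Jim Sander make above: load average counts runnable processes, so a box that spends its time in ipfw shows up only in the system and interrupt columns of top's "CPU states:" line. The parser below reads that line, rejects anything that does not add up to a whole CPU, and flags a high kernel share. The sample lines are constructed in the shape of the two posts (one of them with the "59.5%idle" spacing as pasted), and the 25% threshold, the function names and the -1 convention are assumptions of the example, not FreeBSD settings.

```c
/* Added example; not code from the thread.  Parse top(1)'s "CPU states:"
 * line and flag a machine that is busy in the kernel even though its load
 * average is near zero.  Sample lines are constructed; the threshold used
 * by the caller is an assumption for this example, not a FreeBSD setting. */
#include <stdio.h>
#include <string.h>

struct cpu_states {
    double user, nice, system, interrupt, idle;
};

/* Parse a line such as
 *   CPU states:  0.4% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.6% idle
 * Returns 1 on success, 0 if the line is not a plausible CPU-states line
 * (wrong shape, or the five shares do not add up to about 100%). */
int parse_cpu_states(const char *line, struct cpu_states *cs)
{
    const char *p = strstr(line, "CPU states:");
    double sum;

    if (p == NULL)
        return 0;
    /* A space in the format matches any run of whitespace, including none,
     * so "59.5%idle" (as pasted in one post) parses like "59.5% idle". */
    if (sscanf(p, "CPU states: %lf%% user, %lf%% nice, %lf%% system,"
                  " %lf%% interrupt, %lf%% idle",
               &cs->user, &cs->nice, &cs->system, &cs->interrupt, &cs->idle) != 5)
        return 0;
    sum = cs->user + cs->nice + cs->system + cs->interrupt + cs->idle;
    return sum > 99.0 && sum < 101.0;
}

/* Kernel-side share: what packet filtering and interrupt handling cost. */
double kernel_share(const struct cpu_states *cs)
{
    return cs->system + cs->interrupt;
}

/* 1 = busy in the kernel, 0 = not, -1 = not a CPU-states line.
 * A firewall can sit at load average 0.0x and still return 1 here. */
int firewall_busy(const char *top_line, double threshold_pct)
{
    struct cpu_states cs;

    if (!parse_cpu_states(top_line, &cs))
        return -1;
    return kernel_share(&cs) >= threshold_pct;
}

/* Constructed sample lines in the shape of the two posts above. */
const char *sample_line(int which)
{
    static const char *lines[] = {
        "CPU states:  0.0% user,  0.0% nice,  0.0% system, 40.5% interrupt, 59.5%idle",
        "CPU states:  0.4% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.6% idle",
        "Mem: 10M Active, 5768K Inact, 9596K Wired, 3428K Cache, 3394K Buf, 488K Free",
    };
    return (which >= 0 && which < 3) ? lines[which] : "";
}

int main(void)
{
    int i;
    for (i = 0; i < 3; i++)
        printf("%s\n  -> busy=%d\n", sample_line(i), firewall_busy(sample_line(i), 25.0));
    return 0;
}
```

Piping `top -b` (or `vmstat` output, with a different format string) through this once a minute gives a history of kernel share that load-average graphs will never show; the 3000-rule firewall from Jim Sander's post would register as busy on every sample while reporting a load average of 0.1.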
From: Luke Cowell
Subject: Re: [Q] why does my firewall degrade Web performance?
In-Reply-To: <20000819005752.A42236@server.nostromo.in-berlin.de>
References: <200008171558.JAA23163@nomad.yogotech.com>

I had a NAT firewall setup for my wave connection at home. I had some old
cable I decided to run through my wall. When all was said and done it did
not work as expected. I did see that my interrupt % was very high (90%
approx) the culprit was a faulty cable. This may be part of your problem
because when you introduced the firewall to the system you would have
introduced additional cabling.

Luke

At 12:57 AM 8/19/2000 +0200, you wrote:
>Quoting James Wyatt (jwyatt@rwsystems.net):
> > Doesn't load average count the average number of processes waiting on
> > (or in) a 'run' state? Don't the ipfw functions get performed by the
> > kernel? If so, wouldn't the only rise in load average be from a
> > secondary effect on 'coalmine canary' like programs? If you aren't
> > running apache or lotsa sendmail or something would loadave even go up
> > much under heavy load?
>
>Well, yes. But look at "top" which monitors active processes:
>
>last pid: 42568;  load averages:  0.11,  0.06,  0.01   up 57+22:27:13  00:44:58
>48 processes:  1 running, 47 sleeping
>CPU states:  0.4% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.6% idle
>Mem: 10M Active, 5768K Inact, 9596K Wired, 3428K Cache, 3394K Buf, 488K Free
>Swap: 254M Total, 30M Used, 224M Free, 12% Inuse
>
>As you can see in the output, my machine is 99.6% idle. If there's
>a lot of network activity at the kernel level going on, it is shown
>as system or interrupt load. So one can easily see how busy the machine
>is, even if there's no user process actively using up CPU cycles.
>
>
>Greetings,
>    Ripley
>--
>H. Eckert, 10777 Berlin, Germany, http://me.in-berlin.de/~nostromo/
>ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
>"(Technobabbel)" (Jetrel) - "Müssen wir uns diesen Schwachsinn wirklich
>anhören?" (Neelix)

From owner-freebsd-security Fri Aug 18 18:32:34 2000
Message-ID: <000d01c0097d$603f5860$03030303@john>
From: "John"
To: freebsd-security@freebsd.org
References: <200008171558.JAA23163@nomad.yogotech.com> <4.3.1.2.20000818172410.00ba9f08@mail.imag.net>
Subject: Re: [Q] why does my firewall degrade Web performance?
Date: Fri, 18 Aug 2000 21:32:44 -0400

As I stated to this issue before. Benchmark your webserver from inside your
local network then test it from outside your local network. This will give
you a much better idea of what is happening.

----- Original Message -----
From: "Luke Cowell"
To: freebsd-security@freebsd.org
Sent: Friday, August 18, 2000 8:38 PM
Subject: Re: [Q] why does my firewall degrade Web performance?

I had a NAT firewall setup for my wave connection at home. I had some old
cable I decided to run through my wall. When all was said and done it did
not work as expected. I did see that my interrupt % was very high (90%
approx) the culprit was a faulty cable. This may be part of your problem
because when you introduced the firewall to the system you would have
introduced additional cabling.

Luke

At 12:57 AM 8/19/2000 +0200, you wrote:
>Quoting James Wyatt (jwyatt@rwsystems.net):
> > Doesn't load average count the average number of processes waiting on
> > (or in) a 'run' state? Don't the ipfw functions get performed by the
> > kernel? If so, wouldn't the only rise in load average be from a
> > secondary effect on 'coalmine canary' like programs? If you aren't
> > running apache or lotsa sendmail or something would loadave even go up
> > much under heavy load?
>
>Well, yes. But look at "top" which monitors active processes:
>
>last pid: 42568;  load averages:  0.11,  0.06,  0.01   up 57+22:27:13  00:44:58
>48 processes:  1 running, 47 sleeping
>CPU states:  0.4% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.6% idle
>Mem: 10M Active, 5768K Inact, 9596K Wired, 3428K Cache, 3394K Buf, 488K Free
>Swap: 254M Total, 30M Used, 224M Free, 12% Inuse
>
>As you can see in the output, my machine is 99.6% idle. If there's
>a lot of network activity at the kernel level going on, it is shown
>as system or interrupt load. So one can easily see how busy the machine
>is, even if there's no user process actively using up CPU cycles.
>
>
>Greetings,
>    Ripley
>--
>H. Eckert, 10777 Berlin, Germany, http://me.in-berlin.de/~nostromo/
>ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
>"(Technobabbel)" (Jetrel) - "Müssen wir uns diesen Schwachsinn wirklich
>anhören?" (Neelix)

From owner-freebsd-security Fri Aug 18 18:45:09 2000
Date: Fri, 18 Aug 2000 20:41:59 -0500 (CDT)
From: James Wyatt To: freebsd-security@freebsd.org Subject: Re: [Q] why does my firewall degrade Web performance? In-Reply-To: <4.3.1.2.20000818172410.00ba9f08@mail.imag.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am *amazed* at how much a simple 90 degree bend in a 100bT (or 10bT) can ruin throughput in a cable. Forget it straight-out if you have a kink! If you ever have access to a TDR cable tester, grab a cheap patch cable or long cable or two and try it. Nothing teaches like experimentation! That said, the advice to try uploading and downloading from both ends to the machine in the middle is just plain sage. Cut your problems in half a few times and you'll be within inches of them. - Jy@ On Fri, 18 Aug 2000, Luke Cowell wrote: > I had a NAT firewall setup for my wave connection at home. I had some old > cable I decided to run through my wall. When all was said and done it did > not work as expected. I did see that my interrupt % was very high (90% > approx) the culprit was a faulty cable. This may be part of you problem > because when you introduced the firewall to the system you would of > introduced additional cabling. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 18 20:57:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from w2xo.pgh.pa.us (ipl-229-002.npt-sdsl.stargate.net [208.223.229.2]) by hub.freebsd.org (Postfix) with ESMTP id 128D237B43C for ; Fri, 18 Aug 2000 20:57:15 -0700 (PDT) Received: from w2xo.w2xo.pgh.pa.us (w2xo.w2xo.pgh.pa.us [192.168.5.1]) by w2xo.pgh.pa.us (8.9.3/8.9.3) with ESMTP id DAA36515 for ; Sat, 19 Aug 2000 03:57:08 GMT (envelope-from durham@w2xo.pgh.pa.us) Date: Sat, 19 Aug 2000 03:57:08 +0000 (GMT) 
From: Jim Durham
To: freebsd-security@freebsd.org
Subject: PPTP
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Does anyone have any advice regarding security problems caused by PPTP using PopTop on FreeBSD?

We'd like to implement this, but I'm a little nervous about it, having heard that the cypher has been cracked. Is this true? How about root access from buffer overflows, etc?

Jim Durham

From owner-freebsd-security Fri Aug 18 22:56:51 2000
Delivered-To: freebsd-security@freefall.freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 572F937B423 for ; Fri, 18 Aug 2000 22:56:44 -0700 (PDT)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id PAA16336; Sat, 19 Aug 2000 15:56:22 +1000 (EST)
From: Darren Reed
Message-Id: <200008190556.PAA16336@cairo.anu.edu.au>
Subject: Re: [avalon@COOMBS.ANU.EDU.AU: Ip packet filtering with bridging on
To: luigi@info.iet.unipi.it (Luigi Rizzo)
Date: Sat, 19 Aug 2000 15:56:22 +1000 (Australia/NSW)
Cc: freebsd-security@freefall.freebsd.org
In-Reply-To: <200008182048.WAA09758@info.iet.unipi.it> from "Luigi Rizzo" at Aug 18, 2000 10:48:05 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Luigi Rizzo, sie said:
>
> I was informed by a few people of a thread on alleged problems with
> ipfw+bridging, so i think i should say a few things on the subject.
>
> Darren was complaining that net/bridge.c was missing some sanity
> checks on packets before passing them to ip_fw_chk(). I looked at
> his proposed fix on -security archives (i am not subscribed to the
> list, this is why i did not react).
>
> I am not sure which version of FreeBSD Darren refers to -- the

What's in -current.

> missing checks were there when i committed the code to 3.x and 4.x
> -- only thing, they are|were located in /sys/netinet/ip_fw.c,
> function ip_fw_chk() near this section of code:

[...]

Huh ?  Can you point to *exact* versions of the relevant files ?

I'm looking at /sys/net/bridge.c (1.23) and I see:

    if (ntohs(eh->ether_type) != ETHERTYPE_IP)
        goto forward ; /* not an IP packet, ipfw is not appropriate */
    /*
     * In this section, canfree=1 means m is the same as *m0.
     * canfree==0 means m is a copy. We need to make a copy here
     * (to be destroyed on exit from the firewall section) because
     * the firewall itself might destroy the packet.
     * (This is not very smart... i should really change ipfw to
     * leave the pkt alive!)
     */
    if (canfree == 0 ) {
        /*
         * Need to make a copy (and for good measure, make sure that
         * the header is contiguous). The original is still in *m0
         */
        int needed = min(MHLEN, max_protohdr) ;
        needed = min(needed, (*m0)->m_len ) ;

        m = m_copypacket( (*m0), M_DONTWAIT);
        if (m == NULL) {
            printf("-- bdg: m_copypacket failed.\n") ;
            return ENOBUFS ;
        }
        if (m->m_len < needed && (m = m_pullup(m, needed)) == NULL) {
            printf("-- bdg: pullup failed.\n") ;
            return ENOBUFS ;
        }
    }

Which is *NOT* sufficient.

Version 1.138 of ip_fw.c does not have "ETHERTYPE_IP" anywhere in it.

Version 1.131.2.1 (FreeBSD 4.0) has this in ip_fw.c:

        case ETHERTYPE_IP :
            /*
             * The archived copy of this mail lost the text between
             * "m_len" and "ip_v" (an unescaped '<' swallowed it); the
             * length test, mtod() and version test that follow are
             * reconstructed from that revision of ip_fw.c.
             */
            if ((*m)->m_len < sizeof(struct ip))
                goto non_ip ;
            ip = mtod(*m, struct ip *);
            if (ip->ip_v != IPVERSION)
                goto non_ip ;
            hlen = ip->ip_hl << 2;
            if (hlen < sizeof(struct ip)) /* minimum header length */
                goto non_ip ;
            if ((*m)->m_len < 14 + hlen + 14) {
                printf("-- m_len %d, need more...\n", (*m)->m_len);
                goto non_ip ;
            }
            offset = (ip->ip_off & IP_OFFMASK);
            break ;
        default :
        non_ip:
            ip = NULL ;
            break ;
        }

Which almost does the right thing. It will cause some packets to be dropped when they shouldn't (what is "14 + hlen + 14" ?). Having looked at other ipfw code, it would *appear* this is a cheap way of saying "sizeof(struct ether_header) + hlen + some_magic_bytes", where some_magic_bytes is hopefully enough to get all the important TCP fields.

Furthermore, ip_len is never checked ... it's unclear if this poses a threat to icmp_error()/tcp_respond(). Luckily the "state" code for ipfw has not reached a level of sophistication where it examines the ICMP payload as does IP Filter.
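[Editor's added illustration, not part of Darren's mail or of bridge.c/ip_fw.c: the version, header-length and total-length checks the thread argues a bridge must apply before a frame reaches the firewall hook, written against a plain byte buffer so it runs in user space, and including the ip_len check Darren notes is absent. Function and constant names are the editor's own; the header layout follows RFC 791; the sample frames are constructed, not captured.]

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHER_HDR_LEN 14
#define ETHERTYPE_IP  0x0800
#define IPVERSION     4
#define IP_MIN_HLEN   20      /* sizeof(struct ip) with no options */
#define IP_OFFMASK    0x1fff

/* Why a frame was (or was not) accepted for firewall inspection. */
enum ip_check {
    IP_OK = 0,
    IP_NOT_IP,      /* not IPv4: the bridge forwards it, ipfw never sees it */
    IP_TRUNC_HDR,   /* fewer than 20 IP bytes present, so ip_len is not readable */
    IP_BAD_VERSION, /* ip_v != 4 */
    IP_BAD_HLEN,    /* ip_hl < 20 bytes, or options run past the frame */
    IP_BAD_LEN      /* ip_len shorter than the header or longer than the frame */
};

/* What a caller may rely on once check_ip_frame() returns IP_OK. */
struct ip_view {
    unsigned hlen;     /* header length, bytes */
    unsigned tot_len;  /* ip_len, host order */
    unsigned frag_off; /* fragment offset, 8-byte units */
};

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Validate an Ethernet frame of 'len' bytes before any transport field is
 * touched. Every length is tested against what was actually received,
 * never against what the header claims. */
enum ip_check check_ip_frame(const uint8_t *frame, size_t len, struct ip_view *v)
{
    if (len < ETHER_HDR_LEN || be16(frame + 12) != ETHERTYPE_IP)
        return IP_NOT_IP;

    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t avail = len - ETHER_HDR_LEN;

    if (avail < IP_MIN_HLEN)
        return IP_TRUNC_HDR;
    if ((ip[0] >> 4) != IPVERSION)
        return IP_BAD_VERSION;

    unsigned hlen = (ip[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN || hlen > avail)
        return IP_BAD_HLEN;

    /* The ip_len check the thread says is missing: an ip_len larger than
     * the frame would let later code (an ICMP error reply, for instance)
     * copy bytes that were never received. */
    unsigned tot = be16(ip + 2);
    if (tot < hlen || tot > avail)
        return IP_BAD_LEN;

    if (v) {
        v->hlen = hlen;
        v->tot_len = tot;
        v->frag_off = be16(ip + 6) & IP_OFFMASK;
    }
    return IP_OK;
}

/* Constructed sample frame (not a capture): Ethernet header, IPv4 header,
 * no payload. build_frame() fills it and returns the frame length to use. */
static uint8_t sample_frame[ETHER_HDR_LEN + 64];

size_t build_frame(uint8_t ver_ihl, unsigned ip_len, unsigned frag, size_t ip_bytes)
{
    memset(sample_frame, 0, sizeof sample_frame);
    sample_frame[12] = 0x08;             /* ether_type = ETHERTYPE_IP */
    sample_frame[13] = 0x00;
    uint8_t *ip = sample_frame + ETHER_HDR_LEN;
    ip[0] = ver_ihl;                     /* version nibble | IHL nibble */
    ip[2] = (uint8_t)(ip_len >> 8);      /* ip_len, network order */
    ip[3] = (uint8_t)(ip_len & 0xff);
    ip[6] = (uint8_t)(frag >> 8);        /* flags + fragment offset */
    ip[7] = (uint8_t)(frag & 0xff);
    if (ip_bytes > sizeof sample_frame - ETHER_HDR_LEN)
        ip_bytes = sizeof sample_frame - ETHER_HDR_LEN;
    return ETHER_HDR_LEN + ip_bytes;
}

/* Build a frame with the given header fields, then validate it. */
enum ip_check check_built(uint8_t ver_ihl, unsigned ip_len, unsigned frag,
                          size_t ip_bytes, struct ip_view *v)
{
    size_t n = build_frame(ver_ihl, ip_len, frag, ip_bytes);
    return check_ip_frame(sample_frame, n, v);
}
```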
Darren

From owner-freebsd-security Sat Aug 19 0:16:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from grimreaper.grondar.za (grimreaper.grondar.za [196.7.18.138]) by hub.freebsd.org (Postfix) with ESMTP id 36E0C37B422 for ; Sat, 19 Aug 2000 00:16:44 -0700 (PDT)
Received: from grimreaper.grondar.za (mark@localhost [127.0.0.1]) by grimreaper.grondar.za (8.11.0/8.11.0) with ESMTP id e7J7H0G22330; Sat, 19 Aug 2000 09:17:00 +0200 (SAST) (envelope-from mark@grimreaper.grondar.za)
Message-Id: <200008190717.e7J7H0G22330@grimreaper.grondar.za>
To: Jim Durham
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PPTP
References:
In-Reply-To: ; from Jim Durham "Sat, 19 Aug 2000 03:57:08 GMT."
Date: Sat, 19 Aug 2000 09:17:00 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Does anyone have any advice regarding security problems caused by
> PPTP using PopTop on FreeBSD?
>
> We'd like to implement this, but I'm a little nervous about it,
> having heard that the cypher has been cracked. Is this true?
> How about root access from buffer overflows, etc?

Look on Bruce Schneier's site - http://www.counterpane.com (take the "labs" link). He has a cryptanalysis of PPTP there that may be what you are looking for.

M
-- 
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sat Aug 19 11:17: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from drwho.xnet.com (drwho.xnet.com [205.243.140.183]) by hub.freebsd.org (Postfix) with ESMTP id 9490737B422 for ; Sat, 19 Aug 2000 11:17:04 -0700 (PDT)
Received: from sun.segfault.lan (sun.segfault.lan [192.168.16.4]) by drwho.xnet.com (8.9.3/8.9.3) with SMTP id NAA09304 for ; Sat, 19 Aug 2000 13:17:02 -0500 (CDT)
Message-Id: <200008191817.NAA09304@drwho.xnet.com>
Date: Sat, 19 Aug 2000 13:18:13 -0500 (CDT)
From: Michael Maxwell
Reply-To: Michael Maxwell
Subject: Re: Log message improvement for rpc.statd
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: 76zpfCqq/m/tIMX/rkdImQ==
X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4m sparc
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Just noticed that someone decided to try to be annoying with
>my rpc.statd:

Is there any particular reason you *need* to have RPC visible to the outside? If not, you would be well advised to firewall this stuff, especially ports 111, 2049, etc... If there *is* a reason you need it open, then first try to find another solution. Otherwise, you'll just have to live with it.

RPC is, by nature, insecure.

Michael Maxwell       | Certified Unix Geek: BSD/Solaris/SCO
drwho @ xnet . com    | "I'm not wearing any pants..." Film at eleven.
home.xnet.com/~drwho  | "Four legs good, two legs bad." -G. Orwell/Animal Farm

From owner-freebsd-security Sat Aug 19 11:21:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 76CBA37B423 for ; Sat, 19 Aug 2000 11:21:37 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id SAA19338; Sat, 19 Aug 2000 18:17:02 GMT
Date: Sat, 19 Aug 2000 18:16:52 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: Michael Maxwell
Cc: freebsd-security@FreeBSD.ORG
Subject: Need to install stelnet,sftp ??????????????????
In-Reply-To: <200008191817.NAA09304@drwho.xnet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear all,
I need to install stelnet, sftp, shttp on a FreeBSD 3.3.

Any help?

From owner-freebsd-security Sat Aug 19 11:32:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from matrix.advancewebhosting.com (ns.advancewebhosting.com [207.35.169.2]) by hub.freebsd.org (Postfix) with ESMTP id C87CF37B440 for ; Sat, 19 Aug 2000 11:32:45 -0700 (PDT)
Received: from joelt (cr917308-a.shprd1.on.wave.home.com [24.112.71.73]) by matrix.advancewebhosting.com (8.9.3/8.9.3) with SMTP id OAA97065; Sat, 19 Aug 2000 14:28:00 -0400 (EDT) (envelope-from joe@fasti.net)
From: "Joe Oliveiro"
To: "Ali Alaoui El Hassani" <961BE653994@stud.alakhawayn.ma>, "Michael Maxwell"
Cc:
Subject: RE: Need to install stelnet,sftp ??????????????????
Date: Sat, 19 Aug 2000 14:30:46 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To:
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

They should be in your ports directory; if they aren't, try upgrading your ports collection.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ali Alaoui El Hassani
Sent: Saturday, August 19, 2000 2:17 PM
To: Michael Maxwell
Cc: freebsd-security@FreeBSD.ORG
Subject: Need to install stelnet,sftp ??????????????????

Dear all,
I need to install stelnet, sftp, shttp on a FreeBSD 3.3.

Any help?

From owner-freebsd-security Sat Aug 19 11:56:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 1DE3B37B42C for ; Sat, 19 Aug 2000 11:56:47 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id SAA19368; Sat, 19 Aug 2000 18:52:15 GMT
Date: Sat, 19 Aug 2000 18:52:15 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: Joe Oliveiro
Cc: Michael Maxwell , freebsd-security@FreeBSD.ORG
Subject: RE: Need to install stelnet,sftp ??????????????????
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So how do I check if I have them in my ports ?

On Sat, 19 Aug 2000, Joe Oliveiro wrote:

> They should be in your ports directory; if they aren't, try upgrading your
> ports collection
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ali Alaoui El
> Hassani
> Sent: Saturday, August 19, 2000 2:17 PM
> To: Michael Maxwell
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Need to install stelnet,sftp ??????????????????
>
>
> Dear all,
> I need to install
> stelnet, sftp, shttp on a FreeBSD 3.3
>
> any help?

From owner-freebsd-security Sat Aug 19 12:19:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 4BDE437B424 for ; Sat, 19 Aug 2000 12:19:42 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 19 Aug 2000 12:18:36 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id MAA11293; Sat, 19 Aug 2000 12:19:41 -0700 (PDT) (envelope-from cjc)
Date: Sat, 19 Aug 2000 12:19:40 -0700
From: "Crist J . Clark"
To: Michael Maxwell
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Log message improvement for rpc.statd
Message-ID: <20000819121940.R28027@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <200008191817.NAA09304@drwho.xnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200008191817.NAA09304@drwho.xnet.com>; from drwho@xnet.com on Sat, Aug 19, 2000 at 01:18:13PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Aug 19, 2000 at 01:18:13PM -0500, Michael Maxwell wrote:
> >Just noticed that someone decided to try to be annoying with
> >my rpc.statd:
>
> Is there any particular reason you *need* to have RPC visible to the
> outside? If not, you would be well advised to firewall this stuff,
> especially ports 111, 2049, etc... If there *is* a reason you need it
> open, then first try to find another solution. Otherwise, you'll just
> have to live with it.
>
> RPC is, by nature, insecure.

Someone asked me about this a few months back. Most of the problems with RPC daemons have been buffer overflows. Buffer overflows are not design flaws, but rather, programming errors. I was asked that provided the programs were actually written securely, is there something still inherently insecure about Sun's RPC protocols? I really did not know enough to answer definitively. I do know that the extra layer of complexity, essentially adding another layer in the network stack between TCP or UDP and the application layer, makes me nervous. Complexity bad. But if there is anything beyond that, I am not sure.

Sun isn't known for being the most security conscious vendor... but then again I am a BSD fan and BSD is associated with the notorious r* protocols. ;)

-- 
Crist J. Clark                           cjclark@alum.mit.com

From owner-freebsd-security Sat Aug 19 15:21:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 70BD437B424 for ; Sat, 19 Aug 2000 15:21:05 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id WAA19488 for ; Sat, 19 Aug 2000 22:17:04 GMT
Date: Sat, 19 Aug 2000 22:17:04 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: freebsd-security@FreeBSD.ORG
Subject: Difference btw ztelnet and telnet ?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear all,
Does anyone know the difference btw ztelnet and telnet ?

Thank you in advance
Ali

From owner-freebsd-security Sat Aug 19 15:22:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id 987FB37B424 for ; Sat, 19 Aug 2000 15:22:38 -0700 (PDT)
Received: by pawn.primelocation.net (Postfix, from userid 1016) id 57DBB9B05; Sat, 19 Aug 2000 18:22:37 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by pawn.primelocation.net (Postfix) with ESMTP id 4053CBA03; Sat, 19 Aug 2000 18:22:37 -0400 (EDT)
Date: Sat, 19 Aug 2000 18:22:37 -0400 (EDT)
From: "Chris D. Faulhaber"
X-Sender: cdf.lists@pawn.primelocation.net
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Difference btw ztelnet and telnet ?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote:

> Dear all,
> Does anyone know the difference btw ztelnet and telnet ?
>

See /usr/ports/net/ztelnet/pkg/DESCR

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Sat Aug 19 15:33:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id AD2A437B423 for ; Sat, 19 Aug 2000 15:33:48 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id WAA19526; Sat, 19 Aug 2000 22:29:42 GMT
Date: Sat, 19 Aug 2000 22:29:41 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: "Chris D. Faulhaber"
Cc: freebsd-security@FreeBSD.ORG
Subject: install SSlTelent on freeBSD 3.3 box?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear All,
I need to install ssltelnet on FreeBSD 3.3 but I could not find its port in /ports/net. What is wrong? Any idea?

Thank you in advance
Ali.

From owner-freebsd-security Sat Aug 19 17:51: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lyra.ci.uc.pt (lyra.ci.uc.pt [193.136.200.58]) by hub.freebsd.org (Postfix) with ESMTP id 0CCFE37B424 for ; Sat, 19 Aug 2000 17:51:00 -0700 (PDT)
Received: from godfather.mafia.net (pm1-54.uc.pt [193.137.211.182]) by lyra.ci.uc.pt (8.9.3/8.9.3) with ESMTP id BAA24424; Sun, 20 Aug 2000 01:50:23 +0100 (WET DST)
Message-ID:
X-Mailer: XFMail 1.4.2 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Sun, 20 Aug 2000 01:53:32 +0100 (BST)
Reply-To: pedro@qui.uc.pt
Organization: Webvolution Networks
From: Pedro Almeida
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Subject: RE: install SSlTelent on freeBSD 3.3 box?
Cc: freebsd-security@FreeBSD.ORG, "Chris D. Faulhaber"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The port exists!

http://www.freebsd.org/cgi/ports.cgi?query=ssltelnet&stype=all

If you can't find it on your ports collection, you must update your collection.

regards,
Pedro

==================================
Pedro Almeida
Web Software Engineering
Newvolution Networks
mailto: pedro@webvolution.net
http://www.webvolution.net
==================================

From owner-freebsd-security Sat Aug 19 20:54:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sentry.granch.com (sentry.granch.com [212.109.197.135]) by hub.freebsd.org (Postfix) with ESMTP id 3DAAE37B43C for ; Sat, 19 Aug 2000 20:54:23 -0700 (PDT)
Received: (from shelton@localhost) by sentry.granch.com (8.9.3/8.9.3) id KAA39965; Sun, 20 Aug 2000 10:57:11 +0700 (NOVST)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Sun, 20 Aug 2000 10:57:10 +0700 (NOVST)
Reply-To: "Rashid N. Achilov"
Organization: Granch Ltd.
From: "Rashid N. Achilov"
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Subject: RE: Need to install stelnet,sftp ??????????????????
Cc: freebsd-security@FreeBSD.ORG, Michael Maxwell
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 19-Aug-00 Ali Alaoui El Hassani wrote:
> I need to install
> stelnet, sftp, shttp on a FreeBSD 3.3
>

Don't shout so loudly, please, we hear you perfectly :-) Do you mean ssh (ssh2 includes sftp and of course stelnet :-) )? Or do you mean stelnet for WinDeads?

-- 
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Brainbench ID: 28514,
Granch Ltd. lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Sat Aug 19 22:15:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from matrix.advancewebhosting.com (ns.advancewebhosting.com [207.35.169.2]) by hub.freebsd.org (Postfix) with ESMTP id A598937B424 for ; Sat, 19 Aug 2000 22:15:47 -0700 (PDT)
Received: from joelt (cr917308-a.shprd1.on.wave.home.com [24.112.71.73]) by matrix.advancewebhosting.com (8.9.3/8.9.3) with SMTP id BAA15279; Sun, 20 Aug 2000 01:10:43 -0400 (EDT) (envelope-from joe@fasti.net)
From: "Joe Oliveiro"
To: "Ali Alaoui El Hassani" <961BE653994@stud.alakhawayn.ma>, "Joe Oliveiro"
Cc: "Michael Maxwell" ,
Subject: RE: Need to install stelnet,sftp ??????????????????
Date: Sun, 20 Aug 2000 01:13:28 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Try using the locate command, ie:

    locate sftp

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ali Alaoui El Hassani
Sent: Saturday, August 19, 2000 2:52 PM
To: Joe Oliveiro
Cc: Michael Maxwell; freebsd-security@FreeBSD.ORG
Subject: RE: Need to install stelnet,sftp ??????????????????

So how do I check if I have them in my ports ?

On Sat, 19 Aug 2000, Joe Oliveiro wrote:

> They should be in your ports directory; if they aren't, try upgrading your
> ports collection
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ali Alaoui El
> Hassani
> Sent: Saturday, August 19, 2000 2:17 PM
> To: Michael Maxwell
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Need to install stelnet,sftp ??????????????????
>
>
> Dear all,
> I need to install
> stelnet, sftp, shttp on a FreeBSD 3.3
>
> any help?

From owner-freebsd-security Sat Aug 19 22:32:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id E4C4A37B424 for ; Sat, 19 Aug 2000 22:32:43 -0700 (PDT)
Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id WAA27694 for ; Sat, 19 Aug 2000 22:32:41 -0700 (PDT) (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Sat, 19 Aug 2000 22:32:41 -0700 (PDT)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: freebsd-security@freebsd.org
Subject: Routing firewall w/ipfw questions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings!

I am setting up a firewall to protect a class c network and am having difficulty with routing. Here is the scenario (ips changed to protect the guilty):

Firewall box running 4.0 stable with plenty of horsepower and 2 nics.
  outside interface is set to xxx.xxx.xxx.83 in a /29 netmask .248
  inside interface is going to be set to xxx.xxx.xxx.1 in a /24 netmask .0
  gateway of inside net is currently on a virtual interface on a router with the IP of xxx.xxx.xxx.1

Problem:
When testing the firewall today I had one of the neteng guys shut the virt int on the router, re-route the traffic destined for the inside net to the outside interface of the firewall and brought up the xxx.xxx.xxx.1 on the inside interface. After that was accomplished I had someone test connectivity outbound from within the /24 that I am attempting to protect and all was fine. However, inbound traffic to the outside interface and/or the internal /24 was not passing. I could not even traceroute to the outside interface at all. At that time I figured that I had not spent enough time on my rules and went ahead and set ipfw to pass ip from any to any. Still no luck.

Question:
Is my reasoning flawed in regards to the routing portion of this setup? I made sure that ipforwarding was enabled as well. (please let me know if you need more info to assist with this problem) I am not a routing whiz so I'll need the big thump with the clue bat for sure...

Thanks for any help you might provide. Upon successful completion of this project I will document all *correct* procedures and post as I have not found any documentation on setting ipfw up for protecting an internal /24 with a different subnet on the outside interface.
- Todd

BTW...has anyone discussed some sort of document pool for various projects that freebsd users implement? There are many of us out here that have done some pretty cool stuff and if we all dump our docs somewhere with a search tool on the front end...? I do understand that many of our documentation methods (or lack thereof) are diff but I think that the variety of directions and slightly diff circumstances regarding the implementations are a plus. I certainly would not mind sifting through others' docs looking for the right match to any of my hair-pulling projects. Just my .02. And, yes, I am willing to donate time/resources (and my docs) to the project.

From owner-freebsd-security Sat Aug 19 22:58:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from amazhan.bitstream.net (amazhan.bitstream.net [216.243.128.132]) by hub.freebsd.org (Postfix) with SMTP id E103537B422 for ; Sat, 19 Aug 2000 22:58:18 -0700 (PDT)
Received: (qmail 25836 invoked from network); 20 Aug 2000 05:58:17 -0000
Received: from unknown (HELO copper) (216.243.168.19) by amazhan with SMTP; 20 Aug 2000 05:58:17 -0000
Date: Sat, 19 Aug 2000 22:56:55 -0700
From: Dan Debertin
X-Sender: airboss@copper.air-boss.net
To: Todd Backman
Cc: freebsd-security@freebsd.org
Subject: Re: Routing firewall w/ipfw questions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

First, as this is not exactly security-related, a better forum for this is -net (or -questions, but that list tends to have more questions than answers ;). Now, on to your question:

>
> Question:
> Is my reasoning flawed in regards to the routing portion of this setup?

Your subnetting plan looks fine to me. One thing that strikes me, though, is that you need to have a router on the external side who knows that your FreeBSD box is the next-hop router for the post-firewall /24. Is there such a router in your setup?

For example, let's say that your firewall's external interface is 1.1.1.6/29, and the internal is 1.1.2.1/24. There should be a router with an interface on the 1.1.1.0/29 subnet that "knows" that 1.1.2.0/24 is reached via 1.1.1.6. In cisco syntax this would be

    ip route 1.1.1.0 255.255.255.0 1.1.1.6

or via the UNIX "route" command:

    route add -net 1.1.2.0 -netmask 255.255.255.0 1.1.1.6

Also, make sure you have a default gateway on your firewall pointing to that external router.

I am also assuming you've done the basic lower-layer checks for link lights, cable integrity, etc.

> Thanks for any help you might provide. Upon successful completion of this
> project I will document all *correct* procedures and post as I have not
> found any documentation on setting ipfw up for protecting an internal /24
> with a different subnet on the outside interface.

We've been doing this successfully for quite some time, so I assure you it's fairly standard ;).

~Dan D.
-- 
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290