From owner-freebsd-security@FreeBSD.ORG Mon Jan 10 12:33:07 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3EA2C16A4CE for ; Mon, 10 Jan 2005 12:33:07 +0000 (GMT) Received: from hotmail.com (bay21-f40.bay21.hotmail.com [65.54.233.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id F28F843D5A for ; Mon, 10 Jan 2005 12:33:06 +0000 (GMT) (envelope-from carlmarkbsd@hotmail.co.uk) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 10 Jan 2005 04:33:06 -0800 Message-ID: Received: from 194.210.96.165 by by21fd.bay21.hotmail.msn.com with HTTP; Mon, 10 Jan 2005 12:32:37 GMT X-Originating-IP: [194.210.96.165] X-Originating-Email: [carlmarkbsd@hotmail.co.uk] X-Sender: carlmarkbsd@hotmail.co.uk From: "Carl Mark" To: freebsd-security@freebsd.org Date: Mon, 10 Jan 2005 12:32:37 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 10 Jan 2005 12:33:06.0470 (UTC) FILETIME=[89166460:01C4F710] Subject: connection limit with ipfw X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jan 2005 12:33:07 -0000 Hello folks, I'm trying to set up a ruleset that limits every user to X tcp connections, since I have 300 active users on each server. I've been trying to work it out with the ipfw limit but I really don't know how effective it is. For example: ipfw -q add 15 allow tcp from me to any 80 limit dst-port X keep-state out setup Will this limit the whole machine to X connections that match the rule? I wanted to build somehting that would limit every user to X conns without having one rule for each user using the "uid" directive. Thanks for your precious help. 
Regards, Carl _________________________________________________________________ It's fast, it's easy and it's free. Get MSN Messenger today! http://www.msn.co.uk/messenger From owner-freebsd-security@FreeBSD.ORG Mon Jan 10 00:39:41 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 13AA116A4CE; Mon, 10 Jan 2005 00:39:41 +0000 (GMT) Received: from ronno.pricegrabber.com (ronno.pricegrabber.com [64.156.13.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id A883943D1D; Mon, 10 Jan 2005 00:39:40 +0000 (GMT) (envelope-from chrismcc@pricegrabber.com) Received: from wednesday.pricegrabber.com (wednesday.pricegrabber.com [192.168.10.19]) (authenticated bits=0)j0A0deac026771; Sun, 9 Jan 2005 16:39:40 -0800 From: Christopher McCrory To: nectar@FreeBSD.org In-Reply-To: Content-Type: text/plain Date: Sun, 09 Jan 2005 16:39:40 -0800 Message-Id: <1105317580.22779.12.camel@wednesday.pricegrabber.com> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 (2.0.2-3) Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.80/588/Sun Nov 14 16:06:21 2004 clamav-milter version 0.80j on localhost X-Virus-Status: Clean X-Mailman-Approved-At: Mon, 10 Jan 2005 13:12:17 +0000 cc: freebsd-security@FreeBSD.org Subject: update for 4.11 Security Officer-supported branches X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jan 2005 00:39:41 -0000 Hello... In regards to http://www.freebsd.org/security/ , from what I understand the FreeBSD 4.x branch is generally winding down in favor of the 5.x/6.x branches. It would be nice to know ahead of time if 4.11 will also be an extended release, or if that would fall to 4.12. 
For those of running 4.8 (expiring about the same time as 4.11 is released) we would be in a better position to know where to upgrade; 4.10 or 4.11. -- Christopher McCrory "The guy that keeps the servers running" chrismcc@pricegrabber.com http://www.pricegrabber.com Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works. From owner-freebsd-security@FreeBSD.ORG Mon Jan 10 13:22:38 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8522116A4CE for ; Mon, 10 Jan 2005 13:22:38 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 33B1F43D45 for ; Mon, 10 Jan 2005 13:22:38 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id A29E73E2C3B; Mon, 10 Jan 2005 07:22:42 -0600 (CST) Received: by lum.celabo.org (Postfix, from userid 1001) id 52EDB5587FD; Mon, 10 Jan 2005 07:22:33 -0600 (CST) Date: Mon, 10 Jan 2005 07:22:33 -0600 From: "Jacques A. Vidrine" To: Christopher McCrory Message-ID: <20050110132233.GA5374@lum.celabo.org> Mail-Followup-To: "Jacques A. 
Vidrine" , Christopher McCrory , freebsd-security@FreeBSD.org References: <1105317580.22779.12.camel@wednesday.pricegrabber.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1105317580.22779.12.camel@wednesday.pricegrabber.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-security@FreeBSD.org Subject: Re: update for 4.11 Security Officer-supported branches X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jan 2005 13:22:38 -0000 On Sun, Jan 09, 2005 at 04:39:40PM -0800, Christopher McCrory wrote: > Hello... > > In regards to http://www.freebsd.org/security/ , from what I understand > the FreeBSD 4.x branch is generally winding down in favor of the 5.x/6.x > branches. It would be nice to know ahead of time if 4.11 will also be > an extended release, or if that would fall to 4.12. For those of > running 4.8 (expiring about the same time as 4.11 is released) we would > be in a better position to know where to upgrade; 4.10 or 4.11. Hi Christopher, Upgrade to FreeBSD 4.11. It will be supported through January 31, 2007. In all likelihood, there will not be a FreeBSD 4.12. 
Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org From owner-freebsd-security@FreeBSD.ORG Mon Jan 10 14:58:56 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B09D16A4CE for ; Mon, 10 Jan 2005 14:58:56 +0000 (GMT) Received: from mail.nativenerds.com (host-70-0-111-24.midco.net [24.111.0.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC5F743D46 for ; Mon, 10 Jan 2005 14:58:55 +0000 (GMT) (envelope-from estover@nativenerds.com) Received: from red (host-14-37-230-24.midco.net [24.230.37.14]) j0AF4qkl052538; Mon, 10 Jan 2005 08:04:52 -0700 (MST) (envelope-from estover@nativenerds.com) From: Ed Stover To: freebsd-security@freebsd.org In-Reply-To: References: Content-Type: text/plain Organization: Native Nerds Date: Mon, 10 Jan 2005 07:58:58 -0700 Message-Id: <1105369138.5197.9.camel@red.nativenerds.com> Mime-Version: 1.0 X-Mailer: Evolution 2.0.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mail.nativenerds.com cc: Carl Mark Subject: Re: connection limit with ipfw X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: estover@nativenerds.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jan 2005 14:58:56 -0000 Try posting this to freebsd-ipfw@freebsd.org that might be a little more responsive toward the question. On Mon, 2005-01-10 at 12:32 +0000, Carl Mark wrote: > Hello folks, > > I'm trying to set up a ruleset that limits every user to X tcp > connections, since I have 300 active users on each server. I've been trying > to work it out with the ipfw limit but I really don't know how effective it > is. 
> > For example: > > ipfw -q add 15 allow tcp from me to any 80 limit dst-port X keep-state out > setup > > > Will this limit the whole machine to X connections that match the rule? I > wanted to build somehting that would limit every user to X conns without > having one rule for each user using the "uid" directive. > > Thanks for your precious help. > Regards, > Carl > > _________________________________________________________________ > It's fast, it's easy and it's free. Get MSN Messenger today! > http://www.msn.co.uk/messenger > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 08:45:03 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 979C416A4CE for ; Tue, 11 Jan 2005 08:45:03 +0000 (GMT) Received: from mx01.uunet.co.za (mx01.uunet.co.za [196.31.48.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 859BF43D2F for ; Tue, 11 Jan 2005 08:45:02 +0000 (GMT) (envelope-from gareth@za.uu.net) Received: from [196.30.72.11] (helo=pixproxy.so.cpt1.za.uu.net) by mx01.uunet.co.za with esmtp (Exim 4.34; FreeBSD) id 1CoHe4-000Nmx-2I for freebsd-security@freebsd.org; Tue, 11 Jan 2005 10:45:01 +0200 Received: from gabba.so.cpt1.za.uu.net (gabba.so.cpt1.za.uu.net [196.30.72.25]) by pixproxy.so.cpt1.za.uu.net (Postfix) with ESMTP id 83EDC57FB for ; Tue, 11 Jan 2005 10:44:55 +0200 (SAST) Date: Tue, 11 Jan 2005 10:44:55 +0200 (SAST) From: Gareth Hopkins X-X-Sender: gareth@gabba.so.cpt1.za.uu.net To: freebsd-security@freebsd.org Message-ID: <20050111104421.V49931@gabba.so.cpt1.za.uu.net> X-Cell: +27 82 929 6668 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanner: Scanned By ClamAV X-Spam-Score: 
-4.9 (----) X-Scan-Signature: 1a007ac50ac15387d5378093bd6068b5 Subject: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 08:45:03 -0000 Howdie, Is there a way to get the default BSD 5.3 openssh to compile against the MIT kerberos libraries? I have set NO_KERBEROS=yes in /etc/make.conf so that the heimdal kerberos is not built, and rebuilt world, then installed /usr/ports/security/krb5 and rebuilt world again. sshd is however not being built against MIT at all. [root@foobar] ~ # ldd /usr/sbin/sshd /usr/sbin/sshd: libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000) libutil.so.4 => /lib/libutil.so.4 (0x280c7000) libz.so.2 => /lib/libz.so.2 (0x280d3000) libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000) libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000) libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000) libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000) libc.so.5 => /lib/libc.so.5 (0x281ff000) Thanks --- Gareth Hopkins Server Operations UUNET South Africa From owner-freebsd-security@FreeBSD.ORG Mon Jan 10 17:12:40 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A468916A4CE for ; Mon, 10 Jan 2005 17:12:40 +0000 (GMT) Received: from mx01.uunet.co.za (mx01.uunet.co.za [196.31.48.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3686E43D45 for ; Mon, 10 Jan 2005 17:12:40 +0000 (GMT) (envelope-from gareth@uunet.co.za) Received: from [196.30.72.11] (helo=pixproxy.so.cpt1.za.uu.net) by mx01.uunet.co.za with esmtp (Exim 4.34; FreeBSD) id 1Co35n-000AwM-KO for freebsd-security@freebsd.org; Mon, 10 Jan 2005 19:12:39 +0200 Received: from gabba.so.cpt1.za.uu.net (gabba.so.cpt1.za.uu.net [196.30.72.25]) by pixproxy.so.cpt1.za.uu.net (Postfix) with ESMTP 
id 8F93757AC for ; Mon, 10 Jan 2005 19:12:32 +0200 (SAST) Date: Mon, 10 Jan 2005 19:12:32 +0200 (SAST) From: Gareth Hopkins X-X-Sender: gareth@gabba.so.cpt1.za.uu.net To: freebsd-security@freebsd.org Message-ID: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> X-Cell: +27 82 929 6668 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanner: Scanned By ClamAV X-Spam-Score: -4.9 (----) X-Scan-Signature: 481586322dcdedc11fb294da8311baae X-Mailman-Approved-At: Tue, 11 Jan 2005 14:18:16 +0000 Subject: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jan 2005 17:12:40 -0000 Howdie, Is there a way to get the default BSD 5.3 openssh to compile against the MIT kerberos libraries? I have set NO_KERBEROS=yes in /etc/make.conf so that the heimdal kerberos is not built, and rebuilt world, then installed /usr/ports/security/krb5 and rebuilt world again. sshd is however not being built against MIT at all. 
[root@foobar] ~ # ldd /usr/sbin/sshd /usr/sbin/sshd: libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000) libutil.so.4 => /lib/libutil.so.4 (0x280c7000) libz.so.2 => /lib/libz.so.2 (0x280d3000) libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000) libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000) libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000) libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000) libc.so.5 => /lib/libc.so.5 (0x281ff000) Thanks --- Gareth Hopkins Server Operations UUNET South Africa From owner-freebsd-security@FreeBSD.ORG Mon Jan 10 19:16:37 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B6D516A4CE; Mon, 10 Jan 2005 19:16:37 +0000 (GMT) Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE81B43D1F; Mon, 10 Jan 2005 19:16:35 +0000 (GMT) (envelope-from julian@elischer.org) Received: from elischer.org (julian.vicor-nb.com [208.206.78.97]) by mail.vicor-nb.com (Postfix) with ESMTP id 372927A44B; Mon, 10 Jan 2005 11:16:34 -0800 (PST) Message-ID: <41E2D492.9020302@elischer.org> Date: Mon, 10 Jan 2005 11:16:34 -0800 From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3.1) Gecko/20030516 X-Accept-Language: en, hu MIME-Version: 1.0 To: "Jacques A. 
Vidrine" References: <1105317580.22779.12.camel@wednesday.pricegrabber.com> <20050110132233.GA5374@lum.celabo.org> In-Reply-To: <20050110132233.GA5374@lum.celabo.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 11 Jan 2005 14:18:16 +0000 cc: Christopher McCrory cc: freebsd-security@freebsd.org Subject: Re: update for 4.11 Security Officer-supported branches X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jan 2005 19:16:37 -0000 Jacques A. Vidrine wrote: >On Sun, Jan 09, 2005 at 04:39:40PM -0800, Christopher McCrory wrote: > > >>Hello... >> >> In regards to http://www.freebsd.org/security/ , from what I understand >>the FreeBSD 4.x branch is generally winding down in favor of the 5.x/6.x >>branches. It would be nice to know ahead of time if 4.11 will also be >>an extended release, or if that would fall to 4.12. For those of >>running 4.8 (expiring about the same time as 4.11 is released) we would >>be in a better position to know where to upgrade; 4.10 or 4.11. >> >> > >Hi Christopher, > >Upgrade to FreeBSD 4.11. It will be supported through January 31, 2007. >In all likelihood, there will not be a FreeBSD 4.12. > there will however be a RELENG_4 branch still active for those of us who need to continue generating 4.x based releases for ourselves.. I'm assuming security patches goin gto 4.11 will also go there. While a 4.12 will PROBABLY not happen, I do plan on continued MFCs of important changes to RELENG_4 as I do not envision my custommers moving to 5.x until some time in 2006 at the earliest. (Including fixes from dragonfly, and possibly some new drivers and thing like USB fixes. 
> >Cheers, > > From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 14:24:39 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F50F16A4CE for ; Tue, 11 Jan 2005 14:24:39 +0000 (GMT) Received: from postfix3-1.free.fr (postfix3-1.free.fr [213.228.0.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id A479643D1F for ; Tue, 11 Jan 2005 14:24:38 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix3-1.free.fr (Postfix) with ESMTP id A85601734ED; Tue, 11 Jan 2005 15:24:37 +0100 (CET) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id B4FCE40B9; Tue, 11 Jan 2005 15:27:39 +0100 (CET) Date: Tue, 11 Jan 2005 15:27:39 +0100 From: Jeremie Le Hen To: Gareth Hopkins Message-ID: <20050111142739.GK686@obiwan.tataz.chchile.org> References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 14:24:39 -0000 > Is there a way to get the default BSD 5.3 openssh to compile > against the MIT kerberos libraries? I have set NO_KERBEROS=yes in > /etc/make.conf so > that the heimdal kerberos is not built, and rebuilt world, then installed > /usr/ports/security/krb5 and rebuilt world again. sshd is however not being > built against MIT at all. 
> > [root@foobar] ~ # ldd /usr/sbin/sshd > /usr/sbin/sshd: > libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000) > libutil.so.4 => /lib/libutil.so.4 (0x280c7000) > libz.so.2 => /lib/libz.so.2 (0x280d3000) > libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000) > libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000) > libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000) > libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000) > libc.so.5 => /lib/libc.so.5 (0x281ff000) I'm not a buildworld guru, but I think that with NO_KERBEROS=yes, /usr/bin/sshd(8) will obviously NOT be linked with any krb library. IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob. Hope this helps. Regards, -- Jeremie Le Hen jeremie@le-hen.org From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 14:48:51 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74C2916A4CE for ; Tue, 11 Jan 2005 14:48:51 +0000 (GMT) Received: from www.cyclades.de (mail.cyclades.de [62.225.173.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id D024243D1F for ; Tue, 11 Jan 2005 14:48:50 +0000 (GMT) (envelope-from mh@kernel32.de) Received: from [192.168.10.147] (helo=[192.168.10.147]) by www.cyclades.de with asmtp (Cipher TLSv1:RC4-MD5:128) (Exim 3.35 #1 (Debian)) id 1CoNJy-0006Xo-00; Tue, 11 Jan 2005 15:48:34 +0100 Message-ID: <41E3E6C3.7070801@kernel32.de> Date: Tue, 11 Jan 2005 15:46:27 +0100 From: Marian Hettwer User-Agent: Mozilla Thunderbird 1.0 (X11/20041228) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jeremie Le Hen References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <20050111142739.GK686@obiwan.tataz.chchile.org> In-Reply-To: <20050111142739.GK686@obiwan.tataz.chchile.org> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 8bit X-MailScanner: Found to be clean X-MailScanner-SpamCheck: cc: freebsd-security@freebsd.org cc: Gareth Hopkins Subject: Re: 
MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 14:48:51 -0000 Hej There, Jeremie Le Hen wrote: > > > I'm not a buildworld guru, but I think that with NO_KERBEROS=yes, > /usr/bin/sshd(8) will obviously NOT be linked with any krb library. not true at all. NO_KERBEROS=yes says that heimdal kerberos shouldn't be compiled, AFAIK. > IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob. > that's the way I would go. However, you need to make sure that the Ports OpenSSH doesn't interfer with the Base OpenSSH. just my 2 ¢ ;) Marian From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 15:07:58 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5599116A4CE for ; Tue, 11 Jan 2005 15:07:58 +0000 (GMT) Received: from mailhost.unt.edu (mailhost.unt.edu [129.120.209.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC58F43D2D for ; Tue, 11 Jan 2005 15:07:57 +0000 (GMT) (envelope-from searle@unt.edu) Received: from iatro (localhost.localdomain [127.0.0.1]) by mail5 (Postfix) with SMTP id CFD547429F; Tue, 11 Jan 2005 09:07:56 -0600 (CST) Received: from [129.120.32.22] (slink.cascss.unt.edu [129.120.32.22]) by mailhost.unt.edu (Postfix) with ESMTP id CB3A3742A9; Tue, 11 Jan 2005 09:07:49 -0600 (CST) Message-ID: <41E3EBD2.3000202@unt.edu> Date: Tue, 11 Jan 2005 09:08:02 -0600 From: Curry Searle User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jeremie Le Hen References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <20050111142739.GK686@obiwan.tataz.chchile.org> In-Reply-To: <20050111142739.GK686@obiwan.tataz.chchile.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed 
Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: searle@unt.edu List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 15:07:58 -0000 You probably want to define one of the following examples from /etc/defaults/make.conf in your /etc/make.conf: # Kerberos IV # If you want KerberosIV (KTH eBones), define this: # #MAKE_KERBEROS4= yes # # # Kerberos 5 # If you want Kerberos 5 (KTH Heimdal), define this: # #MAKE_KERBEROS5= yes # # Kerberos 5 su (k5su) # If you want to use the k5su utility, define this to have it installed # set-user-ID. #ENABLE_SUID_K5SU= yes # # # Kerberos5 # If you want to install MIT Kerberos5 port somewhere other than /usr/local, # define this (this is also used to tell ssh1 that kerberos is needed): # #KRB5_HOME= /usr/local Jeremie Le Hen wrote: >> Is there a way to get the default BSD 5.3 openssh to compile >>against the MIT kerberos libraries? I have set NO_KERBEROS=yes in >>/etc/make.conf so >>that the heimdal kerberos is not built, and rebuilt world, then installed >>/usr/ports/security/krb5 and rebuilt world again. sshd is however not being >>built against MIT at all. >> >>[root@foobar] ~ # ldd /usr/sbin/sshd >>/usr/sbin/sshd: >> libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000) >> libutil.so.4 => /lib/libutil.so.4 (0x280c7000) >> libz.so.2 => /lib/libz.so.2 (0x280d3000) >> libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000) >> libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000) >> libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000) >> libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000) >> libc.so.5 => /lib/libc.so.5 (0x281ff000) > > > I'm not a buildworld guru, but I think that with NO_KERBEROS=yes, > /usr/bin/sshd(8) will obviously NOT be linked with any krb library. 
> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob. > > Hope this helps. > Regards, -- ____________________________________________________ Curry Searle | searle@unt.edu | Postmaster www.cas.unt.edu/~searle | Unix Hosts College of Arts & Sciences | Windows Desktops Computing Support Services | Security Liaison www.cascss.unt.edu | From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 17:16:56 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 014D016A4CE for ; Tue, 11 Jan 2005 17:16:56 +0000 (GMT) Received: from mx01.uunet.co.za (mx01.uunet.co.za [196.31.48.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 014D243D2D for ; Tue, 11 Jan 2005 17:16:55 +0000 (GMT) (envelope-from gareth@za.uu.net) Received: from [196.30.72.11] (helo=pixproxy.so.cpt1.za.uu.net) by mx01.uunet.co.za with esmtp (Exim 4.34; FreeBSD) id 1CoPdR-0008kL-77; Tue, 11 Jan 2005 19:16:53 +0200 Received: from gabba.so.cpt1.za.uu.net (gabba.so.cpt1.za.uu.net [196.30.72.25]) by pixproxy.so.cpt1.za.uu.net (Postfix) with ESMTP id 4132057AC; Tue, 11 Jan 2005 19:16:46 +0200 (SAST) Date: Tue, 11 Jan 2005 19:16:46 +0200 (SAST) From: Gareth Hopkins X-X-Sender: gareth@gabba.so.cpt1.za.uu.net To: Curry Searle In-Reply-To: <41E3EBD2.3000202@unt.edu> Message-ID: <20050111191439.M49931@gabba.so.cpt1.za.uu.net> References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <20050111142739.GK686@obiwan.tataz.chchile.org> <41E3EBD2.3000202@unt.edu> X-Cell: +27 82 929 6668 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanner: Scanned By ClamAV X-Spam-Score: -4.9 (----) X-Scan-Signature: ee24718dac2ea057c9322e86be57669f cc: freebsd-security@freebsd.org Subject: Re: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: 
List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 17:16:56 -0000 On Tue, 11 Jan 2005, Curry Searle wrote: CS>You probably want to define one of the following examples from CS>/etc/defaults/make.conf in your /etc/make.conf: CS> CS># Kerberos IV CS># If you want KerberosIV (KTH eBones), define this: CS># CS>#MAKE_KERBEROS4= yes CS># CS># CS># Kerberos 5 CS># If you want Kerberos 5 (KTH Heimdal), define this: CS># CS>#MAKE_KERBEROS5= yes CS># CS># Kerberos 5 su (k5su) CS># If you want to use the k5su utility, define this to have it installed CS># set-user-ID. CS>#ENABLE_SUID_K5SU= yes CS># CS># CS># Kerberos5 CS># If you want to install MIT Kerberos5 port somewhere other than /usr/local, CS># define this (this is also used to tell ssh1 that kerberos is needed): CS># CS>#KRB5_HOME= /usr/local Howdie, According to /usr/src/UPDATING of a freshly supped 5.3 machine 20030505: Kerberos 5 (Heimdal) is now built by default. Setting MAKE_KERBEROS5 no longer has any effect. If you do NOT want the "base" Kerberos 5, you need to set NO_KERBEROS. Will try installing the MIT port from /usr/ports/security/krb5 and setting KRB5_HOME in /etc/make.conf CS>Jeremie Le Hen wrote: CS>> > Is there a way to get the default BSD 5.3 openssh to compile against CS>> > the MIT kerberos libraries? I have set NO_KERBEROS=yes in /etc/make.conf CS>> > so CS>> > that the heimdal kerberos is not built, and rebuilt world, then installed CS>> > /usr/ports/security/krb5 and rebuilt world again. sshd is however not CS>> > being built against MIT at all. 
CS>> > CS>> > [root@foobar] ~ # ldd /usr/sbin/sshd CS>> > /usr/sbin/sshd: CS>> > libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000) CS>> > libutil.so.4 => /lib/libutil.so.4 (0x280c7000) CS>> > libz.so.2 => /lib/libz.so.2 (0x280d3000) CS>> > libwrap.so.3 => /usr/lib/libwrap.so.3 (0x280e3000) CS>> > libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000) CS>> > libcrypto.so.3 => /lib/libcrypto.so.3 (0x280f2000) CS>> > libcrypt.so.2 => /lib/libcrypt.so.2 (0x281e7000) CS>> > libc.so.5 => /lib/libc.so.5 (0x281ff000) CS>> CS>> CS>> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes, CS>> /usr/bin/sshd(8) will obviously NOT be linked with any krb library. CS>> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob. CS>> CS>> Hope this helps. CS>> Regards, CS> CS>-- CS>____________________________________________________ CS>Curry Searle | CS>searle@unt.edu | Postmaster CS>www.cas.unt.edu/~searle | Unix Hosts CS>College of Arts & Sciences | Windows Desktops CS>Computing Support Services | Security Liaison CS>www.cascss.unt.edu | CS>_______________________________________________ CS>freebsd-security@freebsd.org mailing list CS>http://lists.freebsd.org/mailman/listinfo/freebsd-security CS>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" CS> --- Gareth Hopkins Server Operations UUNET South Africa From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 20:15:15 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F7E816A4CE for ; Tue, 11 Jan 2005 20:15:15 +0000 (GMT) Received: from storm.uk.FreeBSD.org (storm.uk.FreeBSD.org [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C61D43D31 for ; Tue, 11 Jan 2005 20:15:14 +0000 (GMT) (envelope-from mark@grondar.org) Received: from storm.uk.FreeBSD.org (uucp@localhost [127.0.0.1]) by storm.uk.FreeBSD.org (8.13.1/8.13.1) with ESMTP id j0BKFCIq024570; Tue, 11 Jan 2005 
20:15:12 GMT (envelope-from mark@grondar.org) Received: (from uucp@localhost)j0BKFA5t024569; Tue, 11 Jan 2005 20:15:10 GMT (envelope-from mark@grondar.org) Received: from grondar.org (localhost [127.0.0.1]) by grovel.grondar.org (8.13.1/8.13.1) with ESMTP id j0BKAqR7072466; Tue, 11 Jan 2005 20:10:52 GMT (envelope-from mark@grondar.org) Message-Id: <200501112010.j0BKAqR7072466@grovel.grondar.org> X-Mailer: exmh version 2.7.0 06/18/2004 with nmh-1.0.4 To: Gareth Hopkins From: Mark Murray In-Reply-To: Your message of "Tue, 11 Jan 2005 10:44:55 +0200." <20050111104421.V49931@gabba.so.cpt1.za.uu.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 11 Jan 2005 20:10:52 +0000 Sender: mark@grondar.org cc: freebsd-security@FreeBSD.ORG Subject: Re: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 20:15:15 -0000 Gareth Hopkins writes: > > Howdie, > > Is there a way to get the default BSD 5.3 openssh to compile against > the MIT kerberos libraries? I have set NO_KERBEROS=yes in /etc/make.conf so > that the heimdal kerberos is not built, and rebuilt world, then installed > /usr/ports/security/krb5 and rebuilt world again. sshd is however not being > built against MIT at all. This is a very bad idea. You may get the compile to work, but you will then have a non-standard confuguration, and all assistance bets are off. I'm still working your problem (sorry about the delay!) and I'll get back to you as soon as I have something. Please rebuild _without_ NO_KERBEROS. Thanks! 
M
--
Mark Murray
iumop ap!sdn w,I idlaH

From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 20:33:40 2005
Date: Tue, 11 Jan 2005 14:33:38 -0600
From: "Jacques A. Vidrine"
To: Julian Elischer
Message-ID: <20050111203338.GD7869@lum.celabo.org>
References: <1105317580.22779.12.camel@wednesday.pricegrabber.com> <20050110132233.GA5374@lum.celabo.org> <41E2D492.9020302@elischer.org>
In-Reply-To: <41E2D492.9020302@elischer.org>
cc: Christopher McCrory
cc: freebsd-security@freebsd.org
Subject: Re: update for 4.11 Security Officer-supported branches

On Mon, Jan 10, 2005 at 11:16:34AM -0800, Julian Elischer wrote:
> there will however be a RELENG_4 branch still active for those of us who
> need to continue generating 4.x based releases for ourselves..
> I'm assuming security patches going to 4.11 will also go there.

Yep! And also errata fixes.

> While a 4.12 will PROBABLY not happen, I do plan on continued MFCs of
> important changes to RELENG_4 as I do not envision my customers
> moving to 5.x until some time in 2006 at the earliest. (Including
> fixes from dragonfly, and possibly some new drivers and things like USB
> fixes.)

And I don't see any reason that such fixes cannot eventually be merged
to the 4.11 errata branch, assuming they are well-tested. That'd be
great for everyone!
Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 20:53:40 2005
Date: Tue, 11 Jan 2005 21:56:40 +0100
From: Jeremie Le Hen
To: Gareth Hopkins
Message-ID: <20050111205640.GL686@obiwan.tataz.chchile.org>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <20050111142739.GK686@obiwan.tataz.chchile.org> <41E3E6C3.7070801@kernel32.de> <20050111190043.Y49931@gabba.so.cpt1.za.uu.net>
In-Reply-To: <20050111190043.Y49931@gabba.so.cpt1.za.uu.net>
cc: freebsd-security@freebsd.org
Subject: Re: MIT Kerberos and OpenSSH

> Thanks for the replies. The reason for setting NO_KERBEROS is I do
> not want heimdal kerberos built, as I want to use the MIT package.
>
> There must be a way to get the base system openssh to build against
> the installed MIT port.
Please, look at Curry Searle's post. As you can see, there is a
KRB5_HOME knob in make.conf(5). Setting it to "/usr/local" will surely
do the trick.

Regards,
--
Jeremie Le Hen
jeremie@le-hen.org

From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 22:02:50 2005
Date: Tue, 11 Jan 2005 22:10:55 +0000
From: Micah
To: freebsd-security@freebsd.org
Message-ID: <20050111221055.GD68350@micah.tamu.edu>
Subject: Possible security issue with jails

Howdy!

I'm not sure if this is actually an issue, feature or a bug, but I have
found that inside a jail, the jailed root user is able to sniff traffic
(and enable promiscuous mode) on at least the interface of the IP
address the jail is attached to.
I have not found any documentation explaining if this should occur or
not, but I feel it is something that should at least be known to those
using jails. Please let me know if anyone knows if this is an error, a
problem that can't be fixed, or if it's designed to be this way.

Thanks!
-Micah

From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 22:06:15 2005
To: Micah
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Tue, 11 Jan 2005 22:10:55 GMT." <20050111221055.GD68350@micah.tamu.edu>
Date: Tue, 11 Jan 2005 23:05:43 +0100
Message-ID: <24203.1105481143@critter.freebsd.dk>
cc: freebsd-security@freebsd.org
Subject: Re: Possible security issue with jails

In message <20050111221055.GD68350@micah.tamu.edu>, Micah writes:
>Howdy!
>
>I'm not sure if this is actually an issue, feature or a bug, but I have found
>that inside a jail, the jailed root user is able to sniff traffic (and enable
>promiscuous mode) on at least the interface of the IP address the jail is attached
>to.

Only if you leave bpf devices in the devfs mounted on the jail.
--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 00:27:02 2005
Date: Wed, 12 Jan 2005 00:35:08 +0000
From: Micah
To: freebsd-security@freebsd.org
Message-ID: <20050112003508.GE68350@micah.tamu.edu>
References: <20050111221055.GD68350@micah.tamu.edu> <24203.1105481143@critter.freebsd.dk>
In-Reply-To: <24203.1105481143@critter.freebsd.dk>
Subject: Re: Possible security issue with jails

This was the info I needed. Thanks!

-micah

On Tue, Jan 11, 2005 at 11:05:43PM +0100, Poul-Henning Kamp wrote:
> In message <20050111221055.GD68350@micah.tamu.edu>, Micah writes:
> >Howdy!
> >
> >I'm not sure if this is actually an issue, feature or a bug, but I have found
> >that inside a jail, the jailed root user is able to sniff traffic (and enable
> >promiscuous mode) on at least the interface of the IP address the jail is attached
> >to.
>
> Only if you leave bpf devices in the devfs mounted on the jail.
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
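The condition phk names can be checked mechanically. What follows is an added example written for this page, not code from the thread or from FreeBSD: a POSIX sh audit that lists any bpf nodes still visible in a jail's /dev, with the devfs(8) ruleset and rc.conf(5) knobs that keep them out noted in the comments. The ruleset name devfsrules_jail (ruleset 4 in /etc/defaults/devfs.rules), the devfs -m ... rule -s 4 applyset invocation, the jail_<name>_devfs_* knobs and the /usr/jail layout are assumptions from memory of the 5.x-era defaults; confirm them against devfs.rules(5), devfs(8) and rc.conf(5) on your release.

```shell
#!/bin/sh
# Added example, not from the thread: audit a jail's devfs for bpf nodes.
#
# A jailed root can only open bpf if the devfs mounted on the jail still
# exposes /dev/bpf*. FreeBSD's stock rules (assumed: [devfsrules_jail=4] in
# /etc/defaults/devfs.rules, which includes devfsrules_hide_all) hide them.
#
# To apply that ruleset to a running jail's devfs (devfs(8) syntax, assumed):
#     devfs -m /path/to/jail/dev rule -s 4 applyset
# or, for jails started by /etc/rc.d/jail (rc.conf knobs, assumed):
#     jail_<name>_devfs_enable="YES"
#     jail_<name>_devfs_ruleset="devfsrules_jail"

# jail_dev_exposed DEVDIR [GLOB...]
# Lists every node in DEVDIR matching one of the globs (default: bpf*).
# Exit status 1 if anything was listed, 0 if the jail's /dev is clean.
jail_dev_exposed() {
    dir=$1
    shift
    [ $# -gt 0 ] || set -- 'bpf*'
    rc=0
    for pat in "$@"; do
        for node in "$dir"/$pat; do
            [ -e "$node" ] || continue      # the glob matched nothing
            printf 'exposed: %s\n' "$node"
            rc=1
        done
    done
    return $rc
}

# audit_jails BASEDIR
# Runs the check over every <BASEDIR>/<jail>/dev and reports per jail.
# Exit status 1 if any jail exposes a bpf node.
audit_jails() {
    base=$1
    rc=0
    for devdir in "$base"/*/dev; do
        [ -d "$devdir" ] || continue
        if jail_dev_exposed "$devdir" 'bpf*'; then
            printf 'ok: %s\n' "$devdir"
        else
            rc=1
        fi
    done
    return $rc
}

# Usage on a typical layout (jails under /usr/jail; the path is an assumption):
#     audit_jails /usr/jail
```

Run it from the host, not from inside the jail: the host sees the jail's devfs mount as it really is, and a clean result means the jailed root has no bpf node to open regardless of which interface the jail's address lives on.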
From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 00:27:21 2005
Date: Wed, 12 Jan 2005 01:27:13 +0100
From: Christian Brueffer
To: freebsd-security@freebsd.org
Message-id: <20050112002713.GB603@unixpages.org>
X-Operating-System: FreeBSD 6.0-CURRENT
X-PGP-Key: http://people.FreeBSD.org/~brueffer/brueffer.key.asc
X-PGP-Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D
Subject: Biometric Authentication for BSD/Linux (Forward)

Hey guys,

this was sent to the openbsd-misc mailing list tonight. It might be
interesting for some people here as well.

- Christian

----- Forwarded message from "Alexey E. Suslikov" -----

Date: Tue, 11 Jan 2005 11:36:08 +0200
From: "Alexey E. Suslikov"
Subject: Biometric Authentication for BSD/Linux
Homepage is here http://biomark.org.ru/en/
It is BSD-licensed http://biomark.org.ru/files/license.txt
and uses PAM under BSD-systems http://biomark.org.ru/en/software/pam_bfp.html

----- End forwarded message -----

--
Christian Brueffer      chris@unixpages.org  brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D

From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 08:41:50 2005
Date: Wed, 12 Jan 2005 10:41:40 +0200 (SAST)
From: Gareth Hopkins
To: Jeremie Le Hen
In-Reply-To: <20050111205640.GL686@obiwan.tataz.chchile.org>
Message-ID: <20050112103938.K49931@gabba.so.cpt1.za.uu.net>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de> <20050111205640.GL686@obiwan.tataz.chchile.org>
cc: freebsd-security@freebsd.org
Subject: Re: MIT Kerberos and OpenSSH

On Tue, 11 Jan 2005, Jeremie Le Hen wrote:

JLH>> Thanks for the replies. The reason for setting NO_KERBEROS is I do
JLH>> not want heimdal kerberos built, as I want to use the MIT package.
JLH>>
JLH>> There must be a way to get the base system openssh to build against
JLH>> the installed MIT port.
JLH>
JLH>Please, look at Curry Searle's post. As you can see, there is a
JLH>KRB5_HOME knob in make.conf(5). Setting it to "/usr/local" will surely
JLH>do the trick.

Howdie,

It looks like most of those kerberos options are no longer valid in
BSD 5.x. Everything works fine on BSD 4.10 with the KERBEROS options
set. Will play a little more today with the 5.3 installation.
Any other info would be greatly appreciated :)

---
Gareth Hopkins
Server Operations
UUNET South Africa

From owner-freebsd-security@FreeBSD.ORG Tue Jan 11 17:02:39 2005
Date: Tue, 11 Jan 2005 19:02:27 +0200 (SAST)
From: Gareth Hopkins
To: Marian Hettwer
In-Reply-To: <41E3E6C3.7070801@kernel32.de>
Message-ID: <20050111190043.Y49931@gabba.so.cpt1.za.uu.net>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de>
X-Mailman-Approved-At: Wed, 12 Jan 2005 15:18:44 +0000
cc: freebsd-security@freebsd.org
cc: Jeremie Le Hen
Subject: Re: MIT Kerberos and OpenSSH

On Tue, 11 Jan 2005, Marian Hettwer wrote:

MH>Hej There,
MH>
MH>Jeremie Le Hen wrote:
MH>>
MH>>
MH>> I'm not a buildworld guru,
MH>> but I think that with NO_KERBEROS=yes,
MH>> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
MH>not true at all. NO_KERBEROS=yes says that heimdal kerberos shouldn't be
MH>compiled, AFAIK.
MH>
MH>> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
MH>>
MH>that's the way I would go.
MH>However, you need to make sure that the Ports OpenSSH doesn't interfere with
MH>the Base OpenSSH.

Howdie,

Thanks for the replies. The reason for setting NO_KERBEROS is I do
not want heimdal kerberos built, as I want to use the MIT package.

There must be a way to get the base system openssh to build against
the installed MIT port.

---
Gareth Hopkins
Server Operations
UUNET South Africa

From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 15:33:23 2005
Date: Wed, 12 Jan 2005 10:33:28 -0500
From: Tom Rhodes
To: Gareth Hopkins
Message-ID: <20050112103328.0c6288d3@mobile.pittgoth.com>
In-Reply-To: <20050111190043.Y49931@gabba.so.cpt1.za.uu.net>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de> <20050111190043.Y49931@gabba.so.cpt1.za.uu.net>
X-Mailman-Approved-At: Wed, 12 Jan 2005 15:37:15 +0000
cc: freebsd-security@FreeBSD.org
cc: Jeremie Le Hen
cc: Mark Murray
cc: Marian Hettwer
Subject: Re: MIT Kerberos and OpenSSH

On Tue, 11 Jan 2005 19:02:27 +0200 (SAST)
Gareth Hopkins wrote:

> On Tue, 11 Jan 2005, Marian Hettwer wrote:
>
> MH>Hej There,
> MH>
> MH>Jeremie Le Hen wrote:
> MH>>
> MH>>
> MH>> I'm not a buildworld guru, but I think that with NO_KERBEROS=yes,
> MH>> /usr/bin/sshd(8) will obviously NOT be linked with any krb library.
> MH>not true at all. NO_KERBEROS=yes says that heimdal kerberos shouldn't be
> MH>compiled, AFAIK.
> MH>
> MH>> IMHO, you should build OpenSSH from ports with the KERBEROS=yes knob.
> MH>>
> MH>that's the way I would go.
> MH>However, you need to make sure that the Ports OpenSSH doesn't interfere with
> MH>the Base OpenSSH.
>
> Howdie,
>
> Thanks for the replies. The reason for setting NO_KERBEROS is I do
> not want heimdal kerberos built, as I want to use the MIT package.
>
> There must be a way to get the base system openssh to build against
> the installed MIT port.

Have you asked Mark Murray about this? I think he has worked
with Kerberos in the base system.
--
Tom Rhodes

From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 15:52:56 2005
Date: Wed, 12 Jan 2005 09:53:03 -0600
From: "Jacques A. Vidrine"
To: Tom Rhodes
Message-ID: <20050112155303.GA35406@hellblazer.celabo.org>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de> <20050111190043.Y49931@gabba.so.cpt1.za.uu.net> <20050112103328.0c6288d3@mobile.pittgoth.com>
In-Reply-To: <20050112103328.0c6288d3@mobile.pittgoth.com>
cc: freebsd-security@FreeBSD.org
cc: Jeremie Le Hen
cc: Marian Hettwer
cc: Mark Murray
cc: Gareth Hopkins
Subject: Re: MIT Kerberos and OpenSSH

On Wed, Jan 12, 2005 at 10:33:28AM -0500, Tom Rhodes wrote:
> Have you asked Mark Murray about this? I think he has worked
> with Kerberos in the base system.

He's on the CC: list (^_^)

The short answer is: There is no facility to link the *base system*
OpenSSH with MIT Kerberos. Use the OpenSSH port if you want to do that.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
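Whichever way a build is done, the question "what does this sshd actually link against" is settled by ldd(1). The following is an added example, not code from the thread: a sh/awk check that reads ldd output and reports whether the Kerberos libraries resolve from the base system (/lib and /usr/lib, i.e. Heimdal) or from a port under /usr/local/lib, which is the distinction Jacques draws. The three sample listings are constructed for the example (library version numbers assumed) and modelled on the ldd output quoted earlier in the thread; the classification rests only on the convention that base libraries live under /lib and /usr/lib and ports install under /usr/local.

```shell
#!/bin/sh
# Added example, not from the thread: tell which Kerberos an sshd links.

# krb_linkage < ldd-output
# Reads ldd(1) output on stdin and prints one word:
#   none  - no Kerberos library is linked (the case in the listing above)
#   base  - Kerberos libs resolve from /lib or /usr/lib (base-system Heimdal)
#   port  - Kerberos libs resolve from /usr/local/lib (a port such as MIT krb5)
#   mixed - both at once, which deserves a closer look
krb_linkage() {
    awk '
    # ldd prints "libname.so.N => /path/libname.so.N (0xADDR)"; the first
    # line ("/usr/sbin/sshd:") has no "=>" and is skipped.
    $2 == "=>" && $1 ~ /^lib(krb5|gssapi|k5crypto|asn1|roken|com_err)/ {
        if ($3 ~ /^\/usr\/local\//)                          port = 1
        else if ($3 ~ /^\/lib\// || $3 ~ /^\/usr\/lib\//)    base = 1
    }
    END {
        if (port && base)  print "mixed"
        else if (port)     print "port"
        else if (base)     print "base"
        else               print "none"
    }'
}

# check_sshd PATH
# The same check against a real binary, e.g. check_sshd /usr/sbin/sshd
check_sshd() {
    ldd "$1" | krb_linkage
}

# Constructed sample modelled on the ldd listing quoted in this thread:
# no Kerberos library at all.
sample_no_krb() {
    cat <<'EOF'
/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x28098000)
        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
        libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

# Constructed sample: a base-system sshd linked with Heimdal (versions assumed).
sample_base_krb() {
    cat <<'EOF'
/usr/sbin/sshd:
        libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x28100000)
        libasn1.so.7 => /usr/lib/libasn1.so.7 (0x28140000)
        libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}

# Constructed sample: the ports OpenSSH built against the MIT krb5 port.
sample_port_krb() {
    cat <<'EOF'
/usr/local/sbin/sshd:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28100000)
        libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x28140000)
        libc.so.5 => /lib/libc.so.5 (0x281ff000)
EOF
}
```

Running it against both /usr/sbin/sshd and /usr/local/sbin/sshd after a buildworld plus port install is also the quickest way to catch the interference between base and ports OpenSSH that Marian warns about: the one that rc(8) starts should be the one that reports "port".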
From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 20:25:01 2005
Date: Wed, 12 Jan 2005 15:24:58 -0500
From: Jeff Aitken
To: freebsd-security@FreeBSD.org
Message-ID: <20050112202458.GA4065@eagle.aitken.com>
References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de> <20050111190043.Y49931@gabba.so.cpt1.za.uu.net> <20050112103328.0c6288d3@mobile.pittgoth.com>
In-Reply-To: <20050112103328.0c6288d3@mobile.pittgoth.com>
Subject: Re: MIT Kerberos and OpenSSH

On Wed, Jan 12, 2005 at 10:33:28AM -0500, Tom Rhodes wrote:
> > There must be a way to get the base system openssh to build against
> > the installed MIT port.
>
> Have you asked Mark Murray about this? I think he has worked
> with Kerberos in the base system.

On a related note, when building the krb5 port in FreeBSD-5.3, it
appears that ksu is not installed.
I'm not sure I understand fully why this is the case, but it appears
that the following lines in /usr/ports/security/krb5/Makefile:

    CONFIGURE_ENV=  INSTALL="${INSTALL}" YACC=/usr/bin/yacc \
                    CFLAGS="${CFLAGS}"
    MAKE_ARGS=      INSTALL="${INSTALL}"

clobber the value of INSTALL in several of the generated Makefiles.
This only appears to affect ksu because it is the only one where the
install target references INSTALL_SETUID. After running a 'make' in the
top level, this is what you get in src/clients/Makefile:

    INSTALL=install
    INSTALL_STRIP=
    INSTALL_PROGRAM=install -s -o root -g wheel -m 555 $(INSTALL_STRIP)
    INSTALL_SCRIPT=install -o root -g wheel -m 555
    INSTALL_DATA=install -o root -g wheel -m 444
    INSTALL_SHLIB=@INSTALL_SHLIB@
    INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root

Note that INSTALL_SETUID references INSTALL, which is not defined as I
would expect; I think the correct value should look like this:

    INSTALL=/usr/bin/install -c -o root -g wheel

Most of the other executables that get installed seem to reference
INSTALL_PROGRAM directly.

Also interesting is that src/clients/ksu/Makefile appears to lack a
defined install-unix target. All of the other Makefiles have something
that looks like this:

    install-unix::
            for f in klist; do \
                    $(INSTALL_PROGRAM) $$f \
                            $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
                    $(INSTALL_DATA) $(srcdir)/$$f.M \
                            $(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
            done

I don't know if this is a problem or not.
Anyway, if you remove the CONFIGURE_ENV and MAKE_ARGS definitions in
/usr/ports/security/krb5/Makefile, you get a "correct" Makefile in
src/clients/ksu:

    INSTALL=/usr/bin/install -c -o root -g wheel
    INSTALL_STRIP=
    INSTALL_PROGRAM=install -s -o root -g wheel -m 555 $(INSTALL_STRIP)
    INSTALL_SCRIPT=install -o root -g wheel -m 555
    INSTALL_DATA=install -o root -g wheel -m 444
    INSTALL_SHLIB=@INSTALL_SHLIB@
    INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root

The krb5 Makefiles are a maze of indirection so I'm not sure I have
this figured out, but figured I'd toss it out and see if anyone else
can confirm or deny.

--Jeff
From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 22:10:05 2005
Message-ID: <41609175050112134348eef6a6@mail.gmail.com>
Date: Wed, 12 Jan 2005 13:43:24 -0800
From: Thomas Hardly
To: freebsd-security@freebsd.org
In-Reply-To: <20050108163117.AE9EA2BDEA@mx5.roble.com>
References: <20050108120108.3CAC016A4CF@hub.freebsd.org> <20050108163117.AE9EA2BDEA@mx5.roble.com>
Subject: Re: OSX Intrusion Suspected, Advice Sought

From the sounds of it I don't think you are hacked but there's always a
possibility. Although this list is fairly quiet at times you can try
here:

Mac OS and Mac OS X Security
http://www.macsecurity.org/mailman/listinfo/macsec

Cheers,
Thomas Hardly

On Sat, 8 Jan 2005 08:31:17 -0800 (PST), Roger Marquis wrote:
> JohnG wrote:
> > I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection.
> > I have reason to think my system has been tampered with. Security
> > features in Mac OS X have been left unlocked (Preference Pane - Users)
>
> OSX is substantially different from FreeBSD (even without netinfo)
> despite having some of the same source code. I doubt you'll find
> much OSX expertise among freebsd-security subscribers even if it
> wasn't OT.
>
> Assuming there is no osx-security list or newsgroup your best bet
> would be to contact Apple directly. However, given Apple's
> difficulties issuing patches and all the insecure, desktop-oriented
> changes made to OSX's older FreeBSD base, it's a losing battle
> (IME).
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/

--
..o: It's 12 o'clock - do you know where your data is? :o...
-------------------------------------------------------------------------------------------
Hardening Your Macintosh - http://members.lycos.co.uk/hardapple/
MacSecurity.org - http://www.macsecurity.org
pgp key fingerprint: 0F02 99D5 1D23 E445 22C9 9C90 8F24 FDBA B618 33C4

From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 13:07:02 2005
Date: Thu, 13 Jan 2005 14:06:59 +0100
From: "Simon L. Nielsen"
To: freebsd-security@FreeBSD.org
Message-ID: <20050113130659.GC776@zaphod.nitro.dk>
Subject: Reminder: This list is freebsd-security@FreeBSD.org, not security@FreeBSD.org

Hello

Just a little reminder that the FreeBSD Security list only has the
address freebsd-security@FreeBSD.org, and not security@FreeBSD.org.
The address security@FreeBSD.org is for the FreeBSD Security Team.
If anyone is interested in the reason for this, see this thread from last year: http://docs.freebsd.org/cgi/mid.cgi?20040407154220.GA5651 .

--
Simon L. Nielsen
FreeBSD Security Team

--adJ1OR3c6QgCpb/j Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFB5nJzh9pcDSc1mlERAq5YAKCtemghDkCtB3kFcEYekUkI1pIsOwCffNlL W0m7aCHz+l48ii5CdrWhfmg= =pBn9 -----END PGP SIGNATURE----- --adJ1OR3c6QgCpb/j--

From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 13:27:37 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A6BD16A4CE for ; Thu, 13 Jan 2005 13:27:37 +0000 (GMT) Received: from kathi.vvi.at (kathi.vvi.at [208.252.225.80]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58CAE43D5A for ; Thu, 13 Jan 2005 13:27:37 +0000 (GMT) (envelope-from tech@vvi.at) Received: from [208.252.225.99] ([208.252.225.99]) (authenticated bits=0) by kathi.vvi.at (8.12.10/8.13.1) with ESMTP id j0DDVgN1084854 for ; Thu, 13 Jan 2005 05:31:42 -0800 (PST) (envelope-from tech@vvi.at) User-Agent: Microsoft-Entourage/10.1.6.040913.0 Date: Thu, 13 Jan 2005 05:27:34 -0800 From: vvi tech To: Message-ID: In-Reply-To: <20050113130659.GC776@zaphod.nitro.dk> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Subject: Re: Reminder: This list is freebsd-security@FreeBSD.org, not security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 13:27:37 -0000

I usually lurk here, but I think generally mailing lists should be delegated to a different sub-domain; perhaps something like security@lists.freebsd.org would make fewer errors.

In any case, have a great new year, guys.

Jason de Cordoba

On 1/13/05 05:06, "Simon L. Nielsen" wrote:
> Hello
>
> Just a little reminder that the FreeBSD Security list only has the
> address freebsd-security@FreeBSD.org, and not security@FreeBSD.org.
> The address security@FreeBSD.org is for the FreeBSD Security Team.
>
> If anyone is interested in the reason for this, see this thread from
> last year: http://docs.freebsd.org/cgi/mid.cgi?20040407154220.GA5651 .

From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 14:04:44 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47D1116A4CE; Thu, 13 Jan 2005 14:04:44 +0000 (GMT) Received: from mx01.uunet.co.za (mx01.uunet.co.za [196.31.48.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 52E3643D48; Thu, 13 Jan 2005 14:04:43 +0000 (GMT) (envelope-from gareth@za.uu.net) Received: from [196.30.72.11] (helo=pixproxy.so.cpt1.za.uu.net) by mx01.uunet.co.za with esmtp (Exim 4.34; FreeBSD) id 1Cp5aX-0001jn-3w; Thu, 13 Jan 2005 16:04:41 +0200 Received: from gabba.so.cpt1.za.uu.net (gabba.so.cpt1.za.uu.net [196.30.72.25]) by pixproxy.so.cpt1.za.uu.net (Postfix) with ESMTP id 869D357AC; Thu, 13 Jan 2005 16:04:36 +0200 (SAST) Date: Thu, 13 Jan 2005 16:04:36 +0200 (SAST) From: Gareth Hopkins X-X-Sender: gareth@gabba.so.cpt1.za.uu.net To: "Jacques A.
Vidrine" In-Reply-To: <20050112155303.GA35406@hellblazer.celabo.org> Message-ID: <20050113160249.C71794@gabba.so.cpt1.za.uu.net> References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de> <20050112103328.0c6288d3@mobile.pittgoth.com> <20050112155303.GA35406@hellblazer.celabo.org> X-Cell: +27 82 929 6668 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanner: Scanned By ClamAV X-Spam-Score: -4.9 (----) X-Scan-Signature: bbc9321660c8d71ee37aa53dc7e21ad0 cc: freebsd-security@FreeBSD.org cc: Mark Murray Subject: Re: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 14:04:44 -0000

On Wed, 12 Jan 2005, Jacques A. Vidrine wrote:
JAV>On Wed, Jan 12, 2005 at 10:33:28AM -0500, Tom Rhodes wrote:
JAV>> Have you asked Mark Murray about this? I think he has worked
JAV>> with Kerberos in the base system.
JAV>
JAV>He's on the CC: list (^_^)
JAV>
JAV>
JAV>The short answer is: There is no facility to link the *base system*
JAV>OpenSSH with MIT Kerberos. Use the OpenSSH port if you want to do that.

Howdie,

Would that be the openssh port (3.6.1) or the openssh-portable port (3.9.0.1)?

Looks like I may need to stick with 4.11 if I want to use the full functionality of Kerberos.
--- Gareth Hopkins Server Operations UUNET South Africa From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 14:27:25 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B41BE16A4CF; Thu, 13 Jan 2005 14:27:25 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 378A643D3F; Thu, 13 Jan 2005 14:27:25 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id D84553E2C41; Thu, 13 Jan 2005 08:27:24 -0600 (CST) Received: by lum.celabo.org (Postfix, from userid 1001) id 4DE99561912; Thu, 13 Jan 2005 08:27:24 -0600 (CST) Date: Thu, 13 Jan 2005 08:27:24 -0600 From: "Jacques A. Vidrine" To: Gareth Hopkins Message-ID: <20050113142724.GD7171@lum.celabo.org> Mail-Followup-To: "Jacques A. 
Vidrine" , Gareth Hopkins , freebsd-security@FreeBSD.org, Mark Murray References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de> <20050111190043.Y49931@gabba.so.cpt1.za.uu.net> <20050112103328.0c6288d3@mobile.pittgoth.com> <20050112155303.GA35406@hellblazer.celabo.org> <20050113160249.C71794@gabba.so.cpt1.za.uu.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050113160249.C71794@gabba.so.cpt1.za.uu.net> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-security@FreeBSD.org cc: Mark Murray Subject: Re: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 14:27:25 -0000 On Thu, Jan 13, 2005 at 04:04:36PM +0200, Gareth Hopkins wrote: > Howdie, > > Would that be the openssh port (3.6.1) or the openssh-portable port (3.9.0.1) openssh-portable. > Looks like I may need to stick with 4.11 if I want to use the full functionality > of kerberos. Huh? 
-- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org From owner-freebsd-security@FreeBSD.ORG Wed Jan 12 16:00:29 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE79116A4CE; Wed, 12 Jan 2005 16:00:29 +0000 (GMT) Received: from pittgoth.com (14.zlnp1.xdsl.nauticom.net [209.195.149.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id 697CD43D55; Wed, 12 Jan 2005 16:00:29 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from mobile.pittgoth.com (64-144-75-100.client.dsl.net [64.144.75.100]) (authenticated bits=0) by pittgoth.com (8.12.10/8.12.10) with ESMTP id j0CG0Roa059048 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 12 Jan 2005 11:00:28 -0500 (EST) (envelope-from trhodes@FreeBSD.org) Date: Wed, 12 Jan 2005 11:00:32 -0500 From: Tom Rhodes To: "Jacques A. Vidrine" Message-ID: <20050112110032.0dc5a82e@mobile.pittgoth.com> In-Reply-To: <20050112155303.GA35406@hellblazer.celabo.org> References: <20050110190814.J49931@gabba.so.cpt1.za.uu.net> <41E3E6C3.7070801@kernel32.de> <20050111190043.Y49931@gabba.so.cpt1.za.uu.net> <20050112103328.0c6288d3@mobile.pittgoth.com> <20050112155303.GA35406@hellblazer.celabo.org> X-Mailer: Sylpheed-Claws 0.9.13 (GTK+ 1.2.10; i386-portbld-freebsd5.3) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 13 Jan 2005 15:29:46 +0000 cc: freebsd-security@FreeBSD.org cc: Jeremie Le Hen cc: Marian Hettwer cc: Mark Murray cc: Gareth Hopkins Subject: Re: MIT Kerberos and OpenSSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Jan 2005 16:00:29 -0000 On Wed, 12 Jan 2005 09:53:03 -0600 "Jacques A. 
Vidrine" wrote: > On Wed, Jan 12, 2005 at 10:33:28AM -0500, Tom Rhodes wrote: > > Have you asked Mark Murray about this? I think he has worked > > with Kerberos in the base system. > > He's on the CC: list (^_^) I know, I added him. :) > > > The short answer is: There is no facility to link the *base system* > OpenSSH with MIT Kerberos. Use the OpenSSH port if you want to do that. Guess that will have to work then. -- Tom Rhodes From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 05:08:59 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 11E6C16A4CE for ; Thu, 13 Jan 2005 05:08:59 +0000 (GMT) Received: from main.uucpssh.org (main.uucpssh.org [212.27.33.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7506643D2D for ; Thu, 13 Jan 2005 05:08:58 +0000 (GMT) (envelope-from dan@specialk.af0.net) Received: from localhost (localhost [127.0.0.1]) by main.uucpssh.org (Postfix) with ESMTP id 2E52C6C9C0; Thu, 13 Jan 2005 06:08:57 +0100 (CET) Received: by main.uucpssh.org (Postfix, from userid 10) id 5732D6C9C7; Thu, 13 Jan 2005 06:08:54 +0100 (CET) Received: by specialk.af0.net (Postfix, from userid 1000) id EE19D920E8A; Thu, 13 Jan 2005 00:03:13 -0500 (EST) Date: Thu, 13 Jan 2005 00:03:13 -0500 From: Dan Margolis To: JohnG Message-ID: <20050113050313.GB3475@specialk> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.6i X-Mailman-Approved-At: Thu, 13 Jan 2005 15:29:46 +0000 cc: FreeBSD-security@freebsd.org Subject: Re: Intrusion Suspected, Advice Sought X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 05:08:59 -0000 On Thu, Jan 06, 2005 at 08:29:20PM -0800, JohnG wrote: > I've 
worked on this machine for about 17
> months, and I know its rhythms and what should be what.

It doesn't sound like you have a lot of evidence for a deliberate intrusion versus a system anomaly, but let's entertain the notion for a bit.

- The most likely attack vectors are not remote active attacks--you are, after all, firewalled and not running any listening services, right?--but rather a variety of passive attacks: trojans, Web-based attacks, etc. As in the case of the telnet://, disk://, help://, etc. URI handler vulnerabilities, it is possible for a malicious Website to execute arbitrary code when you visit it.

- If an attacker wanted to preserve access, he'd almost certainly install a backdoor. There are certainly ways to install a network backdoor on a machine that doesn't have remote access facilities without adding an obvious listening service, but since you're behind a firewall, it's hard to imagine this happening, especially for a relatively low-value target as your desktop PC (unless you're not telling us something about your day job--are you a narc or something? ;)

In other words, the likely scenario here is a passive attack as the initial intrusion, with a very sneaky backdoor as the follow up. It's hard to imagine this combination; why go to such trouble for a target likely to be 5% of your hits (unless you're a Mac site or something), a large chunk of which won't be vulnerable anyway? It just strikes me as improbable.

Anyway, to regain confidence, your best bet would indeed be a reinstall, but your primary concern (barring buffer overflows via specially crafted documents, etc.) should be executables. If you do an archive reinstall and replace all your third party apps, you'll replace all those without losing your documents, and you're most likely pretty safe.

Another proactive approach is to use something like Samhain, AIDE, or Tripwire--a Host-based Intrusion Detection System. They should work as well on OSX as they do on FreeBSD.
Sorry for the off topic thread, folks. But I was hoping I could be of a little bit of service. -- Dan From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 18:32:42 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF8E116A4CE for ; Thu, 13 Jan 2005 18:32:42 +0000 (GMT) Received: from omoikane.mb.skyweb.ca (64-42-246-34.mb.skyweb.ca [64.42.246.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6EC7943D1F for ; Thu, 13 Jan 2005 18:32:42 +0000 (GMT) (envelope-from mark@skyweb.ca) Received: by omoikane.mb.skyweb.ca (Postfix, from userid 1001) id CE85561D9D; Thu, 13 Jan 2005 12:32:44 -0600 (CST) From: Mark Johnston To: freebsd-security@freebsd.org Date: Thu, 13 Jan 2005 12:32:44 -0600 User-Agent: KMail/1.6.1 MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Message-Id: <200501131232.44441.mjohnston@skyweb.ca> Subject: Aggregating logs from numerous FreeBSD machines X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 18:32:42 -0000 Hi folks, My stack of trusty FreeBSD servers always seems to be growing, and it's getting to the point where the daily and security output mail is too much to make good use of. I'm looking for suggestions for log monitoring and aggregation tools, especially from a monitoring-for-security perspective. If I had to imagine an ideal system, it would be a central server that securely collects syslog messages from all my servers, indexes them by server and severity, and gives a reasonable management interface. Given expressions based on facility, severity, log message, and the like, it could throw away useless messages, or page me for critical ones. 
This would tie into AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different flavors of IDS. It could even warn me when processes run away with the CPU or RAM, or disks get too full. I've found a variety of things that almost do this. Nagios is good at paging for service failures, disk full warnings, and that sort of thing, but it doesn't seem well-suited for aggregating log messages. The Prelude IDS seems to have some kind of console, as does Samhain, but I want to try to avoid having different interfaces for each service type. I realize this is something that could be had using IPSec-protected remote logging with some greps and interface stuff bolted on, but if there's a ready-made tool, it'd save me a fair bit of implementation time. What kind of things are other security-minded admins using to stay on top of all the logs? Thanks, Mark From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 18:44:27 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BBB8D16A4CE for ; Thu, 13 Jan 2005 18:44:27 +0000 (GMT) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D91E43D60 for ; Thu, 13 Jan 2005 18:44:27 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from [192.168.1.3] (pool-68-160-208-232.ny325.east.verizon.net [68.160.208.232]) by pi.codefab.com (8.12.11/8.12.11) with ESMTP id j0DIiLYf044496 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 13 Jan 2005 13:44:23 -0500 (EST) Message-ID: <41E6C15C.4030907@mac.com> Date: Thu, 13 Jan 2005 13:43:40 -0500 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041217 X-Accept-Language: en-us, en MIME-Version: 1.0 Followup-To: freebsd-questions@freebsd.org To: Mark Johnston References: <200501131232.44441.mjohnston@skyweb.ca> In-Reply-To: 
<200501131232.44441.mjohnston@skyweb.ca> X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=1.8 required=5.5 tests=AWL,RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on pi.codefab.com cc: freebsd-security@freebsd.org Subject: Re: Aggregating logs from numerous FreeBSD machines X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 18:44:27 -0000 Mark Johnston wrote: > If I had to imagine an ideal system, it would be a central server that > securely collects syslog messages from all my servers, indexes them by server > and severity, and gives a reasonable management interface. Given expressions > based on facility, severity, log message, and the like, it could throw away > useless messages, or page me for critical ones. This would tie into > AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different > flavors of IDS. It could even warn me when processes run away with the CPU > or RAM, or disks get too full. Consider Big Brother from www.bb4.com. It monitors processes, ports, disk space, load average, looks for interesting stuff in the system logfile, and has a central web-based dashboard with historical logs. [ Slightly off-topic for freebsd-security, moving to -questions. 
] -- -Chuck

From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 18:54:33 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8A8316A4CE for ; Thu, 13 Jan 2005 18:54:33 +0000 (GMT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id EFE4743D45 for ; Thu, 13 Jan 2005 18:54:32 +0000 (GMT) (envelope-from anderson@centtech.com) Received: from [10.177.171.220] (neutrino.centtech.com [10.177.171.220]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id j0DIsVOJ025205; Thu, 13 Jan 2005 12:54:31 -0600 (CST) (envelope-from anderson@centtech.com) Message-ID: <41E6C3DE.3080709@centtech.com> Date: Thu, 13 Jan 2005 12:54:22 -0600 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.3) Gecko/20041110 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Mark Johnston References: <200501131232.44441.mjohnston@skyweb.ca> In-Reply-To: <200501131232.44441.mjohnston@skyweb.ca> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: Aggregating logs from numerous FreeBSD machines X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 18:54:33 -0000

Mark Johnston wrote:
> Hi folks,
>
> My stack of trusty FreeBSD servers always seems to be growing, and it's
> getting to the point where the daily and security output mail is too much to
> make good use of. I'm looking for suggestions for log monitoring and
> aggregation tools, especially from a monitoring-for-security perspective.

A project started about a year ago to do just this. Dig in the archives of the freebsd mailing lists for it.
Eric -- ------------------------------------------------------------------------ Eric Anderson Sr. Systems Administrator Centaur Technology I have seen the future and it is just like the present, only longer. ------------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 20:02:58 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4965316A4CE for ; Thu, 13 Jan 2005 20:02:58 +0000 (GMT) Received: from no-such-agency.net (eschelon.no-such-agency.net [216.93.183.141]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC55343D48 for ; Thu, 13 Jan 2005 20:02:55 +0000 (GMT) (envelope-from jpp@cloudview.com) Received: from eschelon.no-such-agency.net (localhost [127.0.0.1]) by guardian (Postfix) with SMTP id 282141732B7 for ; Thu, 13 Jan 2005 12:02:55 -0800 (PST) Received: from no-such-agency.net ([216.93.183.141]) by eschelon.no-such-agency.net ([216.93.183.141]) with SMTP (gateway) id A05CFA17F1C; Thu, 13 Jan 2005 12:02:55 -0800 Received: from [192.168.2.120] (blackhole.no-such-agency.net [64.142.103.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by no-such-agency.net (Postfix) with ESMTP id E63A31732B7 for ; Thu, 13 Jan 2005 12:02:54 -0800 (PST) Message-ID: <41E6D3EE.5090205@cloudview.com> Date: Thu, 13 Jan 2005 12:02:54 -0800 From: John Pettitt Organization: CloudView Photographic User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Listening outside ipfw / program interface to ipfw X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 20:02:58 -0000

Hi,

Two quick questions that I can't seem to find answers for using google.

1) Is it possible to listen outside an ipfw firewall - that is, have ethereal record the packets before ipfw starts dropping them? If so, how?

2) Is there an API to ipfw that will let me manipulate rules, query stats etc.? I need something faster than running the command line binary.

Thanks

John

From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 22:19:53 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A8B216A4CE for ; Thu, 13 Jan 2005 22:19:53 +0000 (GMT) Received: from postfix3-1.free.fr (postfix3-1.free.fr [213.228.0.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCF6143D3F for ; Thu, 13 Jan 2005 22:19:52 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix3-1.free.fr (Postfix) with ESMTP id 0F6951734D2; Thu, 13 Jan 2005 23:19:51 +0100 (CET) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 9124B40B9; Thu, 13 Jan 2005 23:19:47 +0100 (CET) Date: Thu, 13 Jan 2005 23:19:47 +0100 From: Jeremie Le Hen To: John Pettitt Message-ID: <20050113221947.GC46977@obiwan.tataz.chchile.org> References: <41E6D3EE.5090205@cloudview.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <41E6D3EE.5090205@cloudview.com> User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: Listening outside ipfw / program interface to ipfw X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 22:19:53 -0000

> Hi,
> Two quick questions that I can't seem to
find answers for using google. > > 1) is is possible to listen outside an ipfw firewall - that is have > ethereal record the packets before ipfw starts dropping them? If so how? tcpdump(8) uses the bpf(4) device and the latter will always see a packet reaching the box whether a packet filter will drop it or not. > 2) Is there an api to ipfw that will let me manipulate rules, query > stats etc? I need something faster than running the command line binary? Yes, you should look at the ``SEE ALSO'' section in ipfw(8) manual page. ipfirewall(4) is what you are looking for, but looking at ipfw(8) source code might help too. Regards, -- Jeremie Le Hen jeremie@le-hen.org From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 00:52:37 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3706816A4CE for ; Fri, 14 Jan 2005 00:52:37 +0000 (GMT) Received: from main.gmane.org (main.gmane.org [80.91.229.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5244843D45 for ; Fri, 14 Jan 2005 00:52:36 +0000 (GMT) (envelope-from freebsd-security@m.gmane.org) Received: from root by main.gmane.org with local (Exim 3.35 #1 (Debian)) id 1CpFha-0005bk-00 for ; Fri, 14 Jan 2005 01:52:34 +0100 Received: from gray.impulse.net ([207.154.64.174]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 14 Jan 2005 01:52:34 +0100 Received: from ted by gray.impulse.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 14 Jan 2005 01:52:34 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-security@freebsd.org From: Ted Cabeen Date: Thu, 13 Jan 2005 16:39:11 -0800 Lines: 40 Message-ID: <87wtug26a8.fsf@gray.impulse.net> References: <200501131232.44441.mjohnston@skyweb.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Complaints-To: usenet@sea.gmane.org X-Gmane-NNTP-Posting-Host: gray.impulse.net User-Agent: Gnus/5.1006 (Gnus 
v5.10.6) XEmacs/21.4 (Security Through Obscurity, berkeley-unix) Cancel-Lock: sha1:rys+0O6jxZGAl06N1tH4aD6EKrc= Sender: news Subject: Re: Aggregating logs from numerous FreeBSD machines X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2005 00:52:37 -0000 Mark Johnston writes: > Hi folks, > > My stack of trusty FreeBSD servers always seems to be growing, and it's > getting to the point where the daily and security output mail is too much to > make good use of. I'm looking for suggestions for log monitoring and > aggregation tools, especially from a monitoring-for-security perspective. > > If I had to imagine an ideal system, it would be a central server that > securely collects syslog messages from all my servers, indexes them by server > and severity, and gives a reasonable management interface. Given expressions > based on facility, severity, log message, and the like, it could throw away > useless messages, or page me for critical ones. This would tie into > AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different > flavors of IDS. It could even warn me when processes run away with the CPU > or RAM, or disks get too full. > > I've found a variety of things that almost do this. Nagios is good at paging > for service failures, disk full warnings, and that sort of thing, but it > doesn't seem well-suited for aggregating log messages. The Prelude IDS seems > to have some kind of console, as does Samhain, but I want to try to avoid > having different interfaces for each service type. > > I realize this is something that could be had using IPSec-protected remote > logging with some greps and interface stuff bolted on, but if there's a > ready-made tool, it'd save me a fair bit of implementation time. 
> What kind
> of things are other security-minded admins using to stay on top of all the
> logs?

syslog-ng is useful for separating incoming log entries by server, facility and priority. I'd start with that. You could then use something like logwatch or logcheck to mail you or trigger a nagios warning on strange log lines.

--
Ted Cabeen http://www.pobox.com/~secabeen ted@cabeen.org
Check Website or Keyserver for PGP/GPG Key BA0349D2 ted@impulse.net
"I have taken all knowledge to be my province." -F. Bacon secabeen@pobox.com
"Human kind cannot bear very much reality."-T.S.Eliot secabeen@gmail.com

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 01:43:50 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D4C916A4CE for ; Fri, 14 Jan 2005 01:43:50 +0000 (GMT) Received: from kathi.vvi.at (kathi.vvi.at [208.252.225.80]) by mx1.FreeBSD.org (Postfix) with ESMTP id D86A543D69 for ; Fri, 14 Jan 2005 01:43:49 +0000 (GMT) (envelope-from tech@vvi.at) Received: from [208.252.225.99] ([208.252.225.99]) (authenticated bits=0) by kathi.vvi.at (8.12.10/8.13.1) with ESMTP id j0E1lvN1089515 for ; Thu, 13 Jan 2005 17:47:58 -0800 (PST) (envelope-from tech@vvi.at) User-Agent: Microsoft-Entourage/10.1.6.040913.0 Date: Thu, 13 Jan 2005 17:43:47 -0800 From: vvi tech To: Message-ID: Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Subject: Equilivant for a sshchroot file? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2005 01:43:50 -0000

Hey guys, I really have made use of the ftpchroot file in /etc, but I wonder why there is no equivalent of that for ssh and telnet accounts?
Basically simply limiting traversing the file system to specific shell users root. Regards, Jason From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 01:51:39 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1510E16A4CE for ; Fri, 14 Jan 2005 01:51:39 +0000 (GMT) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id C26AA43D58 for ; Fri, 14 Jan 2005 01:51:38 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.13.0/8.13.0) with ESMTP id j0E1smcj005014; Thu, 13 Jan 2005 17:54:48 -0800 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.13.0/8.13.0/Submit) id j0E1smtD005013; Thu, 13 Jan 2005 17:54:48 -0800 Date: Thu, 13 Jan 2005 17:54:47 -0800 From: Brooks Davis To: vvi tech Message-ID: <20050114015447.GA4695@odin.ac.hmc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-Virus-Scanned: by amavisd-new X-Spam-Status: No, hits=0.0 required=8.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on odin.ac.hmc.edu cc: freebsd-security@freebsd.org Subject: Re: Equilivant for a sshchroot file? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2005 01:51:39 -0000 --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Jan 13, 2005 at 05:43:47PM -0800, vvi tech wrote:
> Hey guys I really have made use of the ftpchroot file in /etc but I wonder
> why is there no equivalent of that for ssh and telnet accounts? Basically
> simply limiting traversing the file system to specific shell users root.

It's a vastly different problem. With ftp, all you need to do is keep the daemon and possibly a few external programs working. With ssh or telnet, there's little point unless you can keep a set of applications working. There are chroot patches for ssh available. Alternatively, you can use jail(8) to separate processes from each other.

One (Debian-specific) writeup on chrooted ssh:

http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 07:54:47 2005
From: Stanley Hopcroft
To: freebsd-security@freebsd.org
Date: Fri, 14 Jan 2005 18:54:37 +1100
Message-ID: <20050114075435.GA239@IPAustralia.Gov.AU>
In-Reply-To: <87wtug26a8.fsf@gray.impulse.net>
Subject: Re: Aggregating logs from numerous FreeBSD machines

Dear Folks,

On Thu, Jan 13, 2005 at 04:39:11PM -0800, Ted Cabeen wrote:
> Mark Johnston writes:
>
> > Hi folks,
> >
> > My stack of trusty FreeBSD servers always seems to be growing, and it's
> > getting to the point where the daily and security output mail is too much to
> > make good use of. I'm looking for suggestions for log monitoring and
> > aggregation tools, especially from a monitoring-for-security perspective.
>
> .. snip ..
>
> syslog-ng is useful for separating incoming log entries by server,
> facility and priority. I'd start with that. You could then use
> something like logwatch or logcheck to mail you or trigger a nagios
> warning on strange log lines.

A helpful way of looking at the problem may be:

1. Data collection/aggregation. Log forwarding is the way to go for
collecting all events (there is free code to forward events from MS event
logs to syslog [these are Win binaries]). Mr Cabeen's suggestion of using
the better classification of syslog-ng sounds very helpful on the host that
is collecting the syslog'd events.

2. Event correlation and/or filtering. Programs like logsurfer and swatch
can be used to react to stimuli in the event stream (i.e. the logs being
tailed) and react by forking shell scripts, mailing, highlighting the
message on a viewer etc.

The SourceForge project SEC can analyse multiple log files (the number is
probably limited by the resources of your analysis/logging host) and do the
above + process events (i.e. messages that occur with a particular time
sequence, e.g. within an interval of one another, or after a message ...).
SEC also does useful things such as compression (i.e. many stimuli, one
response). Actively developed. Junk-free mail list. Mr John Rouillard gave a
paper on SEC at the last LISA conference (Boston?).

SEC, like Swatch, is a Perl application and the rules can use arbitrary
in-line Perl code. People use it for lots of things including real time
Snort log analysis.

Lastly, I am not sure if the name is a conscious pun, but SEC is absolutely
completely unrelated to the Tivoli TEC product. If you appreciate TEC's
capabilities you'll do more with SEC and have more fun (unless you happen to
love Prolog and rules based processing).

Yours sincerely.

-- 
Stanley Hopcroft
IP Australia
Ph: (02) 6283 3189 Fax: (02) 6281 1353
PO Box 200 Woden ACT 2606
http://www.ipaustralia.gov.au
From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 09:08:12 2005
From: Rumen Telbizov
Organization: E-Card Ltd.
To: Jeremie Le Hen
Cc: freebsd-security@freebsd.org, John Pettitt
Date: Fri, 14 Jan 2005 11:07:22 +0200
Message-ID: <41E78BCA.2080903@e-card.bg>
In-Reply-To: <20050113221947.GC46977@obiwan.tataz.chchile.org>
Subject: Re: Listening outside ipfw / program interface to ipfw

Hi

Jeremie Le Hen wrote:
>> 2) Is there an api to ipfw that will let me manipulate rules, query
>> stats etc? I need something faster than running the command line binary?
>
> Yes, you should look at the ``SEE ALSO'' section in ipfw(8) manual page.
> ipfirewall(4) is what you are looking for, but looking at ipfw(8)
> source code might help too.

On what version of FreeBSD are you looking at the ipfirewall(4) man page?

Recently I needed the C API to ipfw, but it turns out that the
ipfirewall(4) man page no longer describes it. This is on 5.3-STABLE and
4.10-STABLE. I also searched in Google and I think I found a post saying
that currently the only way to manipulate/use firewall rules is via the
ipfw(8) command.

If someone can provide me a reference to the C API of ipfw I will be
thankful.

Rumen Telbizov

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 09:32:59 2005
From: Bruce M Simpson
To: Rumen Telbizov
Cc: freebsd-security@freebsd.org, John Pettitt, Jeremie Le Hen
Date: Fri, 14 Jan 2005 09:33:17 +0000
Message-ID: <20050114093317.GB57985@empiric.icir.org>
In-Reply-To: <41E78BCA.2080903@e-card.bg>
Subject: Re: Listening outside ipfw / program interface to ipfw

On Fri, Jan 14, 2005 at 11:07:22AM +0200, Rumen Telbizov wrote:
> If someone can provide me a reference to the C API
> of ipfw I will be thankful.

There isn't an ipfw API as such. Look at XORP, xorp/fea/pa_backend_ipfw2.cc.

BMS

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 13:28:07 2005
From: dima <_pppp@mail.ru>
To: altares@e-card.bg
Cc: freebsd-security@freebsd.org
Date: Fri, 14 Jan 2005 16:28:05 +0300
In-Reply-To: <41E78BCA.2080903@e-card.bg>
Subject: Re[2]: Listening outside ipfw / program interface to ipfw

> >> 2) Is there an api to ipfw that will let me manipulate rules, query
> >> stats etc? I need something faster than running the command line binary?
> > Yes, you should look at the ``SEE ALSO'' section in ipfw(8) manual page.
> > ipfirewall(4) is what you are looking for, but looking at ipfw(8)
> > source code might help too.
> On what version of FreeBSD are you looking at the
> ipfirewall(4) man page?
>
> Recently I needed the C API to ipfw, but it
> turns out that the ipfirewall(4) man page no longer
> describes it. This is on 5.3-STABLE and 4.10-STABLE.
> I also searched in Google and I think I found
> a post saying that currently the only way to manipulate/use
> firewall rules is via the ipfw(8) command.
>
> If someone can provide me a reference to the C API
> of ipfw I will be thankful.

C API for ipfw(8) is getsockopt() & setsockopt(); see
/usr/src/sbin/ipfw/ipfw2.c for details. The optname in your software would
look like IP_FW_GET, IP_FW_ADD etc.
From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 09:17:09 2005
From: Vladimir Terziev
Organization: SunFish Ltd., Sofia
To: altares@e-card.bg
Cc: freebsd-security@freebsd.org, jpp@cloudview.com, jeremie@le-hen.org
Date: Fri, 14 Jan 2005 11:17:05 +0200
Message-ID: <20050114111705.38c8f955.vlady@sun-fish.com>
In-Reply-To: <41E78BCA.2080903@e-card.bg>
Subject: Re: Listening outside ipfw / program interface to ipfw

I have an old FreeBSD 4.3 and the man page of ipfirewall(4) describes the
C API for manipulation of IP filtering rules. I'm not sure the C API
interface in 4.10 is still the same as in 4.3, but I suggest you try.
Just find the man page from somewhere.

Vladimir

On Fri, 14 Jan 2005 11:07:22 +0200
Rumen Telbizov wrote:

>
> Hi
>
> Jeremie Le Hen wrote:
> >> 2) Is there an api to ipfw that will let me manipulate rules, query
> >> stats etc? I need something faster than running the command line binary?
> >
> > Yes, you should look at the ``SEE ALSO'' section in ipfw(8) manual page.
> > ipfirewall(4) is what you are looking for, but looking at ipfw(8)
> > source code might help too.
>
> On what version of FreeBSD are you looking at the
> ipfirewall(4) man page?
>
> Recently I needed the C API to ipfw, but it
> turns out that the ipfirewall(4) man page no longer
> describes it. This is on 5.3-STABLE and 4.10-STABLE.
> I also searched in Google and I think I found
> a post saying that currently the only way to manipulate/use
> firewall rules is via the ipfw(8) command.
>
> If someone can provide me a reference to the C API
> of ipfw I will be thankful.
>
> Rumen Telbizov

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 09:54:46 2005
From: Andriy Gapon
To: freebsd-security@freebsd.org
Date: Fri, 14 Jan 2005 11:54:36 +0200
Message-ID: <41E796DC.2090102@icyb.net.ua>
Subject: debugging encrypted part of isakmp

Are there any tools to decode the encrypted part of isakmp, provided that
the identities of both peers are known to me and that I am able to observe
the whole exchange?
-- 
Andriy Gapon

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 13:50:05 2005
From: Bill Moran
Organization: Potential Technologies
To: Vladimir Terziev
Cc: freebsd-security@freebsd.org, jeremie@le-hen.org
Date: Fri, 14 Jan 2005 08:50:00 -0500
Message-ID: <20050114085000.37369544.wmoran@potentialtech.com>
In-Reply-To: <20050114111705.38c8f955.vlady@sun-fish.com>
Subject: Re: Listening outside ipfw / program interface to ipfw

Vladimir Terziev wrote:
>
> I have an old FreeBSD 4.3 and the man page of ipfirewall(4)
> describes the C API for manipulation of IP filtering rules. I'm not
> sure the C API interface in 4.10 is still the same as in 4.3, but I
> suggest you try. Just find the man page from somewhere.

http://www.freebsd.org/cgi/man.cgi?query=ipfirewall&apropos=0&sektion=4&manpath=FreeBSD+4.3-RELEASE&format=html

The www site archives all versions of man pages.

> Vladimir
>
> On Fri, 14 Jan 2005 11:07:22 +0200
> Rumen Telbizov wrote:
>
> >
> > Hi
> >
> > Jeremie Le Hen wrote:
> > >> 2) Is there an api to ipfw that will let me manipulate rules, query
> > >> stats etc? I need something faster than running the command line binary?
> > >
> > > Yes, you should look at the ``SEE ALSO'' section in ipfw(8) manual page.
> > > ipfirewall(4) is what you are looking for, but looking at ipfw(8)
> > > source code might help too.
> >
> > On what version of FreeBSD are you looking at the
> > ipfirewall(4) man page?
> >
> > Recently I needed the C API to ipfw, but it
> > turns out that the ipfirewall(4) man page no longer
> > describes it. This is on 5.3-STABLE and 4.10-STABLE.
> > I also searched in Google and I think I found
> > a post saying that currently the only way to manipulate/use
> > firewall rules is via the ipfw(8) command.
> >
> > If someone can provide me a reference to the C API
> > of ipfw I will be thankful.
> >
> > Rumen Telbizov

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 14:07:06 2005
From: Bruce M Simpson
To: Andriy Gapon
Cc: freebsd-security@freebsd.org
Date: Fri, 14 Jan 2005 14:07:09 +0000
Message-ID: <20050114140709.GD57985@empiric.icir.org>
In-Reply-To: <41E796DC.2090102@icyb.net.ua>
Subject: Re: debugging encrypted part of isakmp

On Fri, Jan 14, 2005 at 11:54:36AM +0200, Andriy Gapon wrote:
> Are there any tools to decode encrypted part of isakmp provided that
> identities of both peers are known to me and that I am able to observe
> the whole exchange ?

man 8 isakmpd:

%%%
     -L      Enable IKE packet capture.  When this option is given, isakmpd
             will capture to file an unencrypted copy of the negotiation pack-
             ets it is sending and receiveing.  This file can later be read by
             tcpdump(8) and other utilities using pcap(3).
%%%

Regards,
BMS

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 15:21:59 2005
From: Bruce M Simpson
To: Andriy Gapon
Cc: freebsd-security@freebsd.org
Date: Fri, 14 Jan 2005 15:22:22 +0000
Message-ID: <20050114152222.GG57985@empiric.icir.org>
In-Reply-To: <41E7DAC3.3050707@icyb.net.ua>
Subject: Re: debugging encrypted part of isakmp

On Fri, Jan 14, 2005 at 04:44:19PM +0200, Andriy Gapon wrote:
> So, I am looking for the easiest way to decrypt isakmp packets using
> both packet data and information like pre-shared keys, certificates etc.

There's probably not a lot that you can do here, short of turning on all
the debugging switches you can find for the opaque IKE implementation
you're dealing with; unless the isakmp decoder in tcpdump were modified to
accept keying material. We already do this for AH, ESP, TCP-MD5 but not IKE
itself as that's a non-trivial task.
Regards,
BMS

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 15:30:35 2005
From: Jeff Quast
To: JohnG
Cc: FreeBSD-security@freebsd.org
Date: Fri, 14 Jan 2005 10:30:34 -0500
Subject: Re: Intrusion Suspected, Advice Sought

On Thu, 6 Jan 2005 20:29:20 -0800, JohnG wrote:
> I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection.
> I have reason to think my system has been tampered with. Security
> features in Mac OS X have been left unlocked (Preference Pane - Users)
> even though a master lock has always been set in the Security
> Preference Pane. This locks all other important preference panes which
> could be tampered with. Also permissions have been reset at every boot
> in my working directory. I've worked on this machine for about 17
> months, and I know its rhythms and what should be what. The permissions
> problem is persistent and new. I do not think I am being paranoid or
> alarmist. I have always had a NAT router, commercial firewall, and
> virus protection.
>
> The only thing I can think of is a hidden *nix program from a
> downloaded program (shareware/freeware) (I have scanned all packages
> for viruses). I am almost positive it did not come via e-mail. I say
> almost because I have been receiving odd e-mails that are totally blank
> and have no information I can find. Conceivably, it could have been a
> hacker. If so, that person was very skillful in getting in and only
> left small traces of poking around.
>
> I assume your advice will be to do a clean re-install of both system
> and programs. My question is how do I re-import the data from full
> backup (probably also containing whatever it is) without further
> jeopardizing my system? Any other advice, tips, or pointers to FreeBSD
> programs I could run on Mac would be greatly appreciated.
>
> John Scherb

Try the tools lsof and netstat to examine all open files and sockets for
anything suspicious.

However, I too have had subtle permission problems with Mac OSX, and I too
do not think there is any real reason for concern.

-- 
:wq!
From owner-freebsd-security@FreeBSD.ORG Sat Jan 15 11:47:19 2005
From: Jeremie Le Hen
To: Bill Moran
Cc: Vladimir Terziev, freebsd-security@freebsd.org, jeremie@le-hen.org
Date: Sat, 15 Jan 2005 12:47:09 +0100
Message-ID: <20050115114709.GB18414@obiwan.tataz.chchile.org>
In-Reply-To: <20050114085000.37369544.wmoran@potentialtech.com>
Subject: Re: Listening outside ipfw / program interface to ipfw

On Fri, Jan 14, 2005 at 08:50:00AM -0500, Bill Moran wrote:
> Vladimir Terziev wrote:
> >
> > I have an old FreeBSD 4.3 and the man page of ipfirewall(4)
> > describes the C API for manipulation of IP filtering rules. I'm not
> > sure the C API interface in 4.10 is still the same as in 4.3, but I
> > suggest you try. Just find the man page from somewhere.
>
> http://www.freebsd.org/cgi/man.cgi?query=ipfirewall&apropos=0&sektion=4&manpath=FreeBSD+4.3-RELEASE&format=html

Note that this stale manual page must be used carefully. There must be
serious reasons to remove the whole content of a manual page in a system
such as FreeBSD. The last commit in the RELENG_4 branch by luigi [1]
removes most of the content with the following commit log:

<<
MFC: Remove stale information from these two manpages, and point the
readers to the one up-to-date page which is ipfw(8).
>>

Regards,

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/share/man/man4/ipfirewall.4?only_with_tag=RELENG_4

-- 
Jeremie Le Hen
jeremie@le-hen.org

From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 14:44:24 2005
From: Andriy Gapon
To: Bruce M Simpson
Cc: freebsd-security@freebsd.org
Date: Fri, 14 Jan 2005 16:44:19 +0200
Message-ID: <41E7DAC3.3050707@icyb.net.ua>
In-Reply-To: <20050114140709.GD57985@empiric.icir.org>
Subject: Re: debugging encrypted part of isakmp

on 14.01.2005 16:07 Bruce M Simpson said the following:
> On Fri, Jan 14, 2005 at 11:54:36AM +0200, Andriy Gapon wrote:
> man 8 isakmpd:
>
> %%%
>      -L      Enable IKE packet capture.  When this option is given, isakmpd
>              will capture to file an unencrypted copy of the negotiation pack-
>              ets it is sending and receiveing.  This file can later be read by
>              tcpdump(8) and other utilities using pcap(3).
> %%%
>

The problem is it is not isakmpd. Here's more information: I am trying to
reverse-engineer an asymmetric xauth/mode cfg exchange between a
third-party VPN/ipsec client and server. I know all configuration
parameters for both, but I don't have any access to the internal workings.
At this point, I also have too little information to successfully emulate
either side, but I know what phase 1 mode they use and what key material
they have.

So, I am looking for the easiest way to decrypt isakmp packets using both
packet data and information like pre-shared keys, certificates etc.
-- Andriy Gapon From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 15:53:09 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 20F3C16A4CE for ; Fri, 14 Jan 2005 15:53:09 +0000 (GMT) Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5E94F43D1F for ; Fri, 14 Jan 2005 15:53:07 +0000 (GMT) (envelope-from avg@icyb.net.ua) Received: from [212.40.38.87] (oddity.topspin.kiev.ua [212.40.38.87]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id RAA21057; Fri, 14 Jan 2005 17:53:01 +0200 (EET) (envelope-from avg@icyb.net.ua) Message-ID: <41E7EADC.7080104@icyb.net.ua> Date: Fri, 14 Jan 2005 17:53:00 +0200 From: Andriy Gapon User-Agent: Mozilla Thunderbird 1.0 (X11/20041230) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Bruce M Simpson References: <41E796DC.2090102@icyb.net.ua> <20050114140709.GD57985@empiric.icir.org> <41E7DAC3.3050707@icyb.net.ua> <20050114152222.GG57985@empiric.icir.org> In-Reply-To: <20050114152222.GG57985@empiric.icir.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Sat, 15 Jan 2005 15:30:13 +0000 cc: freebsd-security@freebsd.org Subject: Re: debugging encrypted part of isakmp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2005 15:53:09 -0000 on 14.01.2005 17:22 Bruce M Simpson said the following: > On Fri, Jan 14, 2005 at 04:44:19PM +0200, Andriy Gapon wrote: > >>So, I am looking for the easiest way to decrypt isakmp packets using >>both packet data and information like pre-shared keys, certificates etc. 
> > > There's probably not a lot that you can do here, short of turning on all > the debugging switches you can find for the opaque IKE implementation > you're dealing with; unless the isakmp decoder in tcpdump were modified > to accept keying material. We already do this for AH, ESP, TCP-MD5 but > not IKE itself as that's a non-trivial task. I see. I think it should not be too hard theoretically to write a program that would do such decryption offline, using code from isakmpd or racoon, and playing for both sides to deduce internal state/random values that original parties used. But that's definitely a lot of work. -- Andriy Gapon
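An added example, not part of the thread: before attempting any offline decryption it helps to know which ISAKMP datagrams in a capture are actually encrypted and which exchange they belong to, since tcpdump decodes only the cleartext ones. This Python parses the fixed 28-byte ISAKMP header (RFC 2408) and reports the IKEv1 exchange type and the E flag; the two sample datagrams are constructed here, not real captures.

```python
import struct
from typing import NamedTuple

ISAKMP_HDR_LEN = 28
FLAG_ENCRYPT, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04

# IKEv1 exchange types: 0-5 from RFC 2408, 6 is the ISAKMP Config Mode
# "Transaction" exchange used by xauth / mode cfg, 32 and 33 from RFC 2409.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    6: "Transaction (Mode Cfg)", 32: "Quick Mode", 33: "New Group Mode",
}

class IsakmpHeader(NamedTuple):
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: str
    exchange: str
    encrypted: bool
    message_id: int
    length: int

def parse_isakmp_header(datagram: bytes) -> IsakmpHeader:
    """Parse the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(datagram) < ISAKMP_HDR_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", datagram[:ISAKMP_HDR_LEN])
    if length != len(datagram):  # header length must cover the whole message
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    return IsakmpHeader(icookie, rcookie, nxt, f"{ver >> 4}.{ver & 0xF}",
                        EXCHANGE_TYPES.get(xchg, f"unknown ({xchg})"),
                        bool(flags & FLAG_ENCRYPT), msgid, length)

def describe(datagram: bytes) -> str:
    """One-line summary telling whether tcpdump can decode the payloads."""
    h = parse_isakmp_header(datagram)
    state = ("encrypted payloads (tcpdump cannot decode them)" if h.encrypted
             else "cleartext payloads")
    return f"IKEv{h.version} {h.exchange}, msgid 0x{h.message_id:08x}: {state}"

# Constructed samples: a Main Mode first message (responder cookie still zero,
# next payload 1 = SA) and an encrypted Transaction message (next payload 14 =
# attribute). Payload bytes are filler, only the header is meaningful.
SAMPLE_MM1 = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                         1, 0x10, 2, 0x00, 0, 28 + 8) + b"\x00" * 8
SAMPLE_MODECFG = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                             14, 0x10, 6, FLAG_ENCRYPT, 0xDEADBEEF, 28 + 16) + b"\xaa" * 16
```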