From owner-freebsd-security Sun Mar 4 4:52:10 2001
From: "Michael A. Dickerson" <mikey@singingtree.com>
To: freebsd-security@freebsd.org
Date: Sun, 4 Mar 2001 04:51:53 -0800 (PST)
Subject: "Input/output error" on a variety of devices

Hello -security, something peculiar happened to a machine I'm responsible for today. The information in the "daily run output" and "security check output" email is all I have to go on:

> Subject: myhost security check output
>
> checking setuid files and devices:
> find: /dev/rda0: Input/output error
> find: /dev/da0: Input/output error
> find: /dev/rda0s1: Input/output error
> find: /dev/rda0s1c: Input/output error
> find: /dev/da0s1: Input/output error
> find: /dev/rda0s1a: Input/output error
> find: /dev/da0s1a: Input/output error
> find: /dev/bpf0: Input/output error
> find: /dev/card0: Input/output error
> find: /dev/card1: Input/output error
> find: /dev/card2: Input/output error
> find: /dev/card3: Input/output error
> find: /dev/kbd0: Input/output error
> find: /dev/kmem: Input/output error
> find: /dev/mem: Input/output error
> find: /dev/tty: Input/output error
> find: /dev/ugen0: Input/output error
> find: /dev/uhid0: Input/output error
> find: /dev/ulpt0: Input/output error
>
> checking for uids of 0:
> tee: /dev/stderr: Input/output error
>
> checking for passwordless accounts:
> tee: /dev/stderr: Input/output error
>
> sentry.cduniverse.com login failures:
> tee: /dev/stderr: Input/output error
>
> sentry.cduniverse.com refused connections:
> tee: /dev/stderr: Input/output error

Clearly the 'find' didn't break on all devices, but if there's a pattern in the ones that failed, it eludes me. I suppose find was just trying to stat the nodes to get their permissions(?). At this point I was suspecting a full disk might be upsetting the kernel, since this machine logs for others (and a DoS attack would not be terribly surprising in this environment). However, the daily script thinks the disks are OK:

> Subject: myhost daily run output
>
> Removing stale files from /var/preserve:
>
> Cleaning out old system announcements:
>
> Removing stale files from /var/rwho:
>
> Backup passwd and group files:
>
> Verifying group file syntax:
>
> Backing up mail aliases:
>
> Disk status:
> Filesystem   1K-blocks     Used    Avail  Capacity  Mounted on
> /dev/da0s1a      49583    33204    12413      73%   /
> /dev/da0s1f    7956270   713531  6606238      10%   /usr
> /dev/da0s1e      99183     7607    83642       8%   /var
> procfs               4        4        0     100%   /proc
>
> Last dump(s) done (Dump '>' file systems):
>
> UUCP status:
>
> Network interface status:
> netstat: kvm not available
> ifnet: symbol not defined
>
> Local system status:
>  1:59AM  up 10 days, 19:03, 0 users, load averages: 0.07, 0.02, 0.00

... and the rest (mailq and some local scripts) is normal. It seems the 'kvm not available' is not surprising if /dev/mem is broken somehow, and I'm guessing that ifnet's complaint was just spurious and caused by the first.

With ssh failing to connect, there's not much more information I can get from this machine. It still responds to pings, but I've learned that the most brain damaged of kernels can still usually manage that:

elsewhere# ssh -l mikey xx.yy.zz.ww
Connection closed by xx.yy.zz.ww
elsewhere# nmap -sS xx.yy.zz.ww

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (xx.yy.zz.ww):
(The 1522 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 30 seconds
elsewhere#

Anyway, my question is this: Has anybody ever seen anything resembling this behavior? Specifically, does it seem likely that this host was rooted? I'm thinking not, but I ask because this machine lives in a hostile environment and I have to be suspicious of anything weird that happens on that network. In fact, this was the hopefully "secure" machine which exists only to monitor and log for others (which may have been recently rooted through bind; we're still investigating). It seems that even if it was compromised, the attacker has probably locked himself out as well as me. Hopefully it was a hardware failure or pilot error and I'll be off to -stable. Looks like I'll be adding another log host for the log host..

Thanks very much,
M. Dickerson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 4 5:34:01 2001
From: Slawek Zak <s.zak@admaster.pl>
To: freebsd-security@freebsd.org
Date: 04 Mar 2001 14:33:32 +0100
Subject: Source address spec. for inetd.conf

What do you think of adding separate source address specification for daemons run from inetd? Something like: :service ... in OpenBSD. It would save some people (including me) packet filter configuration on multihomed machines in many cases.

/S

From owner-freebsd-security Sun Mar 4 12:25:19 2001
From: Randy Bush <randy@psg.com>
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Date: Sun, 04 Mar 2001 12:25:16 -0800
Subject: Re: Is openssl properly integrated to the FreeBSD?

>> There is an application called CA.pl with documentation in
>> /usr/src/crypto/apps/ directory and also it has a documentation (in
>> /usr/src/crypto/doc/apps) but none of them installed. It could be
>> installed in the /usr/bin or /usr/share/examples/ssl. Also there are lots
>> of documentation in /usr/src/crypto/doc/apps/ in *.pod format but only the
>> openssl.pod is installed? Any intention to integrate them to the FreeBSD
>> man pages or handbook? Or should I go on to make a diff to incorporate.
>
> Uncomment the following in /usr/src/secure/lib/libcrypto:
>
> #.for section in 1 3
> #.for pod in ${POD${section}}
> #.for target in ${pod:T:S/.pod/.${section}/g}
> #MAN${section}+= ${target}
> #CLEANFILES+= ${target}
> #all-man: ${target}
> #${target}: ${LCRYPTO_SRC}/../doc/${pod}
> #	pod2man ${LCRYPTO_SRC}/../doc/${pod} > ${target}
> #.endfor
> #.endfor
> #.endfor
>
> and all the .pod documentation will be converted to manpages and
> installed. It is not done by default because the OpenSSL manpages spam
> copies of system manpages with openssl-specific utilities like passwd(1)

two questions

o if i want to install the binaries in as clean a fashion as possible,
  what's the hack?

o might the decision on whether to install (destructive docs | binaries)
  be better made in make.conf?

randy

From owner-freebsd-security Sun Mar 4 15:11:05 2001
From: Kris Kennaway <kris@obsecurity.org>
To: Randy Bush
Cc: Kris Kennaway, freebsd-security@FreeBSD.org
Date: Sun, 4 Mar 2001 15:11:02 -0800
Subject: Re: Is openssl properly integrated to the FreeBSD?
On Sun, Mar 04, 2001 at 12:25:16PM -0800, Randy Bush wrote:
> two questions
>
> o if i want to install the binaries in as clean a fashion as possible,
>   what's the hack?

I don't understand this question - the binaries are installed by the usual make install process.

> o might the decision on whether to install (destructive docs | binaries)
>   be better made in make.conf?

I'm MFCing an install knob today which will build and install the manpages if you want them, but they still clobber a lot of system manpages which we can't fix without a lot of surgery, so it's still not done by default.
Kris

From owner-freebsd-security Mon Mar 5 0:49:36 2001
From: Peter Pentchev <roam@orbitel.bg>
To: "Michael A. Dickerson"
Cc: freebsd-security@freebsd.org
Date: Mon, 5 Mar 2001 10:49:08 +0200
Subject: Re: "Input/output error" on a variety of devices

This looks like a hardware error to me - one or more of the disk sectors holding /dev was damaged, and the rest were left intact. Unfortunately, the ones that were damaged are the ones that contain some of the important system devices, so it's quite likely you're locked out of the system, console access too :(

You might have to boot a rescue CD or something, then back up as much of the usable info as possible, and scrap the disk.

G'luck,
Peter

--
Nostalgia ain't what it used to be.
From owner-freebsd-security Mon Mar 5 4:13:03 2001
From: Thomas Vogt <turbo23@gmx.net>
To: freebsd-security@FreeBSD.ORG
Cc: kris@obsecurity.org
Date: Mon, 5 Mar 2001 13:12:55 +0100 (MET)
Subject: Re: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp access)

On Wed, Feb 28, 2001 at 06:36:08PM +0100, Torbjorn Kristoffersen wrote:
>> Since the topic is 'ssh tricks', here's one that works with all
>> versions of SSH I've used (openssh 2.3.0 as well):
>>
>> home$ ssh -l username site /bin/sh -i

> This is actually an old rsh trick in new clothes :-)
> Kris

And what exactly does this mean? Is it dangerous to have an interactive shell? I see that -i brings an interactive shell up. But I can't get the point. Sorry. Perhaps you can explain this to me in a few words.
thnx
regards
thomas

--
Sent through GMX FreeMail - http://www.gmx.net

From owner-freebsd-security Mon Mar 5 6:42:10 2001
From: Igor Malinin <igor@widespace.ee>
To: security@FreeBSD.ORG
Date: Mon, 05 Mar 2001 16:40:27 +0200
Subject: DNS service over TCP

I've set up a DNS server (BIND 9.1.1rc2). All is working fine except that some hosts can't make TCP connections to port 53. The firewall seems not to be the problem, because I've made successful connections from several hosts, all in different networks over the Internet. Here is an example of a host that can't connect to port 53 over TCP: http://www.nic.fr/zonecheck/english.html

I've turned on logging on my firewall and see only ICMP packets coming from that host. I can't find the logic in which hosts connect and which hosts don't. Does anybody know what can cause this and how to solve it?

PS. I know nothing about UDP service availability for hosts where the TCP service is unavailable. My DNS server is ns.widespace.ee (212.49.2.20) if it would help you.
From owner-freebsd-security Mon Mar 5 7:24:58 2001
From: "Jonathan D. Dunfee" <jdunfee@acm.org>
To: Dan Harnett
Cc: Will Andrews, Rémi Guyomarch, freebsd-security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 09:39:13 -0600 (CST)
Subject: Re: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

Hi,

To expound on what Dan mentioned, the portable version of OpenSSH places (and references) configuration files according to the "--sysconfdir=" option that you give to the configure script. The default is ${prefix}/etc, which actually gives /usr/local/etc/ if '--prefix=' hasn't been set. I think the confusion occurs because most distributions and packages set this to /etc/ssh/ (FreeBSD and Redhat to name two).
Jon

Dan Harnett writes:
> On Fri, Mar 02, 2001 at 07:26:45PM -0500, Will Andrews wrote:
> > On Fri, Mar 02, 2001 at 06:48:57AM +0100, Rémi Guyomarch wrote:
> > > No, it's FreeBSD-specific.
> >
> > No. It's OpenSSH-specific. Please, go login to some Linux box with
> > OpenSSH installed and see for yourself.
> >
>
> It's not OpenSSH-specific. OpenBSD puts it in /etc. It's really up
> to the distributor.
>
> --
> Dan Harnett

--
Jonathan D. Dunfee
jdunfee@acm.org

From owner-freebsd-security Mon Mar 5 10:10:00 2001
From: dce <dce@squish.org>
To: security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 10:20:11 -0800 (PST)
Subject: 31337

Hello,

I have noticed the following ports open on my FreeBSD 4.2-STABLE machine

31337/tcp open Elite
6667/tcp open irc

I have also noticed these open after CVSuping from 4.0-RELEASE to 4.2-STABLE... Is this normal? Has a rootkit been installed? Any information provided is greatly appreciated.
From owner-freebsd-security Mon Mar 5 10:13:56 2001
From: "Travis [Admin Team]" <traviso@RapidNet.com>
To: dce
Cc: security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 11:13:46 -0700 (MST)
Subject: Re: 31337

On Mon, 5 Mar 2001, dce wrote:
> I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
>
> 31337/tcp open Elite
> 6667/tcp open irc
>
> I have also noticed these open after CVSuping from 4.0-RELEASE to
> 4.2-STABLE... Is this normal? Has a rootkit been installed? Any
> information provided is greatly appreciated.

31337 is the ol' Back Orifice remote administration tool - they are just probing - silly kiddiez.

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team            "Courage is not defined by those who
   Phone#: 605.341.3283            fought and did not fall, but by those
   ICQ#: 30220771                  who fought, fell, and rose again."
   Mail: traviso@RapidNet.com
   Fax#: 605.348.1031
   Web: www.RapidNet.com/~traviso
   800#: 800.763.2525
   ATTENTION! "RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701."
   -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */

From owner-freebsd-security Mon Mar 5 10:15:14 2001
From: Chris Faulhaber <cdf.lists@fxp.org>
To: dce
Cc: security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 13:15:05 -0500
Subject: Re: 31337

On Mon, Mar 05, 2001 at 10:20:11AM -0800, dce wrote:
> Hello,
>
> I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
>
> 31337/tcp open Elite
> 6667/tcp open irc
>
> I have also noticed these open after CVSuping from 4.0-RELEASE to
> 4.2-STABLE... Is this normal? Has a rootkit been installed? Any
> information provided is greatly appreciated.

First step would be to find out what programs have the above ports open (hint: use sockstat)...

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Mon Mar 5 10:41:36 2001
From: Jason DiCioccio <Jason.DiCioccio@Epylon.com>
To: 'Chris Faulhaber', dce
Cc: security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 10:41:26 -0800
Subject: RE: 31337

heh, looks like an irc server to me. Try going to it with an IRC client. People running ircds do tend to use port 31337 as well.
Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH

-----Original Message-----
From: Chris Faulhaber [mailto:jedgar@fxp.org]
Sent: Monday, March 05, 2001 10:15 AM
To: dce
Cc: security@FreeBSD.ORG
Subject: Re: 31337

On Mon, Mar 05, 2001 at 10:20:11AM -0800, dce wrote:
> Hello,
>
> I have noticed the following ports open on my FreeBSD 4.2-STABLE
> machine
>
> 31337/tcp open Elite
> 6667/tcp open irc
>
> I have also noticed these open after CVSuping from 4.0-RELEASE to
> 4.2-STABLE... Is this normal? Has a rootkit been installed? Any
> information provided is greatly appreciated.

First step would be to find out what programs have the above ports open (hint: use sockstat)...

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Mon Mar 5 11:23:24 2001
From: Dag-Erling Smorgrav <des@ofug.org>
To: dce
Cc: security@FreeBSD.ORG
Date: 05 Mar 2001 20:23:15 +0100
Subject: Re: 31337
X-URL: http://www.ofug.org/~des/

dce writes:
> I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
>
> 31337/tcp open Elite
> 6667/tcp open irc

You're owned. Take your box off the net, take a backup, reinstall from trusted media (preferably original CD-ROMs from BSDI), transfer data (*no* executables, scripts or configuration files!) from backup. And get some security clue; the security(7) man page is a good place to start, though far from complete.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 5 11:26:18 2001
From: Jason DiCioccio <Jason.DiCioccio@Epylon.com>
To: 'Dag-Erling Smorgrav', dce
Cc: security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 11:26:08 -0800
Subject: RE: 31337

Again, unless you added a few users on your system and one of them decided to run an irc server without asking you, I'd check lsof and see exactly who's running this.. Try irc'ing to the port also and find out where it's linked to etc. That could be useful if you really were 0wned. :)

Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH

-----Original Message-----
From: Dag-Erling Smorgrav [mailto:des@ofug.org]
Sent: Monday, March 05, 2001 11:23 AM
To: dce
Cc: security@FreeBSD.ORG
Subject: Re: 31337

dce writes:
> I have noticed the following ports open on my FreeBSD 4.2-STABLE
> machine
>
> 31337/tcp open Elite
> 6667/tcp open irc

You're owned. Take your box off the net, take a backup, reinstall from trusted media (preferably original CD-ROMs from BSDI), transfer data (*no* executables, scripts or configuration files!) from backup. And get some security clue; the security(7) man page is a good place to start, though far from complete.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 5 11:30:37 2001
From: Evren Yurtesen <yurtesen@ispro.net.tr>
To: Dag-Erling Smorgrav
Cc: dce, security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 21:36:36 +0200 (EET)
Subject: Re: 31337

Can't it be a person who has a shell and executes some daemons etc.? Like ircd? Why does he need to reinstall his system?

Evren

> dce writes:
> > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> >
> > 31337/tcp open Elite
> > 6667/tcp open irc
>
> You're owned. Take your box off the net, take a backup, reinstall from
> trusted media (preferably original CD-ROMs from BSDI), transfer data
> (*no* executables, scripts or configuration files!) from backup. And
> get some security clue; the security(7) man page is a good place to
> start, though far from complete.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 5 11:44:29 2001
From: David Syphers <dsyphers@hep.uchicago.edu>
Date: Mon, 5 Mar 2001 13:44:22 -0600
Subject: sshd listening on port 6010

Does anyone know why sshd listens on port 6010 when someone is ssh'd into a box? I generally use mindterm to remotely log in from a windows machine to my FreeBSD machine, but when using a UNIX machine to ssh in directly I noticed that netstat said something was listening on port 6010 and sockstat said that something was sshd. This doesn't happen when mindterm is used. The only reference I could find to port 6010 in the mailing archives were a few people who guessed that it had to do with X Windows, but that's not correct because X isn't even installed on this FreeBSD box.
-David

From owner-freebsd-security Mon Mar 5 11:47:13 2001
From: "David G. Andersen"
To: dsyphers@hep.uchicago.edu (David Syphers)
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 12:46:28 -0700 (MST)
Subject: Re: sshd listening on port 6010

It is correct, because it's still trying to do X11 forwarding in case you run any X apps on that box. If you don't like it, then disable X11 forwarding in your ssh config file, the system ssh config file, or on a per connection basis using the command line flags.

-Dave

Lo and behold, David Syphers once said:
>
> Does anyone know why sshd listens on port 6010 when someone is ssh'd into
> a box? I generally use mindterm to remotely log in from a windows machine
> to my FreeBSD machine, but when using a UNIX machine to ssh in directly I
> noticed that netstat said something was listening on port 6010 and
> sockstat said that something was sshd. This doesn't happen when mindterm
> is used. The only reference I could find to port 6010 in the mailing
> archives were a few people who guessed that it had to do with X Windows,
> but that's not correct because X isn't even installed on this FreeBSD box.
>
> -David

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Mon Mar 5 11:47:26 2001
From: Jason DiCioccio
To: 'David Syphers', freebsd-security@freebsd.org
Date: Mon, 5 Mar 2001 11:47:13 -0800
Subject: RE: sshd listening on port 6010

X11 Forwarding uses it. But I don't think it's bound externally. Just disable X11 forwarding if you don't want it.
Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main
Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

-----Original Message-----
From: David Syphers [mailto:dsyphers@hep.uchicago.edu]
Sent: Monday, March 05, 2001 11:44 AM
To: freebsd-security@freebsd.org
Subject: sshd listening on port 6010

Does anyone know why sshd listens on port 6010 when someone is ssh'd into a box? I generally use mindterm to remotely log in from a windows machine to my FreeBSD machine, but when using a UNIX machine to ssh in directly I noticed that netstat said something was listening on port 6010 and sockstat said that something was sshd. This doesn't happen when mindterm is used. The only reference I could find to port 6010 in the mailing archives were a few people who guessed that it had to do with X Windows, but that's not correct because X isn't even installed on this FreeBSD box.

-David

From owner-freebsd-security Mon Mar 5 11:47:33 2001
From: Poul-Henning Kamp
To: David Syphers
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 05 Mar 2001 20:47:47 +0100
Subject: Re: sshd listening on port 6010

In message , David Syphers writes:
>Does anyone know why sshd listens on port 6010 when someone is ssh'd into
>a box?

It's called "X11-forwarding"

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
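As an added check (written for this page, not by anyone in the thread), here is how an admin could verify what the replies above say: list the sshd listeners on X11 display ports from sockstat(1) output, flag any that are not bound to loopback, and turn X11Forwarding off in sshd_config. The sockstat sample and the config fragment are constructed, and the function names and the 6000-6063 display-port range are assumptions of this example, not anything the posters used.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the sshd/X11 listener
# situation discussed above against sockstat(1) output.

# Constructed sample of `sockstat -4l` output in FreeBSD's column layout
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS); the PIDs and
# ports are made up for the example.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22             *:*
mikey    sshd       5678  9  tcp4   127.0.0.1:6010   *:*
mikey    sshd       5679  9  tcp4   *:6011           *:*
root     sendmail   120   4  tcp4   127.0.0.1:25     *:*'

# x11_listeners SOCKSTAT_TEXT
# Prints "PID LOCAL-ADDRESS" for each sshd socket listening on an X11
# display port. X display :n lives on TCP 6000+n; sshd's forwarded
# displays normally start at :10 (port 6010), the port the thread asks
# about. The 6000-6063 range is an assumption made for this example.
x11_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $2 == "sshd" {
            n = split($6, a, ":"); port = a[n] + 0
            if (port >= 6000 && port <= 6063) print $3, $6
        }'
}

# exposed_x11_listeners SOCKSTAT_TEXT
# The subset of x11_listeners not bound to 127.x.x.x. A forwarded display
# bound to "*" or to an interface address is reachable from the network,
# which is the exposure the replies above are concerned with; a
# loopback-only listener is the normal, harmless case.
exposed_x11_listeners() {
    x11_listeners "$1" | awk '$2 !~ /^127\./ { print }'
}

# disable_x11_forwarding < sshd_config_text
# Rewrites sshd_config text so it contains exactly one "X11Forwarding no"
# directive: an existing X11Forwarding line (active or commented out) is
# replaced in place, otherwise the directive is appended at the end.
# Use as `disable_x11_forwarding < /etc/ssh/sshd_config > sshd_config.new`,
# review the diff, install the file and restart sshd.
disable_x11_forwarding() {
    awk '
        tolower($1) == "x11forwarding" || tolower($0) ~ /^#[[:space:]]*x11forwarding/ {
            if (!seen) { print "X11Forwarding no"; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print "X11Forwarding no" }'
}

# Stand-alone run: report on the constructed sample.
echo "sshd X11 listeners:"
x11_listeners "$SAMPLE_SOCKSTAT"
echo "not bound to loopback (worth a look):"
exposed_x11_listeners "$SAMPLE_SOCKSTAT"
```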
From owner-freebsd-security Mon Mar 5 11:50:32 2001
From: Rob Simmons
To: Jason DiCioccio
Cc: "'Dag-Erling Smorgrav'", dce,
Date: Mon, 5 Mar 2001 14:49:04 -0500 (EST)
Subject: RE: 31337

lsof is a Solaris utility. You want to use fstat in FreeBSD.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 5 Mar 2001, Jason DiCioccio wrote:

> Again, unless you added a few users on your system and one of them
> decided to run an irc server without asking you, I'd check lsof and
> see exactly who's running this. Try irc'ing to the port also and
> find out where it's linked to etc. That could be useful if you really
> were 0wned. :)
>
> Cheers,
> -JD-
>
> -------
> Jason DiCioccio
> Evil Genius
> Unix BOFH
>
> -----Original Message-----
> From: Dag-Erling Smorgrav [mailto:des@ofug.org]
> Sent: Monday, March 05, 2001 11:23 AM
> To: dce
> Cc: security@FreeBSD.ORG
> Subject: Re: 31337
>
> dce writes:
> > I have noticed the following ports open on my FreeBSD 4.2-STABLE
> > machine
> >
> > 31337/tcp open Elite
> > 6667/tcp open irc
>
> You're owned.
> Take your box off the net, take a backup, reinstall from
> trusted media (preferably original CD-ROMs from BSDI), transfer data
> (*no* executables, scripts or configuration files!) from backup. And
> get some security clue; the security(7) man page is a good place to
> start, though far from complete.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 5 11:56:20 2001
From: Dag-Erling Smorgrav
To: Rob Simmons
Cc: Jason DiCioccio, dce,
Date: 05 Mar 2001 20:56:09 +0100
Subject: Re: 31337

Rob Simmons writes:
> lsof is a solaris utility. You want to use fstat in FreeBSD.

No, lsof is independently maintained, and is in the ports tree (/usr/ports/sysutils/lsof/). FreeBSD has a similar but more lightweight utility named sockstat(1).

Please learn to quote properly.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 5 12:09:01 2001
From: Alfred Perlstein
To: Evren Yurtesen
Cc: Dag-Erling Smorgrav, dce, security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 12:08:25 -0800
Subject: Re: 31337

* Evren Yurtesen [010305 11:30] wrote:
> can't it be a person who has a shell and execute some daemons etc ? like
> ircd?
>
> why does he need to reinstall his system?
Because if the box is reporting port 31337 as the 'elite' service it means someone most likely has modified /etc/services, which indicates that they have attained elevated privs somehow.

>
> Evren
>
> > dce writes:
> > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > >
> > > 31337/tcp open Elite
> > > 6667/tcp open irc
> >
> > You're owned. [...]

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

From owner-freebsd-security Mon Mar 5 12:09:35 2001
From: Alfred Perlstein
To: Evren Yurtesen
Cc: Dag-Erling Smorgrav, dce, security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 12:09:19 -0800
Subject: Re: 31337

* Evren Yurtesen [010305 11:30] wrote:
> can't it be a person who has a shell and execute some daemons etc ? like
> ircd?
>
> why does he need to reinstall his system?

Oh, and as far as why a complete reinstall is a good idea, it is because you have _no idea_ as to how far the person has gone to install back doors in the system; only a complete reinstall has a good chance of fixing them all.

>
> Evren
>
> > dce writes:
> > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > >
> > > 31337/tcp open Elite
> > > 6667/tcp open irc
> >
> > You're owned. Take your box off the net, take a backup, reinstall from
> > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > (*no* executables, scripts or configuration files!) from backup. And
> > get some security clue; the security(7) man page is a good place to
> > start, though far from complete.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

From owner-freebsd-security Mon Mar 5 12:13:09 2001
From: Dag-Erling Smorgrav
To: Alfred Perlstein
Cc: Evren Yurtesen, dce, security@FreeBSD.ORG
Date: 05 Mar 2001 21:13:00 +0100
Subject: Re: 31337

Alfred Perlstein writes:
> Because if the box is reporting port 31337 as the 'elite' service
> it means someone most likely has modified /etc/services which
> indicates that they have attained elevated privs somehow.

No, this is nmap, which has its own ideas of assigned port numbers.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 5 12:14:01 2001
From: "David G. Andersen"
To: bright@wintelcom.net (Alfred Perlstein)
Cc: yurtesen@ispro.net.tr (Evren Yurtesen), des@ofug.org (Dag-Erling Smorgrav), dce@squish.org (dce), security@FreeBSD.ORG
Date: Mon, 5 Mar 2001 13:12:25 -0700 (MST)
Subject: Re: 31337

That's not correct. Nmap has the "Elite" service name built in to its nmap-services file, mostly because of the obvious 5kr1p7 k11d13 name mapping. His /etc/services is probably just fine.

-Dave

Lo and behold, Alfred Perlstein once said:
>
> * Evren Yurtesen [010305 11:30] wrote:
> > can't it be a person who has a shell and execute some daemons etc ? like
> > ircd?
> >
> > why does he need to reinstall his system?
>
> Because if the box is reporting port 31337 as the 'elite' service
> it means someone most likely has modified /etc/services which
> indicates that they have attained elevated privs somehow.
> >
> > > Evren
> > >
> > > > dce writes:
> > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > > > >
> > > > > 31337/tcp open Elite
> > > > > 6667/tcp open irc
> > > >
> > > > You're owned. [...]
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Mon Mar 5 13:09:12 2001
From: Kris Kennaway
To: Thomas Vogt
Cc: freebsd-security@FreeBSD.ORG, kris@obsecurity.org
Date: Mon, 5 Mar 2001 13:09:03 -0800
Subject: Re: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp access)

On Mon, Mar 05, 2001 at 01:12:55PM +0100, Thomas Vogt wrote:
> On Wed, Feb 28, 2001 at 06:36:08PM +0100, Torbjorn Kristoffersen wrote:
> >> Since the topic is 'ssh tricks', here's one that works with all
> >> versions of SSH I've used (openssh 2.3.0 as well):
> >>
> >> home$ ssh -l username site /bin/sh -i
>
> >This is actually an old rsh trick in new clothes :-)
>
> >Kris
>
> And what exactly does this mean? Is it dangerous to have an interactive
> shell? I see that -i brings an interactive shell up. But I can't get the point.
> Sorry. Perhaps you can explain this to me in a few words.
> thnx

It means exactly what's been said in previous messages: running sh -i or csh -i or whatever will cause the person to not show up in 'w' listings and so forth.
It's not a security risk unless the admin forgets or doesn't know that people can be running commands when "not logged in".

Kris

From owner-freebsd-security Mon Mar 5 13:46:19 2001
From: "Peter C. Lai"
To: "Alfred Perlstein", "David G. Andersen"
Cc: "Evren Yurtesen", "Dag-Erling Smorgrav", "dce",
Date: Mon, 5 Mar 2001 16:45:44 -0500
Subject: Re: 31337

Most probably a luser on the system is running ircd, which doesn't need elevated privs because it is binding above port 1024, and they are also trying to do some "l33t hax0ring" of winboxen using Netbus's admin tool.

----- Original Message -----
From: "David G. Andersen"
To: "Alfred Perlstein"
Cc: "Evren Yurtesen"; "Dag-Erling Smorgrav"; "dce";
Sent: Monday, March 05, 2001 3:12 PM
Subject: Re: 31337

> That's not correct. Nmap has the "Elite" service name built in to
> its nmap-services file. Mostly because of the obvious 5kr1p7 k11d13
> name mapping. His /etc/services is probably just fine.
>
> -Dave
>
> Lo and behold, Alfred Perlstein once said:
> >
> > * Evren Yurtesen [010305 11:30] wrote:
> > > can't it be a person who has a shell and execute some daemons etc ? like
> > > ircd?
> > >
> > > why does he need to reinstall his system?
> >
> > Because if the box is reporting port 31337 as the 'elite' service
> > it means someone most likely has modified /etc/services which
> > indicates that they have attained elevated privs somehow.
> >
> > > Evren
> > >
> > > > dce writes:
> > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > > > >
> > > > > 31337/tcp open Elite
> > > > > 6667/tcp open irc
> > > >
> > > > You're owned. Take your box off the net, take a backup, reinstall from
> > > > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > > > (*no* executables, scripts or configuration files!) from backup. And
> > > > get some security clue; the security(7) man page is a good place to
> > > > start, though far from complete.
> > > >
> > > > DES
> > > > --
> > > > Dag-Erling Smorgrav - des@ofug.org
> >
> > --
> > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Mon Mar 5 14:13:10 2001
From: Chris Byrnes
To: dce
Date: Mon, 5 Mar 2001 16:12:56 -0600 (CST)
Subject: RE: 31337

Heh, an IRCD is running on the machine, EliteIRCD.
+ Chris Byrnes, chris@JEAH.net
+ JEAH Communications
+ 1-866-AWW-JEAH (Toll-Free)

On Mon, 5 Mar 2001, dce wrote:

> Hello,
>
> I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
>
> 31337/tcp open Elite
> 6667/tcp open irc
>
> I have also noticed these open after CVSuping from 4.0-RELEASE to
> 4.2-STABLE... Is this normal? Has a rootkit been installed? Any
> information provided is greatly appreciated.

From owner-freebsd-security Mon Mar 5 14:17:29 2001
From: Chris Byrnes
To: Evren Yurtesen
Cc: Dag-Erling Smorgrav, dce,
Date: Mon, 5 Mar 2001 16:16:56 -0600 (CST)
Subject: Re: 31337

Heh, yeah, exactly. Sometimes people jump to conclusions too fast. It's just an IRCD.

+ Chris Byrnes, chris@JEAH.net
+ JEAH Communications
+ 1-866-AWW-JEAH (Toll-Free)

On Mon, 5 Mar 2001, Evren Yurtesen wrote:

> can't it be a person who has a shell and execute some daemons etc ? like
> ircd?
>
> why does he need to reinstall his system?
>
> Evren
>
> > dce writes:
> > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > >
> > > 31337/tcp open Elite
> > > 6667/tcp open irc
> >
> > You're owned.
> > Take your box off the net, take a backup, reinstall from
> > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > (*no* executables, scripts or configuration files!) from backup. And
> > get some security clue; the security(7) man page is a good place to
> > start, though far from complete.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 5 14:17:41 2001
From: Chris Byrnes
To: Rob Simmons
Cc: Jason DiCioccio, "'Dag-Erling Smorgrav'", dce,
Date: Mon, 5 Mar 2001 16:17:21 -0600 (CST)
Subject: RE: 31337

HEH. lsof is in FreeBSD, too.

+ Chris Byrnes, chris@JEAH.net
+ JEAH Communications
+ 1-866-AWW-JEAH (Toll-Free)

On Mon, 5 Mar 2001, Rob Simmons wrote:

> lsof is a solaris utility. You want to use fstat in FreeBSD.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Mon, 5 Mar 2001, Jason DiCioccio wrote:
>
> > Again, unless you added a few users on your system and one of them
> > decided to run an irc server without asking you, I'd check lsof and
> > see exactly who's running this. Try irc'ing to the port also and
> > find out where it's linked to etc. That could be useful if you really
> > were 0wned. :)
> >
> > Cheers,
> > -JD-
> >
> > -------
> > Jason DiCioccio
> > Evil Genius
> > Unix BOFH
> >
> > -----Original Message-----
> > From: Dag-Erling Smorgrav [mailto:des@ofug.org]
> > Sent: Monday, March 05, 2001 11:23 AM
> > To: dce
> > Cc: security@FreeBSD.ORG
> > Subject: Re: 31337
> >
> > dce writes:
> > > I have noticed the following ports open on my FreeBSD 4.2-STABLE
> > > machine
> > >
> > > 31337/tcp open Elite
> > > 6667/tcp open irc
> >
> > You're owned. Take your box off the net, take a backup, reinstall
> > from trusted media (preferably original CD-ROMs from BSDI), transfer data
> > (*no* executables, scripts or configuration files!) from backup. And
> > get some security clue; the security(7) man page is a good place to
> > start, though far from complete.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org
> > gpg: Total number processed: 0 > > gpg: Can't check signature: public key not found > > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.4 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iD8DBQE6o+21v8Bofna59hYRAsaEAKDFU8TJbML3jVZEnLtLjmaIEfabBQCeIWIJ > 1IbLTRyMqIFRWZED7qwXOeU= > =TnIU > -----END PGP SIGNATURE----- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 5 14:22: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from equinox.datasyrge.net (ool-18ba2d21.dyn.optonline.net [24.186.45.33]) by hub.freebsd.org (Postfix) with ESMTP id DA45037B718 for ; Mon, 5 Mar 2001 14:21:56 -0800 (PST) (envelope-from jslivko@datasyrge.net) Received: from localhost (jslivko@localhost) by equinox.datasyrge.net (8.9.3/8.9.3) with ESMTP id RAA13806; Mon, 5 Mar 2001 17:24:23 -0500 Date: Mon, 5 Mar 2001 17:24:23 -0500 (EST) From: "Jonathan M. Slivko" To: Chris Byrnes Cc: dce , security@FreeBSD.ORG Subject: RE: 31337 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I would just like to add that there is a port in the current ports collection which is called boserver which *emulates* a basic BO server and runs on port 31137, etc. However, while this may not be the case, I would just like to point out that someone other than dce may have installed the port, assuming that someone else has root access on the machine besides himself. However, if that's not the case and he didn't install the port himself, I'm not sure. However, I would be very cautious with the machine from now on, just in case it was compromised, until some kind of real viable proof is shown in this case. Just my 2 cents. -- Jonathan M.
Slivko On Mon, 5 Mar 2001, Chris Byrnes wrote: > Heh, an IRCD is running on the machine, EliteIRCD. > > > + Chris Byrnes, chris@JEAH.net > + JEAH Communications > + 1-866-AWW-JEAH (Toll-Free) > > > On Mon, 5 Mar 2001, dce wrote: > > > Hello, > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine > > > > 31337/tcp open Elite > > 6667/tcp open irc > > > > > > I have also noticed these open after CVSuping from 4.0-RELEASE to > > 4.2-STABLE... Is this normal? Has a rootkit been installed? Any > > information provided is greatly appreciated. > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | Jonathan M. Slivko | | Global IRC Operator, AsylumNet IRC Networks | | Webpage: http://jslivko.datasyrge.net/ | | | |"Microsoft, is that some kind of toilet paper? | |"FreeeBSD: The Power to Serve -- www.freebsd.org" | |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 14:31:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168]) by hub.freebsd.org (Postfix) with SMTP id ACCE137B72F for ; Mon, 5 Mar 2001 14:31:05 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 32689 invoked by alias); 5 Mar 2001 22:31:04 -0000 Received: from unknown (HELO sirmoobert) (137.99.158.30) by d156h168.resnet.uconn.edu with SMTP; 5 Mar 2001 22:31:04 -0000 Message-ID: <005c01c0a5c3$e66bbcc0$1e9e6389@137.99.156.23> From: "Peter C. 
Lai" To: "Chris Byrnes" , "Rob Simmons" Cc: "Jason DiCioccio" , "'Dag-Erling Smorgrav'" , "dce" , References: Subject: Re: 31337 Date: Mon, 5 Mar 2001 17:30:36 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [cowbert@huskyhype]:/usr/home/cowbert/dnetc$ locate lsof /usr/ports/sysutils/lsof as previously stated you can find it in the ports collection. ----- Original Message ----- From: "Chris Byrnes" To: "Rob Simmons" Cc: "Jason DiCioccio" ; "'Dag-Erling Smorgrav'" ; "dce" ; Sent: Monday, March 05, 2001 5:17 PM Subject: RE: 31337 > HEH. lsof is in FreeBSD, too. > > > + Chris Byrnes, chris@JEAH.net > + JEAH Communications > + 1-866-AWW-JEAH (Toll-Free) > > > On Mon, 5 Mar 2001, Rob Simmons wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > lsof is a solaris utility. You want to use fstat in FreeBSD. > > > > Robert Simmons > > Systems Administrator > > http://www.wlcg.com/ > > > > On Mon, 5 Mar 2001, Jason DiCioccio wrote: > > > > > Again, unless you added a few users on your system and one of them > > > decided to run an irc server without asking you, i'd check lsof and > > > see exactly who's running this.. Try irc'ing to the port also and > > > find out where it's linked to etc. That could be useful if you really > > > were 0wned. 
:) > > > > > > Cheers, > > > -JD- > > > > > > > > > ------- > > > Jason DiCioccio > > > Evil Genius > > > Unix BOFH > > > > > > -----Original Message----- > > > From: Dag-Erling Smorgrav [mailto:des@ofug.org] > > > Sent: Monday, March 05, 2001 11:23 AM > > > To: dce > > > Cc: security@FreeBSD.ORG > > > Subject: Re: 31337 > > > > > > > > > dce writes: > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE > > > > machine > > > > > > > > 31337/tcp open Elite > > > > 6667/tcp open irc > > > > > > You're owned. Take your box off the net, take a backup, reinstall > > > from > > > trusted media (preferably original CD-ROMs from BSDI), transfer data > > > (*no* executables, scripts or configuration files!) from backup. And > > > get some security clue; the security(7) man page is a good place to > > > start, though far from complete. > > > > > > DES > > > -- > > > Dag-Erling Smorgrav - des@ofug.org > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > ------------ Output from gpg ------------ > > > gpg: Signature made Mon Mar 5 14:27:59 2001 EST using DSA key ID A97A6C9A > > > gpg: requesting key A97A6C9A from wwwkeys.us.pgp.net ... > > > gpg: no valid OpenPGP data found. 
> > > gpg: Total number processed: 0 > > > gpg: Can't check signature: public key not found > > > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.0.4 (FreeBSD) > > Comment: For info see http://www.gnupg.org > > > > iD8DBQE6o+21v8Bofna59hYRAsaEAKDFU8TJbML3jVZEnLtLjmaIEfabBQCeIWIJ > > 1IbLTRyMqIFRWZED7qwXOeU= > > =TnIU > > -----END PGP SIGNATURE----- > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 14:59:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from MCSMTP.MC.VANDERBILT.EDU (mcsmtp.mc.Vanderbilt.Edu [160.129.93.202]) by hub.freebsd.org (Postfix) with ESMTP id 1B93237B718 for ; Mon, 5 Mar 2001 14:59:46 -0800 (PST) (envelope-from George.Giles@mcmail.vanderbilt.edu) Subject: windows sockstat To: freebsd-security@freebsd.org X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000 Message-ID: From: George.Giles@mcmail.vanderbilt.edu Date: Mon, 5 Mar 2001 17:00:00 -0600 X-MIMETrack: Serialize by Router on MCSMTP/VUMC/Vanderbilt(Release 5.0.3 |March 21, 2000) at 03/05/2001 04:51:53 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Forgive the off topic intrusion, but is there a windows NT/2K equivalent of sockstat ? It chagrins me that I must admin some PC's for security. 
TIA, George To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 5 15: 3:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id 0910F37B718 for ; Mon, 5 Mar 2001 15:03:29 -0800 (PST) (envelope-from marcr@closed-networks.com) Received: (qmail 9972 invoked by uid 1000); 5 Mar 2001 19:06:10 -0000 Date: Mon, 5 Mar 2001 19:06:10 +0000 From: Marc Rogers To: security@FreeBSD.ORG Subject: Re: 31337 Message-ID: <20010305190610.X341@shady.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: ; from traviso@RapidNet.com on Mon, Mar 05, 2001 at 11:13:46AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Mar 05, 2001 at 11:13:46AM -0700, Travis [Admin Team] wrote: > On Mon, 5 Mar 2001, dce wrote: > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine > > > > 31337/tcp open Elite > > 6667/tcp open irc > > > > I have also noticed these open after CVSuping from 4.0-RELEASE to > > 4.2-STABLE... Is this normal? Has a rootkit been installed? Any > > information provided is greatly appreciated. > > 31337 is the ol Back Orifice remote administration tool - they are > just probing - silly kiddiez.

No, I believe that he is saying they are open, not that someone is probing them. There is nothing legitimate that runs on those ports out of the box. Cvsuping will only close an open port if it changes the program that is opening it in the first place. I.e. if it's a trojaned system binary, then cvsuping and a subsequent make world will hopefully replace it. If it's a separate program, say for example running from /dev/.hidden/rootkit, then only removing the startup mechanism, and killing the program will close it.
I would recommend that you install "lsof" and use it, together with judicious use of netstat, to identify what ports are open, which programs are listening to them and where the files are located. Do not rely entirely on netstat or any program that was in situ prior to this occurrence. They may have been tampered with (bear in mind your kernel may have been tampered with as well, or there may be hostile modules loaded). Fresh installs are your friend. In my experience 6667 on a machine that isn't legitimately running an ircd is most likely to be an irc port bouncer. In which case your box has been taken over by kiddies, who are using it to conceal their identities as they irc. Running lsof and netstat periodically from cron will most likely reveal their locations (or the next box in the chain that they have taken). I would guess that 31337 is their backdoor, and 6667 is their portbouncer. If you need any further assistance, feel free to drop me a line. Marc Rogers Head of Network Operations & Security EDC Group To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 5 15:44:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 0643837B719 for ; Mon, 5 Mar 2001 15:44:41 -0800 (PST) (envelope-from christopher@schulte.org) Received: from ronayne.schulte.org (nb-22.netbriefings.com [204.72.185.22]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id RAA06864; Mon, 5 Mar 2001 17:43:55 -0600 (CST) (envelope-from christopher@schulte.org) Message-Id: <5.0.2.1.0.20010305174329.00afdbc0@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Mon, 05 Mar 2001 17:43:46 -0600 To: George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG From: Christopher Schulte Subject: Re: windows sockstat In-Reply-To: Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

http://ntsecurity.nu/toolbox/inzider/ At 05:00 PM 3/5/2001 -0600, George.Giles@mcmail.vanderbilt.edu wrote: >Forgive the off topic intrusion, but is there a windows NT/2K equivalent of >sockstat ? > >It chagrins me that I must admin some PC's for security. > >TIA, >George > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 5 16:14: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 26DFA37B71D for ; Mon, 5 Mar 2001 16:14:04 -0800 (PST) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id TAA31449; Mon, 5 Mar 2001 19:14:02 -0500 (EST) (envelope-from str) Date: Mon, 5 Mar 2001 19:14:02 -0500 (EST) From: Igor Roshchin Message-Id: <200103060014.TAA31449@giganda.komkon.org> To: freebsd-security@freebsd.org Subject: Re: ssh tricks - user running sshd Cc: kris@obsecurity.org In-Reply-To: <20010305130902.A85196@mollari.cthul.hu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Well, there is another effectively similar, but probably less trackable way of doing the same. A user can run his own ssh daemon on a different (high-numbered) port, thus allowing himself to log in without using the system's daemon. That user can configure the daemon so that no records are added to wtmp/utmp, and no logging is done to the system log. You can forbid running daemons by a policy, but it's rather difficult to make that completely impossible.
Well, the point of this message is just to remind that, as Kris said, there are many different things for an admin to remember. Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 5 17: 6:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from mink.ath.cx (200-191-39-25-as.acessonet.com.br [200.191.39.25]) by hub.freebsd.org (Postfix) with ESMTP id 9696B37B719 for ; Mon, 5 Mar 2001 17:06:11 -0800 (PST) (envelope-from tirloni@techie.com) Received: from mink (mink [127.0.0.1]) by mink.ath.cx (Postfix) with ESMTP id 162F72F9; Mon, 5 Mar 2001 22:08:19 -0300 (BRT) Date: Mon, 5 Mar 2001 22:08:19 -0300 (BRT) From: "Giovanni P. Tirloni" X-X-Sender: To: Cc: Subject: Re: 31337 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi folks, Just to add some extra info I'd like to say that I've seen nmap reporting such open ports a lot of times while doing port scans on my machines and friends' machines too. Mainly I was certifying myself of which ports I had left open after a _fresh_ install so, IMO, this is something related to nmap itself reporting such ports wrongly and not with any kind of h4x0r 4ct1v1ty. Perhaps, in some way, FreeBSD sends some kind of packet with options that make nmap report it that way. I really don't know. I'm just guessing and as those machines were not connected to the Internet I'm sure that they were not compromised. Another strange thing is that nmap reports those ports as open only when port scanning through the LAN/Internet and doesn't report them if I nmap the host from itself (loopback). Looks too abstract for me too. If could send us more info about the actual situation of his machine (if it was a fresh install, if it has many users, etc) that would clarify the story. Just my two cents.
-- Giovanni Picoli Tirloni tirloni@techie.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 5 17:22:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id 5076B37B719 for ; Mon, 5 Mar 2001 17:22:43 -0800 (PST) (envelope-from silby@silby.com) Received: (qmail 10165 invoked by uid 1000); 6 Mar 2001 01:22:41 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 6 Mar 2001 01:22:41 -0000 Date: Mon, 5 Mar 2001 19:22:41 -0600 (CST) From: Mike Silbersack To: "Giovanni P. Tirloni" Cc: Subject: Re: 31337 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 5 Mar 2001, Giovanni P. Tirloni wrote: > Hi folks, > > Just to add some extra info I'd like to say that I've seen nmap reporting > such open ports a lot of times while doing port scans on my machines and > friend's machines too. > > Mainly I was certifying myself of which ports I had left open after a > _fresh_ install so, IMO, this is something related to nmap itself > reporting such ports wrongly and not with any kind of h4x0r 4ct1v1ty. > Perhaps, in some way, FreeBSD sends some kind of packet with options > that make nmap report it that way. I really don't know.

BIND likes to use a port in the area above 1024 for outgoing queries, so you're going to see nmap hit that pretty consistently. Other than that, I don't think you should be seeing any false positives.
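Pulling together the advice in this thread (Marc Rogers: use lsof and netstat together and distrust binaries already on the box; Igor Roshchin: a user can run his own sshd on a high port; Mike Silbersack: BIND's outgoing query port is not a listener), here is an added example, not code from any poster, of the check an admin would script: compare two tools' views of the listening sockets and flag ports that are not on an allowlist. The sockstat and netstat output below is constructed to mimic FreeBSD 4.x column layout; the usernames, PIDs and the 31337 listener that only netstat shows are invented sample data.

```shell
#!/bin/sh
# Added example (not from any post in this thread): cross-check listening
# sockets reported by two different tools against an allowlist of expected
# ports. Inputs below are constructed to look like FreeBSD `sockstat -4 -l`
# and `netstat -an` output; on a live box feed in the real commands.

# Constructed sample of `sockstat -4 -l` output.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       152   4  tcp4   *:22                  *:*
root     sendmail   160   5  tcp4   127.0.0.1:25          *:*
nobody   ircd       2048  3  tcp4   *:6667                *:*
jdoe     sshd       2077  3  tcp4   *:2222                *:*'

# Constructed sample of `netstat -an` for the same host. Note the extra
# LISTEN on 31337 that sockstat did not show, and the ESTABLISHED line on
# an ephemeral port (the kind of thing BIND opens for outgoing queries).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.6667                 *.*                    LISTEN
tcp4       0      0  *.2222                 *.*                    LISTEN
tcp4       0      0  *.31337                *.*                    LISTEN
tcp4       0      0  10.0.0.5.3471          192.0.2.1.53           ESTABLISHED'

# Ports this host is supposed to serve (space separated, from your own records).
EXPECTED_PORTS="22 25"

# sockstat_ports SOCKSTAT: "port user command pid" for every listener.
sockstat_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        port = $6; sub(/.*:/, "", port)      # "*:22" or "127.0.0.1:25" -> port
        print port, $1, $2, $3 }'
}

# netstat_listen_ports NETSTAT: one local port per LISTEN line. ESTABLISHED
# lines and client-side ephemeral ports are deliberately ignored.
netstat_listen_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" {
        port = $4; sub(/.*\./, "", port)     # netstat separates port with a dot
        print port }'
}

# unexpected_listeners SOCKSTAT ALLOW: listeners whose port is not allowlisted.
# A stray ircd or a user's private sshd on a high port shows up here.
unexpected_listeners() {
    sockstat_ports "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# hidden_listeners SOCKSTAT NETSTAT: ports netstat reports as LISTEN that
# sockstat does not report at all. Empty on a healthy box; anything printed
# means the two tools disagree, which is itself the finding.
hidden_listeners() {
    { sockstat_ports "$1" | awk '{ print "S", $1 }'
      netstat_listen_ports "$2" | awk '{ print "N", $1 }'; } |
    awk '$1 == "S" { seen[$2] = 1 }
         $1 == "N" && !($2 in seen) { print $2 }'
}

# Run against the constructed samples when executed directly.
echo "== listeners not on the allowlist =="
unexpected_listeners "$SAMPLE_SOCKSTAT" "$EXPECTED_PORTS"
echo "== LISTEN ports netstat sees but sockstat does not =="
hidden_listeners "$SAMPLE_SOCKSTAT" "$SAMPLE_NETSTAT"
```

Feed it real output from `sockstat -4 -l` and `netstat -an`, ideally with the binaries taken from install media as Marc recommends, and run it from cron so a listener that appears at 3 a.m. is logged. Because only LISTEN lines are counted, the high port BIND uses for outgoing queries does not trip the allowlist, which answers the false-positive concern above; a listener that one tool shows and the other hides is worth more attention than either list on its own.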
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 18:24:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from turtle.looksharp.net (cc360882-a.strhg1.mi.home.com [24.2.221.22]) by hub.freebsd.org (Postfix) with ESMTP id 8980437B718 for ; Mon, 5 Mar 2001 18:24:38 -0800 (PST) (envelope-from bsdx@looksharp.net) Received: from localhost (bsdx@localhost) by turtle.looksharp.net (8.11.1/8.11.1) with ESMTP id f262R4J15181; Mon, 5 Mar 2001 21:27:05 -0500 (EST) (envelope-from bsdx@looksharp.net) Date: Mon, 5 Mar 2001 21:27:04 -0500 (EST) From: Adam To: "Riley J. McIntire" Cc: "Aaron D.Gifford" , Subject: RE: ftp access In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 1 Mar 2001, Riley J. McIntire wrote: >> -----Original Message----- >> From: owner-freebsd-security@FreeBSD.ORG >> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Aaron D.Gifford >> Sent: Thursday, March 01, 2001 9:02 AM >> To: freebsd-security@FreeBSD.ORG >> Subject: RE: ftp access > >> >> I would caution folks from putting /sbin/nologin into /etc/shells >> in order to >> create FTP-only accounts. I would instead suggest you create a link to >> /sbin/nologin and call it something like /sbin/ftponly and put >> THAT shell in >> your /etc/shells file and use it as the shell for your FTP-only users. > >Would this be a problem? > >root@aji# lls /sbin/ftp_only >-rwxr-xr-x 1 root wheel - 48 Mar 1 13:23 /sbin/ftp_only* > >root@aji# cat /sbin/ftp_only >echo This account is for ftp only >ftp localhost >root@aji# grep ftp_only /etc > >root@aji# grep ftp /etc/shells >/sbin/ftp_only > >Then a telnet would show the motd and: > >This account is for ftp only >Connected to localhost. >220 aji.wilshire.net FTP server (Version 6.00LS) ready. 
>Name (localhost:username): What happens if they have a valid ftp account, login, and run !sh ? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 18:38: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0B18937B719 for ; Mon, 5 Mar 2001 18:38:00 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA13318; Mon, 5 Mar 2001 18:36:22 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda13316; Mon Mar 5 18:36:09 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f262a3n68963; Mon, 5 Mar 2001 18:36:03 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdq68961; Mon Mar 5 18:35:56 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f262Zs094331; Mon, 5 Mar 2001 18:35:54 -0800 (PST) Message-Id: <200103060235.f262Zs094331@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdg91885; Mon Mar 5 18:34:54 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Alfred Perlstein Cc: Evren Yurtesen , Dag-Erling Smorgrav , dce , security@FreeBSD.ORG Subject: Re: 31337 In-reply-to: Your message of "Mon, 05 Mar 2001 12:09:19 PST." 
<20010305120919.X8663@fw.wintelcom.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 05 Mar 2001 18:34:52 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <20010305120919.X8663@fw.wintelcom.net>, Alfred Perlstein writes: > * Evren Yurtesen [010305 11:30] wrote: > > can't it be a person who has a shell and execute some daemons etc ? like > > ircd? > > > > why does he need to reinstall his system? > > Oh, and as far as why a complete reinstall is a good idea, is because > you have _no idea_ as to how far the person has gone to install back > doors in the system, only a complete reinstall has a good chance of > fixing them all.

... then install tripwire. This will help identify changed files. Not a perfect solution, as tripwire can be circumvented, but it is more difficult. Then keep a copy of your database offline and/or sign your database. Alternatively run at securelevel > 0. Once again not a perfect solution. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC > > > > > > > > Evren > > > > > dce writes: > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine > > > > > > > > 31337/tcp open Elite > > > > 6667/tcp open irc > > > > > > You're owned. Take your box off the net, take a backup, reinstall from > > > trusted media (preferably original CD-ROMs from BSDI), transfer data > > > (*no* executables, scripts or configuration files!) from backup. And > > > get some security clue; the security(7) man page is a good place to > > > start, though far from complete.
> > > > > > DES > > > -- > > > Dag-Erling Smorgrav - des@ofug.org > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 18:40:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id CCB0437B727 for ; Mon, 5 Mar 2001 18:40:46 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA13328; Mon, 5 Mar 2001 18:39:22 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda13326; Mon Mar 5 18:39:11 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f262d6M68981; Mon, 5 Mar 2001 18:39:06 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdF68967; Mon Mar 5 18:38:54 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f262crC01056; Mon, 5 Mar 2001 18:38:53 -0800 (PST) Message-Id: <200103060238.f262crC01056@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdz98947; Mon Mar 5 18:38:04 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Chris Byrnes Cc: Evren Yurtesen , Dag-Erling 
Smorgrav , dce , security@FreeBSD.ORG Subject: Re: 31337 In-reply-to: Your message of "Mon, 05 Mar 2001 16:16:56 CST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 05 Mar 2001 18:38:04 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , Chris Byrnes writes: > Heh, yeah, exactly. Sometimes people jump to conclusions too fast. > > It's just an IRCD.

The problem is that you don't know whether the system has been rooted or not. As such the prudent thing is to assume that the system has been rooted. > > > + Chris Byrnes, chris@JEAH.net > + JEAH Communications > + 1-866-AWW-JEAH (Toll-Free) Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC > > > On Mon, 5 Mar 2001, Evren Yurtesen wrote: > > > can't it be a person who has a shell and execute some daemons etc ? like > > ircd? > > > > why does he need to reinstall his system? > > > > Evren > > > > > dce writes: > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine > > > > > > > > 31337/tcp open Elite > > > > 6667/tcp open irc > > > > > > You're owned. Take your box off the net, take a backup, reinstall from > > > trusted media (preferably original CD-ROMs from BSDI), transfer data > > > (*no* executables, scripts or configuration files!) from backup. And > > > get some security clue; the security(7) man page is a good place to > > > start, though far from complete.
> > > > > > DES > > > -- > > > Dag-Erling Smorgrav - des@ofug.org > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 19: 0:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 1562537B718 for ; Mon, 5 Mar 2001 19:00:07 -0800 (PST) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id DAA05293; Tue, 6 Mar 2001 03:59:53 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Adam Cc: "Riley J. McIntire" , "Aaron D.Gifford" , Subject: Re: ftp access References: From: Dag-Erling Smorgrav Date: 06 Mar 2001 03:59:52 +0100 In-Reply-To: Adam's message of "Mon, 5 Mar 2001 21:27:04 -0500 (EST)" Message-ID: Lines: 8 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Adam writes: > What happens if they have a valid ftp account, login, and run !sh ? They get a shell on the box they're FTPing from. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 19: 5:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 6683D37B718 for ; Mon, 5 Mar 2001 19:05:16 -0800 (PST) (envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2633nx90545; Mon, 5 Mar 2001 21:03:49 -0600 (CST) (envelope-from chris@jeah.net) Date: Mon, 5 Mar 2001 21:03:49 -0600 (CST) From: Chris Byrnes To: Cy Schubert - ITSD Open Systems Group Cc: Evren Yurtesen , Dag-Erling Smorgrav , dce , Subject: Re: 31337 In-Reply-To: <200103060238.f262crC01056@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > Heh, yeah, exactly. Sometimes people jump to conclusions too fast. > > > > It's just an IRCD. > > The problem is that you don't know whether the system has been rooted > or not. As such the prudent thing is to assume that the system has > been rooted. I suppose, however, it could easily be a user running an IRC server on a box. The box admin (dce) doesn't understand what an IRC server is, and why it has opened ports. Before doing anything drastic on a production box, I like to try to work through possible simpler resolutions to the problem. 
+ Chris Byrnes, chris@JEAH.net + JEAH Communications + 1-866-AWW-JEAH (Toll-Free) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 19:14:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 4E9E237B71A for ; Mon, 5 Mar 2001 19:14:16 -0800 (PST) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f263EKL15344 for ; Mon, 5 Mar 2001 22:14:21 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Mon, 5 Mar 2001 22:14:15 -0500 (EST) From: Rob Simmons To: Subject: tripwire Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What are the benefits/disadvantages between the two tripwire ports and the tripwirish aide port? 
Robert Simmons Systems Administrator http://www.wlcg.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6pFYLv8Bofna59hYRAr6uAKCsvX7B1ybtgYmT9rYnjWOQF9+9HQCZAe7s lb5iB8UXdlCtIlVI+jTDzEM= =uKX3 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 5 19:59:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 9F9BC37B718 for ; Mon, 5 Mar 2001 19:59:51 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id TAA13500; Mon, 5 Mar 2001 19:59:44 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda13498; Mon Mar 5 19:59:40 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f263xZU69401; Mon, 5 Mar 2001 19:59:35 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdI69399; Mon Mar 5 19:58:58 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f263wvE34816; Mon, 5 Mar 2001 19:58:57 -0800 (PST) Message-Id: <200103060358.f263wvE34816@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdL34546; Mon Mar 5 19:58:04 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Rob Simmons Cc: freebsd-security@FreeBSD.ORG Subject: Re: tripwire In-reply-to: Your message of "Mon, 05 Mar 2001 22:14:15 EST." 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 05 Mar 2001 19:58:03 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Rob Simmons writes:
> What are the benefits/disadvantages between the two tripwire ports and the
> tripwirish aide port?

Tripwire 1.3.1 fixes a number of bugs found in tripwire 1.2, however the licenses are different. I personally haven't encountered the bugs but the people at Tripwiresecurity say that they are there.

The commercial version, Version 2, which Tripwresecurity has made the Linux version of the source available, which I might port to FreeBSD as well, adds new signatures, improves memory utilisation reducing paging and increases the number of files that can be monitored before tripwire dies. It also has an interface to the Tripwire console, which allows a central security administrator to monitor 100-200 UNIX and NT systems, freeing up UNIX and NT admin staff to do more rewarding work. I will be discussing the Tripwire version 2 license with someone at tripwire tomorrow.

Functionally Aide is smaller and faster. It supports different signatures, however it lacks an interactive mode, e.g. you need to specify which files have changed on the command line or rebuild the database from scratch.
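All of the tools compared in this thread implement the same model: a baseline database of per-file signatures and inode attributes, rescanned later to report what was added, removed or changed. The Python below is an example added for this page (it is not code from Tripwire, AIDE, or anyone's post) that shows that model end to end; the directory tree, file names and tampering steps in `demo()` are constructed for the demonstration, and `integrity.json` is an assumed database name.

```python
"""Tripwire/AIDE-style file integrity check: baseline database, later re-scan, change report.
Editor-added example for this page; not code from Tripwire, AIDE, or the thread."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Attributes recorded per entry; a change in any of them is reported.
TRACKED_ATTRS = ("sha256", "size", "mode", "uid", "gid", "mtime")


def file_record(path: Path) -> dict:
    """Collect the signature and inode attributes for one path (symlinks are not followed)."""
    st = path.lstat()
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "mtime": int(st.st_mtime), "sha256": None}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_database(root: str) -> dict:
    """Walk root and record every directory and file, keyed by path relative to root."""
    root_path = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[p.relative_to(root_path).as_posix()] = file_record(p)
    return db


def save_database(db: dict, dest: str) -> None:
    """Write the baseline as JSON. Keep it off the monitored host or on read-only
    media: a database the intruder can rewrite proves nothing."""
    with open(dest, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_database(src: str) -> dict:
    with open(src) as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Report added and removed paths, and for changed paths which attributes differ."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in sorted(set(baseline) & set(current)):
        diffs = [a for a in TRACKED_ATTRS if baseline[path].get(a) != current[path].get(a)]
        if diffs:
            report["changed"][path] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan and compare."""
    root, dbdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        tree = Path(root)
        (tree / "bin").mkdir()
        (tree / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (tree / "etc").mkdir()
        (tree / "etc" / "passwd").write_text("root:*:0:0::/root:/bin/sh\n")
        (tree / "etc" / "passwd").chmod(0o644)
        (tree / "etc" / "old.conf").write_text("x=1\n")
        dbfile = os.path.join(dbdir, "integrity.json")   # stored outside the monitored tree
        save_database(build_database(root), dbfile)

        # Simulated tampering: replaced binary, new file, removed config, loosened permissions.
        (tree / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n# extra line added after baseline\n")
        (tree / "bin" / "extra").write_bytes(b"new file")
        (tree / "etc" / "old.conf").unlink()
        (tree / "etc" / "passwd").chmod(0o666)
        return compare(load_database(dbfile), build_database(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report names the attribute that changed, which is what separates a legitimate package upgrade (new hash, new mtime) from a quiet permission change on a file whose contents are intact; the non-interactive mode Cy mentions for Aide corresponds to regenerating the baseline with `build_database` once the reported changes have been reviewed.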

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Mon Mar 5 20:40:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pluto.senet.com.au (pluto.senet.com.au [203.56.239.150]) by hub.freebsd.org (Postfix) with ESMTP id A12AE37B718 for ; Mon, 5 Mar 2001 20:40:53 -0800 (PST) (envelope-from glewis@misty.eyesbeyond.com)
Received: from misty.eyesbeyond.com (c22-fr-p128.senet.com.au [172.16.22.129]) by pluto.senet.com.au (8.11.0/8.11.0) with ESMTP id f264en561653; Tue, 6 Mar 2001 15:10:49 +1030 (CST) (envelope-from glewis@misty.eyesbeyond.com)
Received: (from glewis@localhost) by misty.eyesbeyond.com (8.9.3/8.9.3) id PAA34397; Tue, 6 Mar 2001 15:10:47 +1030 (CST) (envelope-from glewis)
Date: Tue, 6 Mar 2001 15:10:47 +1030
From: Greg Lewis
To: Cy Schubert - ITSD Open Systems Group
Cc: Rob Simmons , freebsd-security@FreeBSD.ORG
Subject: Re: tripwire
Message-ID: <20010306151047.A34281@misty.eyesbeyond.com>
References: <200103060358.f263wvE34816@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103060358.f263wvE34816@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Mon, Mar 05, 2001 at 07:58:03PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 05, 2001 at 07:58:03PM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> The commercial version, Version 2, which Tripwresecurity has made the
> Linux version of the source available, which I might port to FreeBSD as
> well, adds new signatures, improves memory utilisation reducing paging
> and increases the number of files that can be monitored before tripwire
> dies.
> It also has an interface to the Tripwire console, which allows a
> central security administrator to monitor 100-200 UNIX and NT systems,
> freeing up UNIX and NT admin staff to do more rewarding work.

There were patches to get it working under FreeBSD posted to the list, should be able to find it in the archives, but I can't remember the location of the patches off the top of my head.

Also, there was recently a posting saying that FreeBSD support was being integrated into the Tripwire CVS repository.

--
Greg Lewis                    Email : glewis@eyesbeyond.com
Eyes Beyond                   Mobile: 0419 868 494
Information Technology        Web   : http://www.eyesbeyond.com

From owner-freebsd-security Mon Mar 5 21:24:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from monarch.prairienet.org (monarch.prairienet.org [192.17.3.5]) by hub.freebsd.org (Postfix) with SMTP id 6E6E137B718 for ; Mon, 5 Mar 2001 21:24:54 -0800 (PST) (envelope-from dtalk@prairienet.org)
Received: (qmail 17070 invoked from network); 6 Mar 2001 05:24:48 -0000
Received: from slip-66.prairienet.org (HELO littleblue.spotnet.org) (192.17.3.86) by monarch.prairienet.org with SMTP; 6 Mar 2001 05:24:48 -0000
Received: from localhost (dtalk@localhost) by littleblue.spotnet.org (8.11.0/8.9.3) with ESMTP id f265Oju01410; Mon, 5 Mar 2001 23:24:46 -0600
X-Authentication-Warning: littleblue.spotnet.org: dtalk owned process doing -bs
Date: Mon, 5 Mar 2001 23:24:34 -0600 (CST)
From: David Talkington
X-Sender:
To: "Jonathan D. Dunfee"
Cc: Dan Harnett , Will Andrews , Rémi Guyomarch ,
Subject: Re: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
    @
In-Reply-To: <15011.45857.351854.898433@C126508-B.rchdsn1.tx.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

Jonathan D. Dunfee wrote:

>To expound on what Dan mentioned, the portable version of OpenSSH
>places (and references) configuration files according to the
>"--sysconfdir=" option that you give to the configure script. The
>default is ${prefix}/etc, which actually gives /usr/local/etc/ if
>'--prefix=' hasn't been set.

Christoph -

You didn't say which ssh distribution you installed (SSH Communications or OpenSSH). OpenSSH won't overwrite existing hostkeys, and I'd be surprised if the SSH Communications package did.

So ... if you're using OpenSSH, then my guess is that you configured it with defaults -- and got what Jonathan describes above, which means it doesn't know where your original keys are. Copy them from /etc/ssh to /usr/local/etc, and you'll be back in business. Alternatively, rebuild it using './configure --sysconfdir=/etc/ssh'.
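A way to confirm the key-copy fix described above before restarting sshd is to compare the fingerprints of the host keys in the two directories: if the copies match, clients keep the host identity they already trust. The Python below is an example added for this page, not OpenSSH's own code. The two directories and the key files in `demo()` are constructed (the public-key blobs are synthetic, not real key pairs), and the fingerprint format is the SHA256 form that current `ssh-keygen -l` prints rather than the MD5 hex form of 2001-era OpenSSH.

```python
"""Verify that the host keys in two OpenSSH sysconfdirs are the same keys, by fingerprint.
Editor-added example for this page; not OpenSSH code."""
import base64
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public-key line ("<type> <base64 blob> [comment]"),
    in the form modern `ssh-keygen -l` prints: base64 of SHA256(blob), padding stripped."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_key_fingerprints(sysconfdir: str) -> dict:
    """Map each ssh_host_*_key.pub found under sysconfdir to its fingerprint."""
    return {pub.name: fingerprint(pub.read_text())
            for pub in sorted(Path(sysconfdir).glob("ssh_host_*_key.pub"))}


def compare_host_keys(old_dir: str, new_dir: str) -> dict:
    """For every key name in either directory: 'same', 'different', 'missing-in-new' or
    'missing-in-old'. Anything but 'same' means clients will see a changed host identity."""
    old, new = host_key_fingerprints(old_dir), host_key_fingerprints(new_dir)
    result = {}
    for name in sorted(set(old) | set(new)):
        if name not in new:
            result[name] = "missing-in-new"
        elif name not in old:
            result[name] = "missing-in-old"
        else:
            result[name] = "same" if old[name] == new[name] else "different"
    return result


def constructed_pubkey_line(keytype: str, seed: bytes) -> str:
    """Synthetic public-key line in OpenSSH wire layout (length-prefixed strings).
    The key material is a hash of `seed`, not a real key pair; enough to fingerprint."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(keytype.encode()) + ssh_string(hashlib.sha256(seed).digest())
    return f"{keytype} {base64.b64encode(blob).decode()} root@example-host\n"


def demo() -> dict:
    """Constructed scenario: /etc/ssh holds the original keys; the default-configured
    build in /usr/local/etc generated a fresh key of one type and none of the other."""
    etc_ssh, local_etc = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        Path(etc_ssh, "ssh_host_rsa_key.pub").write_text(
            constructed_pubkey_line("ssh-rsa", b"original rsa"))
        Path(etc_ssh, "ssh_host_dsa_key.pub").write_text(
            constructed_pubkey_line("ssh-dss", b"original dsa"))
        Path(local_etc, "ssh_host_rsa_key.pub").write_text(
            constructed_pubkey_line("ssh-rsa", b"freshly generated"))
        before = compare_host_keys(etc_ssh, local_etc)
        # The fix from the thread: copy the original keys into the directory sshd actually reads.
        # (In practice copy the private keys too, keeping them mode 0600, then restart sshd.)
        for pub in Path(etc_ssh).glob("ssh_host_*_key.pub"):
            shutil.copy(pub, Path(local_etc, pub.name))
        after = compare_host_keys(etc_ssh, local_etc)
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(etc_ssh)
        shutil.rmtree(local_etc)


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Run against real directories, `compare_host_keys("/etc/ssh", "/usr/local/etc")` should report `same` for every key type before sshd is restarted; a `missing-in-new` entry means sshd will generate, or has generated, a new key of that type, which is exactly what triggers the warning in the subject line on every client.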

Hope this helps

-d

- --
David Talkington
Prairienet
dtalk@prairienet.org
217-244-1962

PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOqR0nb1ZYOtSwT+tAQGg5wf/YJazQLW7Agi5uofFkL7nXTi7QIfsPQyj
txhqhwD6VPONIrfr/+8rHDGrgEP7RuS6uYLl23yglRYhRrsrHvu7txF7kyq3M4K/
N9OJSJAx36YUp+TGI8Bx2KG2CC7gwPTO3ajuhrLBMjZW6uTpSumKfmSxTnlFvC2S
c5E+sUI62J2RLYC6gl2QXoxjNcrMuB7m/tae6PjtZJ2gUDjG9AUb7QQubWznltwD
7lR2YJFlpY8QN5ICTnXgQz5OzBryvPqvSxd61qpsAMfvd/K08EHteBPqC5ZW06qk
BEtRVY1i1T7k+76tX+OTA52qKnPMEp4TG2tF+MPZM4tFHPIGllrUXA==
=lC/R
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Mar 5 22:49:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109]) by hub.freebsd.org (Postfix) with ESMTP id 0D28037B719 for ; Mon, 5 Mar 2001 22:49:23 -0800 (PST) (envelope-from pherman@frenchfries.net)
Received: from husten.security.at12.de (dial-213-168-88-172.netcologne.de [213.168.88.172]) by mr200.netcologne.de (Mirapoint) with ESMTP id ACD30494; Tue, 6 Mar 2001 07:49:19 +0100 (CET)
Received: from localhost (localhost.security.at12.de [127.0.0.1]) by husten.security.at12.de (8.11.2/8.11.2) with ESMTP id f266n5J08458; Tue, 6 Mar 2001 07:49:06 +0100 (CET) (envelope-from pherman@frenchfries.net)
Date: Tue, 6 Mar 2001 07:49:05 +0100 (CET)
From: Paul Herman
To: Greg Lewis
Cc: Cy Schubert - ITSD Open Systems Group , Rob Simmons ,
Subject: Re: tripwire
In-Reply-To: <20010306151047.A34281@misty.eyesbeyond.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 6 Mar 2001, Greg Lewis wrote:

> On Mon, Mar 05, 2001 at 07:58:03PM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> > The commercial version, Version 2,
> > which Tripwresecurity has made
> > the Linux version of the source available, which I might port to
> > FreeBSD as well,
>
> There were patches to get it working under FreeBSD posted to the
> list, should be able to find it in the archives, but I can't
> remember the location of the patches off the top of my head.

I should just add, this is for the Open Source version of Tripwire only, not the super duper commercial version which Cy was talking about. Open Source version 2.3.1 has _just_ been released (see tripwire.org/sourceforge for downloads) and includes support for FreeBSD.

As for the commercial version, I don't see why it wouldn't work under Linux-emu, but Cy probably has more experience with that than I do.

-Paul.

From owner-freebsd-security Mon Mar 5 23:24:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 657AB37B719 for ; Mon, 5 Mar 2001 23:24:47 -0800 (PST) (envelope-from roam@orbitel.bg)
Received: (qmail 18092 invoked by uid 1000); 6 Mar 2001 07:24:20 -0000
Date: Tue, 6 Mar 2001 09:24:20 +0200
From: Peter Pentchev
To: Dag-Erling Smorgrav
Cc: Adam , "Riley J. McIntire" , "Aaron D.Gifford" , freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <20010306092420.A17428@ringworld.oblivion.bg>
Mail-Followup-To: Dag-Erling Smorgrav , Adam , "Riley J.
    McIntire" , "Aaron D.Gifford" , freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Tue, Mar 06, 2001 at 03:59:52AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 06, 2001 at 03:59:52AM +0100, Dag-Erling Smorgrav wrote:
> Adam writes:
> > What happens if they have a valid ftp account, login, and run !sh ?
>
> They get a shell on the box they're FTPing from.

..which happens to be the box they logged in *to*, since /usr/bin/ftp is effectively their login shell. Yes, that's bad.

G'luck,
Peter

--
I've heard that this sentence is a rumor.

From owner-freebsd-security Mon Mar 5 23:28:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8013337B719 for ; Mon, 5 Mar 2001 23:28:37 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id XAA13942; Mon, 5 Mar 2001 23:27:49 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda13940; Mon Mar 5 23:27:32 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f267RRc70152; Mon, 5 Mar 2001 23:27:27 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdh70146; Mon Mar 5 23:27:05 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f267R5i79360; Mon, 5 Mar 2001 23:27:05 -0800 (PST)
Message-Id: <200103060727.f267R5i79360@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdk79354; Mon Mar 5 23:26:23 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Paul Herman
Cc: Greg Lewis , Cy Schubert - ITSD Open Systems Group , Rob Simmons , freebsd-security@FreeBSD.ORG
Subject: Re: tripwire
In-reply-to: Your message of "Tue, 06 Mar 2001 07:49:05 +0100."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 05 Mar 2001 23:26:23 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Paul Herman writes:
> On Tue, 6 Mar 2001, Greg Lewis wrote:
>
> > On Mon, Mar 05, 2001 at 07:58:03PM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> > > The commercial version, Version 2, which Tripwresecurity has made
> > > the Linux version of the source available, which I might port to
> > > FreeBSD as well,
> >
> > There were patches to get it working under FreeBSD posted to the
> > list, should be able to find it in the archives, but I can't
> > remember the location of the patches off the top of my head.
>
> I should just add, this is for the Open Source version of Tripwire
> only, not the super duper commercial version which Cy was talking
> about. Open Source version 2.3.1 has _just_ been released (see
> tripwire.org/sourceforge for downloads) and includes support for
> FreeBSD.

I should have a port ready in a couple of days, no later than by the end of the week.

>
> As for the commercial version, I don't see why it wouldn't work under
> Linux-emu, but Cy probably has more experience with that than I do.

I should be able to get my hands on a copy of the Linux version early next fiscal year (April).

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Tue Mar 6 0:19:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 2B4C937B723 for ; Tue, 6 Mar 2001 00:19:07 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 6 Mar 2001 00:17:08 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f268J5L16977; Tue, 6 Mar 2001 00:19:05 -0800 (PST) (envelope-from cjc)
Date: Tue, 6 Mar 2001 00:18:59 -0800
From: "Crist J. Clark"
To: Mike Silbersack
Cc: "Giovanni P. Tirloni" , freebsd-security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010306001859.B1367@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from silby@silby.com on Mon, Mar 05, 2001 at 07:22:41PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 05, 2001 at 07:22:41PM -0600, Mike Silbersack wrote:
>
> On Mon, 5 Mar 2001, Giovanni P. Tirloni wrote:
>
> > Hi folks,
> >
> > Just to add some extra info I'd like to say that I've seen nmap reporting
> > such open ports a lot of times while doing port scans on my machines and
> > friend's machines too.
> >
> > Mainly I was certifying myself of which ports I had left open after a
> > _fresh_ install so, IMO, this is something related to nmap itself
> > reporting such ports wrongly and not with any kind of h4x0r 4ct1v1ty.
> > Perhaps, in some way, FreeBSD sends some kind of packet with options
> > that make nmap report it that way. I really don't know.
>
> BIND likes to use a port in area above 1024 for outgoing queries, so
> you're going to see nmap hit that pretty consistently. Other than that, I
> don't think you should be seeing any false positives.

It is _rarely_ going to be opening TCP sockets and when it does, it will be the one initiating them so they will not appear open to a connect() scan. UDP false positives... Yeah, that can happen a lot.

--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Tue Mar 6 2:43:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from t0ad.eng.eircom.net (t0ad.eng.eircom.net [159.134.242.251]) by hub.freebsd.org (Postfix) with ESMTP id 2638F37B718 for ; Tue, 6 Mar 2001 02:43:24 -0800 (PST) (envelope-from davidd@t0ad.eng.eircom.net)
Received: (from davidd@localhost) by t0ad.eng.eircom.net (8.10.1/8.10.1) id f26BbYO11448; Tue, 6 Mar 2001 11:37:34 GMT
Date: Tue, 6 Mar 2001 11:37:33 +0000
From: David Dorgan
To: cjclark@alum.mit.edu
Cc: Mike Silbersack , "Giovanni P.
    Tirloni" , freebsd-security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010306113733.A21329@eircom.net>
References: <20010306001859.B1367@cjc-desktop.users.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20010306001859.B1367@cjc-desktop.users.reflexcom.com>; from cjclark@reflexnet.net on Tue, Mar 06, 2001 at 12:18:59AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There is more than a handful of messages here which are just speculation on what this is. Simple solution: try and irc to localhost. Simple solution two... try a bo client against the machine... as somebody has mentioned there are bo emulators which work quite well and you would not need root to use them. lsof is your friend.

Issue two: I'm not sure total reposts of large messages which aren't following up on arguments made are required.

--
"Never settle with words what you can settle with a flamethrower"

From owner-freebsd-security Tue Mar 6 3:24:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from snoopie.yi.org (dsl-64-193-123-121.telocity.com [64.193.123.121]) by hub.freebsd.org (Postfix) with ESMTP id DE74937B71A for ; Tue, 6 Mar 2001 03:24:12 -0800 (PST) (envelope-from root@snoopie.yi.org)
Received: by snoopie.yi.org (Postfix, from userid 0) id CC5148E; Tue, 6 Mar 2001 05:24:11 -0600 (CST)
To: freebsd-security@FreeBSD.ORG
Message-Id: <20010306112411.CC5148E@snoopie.yi.org>
Date: Tue, 6 Mar 2001 05:24:11 -0600 (CST)
From: root@snoopie.yi.org (Charlie Root)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

auth c0e9dc2c unsubscribe freebsd-security root@snoopie.yi.org

From owner-freebsd-security Tue Mar 6 10:27:40 2001
Delivered-To:
    freebsd-security@freebsd.org
Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by hub.freebsd.org (Postfix) with ESMTP id 2498137B71A for ; Tue, 6 Mar 2001 10:27:36 -0800 (PST) (envelope-from rjmcintire@earthlink.net)
Received: from emilyd ([64.161.77.242]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0G9S00KD9GF8DG@mta6.snfc21.pbi.net> for freebsd-security@FreeBSD.ORG; Tue, 6 Mar 2001 10:23:32 -0800 (PST)
Date: Tue, 06 Mar 2001 10:23:32 -0800
From: "Riley J. McIntire"
Subject: RE: ftp access
In-reply-to: <20010306092420.A17428@ringworld.oblivion.bg>
To: Peter Pentchev , Dag-Erling Smorgrav
Cc: Adam , "Aaron D.Gifford" , freebsd-security@FreeBSD.ORG
Message-id:
MIME-version: 1.0
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Importance: Normal
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Priority: 3 (Normal)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> On Tue, Mar 06, 2001 at 03:59:52AM +0100, Dag-Erling Smorgrav wrote:
> > Adam writes:
> > > What happens if they have a valid ftp account, login, and run !sh ?
> >
> > They get a shell on the box they're FTPing from.
>
> ..which happens to be the box they logged in *to*, since /usr/bin/ftp
> is effectively their login shell. Yes, that's bad.
>
> G'luck,
> Peter

No, looks to me like the shell is piped (not sure this is exactly how it works...) through the login shell (ftp_only). It gives an error:

root@worm# telnet aji
Trying 10.100.100.100...
Connected to aji
Escape character is '^]'.

FreeBSD/i386 (aji) (ttyp2)

login: rjm
Password:
Last login: Tue Mar  6 10:06:20 from worm
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
FreeBSD 4.2-RELEASE (AJI) #0: Sat Dec  9 13:27:56 PST 2000

// motd display snipped

You have new mail.
This account is for ftp only
Connected to localhost.
220 aji FTP server (Version 6.00LS) ready.
Name (localhost:rjm):
331 Password required for rjm.
Password:
230 User rjm logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> !/bin/sh
ftp: /sbin/ftp_only: Exec format error
ftp> !
ftp: /sbin/ftp_only: Exec format error

Riley

From owner-freebsd-security Tue Mar 6 18:06:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from monarch.prairienet.org (monarch.prairienet.org [192.17.3.5]) by hub.freebsd.org (Postfix) with SMTP id CF32E37B718 for ; Tue, 6 Mar 2001 18:05:58 -0800 (PST) (envelope-from dtalk@prairienet.org)
Received: (qmail 10638 invoked from network); 7 Mar 2001 02:05:56 -0000
Received: from slip-42.prairienet.org (HELO littleblue.spotnet.org) (192.17.3.62) by monarch.prairienet.org with SMTP; 7 Mar 2001 02:05:56 -0000
Received: from localhost (dtalk@localhost) by littleblue.spotnet.org (8.11.0/8.9.3) with ESMTP id f2725r301113 for ; Tue, 6 Mar 2001 20:05:56 -0600
X-Authentication-Warning: littleblue.spotnet.org: dtalk owned process doing -bs
Date: Tue, 6 Mar 2001 20:05:49 -0600 (CST)
From: David Talkington
X-Sender:
To:
Subject: [OT] cordless keyboards
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

My apologies for the OT. After spotting a Logitech cordless keyboard in use in one department that I maintain, I scoured the web looking for information about the possibility of interception of its signals. I've found nothing.

Does anyone know how difficult it might be to sniff one of these devices?
Logitech marketing info claims that it's "digitally secure", but without third-party information to back this up, my innately paranoid nature remains cautious, given its 6-10 foot range (more than enough to span cubicles or even apartments).

- -d

- --
David Talkington
Prairienet
dtalk@prairienet.org
217-244-1962

PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOqWXgL1ZYOtSwT+tAQETlgf9Gmu/FQHnkIgfcYnV3ATMSGyF3jNeRINr
Z4yBDhPM1R8kiw9blexUTFuxMOlemDGAMSEEWt9fxh6CYcGWSG7+5LcDERBGauqn
SgFJdbHGCmFBOAcw53fJAlZUWLUKIyuQWk7ppUcFDOM41vFyhY4JHG89vGhAq57D
YDod9fmcFx2o9TrhonR8JHTqD+bQG6BbqYsZoIwGH46raw7tqBQxHFb/3GDGa0fU
EVQmE8kTT9iab8UjItOOfeg3m/4ijilAYhYNZMlB+7ZYXZoVLsVR5WKE0cvRSU5s
iAprByzkDSqWwChpijN8y3DKPSft2mzg+zhWb6jWYqENp471u/DvVg==
=Y1KT
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Mar 6 18:20:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtppop3pub.verizon.net (smtppop3pub.gte.net [206.46.170.22]) by hub.freebsd.org (Postfix) with ESMTP id 85DF837B718 for ; Tue, 6 Mar 2001 18:20:49 -0800 (PST) (envelope-from res03db2@gte.net)
Received: from gte.net (evrtwa1-ar4-4-34-145-186.dsl.gtei.net [4.34.145.186]) by smtppop3pub.verizon.net with ESMTP ; id UAA118882670 Tue, 6 Mar 2001 20:16:03 -0600 (CST)
Received: (from res03db2@localhost) by gte.net (8.9.3/8.9.3) id SAA46662; Tue, 6 Mar 2001 18:20:45 -0800 (PST) (envelope-from res03db2@gte.net)
Date: Tue, 6 Mar 2001 18:20:45 -0800
From: Robert Clark
To: David Talkington
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [OT] cordless keyboards
Message-ID: <20010306182045.A46579@darkstar.gte.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from dtalk@prairienet.org on Tue, Mar 06, 2001 at
    08:05:49PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think my brother's keyboard has a dip switch under it.

It might take a while to work through all the combinations, but not too long.

[RC]

On Tue, Mar 06, 2001 at 08:05:49PM -0600, David Talkington wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> My apologies for the OT. After spotting a Logitech cordless keyboard
> in use in one department that I maintain, I scoured the web looking
> for information about the possibility of interception of its signals.
> I've found nothing.
>
> Does anyone know how difficult it might be to sniff one of these
> devices? Logitech marketing info claims that it's "digitally secure",
> but without third-party information to back this up, my innately
> paranoid nature remains cautious, given its 6-10 foot range (more than
> enough to span cubicles or even apartments).
>
> - -d
>
> - --
> David Talkington
> Prairienet
> dtalk@prairienet.org
> 217-244-1962
>

From owner-freebsd-security Tue Mar 6 18:27:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from monarch.prairienet.org (monarch.prairienet.org [192.17.3.5]) by hub.freebsd.org (Postfix) with SMTP id 8102137B718 for ; Tue, 6 Mar 2001 18:27:47 -0800 (PST) (envelope-from dtalk@prairienet.org)
Received: (qmail 19846 invoked from network); 7 Mar 2001 02:27:44 -0000
Received: from slip-42.prairienet.org (HELO littleblue.spotnet.org) (192.17.3.62) by monarch.prairienet.org with SMTP; 7 Mar 2001 02:27:44 -0000
Received: from localhost (dtalk@localhost) by littleblue.spotnet.org (8.11.0/8.9.3) with ESMTP id f272RfS01285; Tue, 6 Mar 2001 20:27:43 -0600
X-Authentication-Warning: littleblue.spotnet.org: dtalk owned process doing -bs
Date: Tue, 6 Mar 2001 20:27:38 -0600 (CST)
From: David Talkington
X-Sender:
To: Robert Clark
Cc:
Subject: Re: [OT] cordless keyboards
In-Reply-To: <20010306182045.A46579@darkstar.gte.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

Robert Clark wrote:

>> Does anyone know how difficult it might be to sniff one of these
>> devices? Logitech marketing info claims that it's "digitally secure",

>I think my brother's keyboard has a dip switch under it.
>
>It might take a while to work through all the combinations, but
>not too long.

Logitech claims that the device uses a "randomly set digital security code". It's synchronized by pressing a button on the receiver, and then a "connect" button on the bottom of the keyboard. This is operationally similar to the way some cars' keyless entry transmitters are initialized.

- -d

- --
David Talkington
Prairienet
dtalk@prairienet.org
217-244-1962

PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOqWcnb1ZYOtSwT+tAQGTzAf/RT6vcKURw4FZ+IycXM1ONIBxf9N+rt7V
F3PV/fA4OAyxuw15Nb1u/eJaQDjkTZc1o/RlnUQvzyAI7OSe/MrmzMSoIk2uxEeA
PnDTWmpA5oxw6t/FYkD8TVaXc+tDeFwbXJL2xrHxknHDpx0EKEah+2NjwXfsc6mJ
Xt0cuNaW06tj68T0Us2jwPasSWXceE/07ZvwAuy0VQj6w2GRLs1ReS+dMSm9Qw8X
E5b+Q8+dOAM91QR+/vnKJIP3UDKs2frGujLkmbK8BnsnPvUP5Bx9G2UkDy9V24E/
YX38KgbsqNOBs8khvWU7Oa6wQcb0j5eN73+F7m6Al845305m188AhA==
=KrV7
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Mar 6 20:57:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 6C21837B719 for ; Tue, 6 Mar 2001 20:57:03 -0800 (PST) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f274v5Y59453; Tue, 6 Mar 2001 23:57:05 -0500
    (EST) (envelope-from rsimmons@wlcg.com)
Date: Tue, 6 Mar 2001 23:57:01 -0500 (EST)
From: Rob Simmons
To: David Talkington
Cc: Robert Clark ,
Subject: Re: [OT] cordless keyboards
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Logitech uses a 10bit ID that is assigned to the base station/mouse/keyboard at the factory. I don't believe there is any type of encryption. I would not recommend the Logitech, they don't have very good range. I have had much better luck with the Intel version. The Intel has a much better range, plus they have a wireless gamepad option. As for sniffing their signal, I think it would be quite easy to do to either one. Here is the frequency range, all you need is a scanner.

Intel:
Transmitter/Receiver Frequency Range: 902.5MHz-927MHz

Logitech:
http://www.logitech.com/cf/support/1029.cfm

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Tue, 6 Mar 2001, David Talkington wrote:

> Robert Clark wrote:
>
> >> Does anyone know how difficult it might be to sniff one of these
> >> devices? Logitech marketing info claims that it's "digitally secure",
>
> >I think my brother's keyboard has a dip switch under it.
> >
> >It might take a while to work through all the combinations, but
> >not too long.
>
> Logitech claims that the device uses a "randomly set digital security
> code". It's synchronized by pressing a button on the receiver, and
> then a "connect" button on the bottom of the keyboard. This is
> operationally similar to the way some cars' keyless entry transmitters
> are initialized.
>
> -d
>
> --
> David Talkington
> Prairienet
> dtalk@prairienet.org
> 217-244-1962
>
> PGP key: http://www.prairienet.org/~dtalk/dt000823.asc
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> ------------ Output from gpg ------------
> gpg: Signature made Tue Mar  6 21:27:41 2001 EST using RSA key ID 52C13FAD
> gpg: Good signature from ""
> gpg:                 aka "David Michael Talkington"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 61 E7 50 60 05 BA A6 18  11 2B ED 4A EE 48 70 F4
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6pb+hv8Bofna59hYRApkNAJ976ysHKSBg2sMqrMA761nNjWb5BQCgkyFs
B0NsY4+mjSBk80XZsAFzQK0=
=wdUW
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Mar 6 23:46:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailc.telia.com (mailc.telia.com [194.22.190.4]) by hub.freebsd.org (Postfix) with ESMTP id C350237B71A for ; Tue, 6 Mar 2001 23:46:28 -0800 (PST) (envelope-from watchman@ludd.luth.se)
Received: from d1o906.telia.com (d1o906.telia.com [195.252.36.241]) by mailc.telia.com (8.11.2/8.11.0) with ESMTP id f277kQV19851; Wed, 7 Mar 2001 08:46:26 +0100 (CET)
Received: from ludd.luth.se (h12n1fls20o906.telia.com [213.64.92.12]) by d1o906.telia.com (8.8.8/8.8.8) with ESMTP id IAA20826; Wed, 7 Mar 2001 08:46:26 +0100 (CET)
Message-ID: <3AA5E750.E50DDEDF@ludd.luth.se>
Date: Wed, 07 Mar 2001 08:46:24 +0100
From: Joachim Strömbergson
Organization: Acne
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en-US
MIME-Version: 1.0
To: David Talkington
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [OT] cordless keyboards
References:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

David Talkington wrote:
> My apologies for the OT. After spotting a Logitech cordless keyboard
> in use in one department that I maintain, I scoured the web looking
> for information about the possibility of interception of its signals.
> I've found nothing.
>
> Does anyone know how difficult it might be to sniff one of these
> devices? Logitech marketing info claims that it's "digitally secure",
> but without third-party information to back this up, my innately
> paranoid nature remains cautious, given its 6-10 foot range (more than
> enough to span cubicles or even apartments).

I'm a very happy owner of a cordless mouse and keyboard combo (one of the best buys I've ever made). My board is not equipped with any dip switches. Instead (as reported by others) the mouse, the keyboard and the base station each have a "connect" button that is supposed to sync/identify the devices with each other.

One odd thing to note: it seems that if you don't do this, the base station will accept signals from any mouse/keyboard. At my former job the managers sitting next to each other complained that they constantly stole the mouse pointer from each other(!). These were Logitech boards and mice.

--
Cheers!
Joachim - Always in harmonic oscillation
--- FairLight ------ FairLight ------ FairLight ------ FairLight ---
Joachim Strömbergson          ASIC SoC designer, nice to CUTE animals
Phone: +46(0)31 - 27 98 47    Web: http://www.ludd.luth.se/~watchman
--------------- Spamfodder: regeringen@regeringen.se ---------------

From owner-freebsd-security Wed Mar 7 6:36:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nol.co.za (nol.co.za [196.33.45.2]) by hub.freebsd.org (Postfix) with ESMTP id CDA9A37B719 for ; Wed, 7 Mar 2001 06:36:24 -0800 (PST) (envelope-from tim@nol.co.za)
Received: from cafe2.sz.co.za ([196.33.45.155] helo=cafe2.nol.co.za) by nol.co.za with esmtp (Exim 3.13 #1) id 14af2X-000DaW-00 for freebsd-security@freebsd.org; Wed, 07 Mar 2001 16:35:45 +0200
Message-Id: <5.0.2.1.2.20010307163300.02020040@196.33.45.2>
X-Sender: tim@196.33.45.2
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Wed, 07 Mar 2001 16:34:18 +0200
To: freebsd-security@freebsd.org
From: "Timothy S. Bowers"
Subject: TOS ipfw
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Has anyone seen ipfw limit bandwidth on TOS (Type Of Service)?
Any help in the right direction would help :)

Thanks,
Timothy

From owner-freebsd-security Wed Mar 7 6:44:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id D85B237B719 for ; Wed, 7 Mar 2001 06:44:02 -0800 (PST) (envelope-from ru@whale.sunbay.crimea.ua)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f27Ef4634900; Wed, 7 Mar 2001 16:41:04 +0200 (EET) (envelope-from ru)
Date: Wed, 7 Mar 2001 16:41:04 +0200
From: Ruslan Ermilov
To: "Timothy S. Bowers"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: TOS ipfw
Message-ID: <20010307164104.C97252@sunbay.com>
Mail-Followup-To: "Timothy S. Bowers" , freebsd-security@FreeBSD.ORG
References: <5.0.2.1.2.20010307163300.02020040@196.33.45.2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.0.2.1.2.20010307163300.02020040@196.33.45.2>; from tim@nol.co.za on Wed, Mar 07, 2001 at 04:34:18PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 07, 2001 at 04:34:18PM +0200, Timothy S. Bowers wrote:
> Hello,
>
> Has anyone seen ipfw limit bandwidth on TOS (Type Of Service)?
> Any help in the right direction would help :)
>
-CURRENT ipfw(8) can do this:

:     iptos spec
:             Match if the IP header contains the comma separated list
:             of service types specified in spec.  The supported IP
:             types of service are:
:             lowdelay (IPTOS_LOWDELAY), throughput (IPTOS_THROUGHPUT),
:             reliability (IPTOS_RELIABILITY), mincost (IPTOS_MINCOST),
:             congestion (IPTOS_CE).  The absence of a particular type
:             may be denoted with a `!'.

This way, you can pass IP packets with a given TOS through a certain
DUMMYNET pipe for bandwidth limitation.
Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Wed Mar 7 8:12: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bjorn.goddamnbastard.org (c1283020-a.hrvy1.il.home.com [24.183.37.152]) by hub.freebsd.org (Postfix) with SMTP id 43C6537B718 for ; Wed, 7 Mar 2001 08:11:56 -0800 (PST) (envelope-from ryanb@bjorn.goddamnbastard.org)
Received: (qmail 7433 invoked by uid 1000); 7 Mar 2001 16:05:14 -0000
Date: Wed, 7 Mar 2001 10:05:13 -0600
From: ryanb
To: freebsd-security@FreeBSD.org
Subject: Re: bugtraq inetd DoS exploit *PFFT*
Message-ID: <20010307100513.K59551@bjorn.goddamnbastard.org>
References: <20010227105017.A74709@albury.net> <20010226183621.O12721@marius.org> <20010227115151.A85764@albury.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20010227115151.A85764@albury.net>; from nicks@albury.net on Tue, Feb 27, 2001 at 11:51:51AM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Feb 27, 2001 at 11:51:51AM +1100, Nick Slager wrote:
> erm, thanks, I do realise this. The advantage of the -C flag is being
> able to specify the maximum times a given service can be invoked from a
> single IP, ensuring services are still available for other clients.

You can do that from inetd.conf as well.

    nowait///

See inetd.conf(5) for more info.
- ryan

From owner-freebsd-security Wed Mar 7 8:15:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.unila.ac.id (ns1.unila.ac.id [202.158.47.162]) by hub.freebsd.org (Postfix) with SMTP id 45ECF37B718 for ; Wed, 7 Mar 2001 08:15:10 -0800 (PST) (envelope-from riki@maiser.unila.ac.id)
Received: (qmail 806 invoked from network); 7 Mar 2001 16:17:45 -0000
Received: from maiser.unila.ac.id (192.168.1.2) by ns1.unila.ac.id with SMTP; 7 Mar 2001 16:17:45 -0000
Received: from localhost (riki@localhost) by maiser.unila.ac.id (8.9.3/8.9.3) with ESMTP id XAA17451 for ; Wed, 7 Mar 2001 23:13:21 +0700 (JAVT) (envelope-from riki@maiser.unila.ac.id)
Date: Wed, 7 Mar 2001 23:13:21 +0700 (JAVT)
From: Q Yai QQ
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: bugtraq inetd DoS exploit *PFFT*
In-Reply-To: <20010307100513.K59551@bjorn.goddamnbastard.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hey guys,
can I see some example remote exploit for FreeBSD 3.x and 4.x?
Thanks

>>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<<
riki@unila.ac.id
visit my homepage and sign my guestbook
http://unilanet.unila.ac.id/~qq
---------------------------------------

From owner-freebsd-security Wed Mar 7 10:46: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gdmckee.local (pc-62-30-209-11-so.blueyonder.co.uk [62.30.209.11]) by hub.freebsd.org (Postfix) with ESMTP id EDE1F37B718; Wed, 7 Mar 2001 10:45:58 -0800 (PST) (envelope-from freebsd@gdmckee.com)
Received: from [192.168.0.5] (helo=p300) by gdmckee.local with smtp (Exim 3.22 #1) id 14aiwV-0001FI-00; Wed, 07 Mar 2001 18:45:47 +0000
Message-ID: <001501c0a736$e284cb00$0500a8c0@gdmckee.local>
From: "G D McKee"
To: "Ruslan Ermilov" , "Timothy S. Bowers"
Cc:
References: <5.0.2.1.2.20010307163300.02020040@196.33.45.2> <20010307164104.C97252@sunbay.com>
Subject: Re: TOS ipfw
Date: Wed, 7 Mar 2001 18:46:13 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

Does anyone have any knowledge of setting this up, or know of any good documentation?

Is it also possible to perform bandwidth allocation to single IP addresses as well? It would be handy to emulate a V90 modem.

Gordon

----- Original Message -----
From: "Ruslan Ermilov"
To: "Timothy S. Bowers"
Cc:
Sent: Wednesday, March 07, 2001 2:41 PM
Subject: Re: TOS ipfw

> On Wed, Mar 07, 2001 at 04:34:18PM +0200, Timothy S. Bowers wrote:
> > Hello,
> >
> > Has anyone seen ipfw limit bandwidth on TOS (Type Of Service)?
> > Any help in the right direction would help :)
> >
> -CURRENT ipfw(8) can do this:
>
> :     iptos spec
> :             Match if the IP header contains the comma separated list
> :             of service types specified in spec.  The supported IP
> :             types of service are:
> :             lowdelay (IPTOS_LOWDELAY), throughput (IPTOS_THROUGHPUT),
> :             reliability (IPTOS_RELIABILITY), mincost (IPTOS_MINCOST),
> :             congestion (IPTOS_CE).  The absence of a particular type
> :             may be denoted with a `!'.
>
> This way, you can pass IP packets with a given TOS through a certain
> DUMMYNET pipe for bandwidth limitation.
>
>
> Cheers,
> --
> Ruslan Ermilov          Oracle Developer/DBA,
> ru@sunbay.com           Sunbay Software AG,
> ru@FreeBSD.org          FreeBSD committer,
> +380.652.512.251        Simferopol, Ukraine
>
> http://www.FreeBSD.org  The Power To Serve
> http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Wed Mar 7 11: 7:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 9BCB037B718; Wed, 7 Mar 2001 11:07:09 -0800 (PST) (envelope-from christopher@schulte.org)
Received: from ronayne.schulte.org (nb-22.netbriefings.com [204.72.185.22]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id NAA06468; Wed, 7 Mar 2001 13:06:52 -0600 (CST) (envelope-from christopher@schulte.org)
Message-Id: <5.0.2.1.0.20010307125057.00af5268@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Wed, 07 Mar 2001 13:06:39 -0600
To: "G D McKee" , "Ruslan Ermilov" , "Timothy S. Bowers"
From: Christopher Schulte
Subject: Re: TOS ipfw
Cc:
In-Reply-To: <001501c0a736$e284cb00$0500a8c0@gdmckee.local>
References: <5.0.2.1.2.20010307163300.02020040@196.33.45.2> <20010307164104.C97252@sunbay.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:46 PM 3/7/2001 +0000, G D McKee wrote:
>Is it also possible to perform bandwidth allocation to single IP addresses
>as well - would be handy to emulation a V90 modem.

Sure, something like this might do you good...

    /sbin/ipfw add pipe 1 ip from foo.bar.ip.here to any
    /sbin/ipfw add pipe 1 ip from any to foo.bar.ip.here
    /sbin/ipfw pipe 1 config bw 45Kbit/s delay 150ms

Which would create a 45kbit pipe for all inbound and outbound traffic for said foo ip, and add 150 ms of latency to packet delivery.

You can do more fancy things with other dummynet options: `man dummynet` or http://www.iet.unipi.it/~luigi/ip_dummynet/

>Gordon

From owner-freebsd-security Wed Mar 7 13:29:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bdr-xcon.matchlogic.com (mail.matchlogic.com [205.216.147.127]) by hub.freebsd.org (Postfix) with ESMTP id 81FDF37B71A for ; Wed, 7 Mar 2001 13:29:14 -0800 (PST) (envelope-from cdanfort@matchlogic.com)
Received: by mail.matchlogic.com with Internet Mail Service (5.5.2653.19) id ; Wed, 7 Mar 2001 14:28:26 -0700
Message-ID: <5FE9B713CCCDD311A03400508B8B301305F47C8A@bdr-xcln.is.matchlogic.com>
From: Craig Danforth
To: "'freebsd-security@freebsd.org'"
Subject: subscribe
Date: Wed, 7 Mar 2001 14:28:24 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

subscribe

From owner-freebsd-security Wed Mar 7 16: 2:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eterna.binary.net (eterna.binary.net [216.229.0.25]) by hub.freebsd.org (Postfix) with ESMTP id 8E22F37B719 for ; Wed, 7 Mar 2001 16:02:24 -0800 (PST) (envelope-from nathan@binary.net)
Received: from matrix.binary.net (postfix@matrix.binary.net [216.229.0.2]) by eterna.binary.net (8.11.2/8.9.1) with ESMTP id f2801gu87533 for ; Wed, 7 Mar 2001 18:01:42 -0600 (CST)
Received: by matrix.binary.net (Postfix, from userid 1007) id 82EA383467; Wed, 7 Mar 2001 18:02:22 -0600 (CST)
Date: Wed, 7 Mar 2001 19:02:22 -0500
From: Nathan Dorfman
To: freebsd-security@freebsd.org
Subject: ipfw or ipf?
Message-ID: <20010307190222.A72795@rtfm.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

What should I know before deciding on one of ipf or IPFW for a -stable machine protecting a small network?

From what I recall, ipf had a few advantages like kernel-space NAT, keeping TCP state, and portability. What does IPFW do better than ipf? Are there any gross downsides to either?

Thanks.

--
Nathan Dorfman [http://www.rtfm.net]
"The light at the end of the tunnel is the headlight of an approaching train."
--/usr/games/fortune

From owner-freebsd-security Wed Mar 7 16:11:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 96EFD37B719 for ; Wed, 7 Mar 2001 16:11:34 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id VAA05148; Wed, 7 Mar 2001 21:11:31 -0300 (ART)
From: Fernando Schapachnik
Message-Id: <200103080011.VAA05148@ns1.via-net-works.net.ar>
Subject: Re: ipfw or ipf?
In-Reply-To: <20010307190222.A72795@rtfm.net> "from Nathan Dorfman at Mar 7, 2001 07:02:22 pm"
To: Nathan Dorfman
Date: Wed, 7 Mar 2001 21:11:31 -0300 (ART)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Nathan Dorfman wrote:
> Hi all,
>
> What should I know before deciding on one of ipf or IPFW for
> a -stable machine protecting a small network?
>
> From what I recall, ipf had a few advantages like kernel-space
> NAT, keeping TCP state, and portability. What does IPFW do
> better than ipf? Are there any gross downsides to either?

On the other hand ipfw can do traffic shaping. On FreeBSD you can build an "invisible" firewall with ipfw doing bridging. AFAIK, you can't do that with FreeBSD+ipf, although it is possible with OpenBSD+ipf.

I hold both in very high regard.

Good luck!

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
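The dummynet pipes Ruslan and Christopher describe, the per-host "V90 modem" pipe Gordon asked for, and the bridging firewall Fernando mentions, collected into one script as an added example (not code from any poster). The interface names, the documentation-space address and the 4.x-era bridge sysctls are assumptions; with DRY_RUN=1 (the default) it only prints the commands, so it can be reviewed on any POSIX shell without ipfw installed.

```shell
#!/bin/sh
# Added example: the ipfw + dummynet + bridge setup discussed in the thread.
# DRY_RUN=1 prints each ipfw/sysctl command instead of running it;
# DRY_RUN=0 applies the configuration on a FreeBSD 4.x-era host.
IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# host_pipe PIPE HOST BW DELAY: shape everything to and from one address,
# e.g. 45Kbit/s with 150ms latency to emulate a V.90 modem (the pipe
# configuration Christopher Schulte posted, with a real address substituted).
host_pipe() {
    pipe=$1; host=$2; bw=$3; delay=$4
    run "$IPFW" add pipe "$pipe" ip from "$host" to any
    run "$IPFW" add pipe "$pipe" ip from any to "$host"
    run "$IPFW" pipe "$pipe" config bw "$bw" delay "$delay"
}

# tos_pipe PIPE TOSLIST BW: rate-limit packets whose IP TOS bits match
# TOSLIST, via the iptos keyword Ruslan quoted from -CURRENT ipfw(8);
# a leading '!' negates one type, e.g. "throughput,!lowdelay".
tos_pipe() {
    pipe=$1; tos=$2; bw=$3
    run "$IPFW" add pipe "$pipe" ip from any to any iptos "$tos"
    run "$IPFW" pipe "$pipe" config bw "$bw"
}

# bridge_firewall IF1 IF2: the "invisible" two-NIC firewall. These are the
# sysctls of the FreeBSD 4.x BRIDGE kernel option (assumed for this example);
# bridge_ipfw=1 sends bridged frames through the ipfw rules, so the pipes
# above also shape traffic that merely transits the box.
bridge_firewall() {
    run "$SYSCTL" -w net.link.ether.bridge_cfg="$1,$2"
    run "$SYSCTL" -w net.link.ether.bridge=1
    run "$SYSCTL" -w net.link.ether.bridge_ipfw=1
}

main() {
    bridge_firewall fxp0 fxp1          # interface names assumed
    host_pipe 1 192.0.2.10 45Kbit/s 150ms
    tos_pipe  2 throughput 512Kbit/s
    # Caveat: with the default net.inet.ip.fw.one_pass=1 a packet is
    # accepted as soon as it leaves a pipe, so deny rules must come before
    # the pipe rules (or set one_pass=0 to re-enter the ruleset after
    # shaping); otherwise shaped traffic bypasses the filter.
}
main
```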
fschapachnik@vianetworks.com.ar

From owner-freebsd-security Wed Mar 7 16:29:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id AAA3E37B719 for ; Wed, 7 Mar 2001 16:29:43 -0800 (PST) (envelope-from christopher@schulte.org)
Received: from ronayne.schulte.org (nb-22.netbriefings.com [204.72.185.22]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id SAA20711; Wed, 7 Mar 2001 18:29:24 -0600 (CST) (envelope-from christopher@schulte.org)
Message-Id: <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Wed, 07 Mar 2001 18:29:10 -0600
To: Fernando Schapachnik , Nathan Dorfman
From: Christopher Schulte
Subject: Re: ipfw or ipf?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200103080011.VAA05148@ns1.via-net-works.net.ar>
References: <20010307190222.A72795@rtfm.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:11 PM 3/7/2001 -0300, Fernando Schapachnik wrote:
>On the other hand ipfw can do traffic shaping. On FreeBSD you can
>build an "invisible" firewall with ipfw doing bridging.

ipfw + dummynet + bridging is exactly what I use for my firewall. It's fast, stable, easy to manage, powerful and I'd recommend it to anyone wanting to secure a small network using FreeBSD and 2 NICs.

Ipfw does have the ability to keep TCP state. I can't speak for NAT or portability. I have used ipf on at least OpenBSD and Solaris. It probably can be compiled on many more.

ipfw is beautiful - two NICs just hop into promisc mode. One connects to the 'internal' network, the other to possibly a router or public switch. Then, using the firewall/shaping rules defined with ipfw, traffic is transparently passed (or dropped/rejected) from the external network to machines on the inside via software bridging.

Not to mention, you can do sophisticated traffic limiting at the same time.

From owner-freebsd-security Wed Mar 7 17:48:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from alchemistry.net (alchemistry.net [160.79.102.254]) by hub.freebsd.org (Postfix) with ESMTP id CDE1837B719 for ; Wed, 7 Mar 2001 17:48:34 -0800 (PST) (envelope-from mail@krel.org)
Received: from [192.168.0.1] (helo=ilya) by alchemistry.net with asmtp (TLSv1:RC4-MD5:128) (Exim 3.21 #6) id 14apXe-000E7C-00 for freebsd-security@freebsd.org; Wed, 07 Mar 2001 20:48:34 -0500
Message-ID: <013c01c0a771$e80f3e30$0100a8c0@ilya>
From: "Ilya"
To:
References: <5FE9B713CCCDD311A03400508B8B301305F47C8A@bdr-xcln.is.matchlogic.com>
Subject: vpn vs natd
Date: Wed, 7 Mar 2001 20:48:42 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As far as I know there is no way to make VPN work through many-to-one NAT. Only many-to-many will work. I currently have at home one-to-many (Windows clients through a FreeBSD router); now that I need VPN, I got a second public IP. Is it somehow possible to set up that all traffic from a certain private IP on my LAN would go out using my new IP? Which I guess will reside on the same network card which hosts the current public IP. Is it also possible to do without breaking the config I have now?

So I am thinking: many-to-one NAT for all Windows clients except one, and many-to-many for only one specific private IP.
How can I do it?

Thx a lot.

From owner-freebsd-security Wed Mar 7 18: 7: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 215B137B719 for ; Wed, 7 Mar 2001 18:06:56 -0800 (PST) (envelope-from jflowers@ezo.net)
Received: from savvyd (c3-1a119.neo.rr.com [24.93.230.119]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id VAA18702; Wed, 7 Mar 2001 21:07:23 -0500 (EST)
Message-ID: <004001c0a773$bfe11210$22b197ce@ezo.net>
From: "Jim Flowers"
To: "Ilya" ,
References: <5FE9B713CCCDD311A03400508B8B301305F47C8A@bdr-xcln.is.matchlogic.com> <013c01c0a771$e80f3e30$0100a8c0@ilya>
Subject: Re: vpn vs natd
Date: Wed, 7 Mar 2001 21:01:53 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You can do VPN and many-to-one NAT if you use the SKIP port. It takes a thorough understanding of both, but you essentially use rules in IPFW to determine what uses VPN and what uses NATD. Search the mailing lists for SKIP, where I listed both the criteria and methodology.

There is probably a way to do something similar with IPSec but I haven't spent the time to know how to do it.

----- Original Message -----
From: "Ilya"
To:
Sent: Wednesday, March 07, 2001 8:48 PM
Subject: vpn vs natd

> As far as I know there is no way to make VPN work through many-to-one NAT.
> Only many-to-many will work. I currently have at home one-to-many (Windows
> clients through a FreeBSD router); now that I need VPN, I got a second public
> IP.
> Is it somehow possible to set up that all traffic from a certain private IP
> on my LAN would go out using my new IP? Which I guess will reside on the same
> network card which hosts the current public IP. Is it also possible to do
> without breaking the config I have now?
> So I am thinking: many-to-one NAT for all Windows clients except one, and
> many-to-many for only one specific private IP.
> How can I do it?
>
> Thx a lot.

From owner-freebsd-security Wed Mar 7 18:31:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 5584937B719 for ; Wed, 7 Mar 2001 18:31:20 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA22113; Wed, 7 Mar 2001 18:30:17 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda22111; Wed Mar 7 18:30:09 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f282U4202816; Wed, 7 Mar 2001 18:30:04 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdHN2802; Wed Mar 7 18:29:11 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f282T8E27412; Wed, 7 Mar 2001 18:29:08 -0800 (PST)
Message-Id: <200103080229.f282T8E27412@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdl26844; Wed Mar 7 18:28:48 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Christopher Schulte
Cc: Fernando Schapachnik , Nathan Dorfman , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw or ipf?
In-reply-to: Your message of "Wed, 07 Mar 2001 18:29:10 CST." <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 07 Mar 2001 18:28:48 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>, Christopher Schulte writes:
> At 09:11 PM 3/7/2001 -0300, Fernando Schapachnik wrote:
> >On the other hand ipfw can do traffic shaping. On FreeBSD you can
> >build an "invisible" firewall with ipfw doing bridging.
>
> ipfw + dummynet + bridging is exactly what I use for my firewall. It's
> fast, stable, easy to manage, powerful and I'd recommend it to anyone
> wanting to secure a small network using FreeBSD and 2 NICs.
>
> Ipfw does have the ability to keep TCP state. I can't speak for NAT or
> portability. I have used ipf on at least OpenBSD and Solaris. It probably
> can be compiled on many more.
>
> ipfw is beautiful - two NICs just hop into promisc mode. One connects to
> the 'internal' network, the other to possibly a router or public
> switch. Then using the firewall/shaping rules defined with ipfw traffic is
> transparently passed (or dropped/rejected) from the external network to
> machines on the inside via software bridging.
>
> Not to mention, you can do sophisticated traffic limiting at the same time.

On the flip side, IP Filter gives FTP, RCMD, and Real Audio proxies. The last two are inconsequential, unless you firewall your workstation, like I do at work, and perform Kerberos rsh (krsh) to systems you manage. The FTP proxy allows you to support PORT (active) FTP through your firewall. Not all FTP clients support passive FTP. Not all users are smart enough to remember to use passive FTP.
It's been reported that the state engine in IP Filter is more mature and more restrictive because of the checks it does for TCP packets being within the TCP window. I'm not sure whether IPFW does the same.

I have built firewalls based on IP Filter for filtering and NAT, specifically using IPF's FTP proxy, while using IPFW's dummynet.

Both IPFW and IPF are excellent firewalls. The beauty of FreeBSD, unlike the other operating systems, is that you get BOTH. Two different tools in your toolbox for two slightly different jobs.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Mar 7 23:54:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from allmaui.com (server25.aitcom.net [208.234.0.10]) by hub.freebsd.org (Postfix) with ESMTP id 76EC937B719 for ; Wed, 7 Mar 2001 23:54:43 -0800 (PST) (envelope-from craig@allmaui.com)
Received: from allmaui.com (c756043-a.stcla1.sfba.home.com [24.20.23.203]) by allmaui.com (8.8.8/8.8.5) with ESMTP id CAA20509 for ; Thu, 8 Mar 2001 02:54:41 -0500
Message-ID: <3AA73B79.94509AB0@allmaui.com>
Date: Wed, 07 Mar 2001 23:57:45 -0800
From: Craig Cowen
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "freebsd-security@FreeBSD.ORG"
Subject: ipmon via syslog
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Whenever my log rolls over there is a four-hour lag.
That is, no logging for the first four hours of the new log file.

Any suggestions?
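The gap Craig describes is the classic sign of a syslogd-written file being rotated without syslogd being told: newsyslog renames the file, but syslogd keeps writing to the old descriptor until it gets a HUP, which is what the replies that follow point at (the newsyslog.conf line names ipmon's pid file while ipmon -s logs through syslogd). The check below is an added example, not code from any poster; the two config fragments are constructed and the pid file path /var/run/syslog.pid is the one Troy's reply uses.

```shell
#!/bin/sh
# Added example: cross-check syslog.conf against newsyslog.conf so that every
# file syslogd writes is rotated with a signal to syslogd itself, not to some
# other daemon. Runs offline on the constructed fragments below.

# Constructed sample configs. The ipf.log line mirrors this thread: ipmon is
# started with -s (log via syslogd) but newsyslog signals ipmon's pid instead.
SYSLOG_CONF='local0.*                        /var/log/ipf.log
*.notice;authpriv.none          /var/log/messages'

NEWSYSLOG_CONF='# logfilename  [owner:group] mode count size when flags [/pid_file] [sig]
/var/log/ipf.log                600  40  1024  *  Z  /var/run/ipmon.pid
/var/log/messages               644   5   100  *  Z'

SYSLOGD_PID=/var/run/syslog.pid

# syslogd_targets CONF: print each file that syslog.conf writes to
syslogd_targets() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 ~ /^\// { print $2 }'
}

# rotation_pidfile CONF FILE: print the pid file named on FILE's newsyslog
# line, "-" when the line has none (newsyslog then HUPs syslogd by default),
# or "missing" when FILE is not rotated at all
rotation_pidfile() {
    printf '%s\n' "$1" | awk -v f="$2" '
        $1 == f {
            found = 1
            i = ($2 ~ /:/) ? 8 : 7        # optional owner:group shifts fields
            v = (NF >= i && $i ~ /^\//) ? $i : "-"
            print v
        }
        END { if (!found) print "missing" }'
}

# check_rotation SYSLOG_CONF NEWSYSLOG_CONF: one "status file" line per
# syslogd-managed file; status is ok, not-rotated, or wrong-pid:<pidfile>
check_rotation() {
    syslogd_targets "$1" | while read -r f; do
        p=$(rotation_pidfile "$2" "$f")
        case "$p" in
            -|"$SYSLOGD_PID") echo "ok $f" ;;
            missing)          echo "not-rotated $f" ;;
            *)                echo "wrong-pid:$p $f" ;;
        esac
    done
}

check_rotation "$SYSLOG_CONF" "$NEWSYSLOG_CONF"
```

On a real host, substitute the contents of /etc/syslog.conf and /etc/newsyslog.conf for the two constructed strings; a wrong-pid line is the misconfiguration this thread ends up diagnosing.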
From owner-freebsd-security Thu Mar 8 1:55:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f173.law7.hotmail.com [216.33.237.173]) by hub.freebsd.org (Postfix) with ESMTP id 04CC737B719 for ; Thu, 8 Mar 2001 01:55:24 -0800 (PST) (envelope-from ntvsunix@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 8 Mar 2001 01:55:19 -0800
Received: from 209.53.55.186 by lw7fd.law7.hotmail.msn.com with HTTP; Thu, 08 Mar 2001 09:55:19 GMT
X-Originating-IP: [209.53.55.186]
From: "Some Person"
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipmon via syslog
Date: Thu, 08 Mar 2001 09:55:19
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 08 Mar 2001 09:55:19.0893 (UTC) FILETIME=[E2986050:01C0A7B5]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Personally, I prefer to log ipmon into a separate file...

    touch /var/log/ipmon.log

Then I run ipmon with -vD /var/log/ipmon.log from rc.conf, and I also newsyslog the ipmon.log file accordingly.

I know this doesn't help, but just an insight on another way to do it.. ;)

>
>Whenever my log rolls over there is a four-hour lag.
>That is, no logging for the first four hours of the new log file.
>
>Any suggestions?

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
From owner-freebsd-security Thu Mar 8 2:10: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from allmaui.com (server25.aitcom.net [208.234.0.10]) by hub.freebsd.org (Postfix) with ESMTP id B81F837B719 for ; Thu, 8 Mar 2001 02:09:57 -0800 (PST) (envelope-from craig@allmaui.com)
Received: from allmaui.com (c756043-a.stcla1.sfba.home.com [24.20.23.203]) by allmaui.com (8.8.8/8.8.5) with ESMTP id FAA20639; Thu, 8 Mar 2001 05:09:51 -0500
Message-ID: <3AA75B26.B2C62001@allmaui.com>
Date: Thu, 08 Mar 2001 02:12:54 -0800
From: Craig Cowen
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "tjk@tksoft.com"
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: ipmon via syslog
References: <200103080951.BAA26560@uno.tksoft.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That doesn't seem reasonable.
Are you saying that I need to know when it rolls over and then manually restart syslogd?

I am starting ipmon on boot up via

    ipmon -s -a -D

my syslog.conf has this line:

    local0.*        /var/log/ipf.log

newsyslog.conf:

    /var/log/ipf.log    600  40  1024  *  Z  /var/run/ipmon.pid

"tjk@tksoft.com" wrote:
> You need to restart (or send a HUP to) syslogd.
>
> Other applications which generate log entries (and don't
> go through syslogd), might need their own restarts. E.g.
> httpd.
>
> /etc/syslog.conf tells you the syslogd controlled files.
>
> Troy
>
> > Whenever my log rolls over there is a four-hour lag.
> > That is, no logging for the first four hours of the new log file.
> >
> > Any suggestions?
> > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 3:13:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from allmaui.com (server25.aitcom.net [208.234.0.10]) by hub.freebsd.org (Postfix) with ESMTP id 5AD6F37B71A for ; Thu, 8 Mar 2001 03:13:35 -0800 (PST) (envelope-from craig@allmaui.com) Received: from allmaui.com (c756043-a.stcla1.sfba.home.com [24.20.23.203]) by allmaui.com (8.8.8/8.8.5) with ESMTP id GAA13842; Thu, 8 Mar 2001 06:13:32 -0500 Message-ID: <3AA76A15.44C9BB29@allmaui.com> Date: Thu, 08 Mar 2001 03:16:37 -0800 From: Craig Cowen X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: "tjk@tksoft.com" Cc: "freebsd-security@FreeBSD.ORG" Subject: Re: ipmon via syslog References: <200103081111.DAA28826@uno.tksoft.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for your help. Do you see any problems with my current setup as outlined below? "tjk@tksoft.com" wrote: > It depends. > > You might have a cron entry for rotating logs with "newsyslog." In > that case you could specify the daemon to send a signal to, in the > /etc/newsyslog.conf file. > > The /etc/newsyslog.conf has lines like this: > > /var/log/ipf.log 664 3 5000 604800 Z /var/run/syslog.pid > > This would send a HUP signal to syslog when the logs are rotated. > (at 5 Mb, not more often than once a week). > > Troy > > > > > That dosen't seem reasonable. > > are you saying that I need to know when it roles over and then manually > > restart syslogd? 
> > > > I am starting ipmon on boot up via > > > > ipmon -s -a -D > > > > > > my syslog.conf has this line: > > > > local0.* /var/log/ipf.log > > > > newsyslog.conf: > > > > /var/log/ipf.log 600 40 1024 * Z > > /var/run/ipmon.pid > > > > > > > > "tjk@tksoft.com" wrote: > > > > > You need to restart (or send a HUP to) syslogd. > > > > > > Other applications which generate log entries (and don't > > > go through syslogd), might need their own restarts. E.g. > > > httpd. > > > > > > /etc/syslog.conf tells you the syslogd controlled files. > > > > > > Troy > > > > > > > > > > > Whenever my log rolls over there is a four hour lag. > > > > That is, no logging for the first four hours of the new log file. > > > > > > > > Any suggestions? From owner-freebsd-security Thu Mar 8 3:20:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from uno.tksoft.com (dsl-hki4-56.dial.inet.fi [213.28.171.56]) by hub.freebsd.org (Postfix) with ESMTP id 30F7F37B729 for ; Thu, 8 Mar 2001 03:20:41 -0800 (PST) (envelope-from tjk@tksoft.com) Received: (from tjk@tksoft.com) by uno.tksoft.com (8.8.8/8.8.8) id DAA28826; Thu, 8 Mar 2001 03:11:24 -0800 From: "tjk@tksoft.com" Message-Id: <200103081111.DAA28826@uno.tksoft.com> Subject: Re: ipmon via syslog To: craig@allmaui.com (Craig Cowen) Date: Thu, 8 Mar 2001 03:11:23 -0800 (PST) Cc: tjk@tksoft.com (tjk@tksoft.com), freebsd-security@FreeBSD.ORG (freebsd-security@FreeBSD.ORG) In-Reply-To: <3AA75B26.B2C62001@allmaui.com> from "Craig Cowen" at Mar 08, 2001 02:12:54 AM X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type:
text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It depends. You might have a cron entry for rotating logs with "newsyslog." In that case you could specify the daemon to send a signal to, in the /etc/newsyslog.conf file. The /etc/newsyslog.conf has lines like this: /var/log/ipf.log 664 3 5000 604800 Z /var/run/syslog.pid This would send a HUP signal to syslog when the logs are rotated. (at 5 Mb, not more often than once a week). Troy > > That doesn't seem reasonable. > Are you saying that I need to know when it rolls over and then manually > restart syslogd? > > I am starting ipmon on boot up via > > ipmon -s -a -D > > > my syslog.conf has this line: > > local0.* /var/log/ipf.log > > newsyslog.conf: > > /var/log/ipf.log 600 40 1024 * Z > /var/run/ipmon.pid > > > > "tjk@tksoft.com" wrote: > > > You need to restart (or send a HUP to) syslogd. > > > > Other applications which generate log entries (and don't > > go through syslogd), might need their own restarts. E.g. > > httpd. > > > > /etc/syslog.conf tells you the syslogd controlled files. > > > > Troy > > > > > > > > Whenever my log rolls over there is a four hour lag. > > > That is, no logging for the first four hours of the new log file. > > > > > > Any suggestions?
From owner-freebsd-security Thu Mar 8 4:30:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id C1C7A37B718 for ; Thu, 8 Mar 2001 04:30:30 -0800 (PST) (envelope-from rbeer@uni-goettingen.de) Received: from partner.uni-psych.gwdg.de ([134.76.136.114]) by gwdu42.gwdg.de with esmtp (Exim 3.14 #18) id 14azYp-0006d2-00 for freebsd-security@freebsd.org; Thu, 08 Mar 2001 13:30:28 +0100 Mime-Version: 1.0 X-Sender: rbeer@popper.gwdg.de Message-Id: Date: Thu, 8 Mar 2001 13:30:19 +0100 To: freebsd-security@freebsd.org From: Ragnar Beer Subject: security-notification endless loop Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Howdy! A couple of times I've tried to subscribe to freebsd-security-notifications, but whenever I try I'm getting a confirmation request. When I reply to the confirmation request I'm getting another one, and guess what happens when I reply to that one ... What's going on???
Ragnar From owner-freebsd-security Thu Mar 8 6:08:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id 7FC2537B71A for ; Thu, 8 Mar 2001 06:08:36 -0800 (PST) (envelope-from mitayai@dreaming.org) Received: from localhost (mitayai@localhost) by castle.dreaming.org (8.11.2/8.11.2) with ESMTP id f28E8Pf81315 for ; Thu, 8 Mar 2001 09:08:25 -0500 (EST) (envelope-from mitayai@dreaming.org) Date: Thu, 8 Mar 2001 09:08:25 -0500 (EST) From: Will Mitayai Keeso Rowe To: Subject: strange messages Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I noticed the following messages in my logs... anything I should be worried about? Is there a way to log this better next time so I can get IPs and such?
Regards, Mit Weirdness: Mar 7 00:07:55 machine rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^! 
PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P Mar 7 00:07:55 machine /kernel: -^PM-^PM-^P System: FreeBSD machine 4.2-STABLE FreeBSD 4.2-STABLE #3: Mon Feb 19 11:19:05 EST 2001 root@machine:/usr/obj/usr/src/sys/machine i386 -- --- Will Mitayai Keeso Rowe Toronto, Ontario, Canada mitayai@dreaming.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 6:11:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from ohm.physics.purdue.edu (ohm.physics.purdue.edu [128.210.146.32]) by hub.freebsd.org (Postfix) with ESMTP id 7E7CA37B719 for ; Thu, 8 Mar 2001 06:11:23 -0800 (PST) (envelope-from will@physics.purdue.edu) Received: (from will@localhost) by ohm.physics.purdue.edu (8.11.2/8.9.3) id f28ED3g47884; Thu, 8 Mar 2001 09:13:03 -0500 (EST) (envelope-from will@physics.purdue.edu) X-Authentication-Warning: ohm.physics.purdue.edu: will set sender to will@physics.purdue.edu using -f Date: Thu, 8 Mar 2001 09:13:03 -0500 From: Will Andrews To: Will Mitayai Keeso Rowe Cc: freebsd-security@FreeBSD.ORG Subject: Re: strange messages Message-ID: <20010308091303.I45561@ohm.physics.purdue.edu> Reply-To: Will Andrews References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="vs0rQTeTompTJjtd" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mitayai@dreaming.org on Thu, Mar 08, 2001 at 09:08:25AM -0500 X-Operating-System: FreeBSD 4.2-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --vs0rQTeTompTJjtd Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Mar 08, 2001 at 09:08:25AM -0500, Will Mitayai Keeso Rowe wrote: > Mar 7 00:07:55 machine rpc.statd: invalid hostname to sm_stat: ^X=F7=FF= =BF^X=F7=FF=BF^Y=F7=FF=BF^Y=F7=FF=BF^Z=F7=FF=BF^Z=F7=FF=BF^[=F7=FF=BF^[=F7= 
=FF=BF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^= PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-= ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM= -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P= M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^= PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-= ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM= -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P= M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^= PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-= ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM= -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^! > PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > Mar 7 00:07:55 machine /kernel: -^PM-^PM-^P Linux script kiddie running a Linux rpc.statd exploit on your box that (surprise!) doesn't work on FreeBSD. 
:-) -- wca From owner-freebsd-security Thu Mar 8 6:15:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from nol.co.za (nol.co.za [196.33.45.2]) by hub.freebsd.org (Postfix) with ESMTP id 1125F37B718 for ; Thu, 8 Mar 2001 06:15:05 -0800 (PST) (envelope-from tim@nol.co.za) Received: from cafe2.sz.co.za ([196.33.45.155] helo=cafe2.nol.co.za) by nol.co.za with esmtp (Exim 3.13 #1) id 14b1Ba-000Mg3-00 for freebsd-security@FreeBSD.ORG; Thu, 08 Mar 2001 16:14:35 +0200 Message-Id: <5.0.2.1.2.20010308161131.00a54540@196.33.45.2> X-Sender: tim@196.33.45.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 08 Mar 2001 16:13:11 +0200 To: freebsd-security@FreeBSD.ORG From: "Timothy S. Bowers" Subject: netwatch Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Anyone know if Netwatch, the Linux bandwidth monitoring program, has been ported to FreeBSD? Is there maybe an alternative? Something better than Trafshow? Thanks!
Timothy From owner-freebsd-security Thu Mar 8 6:23:02 2001 Delivered-To: freebsd-security@freebsd.org Received: from uno.tksoft.com (dsl-hki4-56.dial.inet.fi [213.28.171.56]) by hub.freebsd.org (Postfix) with ESMTP id 31E2C37B719 for ; Thu, 8 Mar 2001 06:22:56 -0800 (PST) (envelope-from tjk@tksoft.com) Received: (from tjk@tksoft.com) by uno.tksoft.com (8.8.8/8.8.8) id GAA02075; Thu, 8 Mar 2001 06:28:32 -0800 From: "tjk@tksoft.com" Message-Id: <200103081428.GAA02075@uno.tksoft.com> Subject: Re: strange messages To: mitayai@dreaming.org (Will Mitayai Keeso Rowe) Date: Thu, 8 Mar 2001 06:28:32 -0800 (PST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: from "Will Mitayai Keeso Rowe" at Mar 08, 2001 09:08:25 AM X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org rpc.statd has known problems. Please look at http://www.cert.org/ and look for rpc.statd. I would be concerned, but that's me. Most RPC services are just big holes, when opened to the Internet. (My opinion. If you disagree, I already agree with you. Fine.) Troy > > > I noticed the following messages in my logs... anything I should be > worried about? Is there a way to log this better next time so I can get > IPs and such?
> > Regards, > Mit > > Weirdness: > > Mar 7 00:07:55 machine rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^! ! 
> PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > Mar 7 00:07:55 machine /kernel: -^PM-^PM-^P > > System: > > FreeBSD machine 4.2-STABLE FreeBSD 4.2-STABLE #3: Mon Feb 19 11:19:05 EST > 2001 root@machine:/usr/obj/usr/src/sys/machine i386 > > > -- > --- > Will Mitayai Keeso Rowe > Toronto, Ontario, Canada > mitayai@dreaming.org > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 6:26:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from Samizdat.uucom.com (samizdat.uucom.com [198.202.217.54]) by hub.freebsd.org (Postfix) with ESMTP id 6821337B71A for ; Thu, 8 Mar 2001 06:26:55 -0800 (PST) (envelope-from cshenton@OutBounderInc.com) Received: (from cshenton@localhost) by Samizdat.uucom.com (8.9.3/8.9.3) id JAA11758; Thu, 8 Mar 2001 09:26:37 -0500 (EST) To: Christopher Schulte Cc: Fernando Schapachnik , Nathan Dorfman , freebsd-security@FreeBSD.ORG Subject: Re: ipfw or ipf? References: <20010307190222.A72795@rtfm.net> <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org> From: Chris Shenton Date: 08 Mar 2001 09:26:37 -0500 In-Reply-To: Christopher Schulte's message of "Wed, 07 Mar 2001 18:29:10 -0600" Message-ID: Lines: 14 User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 07 Mar 2001 18:29:10 -0600, Christopher Schulte said: Christopher> ipfw is beautiful - two nics just hop into promisc mode. Christopher> One connects to the 'internal' network, the other to Christopher> possibly a router or public switch. 
Then using the Christopher> firewall/shaping rules defined with ipfw traffic is Christopher> transparently passed (or dropped/rejected) from the Christopher> external network to machines on the inside via software Christopher> bridging. Has anyone set up a pair of FreeBSD firewalling boxes with VRRP (new in ports) to provide fail-over redundancy? I hate being dependent on a single point of failure. From owner-freebsd-security Thu Mar 8 6:36:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id 8D9D537B719 for ; Thu, 8 Mar 2001 06:36:20 -0800 (PST) (envelope-from mit@mitayai.net) Received: from cr592943a (host-177.creativehouse.maxlink.com [216.221.214.177]) by castle.dreaming.org (8.11.2/8.11.2) with SMTP id f28Ea6004668; Thu, 8 Mar 2001 09:36:10 -0500 (EST) (envelope-from mit@mitayai.net) From: "Will Mitayai Keeso Rowe" To: , "Will Mitayai Keeso Rowe" , Cc: Subject: RE: strange messages Date: Thu, 8 Mar 2001 09:33:30 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <200103081428.GAA02075@uno.tksoft.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to CERT (the latest statd message seems to be http://www.kb.cert.org/vuls/id/34043) FreeBSD is not vulnerable to rpc.statd problems. But I still have a question... how can I better log attempts to hack my machine's rpc.statd? It would be nice to have an IP of the connecting box so I can see if they are doing it remotely or by an account on my machine.
-Mit :-----Original Message----- :From: tjk@tksoft.com [mailto:tjk@tksoft.com] :Sent: March 8, 2001 09:29 AM :To: Will Mitayai Keeso Rowe :Cc: freebsd-security@FreeBSD.ORG :Subject: Re: strange messages : : :rpc.statd has known problems. : :Please look at http://www.cert.org/ and look for rpc.statd. : :I would be concerned, but that's me. : :Most RPC services are just big holes, when opened to the :Internet. (My opinion. If you disagree, I already agree with you. Fine.) : : : :Troy : :> :> :> I noticed the following messages in my logs... anything i should be :> worried about? Is there a way to log this better next time so i can get :> IPs and such? :> :> Regards, :> Mit :> :> Weirdness: :> :> Mar 7 00:07:55 machine rpc.statd: invalid hostname to sm_stat: :^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x :%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P :M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^ :PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- :^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM :-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P :M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^ :PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- :^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM :-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P :M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^ :PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- :^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM :-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^! :! 
:> PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P :> Mar 7 00:07:55 machine /kernel: -^PM-^PM-^P :> :> System: :> :> FreeBSD machine 4.2-STABLE FreeBSD 4.2-STABLE #3: Mon Feb 19 11:19:05 EST :> 2001 root@machine:/usr/obj/usr/src/sys/machine i386 :> :> :> -- :> --- :> Will Mitayai Keeso Rowe :> Toronto, Ontario, Canada :> mitayai@dreaming.org From owner-freebsd-security Thu Mar 8 6:37:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22]) by hub.freebsd.org (Postfix) with ESMTP id 8E6ED37B719 for ; Thu, 8 Mar 2001 06:37:40 -0800 (PST) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.2/8.11.2) with ESMTP id f28EbJk98023; Thu, 8 Mar 2001 09:37:20 -0500 (EST) (envelope-from piechota@argolis.org) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Thu, 8 Mar 2001 09:37:18 -0500 (EST) From: Matt Piechota To: Ilya Cc: Subject: Re: vpn vs natd In-Reply-To: <013c01c0a771$e80f3e30$0100a8c0@ilya> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 7 Mar 2001, Ilya wrote: > As far as I know there is no way to make VPN work through many-to-one NAT. > Only many-to-many will work. I currently have at home one-to-many (Windows > clients through a FreeBSD router); now that I need VPN, I got a second public > IP. Is it somehow possible to set up that all traffic from a certain private IP > on my LAN would go out as using my new IP? Which I guess will reside on the same > network card, which hosts the current public IP.
> Is it also possible to do > without breaking the config I have now? > So I am thinking, many-to-one NAT for all Windows clients except one, and > many-to-many for only one specific private IP. > How can I do it? You may not need the second IP. For my work's VPN, the server IP is constant, so I have natd set up to direct any incoming traffic from $SERVER_IP to a particular internal IP. It's fairly crufty, and could be considered insecure (IP spoofing), but it does work. Anyone have a suggestion of a better way? Would ipfw with the state stuff enabled do the same job? -- Matt Piechota Finger piechota@emailempire.com for PGP key AOL IM: cithaeron From owner-freebsd-security Thu Mar 8 6:39:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from ohm.physics.purdue.edu (ohm.physics.purdue.edu [128.210.146.32]) by hub.freebsd.org (Postfix) with ESMTP id 64FFF37B718 for ; Thu, 8 Mar 2001 06:39:15 -0800 (PST) (envelope-from will@physics.purdue.edu) Received: (from will@localhost) by ohm.physics.purdue.edu (8.11.2/8.9.3) id f28EeuF48093; Thu, 8 Mar 2001 09:40:56 -0500 (EST) (envelope-from will@physics.purdue.edu) X-Authentication-Warning: ohm.physics.purdue.edu: will set sender to will@physics.purdue.edu using -f Date: Thu, 8 Mar 2001 09:40:55 -0500 From: Will Andrews To: Will Mitayai Keeso Rowe Cc: tjk@tksoft.com, Will Mitayai Keeso Rowe , will@physics.purdue.edu, freebsd-security@FreeBSD.ORG Subject: Re: strange messages Message-ID: <20010308094055.L45561@ohm.physics.purdue.edu> Reply-To: Will Andrews References: <200103081428.GAA02075@uno.tksoft.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="m+jEI8cDoTn6Mu9E" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mit@mitayai.net on Thu, Mar 08, 2001 at 09:33:30AM -0500 X-Operating-System: FreeBSD 4.2-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Mar 08, 2001 at 09:33:30AM -0500, Will Mitayai Keeso Rowe wrote: > According to CERT (the latest statd message seems to be > http://www.kb.cert.org/vuls/id/34043) > FreeBSD is not vulnerable to rpc.statd problems. > > But I still have a question... how can I better log attempts to hack my > machine's rpc.statd? It would be nice to have an IP of the connecting box so > I can see if they are doing it remotely or by an account on my machine. Tcpwrappers or ipfw? What good is this information? -- wca From owner-freebsd-security Thu Mar 8 6:41:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id 13BCE37B718 for ; Thu, 8 Mar 2001 06:41:25 -0800 (PST) (envelope-from mit@mitayai.net) Received: from cr592943a (host-177.creativehouse.maxlink.com [216.221.214.177]) by castle.dreaming.org (8.11.2/8.11.2) with SMTP id f28EfM007157; Thu, 8 Mar 2001 09:41:22 -0500 (EST) (envelope-from mit@mitayai.net) From: "Will Mitayai Keeso Rowe" To: "Will Andrews" Cc: , "Will Mitayai Keeso Rowe" , Subject: RE: strange messages Date: Thu, 8 Mar 2001 09:38:46 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority:
Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010308094055.L45561@ohm.physics.purdue.edu> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If someone was trying to exploit your machine, wouldn't you want to know where they were doing it from, especially wrt inside or outside the network? :-----Original Message----- :From: Will Andrews [mailto:will@physics.purdue.edu] :Sent: March 8, 2001 09:41 AM :To: Will Mitayai Keeso Rowe :Cc: tjk@tksoft.com; Will Mitayai Keeso Rowe; will@physics.purdue.edu; :freebsd-security@FreeBSD.ORG :Subject: Re: strange messages : : :On Thu, Mar 08, 2001 at 09:33:30AM -0500, Will Mitayai Keeso Rowe wrote: :> According to CERT (the latest statd message seems to be :> http://www.kb.cert.org/vuls/id/34043) :> FreeBSD is not vulnerable to rpc.statd problems. :> :> But I still have a question... how can I better log attempts to hack my :> machine's rpc.statd? It would be nice to have an IP of the :connecting box so :> I can see if they are doing it remotely or by an account on my machine. : :Tcpwrappers or ipfw? What good is this information?
: :-- :wca : From owner-freebsd-security Thu Mar 8 6:45:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from ohm.physics.purdue.edu (ohm.physics.purdue.edu [128.210.146.32]) by hub.freebsd.org (Postfix) with ESMTP id AD4A437B718 for ; Thu, 8 Mar 2001 06:45:47 -0800 (PST) (envelope-from will@physics.purdue.edu) Received: (from will@localhost) by ohm.physics.purdue.edu (8.11.2/8.9.3) id f28ElaT48138; Thu, 8 Mar 2001 09:47:36 -0500 (EST) (envelope-from will@physics.purdue.edu) X-Authentication-Warning: ohm.physics.purdue.edu: will set sender to will@physics.purdue.edu using -f Date: Thu, 8 Mar 2001 09:47:36 -0500 From: Will Andrews To: Will Mitayai Keeso Rowe Cc: Will Andrews , tjk@tksoft.com, Will Mitayai Keeso Rowe , freebsd-security@FreeBSD.ORG Subject: Re: strange messages Message-ID: <20010308094732.M45561@ohm.physics.purdue.edu> Reply-To: Will Andrews References: <20010308094055.L45561@ohm.physics.purdue.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="VLAOICcq5m4DWEYr" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mit@mitayai.net on Thu, Mar 08, 2001 at 09:38:46AM -0500 X-Operating-System: FreeBSD 4.2-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Mar 08, 2001 at 09:38:46AM -0500, Will Mitayai Keeso Rowe wrote: > If someone was trying to exploit your machine, wouldn't you want to know > where they were doing it from, especially wrt inside or outside the network? This information could be spoofed, and even then it doesn't tell you who's doing it. I'd hope you have a good firewall anyways.
The only reason I've never seen this message on my own system is because my firewall blocks it. -- wca From owner-freebsd-security Thu Mar 8 7:40:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 5A1C337B71A for ; Thu, 8 Mar 2001 07:40:19 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f28Fe8m43913; Thu, 8 Mar 2001 07:40:08 -0800 (PST) (envelope-from oldfart@gtonet.net) Reply-To: From: "oldfart@gtonet" To: "Will Andrews" , "Will Mitayai Keeso Rowe" Cc: Subject: RE: strange messages Date: Thu, 8 Mar 2001 07:40:08 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010308091303.I45561@ohm.physics.purdue.edu> X-MimeOLE: Produced By Micros oft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Will Andrews > Sent: Thursday, March 08, 2001 6:13 AM > To: Will Mitayai Keeso Rowe > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: strange messages > > > On Thu, Mar 08, 2001 at 09:08:25AM -0500, Will Mitayai Keeso Rowe wrote: > > Mar 7 00:07:55
machine rpc.statd: invalid hostname to sm_stat: > ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8 > x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^! > > PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > > Mar 7 00:07:55 machine /kernel: -^PM-^PM-^P > > Linux script kiddie running a Linux rpc.statd exploit on your box that > (surprise!) doesn't work on FreeBSD. :-) > No, I don't think so, because I get that error on my NFS server too and I know who's on that box and what they're running (unless this is a remote exploit) I can certainly block the port (#?) via my firewall but I don't think that's it. I think it's a problem that's been ignored and written off as an attempted exploit on many boxes. 
YMMV,
OF

Mar 6 18:26:19 mls rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
37x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
Mar 6 18:26:19 mls /kernel: M-^PM-^P

> --
> wca

From owner-freebsd-security Thu Mar 8 7:44:46 2001
From: Maxime Henrion
To: security@freebsd.org
Cc: "oldfart@gtonet"
Subject: Re: strange messages
Date: Thu, 8 Mar 2001 16:44:06 +0100
Message-ID: <20010308164406.A383@nebula.cybercable.fr>
References: <20010308091303.I45561@ohm.physics.purdue.edu>
oldfart@gtonet wrote:
> > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > (surprise!) doesn't work on FreeBSD. :-)
>
> No, I don't think so, because I get that error on my NFS server too and I
> know who's on that box and what they're running (unless this is a remote
> exploit)

It *is* a remote exploit.

Maxime

-- 
Don't be fooled by cheap Finnish imitations ; BSD is the One True Code
Key fingerprint = F9B6 1D5A 4963 331C 88FC CA6A AB50 1EF2 8CBE 99D6
Public Key : http://www.epita.fr/~henrio_m/

From owner-freebsd-security Thu Mar 8 8:09:32 2001
From: "oldfart@gtonet"
Subject: RE: strange messages
Date: Thu, 8 Mar 2001 08:08:45 -0800
In-Reply-To: <20010308164406.A383@nebula.cybercable.fr>

> -----Original Message-----
> From: Maxime Henrion [mailto:mux@qualys.com]
> Sent: Thursday, March 08, 2001 7:44 AM
> To: security@freebsd.org
> Cc:
>   oldfart@gtonet
> Subject: Re: strange messages
>
>
> oldfart@gtonet wrote:
> > > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > > (surprise!) doesn't work on FreeBSD. :-)
> >
> > No, I don't think so, because I get that error on my NFS server too and I
> > know who's on that box and what they're running (unless this is a remote
> > exploit)
> It *is* a remote exploit.
>
> Maxime

Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be portmapper (sunrpc) and rpc.stat according to /etc/services and sockstat respectively, at my firewall. If this *is* indeed an attempted exploit I *should* be dropping the packets and logging where it came from if it's not spoofed. If I *do* end up with more of those errors then that should prove it's *not* an exploit attempt, right?

Only time will tell,
OF

> --
> Don't be fooled by cheap Finnish imitations ; BSD is the One True Code
> Key fingerprint = F9B6 1D5A 4963 331C 88FC CA6A AB50 1EF2 8CBE 99D6
> Public Key : http://www.epita.fr/~henrio_m/

From owner-freebsd-security Thu Mar 8 8:14:33 2001
From: Kris Kennaway
To: Ragnar Beer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: security-notification endless loop
Date: Thu, 8 Mar 2001 08:14:28 -0800
Message-ID: <20010308081428.A84970@mollari.cthul.hu>
On Thu, Mar 08, 2001 at 01:30:19PM +0100, Ragnar Beer wrote:
> Howdy! A couple of times I've tried to subscribe
> freebsd-security-notifications but whenever I try I'm getting a
> confirmation request. When I reply to the confirmation request I'm
> getting another one and guess what happens when I reply to that one
> ... What's going on???

Sounds like you're replying to the confirmation with text that includes a "subscribe" request. Without seeing an email transcript it's impossible to say.

Kris

From owner-freebsd-security Thu Mar 8 8:17:51 2001
From: Kris Kennaway
To: "oldfart@gtonet"
Cc: Will Andrews, Will Mitayai Keeso Rowe, freebsd-security@FreeBSD.ORG
Subject: Re: strange messages
Date: Thu, 8 Mar 2001 08:17:40 -0800
Message-ID: <20010308081740.B84970@mollari.cthul.hu>
References: <20010308091303.I45561@ohm.physics.purdue.edu>
On Thu, Mar 08, 2001 at 07:40:08AM -0800, oldfart@gtonet wrote:
> > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > (surprise!) doesn't work on FreeBSD. :-)
> >
>
> No, I don't think so, because I get that error on my NFS server too and I
> know who's on that box and what they're running (unless this is a remote
> exploit) I can certainly block the port (#?) via my firewall but I don't
> think that's it. I think it's a problem that's been ignored and written off
> as an attempted exploit on many boxes.

No, it IS an inapplicable remote rpc.statd exploit which never applied to FreeBSD. Notice all of the %x and %n operators in the string they're sending; these are the signatures of a format string bug, which the Linux rpc.statd suffered from, but which is different code to what BSD uses and therefore not an applicable vulnerability, and nothing more than an annoyance unless you have Linux systems you haven't updated in a while.
> Mar 6 18:26:19 mls rpc.statd: invalid hostname to sm_stat:
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
> 37x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-

Kris

From owner-freebsd-security Thu Mar 8 8:26:47 2001
From: Rob Simmons
To: Chris Shenton
Subject: Re: ipfw or ipf?
Date: Thu, 8 Mar 2001 11:26:51 -0500 (EST)

I'm having trouble finding the port of VRRP. I also looked in the LINT file on a freshly cvsup'd STABLE box and didn't see anything there either. Virtual router redundancy protocol would be quite nice; it would solve a number of network problems that I have.

Could you point me to where you saw the port of vrrp?
Robert Simmons Systems Administrator http://www.wlcg.com/ On 8 Mar 2001, Chris Shenton wrote: > On Wed, 07 Mar 2001 18:29:10 -0600, Christopher Schulte said: > > Christopher> ipfw is beautiful - two nics just hop into promisc mode. > Christopher> One connects to the 'internal' network, the other to > Christopher> possibly a router or public switch. Then using the > Christopher> firewall/shaping rules defined with ipfw traffic is > Christopher> transparently passed (or dropped/rejected) from the > Christopher> external network to machines on the inside via software > Christopher> bridging. > > Has anyone set up a pair of FreeBSD firewallowing boxes with VRRP (new > in ports) to provide fail-over redundancy? I hate being dependent on > a single point of failure. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6p7LOv8Bofna59hYRArCLAJ9G7sTfpvQjLSf3l0iQ9dJqJfSdnwCfRhBq 50D2g9/zEuBGL/86up9aYDk= =EmEt -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 8:28:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id 22E5D37B71A for ; Thu, 8 Mar 2001 08:28:05 -0800 (PST) (envelope-from rbeer@uni-goettingen.de) Received: from partner.uni-psych.gwdg.de ([134.76.136.114]) by gwdu42.gwdg.de with esmtp (Exim 3.14 #18) id 14b3Gl-0004TD-00; Thu, 08 Mar 2001 17:28:03 +0100 Mime-Version: 1.0 X-Sender: rbeer@popper.gwdg.de Message-Id: In-Reply-To: <20010308081428.A84970@mollari.cthul.hu> References: <20010308081428.A84970@mollari.cthul.hu> Date: Thu, 8 Mar 2001 17:27:57 +0100 To: Kris Kennaway From: Ragnar Beer Subject: Re: security-notification endless loop Content-Type: 
Oops, problem solved! I didn't realize that the "auth" line is broken by Eudora and continues on the next line, so I didn't include my email address in the reply. Thanks, Kris! I wouldn't have realized if you hadn't asked for the transcripts! :)

Ragnar

>On Thu, Mar 08, 2001 at 01:30:19PM +0100, Ragnar Beer wrote:
>> Howdy! A couple of times I've tried to subscribe
>> freebsd-security-notifications but whenever I try I'm getting a
>> confirmation request. When I reply to the confirmation request I'm
>> getting another one and guess what happens when I reply to that one
>> ... What's going on???
>
>Sounds like you're replying to the confirmation with text that
>includes a "subscribe" request. Without seeing an email transcript
>it's impossible to say.
>
>Kris

From owner-freebsd-security Thu Mar 8 8:28:05 2001
From: "oldfart@gtonet"
Subject: RE: strange messages
Date: Thu, 8 Mar 2001 08:27:58 -0800
In-Reply-To: <20010308081740.B84970@mollari.cthul.hu>

Well so far it's just been a few minutes and already the firewall caught an IP from .tw (210.68.55.97) port scanning 111, the entire class-C prolly. Man, my logs show *LOTS* of those errors; if those were all exploit attempts there's been a bunch of busy-little-linux-weenies(TM).

Time will tell,
OF

> -----Original Message-----
> From: Kris Kennaway [mailto:kris@obsecurity.org]
> Sent: Thursday, March 08, 2001 8:18 AM
> To: oldfart@gtonet
> Cc: Will Andrews; Will Mitayai Keeso Rowe; freebsd-security@FreeBSD.ORG
> Subject: Re: strange messages
>
>
> On Thu, Mar 08, 2001 at 07:40:08AM -0800, oldfart@gtonet wrote:
> > > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > > (surprise!) doesn't work on FreeBSD.
> > > :-)
> > >
> >
> > No, I don't think so, because I get that error on my NFS server too and I
> > know who's on that box and what they're running (unless this is a remote
> > exploit) I can certainly block the port (#?) via my firewall but I don't
> > think that's it. I think it's a problem that's been ignored and written off
> > as an attempted exploit on many boxes.
>
> No, it IS an inapplicable remote rpc.statd exploit which never applied
> to FreeBSD. Notice all of the %x and %n operators in the string
> they're sending; these are the signatures of a format string bug,
> which the Linux rpc.statd suffered from, but which is different code
> to what BSD uses and therefore not an applicable vulnerability, and
> nothing more than an annoyance unless you have Linux systems you
> haven't updated in a while.
>
> > Mar 6 18:26:19 mls rpc.statd: invalid hostname to sm_stat:
> > ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
> > 37x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
>
> Kris

From owner-freebsd-security Thu Mar 8 8:31:13 2001
From: "Cambria, Mike"
To: "'security@freebsd.org'"
Subject: Which KAME SNAP in 4.3?
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7064C27@rerun.lucentctc.com>
Date: Thu, 8 Mar 2001 11:30:52 -0500

Does anyone know which KAME SNAP (at least for IPv4 IPSec) will be in FreeBSD 4.3?

Did ALTQ make it (possibly a redundant question)?

Thanks,
MikeC

Michael C. Cambria
Avaya Inc.
Former Enterprise Networks Group of Lucent Technologies
300 Baker Avenue, Concord, Massachusetts 01742
Voice: (978) 287 - 2807
Fax: (978) 381 - 6415
Internet: mcambria@avaya.com

From owner-freebsd-security Thu Mar 8 9:01:26 2001
From: "Jim Flowers"
To: "Ilya Krel"
Subject: Re: vpn vs natd
Date: Thu, 8 Mar 2001 11:56:19 -0500
Message-ID: <008501c0a7f0$b3254e10$22b197ce@ezo.net>
References: <5FE9B713CCCDD311A03400508B8B301305F47C8A@bdr-xcln.is.matchlogic.com> <013c01c0a771$e80f3e30$0100a8c0@ilya> <004001c0a773$bfe11210$22b197ce@ezo.net> <000f01c0a789$eb3dd4f0$0100a8c0@ilya>

SKIP on two gateway boxes connects two networks together, over the Internet if desired, tunneling from the one box to the other. The networks behind the gateways can be public or private.
Either or both of the boxes can also be running natd on a many-to-one basis. Ipfw is used to divert packets to the natd process, usually by an any-to-any match. SKIP is implemented in a shim between ipfw and the external network interface. The technique is to precede the natd divert rule with rules that match packets that are to be transmitted over the VPN and, therefore, should not be diverted to ipfw. The technique can be extended to as many nodes (each with a network behind it) as you want for the VPN.

By stand-alone - yes, you have to partner with other SKIP-aware devices and that pretty much means Sun, FreeBSD and Linux.

----- Original Message -----
From: "Ilya Krel"
To: "Jim Flowers"
Sent: Wednesday, March 07, 2001 11:40 PM
Subject: Re: vpn vs natd

> I probably didn't thoroughly understand SKIP yet ;) but it seems like it's a
> stand-alone solution. What I have is a corporate VPN (altiga/cisco), an NT
> client, a BSD router with nat. What I want to do is allow this client
> (altiga) to go through my router without the packets being raped by nat,
> which happens according to cisco in a many-to-one environment.
> please do correct me if I am wrong about skip.
>
> ----- Original Message -----
> From: "Jim Flowers"
> To: "Ilya"
> Sent: Wednesday, March 07, 2001 9:01 PM
> Subject: Re: vpn vs natd
>
>
> > You can do VPN and many-to-one NAT if you use the SKIP port. It takes a
> > thorough understanding of both but you essentially use rules in IPFW to
> > determine what uses VPN and what uses NATD. Search the mailing lists for
> > SKIP where I listed both the criteria and methodology.
> >
> > There is probably a way to do something similar with IPSec but I haven't
> > spent the time to know how to do it.
> >
> > ----- Original Message -----
> > From: "Ilya"
> > Sent: Wednesday, March 07, 2001 8:48 PM
> > Subject: vpn vs natd
> >
> >
> > > As far as I know there is no way to make vpn work through many-to-one
> > > nat. Only many-to-many will work.
> > > I currently have at home one-to-many (windows
> > > clients through freebsd router), now that I need vpn, I got a second public
> > > ip. Is it somehow possible to set up that all traffic from a certain private ip
> > > on my lan would go out as using my new ip? which I guess will reside on the same
> > > network card, which hosts the current public ip. is it also possible to do
> > > without breaking the config I have now?
> > > so I am thinking, many-to-one nat for all windows clients except one, and
> > > many-to-many for only one specific private ip.
> > > how can I do it?
> > >
> > > thx a lot.

From owner-freebsd-security Thu Mar 8 9:06:56 2001
From: Kris Kennaway
To: "Cambria, Mike"
Cc: "'security@freebsd.org'"
Subject: Re: Which KAME SNAP in 4.3?
Date: Thu, 8 Mar 2001 09:06:53 -0800
Message-ID: <20010308090653.A86055@mollari.cthul.hu>
In-Reply-To: <3A6D367EA1EFD4118C9B00A0C9DD99D7064C27@rerun.lucentctc.com>

On Thu, Mar 08, 2001 at 11:30:52AM -0500, Cambria, Mike wrote:
>
> Does anyone know which KAME SNAP (at least for IPv4 IPSec) will be in
> FreeBSD 4.3?

Unchanged from 4.2, except for bug fixes.

> Did ALTQ make it (possibly a redundant question)?

No.

Kris

From owner-freebsd-security Thu Mar 8 9:27:28 2001
From: Wes Peters
Organization: Softweyr LLC
To: Rob Simmons
Cc: Chris Shenton, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw or ipf?
Date: Thu, 08 Mar 2001 10:27:08 -0700
Message-ID: <3AA7C0EC.51E9ECEA@softweyr.com>

Rob Simmons wrote:
>
> I'm having trouble finding the port of VRRP. I also looked in the LINT
> file on a freshly cvsup'd STABLE box and didn't see anything there either.
> Virtual router redundancy protocol would be quite nice, it would solve a
> number of network problems that I have.
>
> Could you point me to where you saw the port of vrrp?

Did you update your ports collection when you cvsupped?

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                        Softweyr LLC
wes@softweyr.com                            http://softweyr.com/

From owner-freebsd-security Thu Mar 8 9:33:38 2001
From: Peter Brezny
To: freebsd-security@freebsd.org
Subject: New to Snort.
Date: Thu, 8 Mar 2001 12:35:47 -0500 (EST)
I'm new to using snort, and would like to know if this is the appropriate place to ask questions about the alert logs it generates.

For example, what does all this mean?

[**] MISC source port 53 to <1023 [**]
03/08-05:16:23.823888 193.75.177.1:53 -> 209.16.228.148:53
UDP TTL:42 TOS:0x0 ID:54352 IpLen:20 DgmLen:61
Len: 41

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

am I in big trouble?

Thanks in advance.

Peter Brezny

From owner-freebsd-security Thu Mar 8 9:40:25 2001
From: Wes Peters
Organization: Softweyr LLC
To: Will Andrews
Cc: Will Mitayai Keeso Rowe, tjk@tksoft.com, freebsd-security@FreeBSD.ORG
Subject: Re: strange messages
Date: Thu, 08 Mar 2001 10:38:52 -0700
Message-ID: <3AA7C3AC.42537D68@softweyr.com>
References: <200103081428.GAA02075@uno.tksoft.com> <20010308094055.L45561@ohm.physics.purdue.edu>

Will Andrews wrote:
>
> On Thu, Mar 08, 2001 at 09:33:30AM -0500, Will Mitayai Keeso Rowe wrote:
> > According to CERT (the latest statd message seems to be
> > http://www.kb.cert.org/vuls/id/34043)
> > FreeBSD is not vulnerable to rpc.statd problems.
> >
> > But, I still have a question... how can I better log attempts to hack my
> > machine's rpc.statd? It would be nice to have an IP of the connecting box so
> > I can see if they are doing it remotely or by an account on my machine.
> > Tcpwrappers or ipfw?
>
> What good is this information?

ipfilter + ipmon. You can use this information to track down their ISP and get their account pulled, working up the chain if you have to.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                        Softweyr LLC
wes@softweyr.com                            http://softweyr.com/

From owner-freebsd-security Thu Mar 8 10:03:19 2001
From: "Elliott Perrin"
To: "Wes Peters", "Rob Simmons"
Cc: "Chris Shenton"
Subject: Re: ipfw or ipf?
Date: Thu, 8 Mar 2001 13:08:25 -0500
Message-ID: <02b601c0a7fa$c5cccd90$0c01a8c0@bottleneck2000>
References: <3AA7C0EC.51E9ECEA@softweyr.com>

I have not updated my ports collection here at work, but would be interested to know where I can get source for vrrp. I tried the FBSD site but it is not yet listed in the ports section.

Any ideas?

----- Original Message -----
From: "Wes Peters"
To: "Rob Simmons"
Cc: "Chris Shenton"
Sent: Thursday, March 08, 2001 12:27 PM
Subject: Re: ipfw or ipf?

> Rob Simmons wrote:
> >
> > I'm having trouble finding the port of VRRP. I also looked in the LINT
> > file on a freshly cvsup'd STABLE box and didn't see anything there either.
> > Virtual router redundancy protocol would be quite nice, it would solve a
> > number of network problems that I have.
> >
> > Could you point me to where you saw the port of vrrp?
>
> Did you update your ports collection when you cvsupped?
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                        Softweyr LLC
> wes@softweyr.com                            http://softweyr.com/

From owner-freebsd-security Thu Mar 8 10:08:13 2001
From: Brooks Davis
To: "oldfart@gtonet"
Cc: security@FreeBSD.ORG
Subject: Re: strange messages
Date: Thu, 8 Mar 2001 10:07:55 -0800
Message-ID: <20010308100755.A13090@Odin.AC.HMC.Edu>
References: <20010308164406.A383@nebula.cybercable.fr>

On Thu, Mar 08, 2001 at 08:08:45AM -0800, oldfart@gtonet wrote:
> Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> respectively, at my firewall. If this *is* indeed an attempted exploit I
> *should* be dropping the packets and logging where it came from if it's not
> spoofed.
If I *do* end up with more of those errors then that should prove > it's *not* an exploit attempt, right? Blocking port 111 is a good idea, but blocking 1011 and 1022 is pointless. RPC services bind to an arbitrary port and then register it with the portmapper. There is no way to be sure that a given RPC service will end up on the same port next time you boot. It's quite trivial to probe for RPC services without portmapper's help. By blocking portmapper, you will probably avoid the more stupid exploits, but you may still see errors due to scans after reboot. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --jRHKVT23PllUwdXP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6p8p6XY6L6fI4GtQRAllcAJ4hhLZeCJDSLI2NP3a1fAgZY9diZgCcCOJP nofuRVpFDFINSg6jLMKuIjg= =KbxK -----END PGP SIGNATURE----- --jRHKVT23PllUwdXP-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 10:27:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id ED75737B718 for ; Thu, 8 Mar 2001 10:27:16 -0800 (PST) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f28IRBW38962 for ; Thu, 8 Mar 2001 13:27:11 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.0.2.1.0.20010308130831.03074aa0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 08 Mar 2001 13:21:01 -0500 To: freebsd-security@freebsd.org From: Mike Tancsa Subject: "write only" fs/files ? 
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

We are looking at a new network backup system and are throwing around a number of scenarios. We have a mix of co-location servers and want to provide a backup service to those who do not provide their own built in tape drives. One of the ideas thrown about was some sort of one way backup system on a large disk store. For UNIX users, rsync over ssh to a unique userID per server is one thought. For Win32 boxes, some combo of samba perhaps through PPTP.

One additional feature that would be nice to have would be to provide one way backups somehow. i.e. the client machine dumps its data to the backup server either into a dump file or tar file or sync'd file system via rsync. But, for security purposes, it would be nice to somehow mark that data once uploaded as being inaccessible to the client machine. This way if their box gets compromised after the backup, they don't have access to the data before it gets offloaded to tape.

Comments ?
---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 10:28:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 9D71737B719 for ; Thu, 8 Mar 2001 10:28:08 -0800 (PST) (envelope-from oldfart@gtonet.net) Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f28IS8m44588 for ; Thu, 8 Mar 2001 10:28:09 -0800 (PST) (envelope-from oldfart@gtonet.net) Reply-To: From: "oldfart@gtonet" To: Subject: RE: strange messages Date: Thu, 8 Mar 2001 10:28:07 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010308100755.A13090@Odin.AC.HMC.Edu> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Brooks Davis > Sent: Thursday, March 08, 2001 10:08 AM > To: oldfart@gtonet > Cc: security@FreeBSD.ORG > Subject: Re: strange messages > > > On Thu, Mar 08, 2001 at 08:08:45AM -0800, oldfart@gtonet wrote: > > Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be > > portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat > > respectively, at my firewall. If this *is* indeed an attempted exploit I > > *should* be dropping the packets and logging where it came from > if it's not > > spoofed. If I *do* end up with more of those errors then that > should prove > > it's *not* an exploit attempt, right? > > Blocking port 111 is a good idea, but blocking 1011 and 1022 is > pointless. 
RPC services bind to an arbitrary port and then register it > with the portmapper. There is no way to be sure that a given RPC > service will end up on the same port next time you boot. It's quite > trivial to probe for RPC services without portmapper's help. By > blocking portmapper, you will probably avoid the more stupid exploits, > but you may still see errors due to scans after reboot. > > -- Brooks > Yeah, luckily, I run FreeBSD so I don't have to reboot much and most exploits are for Linux. }:-)> It's not bad(TM) to block all ports that you don't need open, anyway, and since I only NFS to my local LAN blocking it sounded right. I mainly wanted to see if that would stop the error messages in question. A more permanent solution can be implemented at a later date. Can those RPC services be FORCED to run on a certain port or is that just superfluous because portmapper is blocked? It would make filtering/logging/reporting/busting easier. Thanks, OF > -- > Any statement of the form "X is the one, true Y" is FALSE. 
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Thu Mar 8 10:35: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 8886C37B718 for ; Thu, 8 Mar 2001 10:35:01 -0800 (PST) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f28IZ0O30782; Thu, 8 Mar 2001 10:35:00 -0800 Date: Thu, 8 Mar 2001 10:35:00 -0800 From: Brooks Davis To: "oldfart@gtonet" Cc: security@FreeBSD.ORG Subject: Re: strange messages Message-ID: <20010308103500.C13090@Odin.AC.HMC.Edu> References: <20010308100755.A13090@Odin.AC.HMC.Edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="wxDdMuZNg1r63Hyj" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from oldfart@gtonet.net on Thu, Mar 08, 2001 at 10:28:07AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Mar 08, 2001 at 10:28:07AM -0800, oldfart@gtonet wrote: > Yeah, luckily, I run FreeBSD so I don't have to reboot much and most > exploits are for Linux. }:-)> It's not bad(TM) to block all ports that you > don't need open, anyway, and since I only NFS to my local LAN blocking it > sounded right. I mainly wanted to see if that would stop the error messages > in question. A more permanent solution can be implemented at a later date. > Can those RPC services be FORCED to run on a certain port or is that just > superfluous because portmapper is blocked? It would make > filtering/logging/reporting/busting easier.
A close firewall configuration could work if implemented correctly, but the ports RPC services bind to are the same ones your outbound TCP connections are bound to so you'll need stateful firewalling to make it work. You can force NFS to use only its reserved port (see /etc/defaults/rc.conf), but generally you can't dictate where RPC services bind. Your best bet is to disable rpc.statd unless you are actually using it.

-- Brooks

-- Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Thu Mar 8 10:45:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.airlinksys.com (mailhub.airlinksys.com [216.70.12.6]) by hub.freebsd.org (Postfix) with ESMTP id BCFC137B718 for ; Thu, 8 Mar 2001 10:45:46 -0800 (PST) (envelope-from sjohn@airlinksys.com) Received: from ns2.airlinksys.com (ns2.airlinksys.com [216.70.12.3]) by mailhub.airlinksys.com (Postfix) with ESMTP id 3144353501 for ; Thu, 8 Mar 2001 12:45:37 -0600 (CST) Received: by ns2.airlinksys.com (Postfix, from userid 1000) id BDEB65D8E; Thu, 8 Mar 2001 12:45:36 -0600 (CST) Date: Thu, 8 Mar 2001 12:45:36 -0600 From: Scott Johnson To: security@freebsd.org Subject: Re: strange messages Message-ID: <20010308124536.A23112@ns2.airlinksys.com> Reply-To: Scott Johnson Mail-Followup-To: security@freebsd.org References: <20010308164406.A383@nebula.cybercable.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent:
Mutt/1.2.5i In-Reply-To: ; from oldfart@gtonet.net on Thu, Mar 08, 2001 at 08:08:45AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Quoth oldfart@gtonet on Thu, Mar 08, 2001 at 08:08:45AM -0800: > > Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be > portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat > respectively, at my firewall. If this *is* indeed an attempted exploit I > *should* be dropping the packets and logging where it came from if it's not > spoofed. If I *do* end up with more of those errors then that should prove > it's *not* an exploit attempt, right? RPC ports are dynamically assigned, and portmapper (rpcbind) is the process that gives out the addresses for rpc services. So blocking the port used today won't work, since it may be different the next time the process starts. Which goes to show: You should be denying everything by default at your firewall, and allowing only what you need. What if the attempt (assuming this was a remote exploit attempt) was successful? You'd be a day late. -- Scott Johnson System/Network Administrator Airlink Systems To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 10:46:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from k2.jozsef.kando.hu (k2.jozsef.kando.hu [193.224.40.3]) by hub.freebsd.org (Postfix) with SMTP id C5A8637B71C for ; Thu, 8 Mar 2001 10:46:39 -0800 (PST) (envelope-from bra@fsn.hu) Received: (qmail 22572 invoked by uid 1000); 8 Mar 2001 18:46:37 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Mar 2001 18:46:37 -0000 Date: Thu, 8 Mar 2001 19:46:37 +0100 (CET) From: Attila Nagy X-X-Sender: To: Mike Tancsa Cc: Subject: Re: "write only" fs/files ? 
In-Reply-To: <5.0.2.1.0.20010308130831.03074aa0@marble.sentex.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello,

> For UNIX users, rsync over ssh to a unique userID per server is one
> thought. For Win32 boxes, some combo of samba perhaps through PTPTP.

There is rsync for windows too. Or to be correct it is written for UNIX, but somebody compiled it for win32... You can even use rsync over ssh with windows (like with putty's plink, or something similar).

> This way if their box gets compromised after the backup, they don't
> have access to the data before it gets offloaded to tape.

If you choose to use rsync over ssh you can use the following method:

- use RSA (or DSA) keys to authenticate. Since you are going to do regular backups this is the standard case, because in this way you won't have to give passwords

- on the backup server place an authorized_keys file into the users' home: ~backupuser001/.ssh/authorized_keys(2 in the DSA case), with this single entry on one line:

    command="rsync --server -vlgtpr --delete . /datadir/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty [key]

- on the client make an RSA (DSA) key with no password and do the backup in this way:

    # rsync --delete -va -e ssh / backupuser001@backupserver:/datadir/

- after everything works OK, place the above into cron or a user triggered file and mail its output to anybody.

- on the backupserver make a backup of the backup :) I mean copy all the files to another directory [tape], with a timestamp, or anything, so you can make sure that the files couldn't be overwritten maliciously. You could use for the latter task UFS's coming snapshot function, but I think it is wise to wait with that yet...

ps: if you need extra protection and manual backups, you can use password protected keys, and/or you can authenticate with rsync too...
Hope this helps, -------------------------------------------------------------------------- Attila Nagy e-mail: Attila.Nagy@fsn.hu Budapest Polytechnic (BMF.HU) @work: +361 210 1415 (194) H-1084 Budapest, Tavaszmezo u. 15-17. cell.: +3630 306 6758 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 10:59:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id B0D6637B718 for ; Thu, 8 Mar 2001 10:59:10 -0800 (PST) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id SAA27293; Thu, 8 Mar 2001 18:58:39 GMT Message-ID: <3AA7D65D.C27251B9@algroup.co.uk> Date: Thu, 08 Mar 2001 18:58:37 +0000 From: Adam Laurie Organization: A.L. Group plc X-Mailer: Mozilla 4.76 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: Mike Tancsa Cc: freebsd-security@freebsd.org Subject: Re: "write only" fs/files ? References: <5.0.2.1.0.20010308130831.03074aa0@marble.sentex.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mike Tancsa wrote: > > We are looking at a new network backup system and are throwing around a > number of scenarios. We have a mix of co-location servers and want to > provide a backup service to those who do not provide their own built in > tape drives. One of the ideas thrown about was some sort of one way backup > system on a large disk store. For UNIX users, rsync over ssh to a unique > userID per server is one thought. For Win32 boxes, some combo of samba > perhaps through PTPTP. > > One additional feature that would be nice to have would be to provide one > way backups somehow. i.e. 
the client machine dumps its data to the backup > server either into a dump file or tar file or sync'd file system via > rsync. But, for security purposes, it would be nice to somehow mark that > data once uploaded as being inaccessible to the client machine. This way > if their box gets compromised after the backup, they dont have access to > the data before it gets offloaded to tape. > > Comments ? stunnelled amanda with strong authentication. http://www.stunnel.org/ http://www.amanda.org/ i've never used 'doze clients but i'm told they work. cheers, Adam -- Adam Laurie Tel: +44 (20) 8742 0755 A.L. Digital Ltd. Fax: +44 (20) 8742 5995 Voysey House http://www.thebunker.net Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 11:13:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 3CB6737B719 for ; Thu, 8 Mar 2001 11:13:16 -0800 (PST) (envelope-from christopher@schulte.org) Received: from ronayne.schulte.org (nb-22.netbriefings.com [204.72.185.22]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id NAA61359; Thu, 8 Mar 2001 13:12:55 -0600 (CST) (envelope-from christopher@schulte.org) Message-Id: <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 08 Mar 2001 13:12:41 -0600 To: Brooks Davis , "oldfart@gtonet" From: Christopher Schulte Subject: Re: strange messages Cc: security@FreeBSD.ORG In-Reply-To: <20010308103500.C13090@Odin.AC.HMC.Edu> References: <20010308100755.A13090@Odin.AC.HMC.Edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: 
FreeBSD.org At 10:35 AM 3/8/2001 -0800, Brooks Davis wrote: >but the ports RPC services bind to are the same ones your outbound >TCP connections are bound to so you'll need stateful firewalling >to make it work. You can convince the kernel to use a more user-defined port range(s) for dynamic outbound connections with a few sysctl vars, thus making firewall confs a bit easier to craft and maintain: `sysctl -a | grep portrange` >You can force NFS to use only it's reserved port >(see /etc/defaults/rc.conf), but generally you can't dictate where RPC >services bind. You're best bet is to disable rpc.statd unless you are >actually using it. It's always a good idea to turn a service off if you're not using it. ;p >-- Brooks > >-- >Any statement of the form "X is the one, true Y" is FALSE. >PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 11:34: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 0BB4737B718 for ; Thu, 8 Mar 2001 11:34:02 -0800 (PST) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f28JXlQ08840; Thu, 8 Mar 2001 11:33:47 -0800 Date: Thu, 8 Mar 2001 11:33:47 -0800 From: Brooks Davis To: Christopher Schulte Cc: "oldfart@gtonet" , security@FreeBSD.ORG Subject: Re: strange messages Message-ID: <20010308113347.A7928@Odin.AC.HMC.Edu> References: <20010308100755.A13090@Odin.AC.HMC.Edu> <20010308103500.C13090@Odin.AC.HMC.Edu> <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org>; from 
christopher@schulte.org on Thu, Mar 08, 2001 at 01:12:41PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Mar 08, 2001 at 01:12:41PM -0600, Christopher Schulte wrote: > You can convince the kernel to use a more user-defined port range(s) for > dynamic outbound connections with a few sysctl vars, thus making firewall > confs a bit easier to craft and maintain: > > `sysctl -a | grep portrange`

Is there some actual documentation on what these do somewhere? Just being able to limit the range of arbitrary ports doesn't do anything, but I can't see what else you could do with these.

-- Brooks

-- Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Thu Mar 8 11:48:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id E593C37B718 for ; Thu, 8 Mar 2001 11:48:08 -0800 (PST) (envelope-from christopher@schulte.org) Received: from ronayne.schulte.org (nb-22.netbriefings.com [204.72.185.22]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id NAA62542; Thu, 8 Mar 2001 13:48:03 -0600 (CST) (envelope-from christopher@schulte.org) Message-Id: <5.0.2.1.0.20010308134342.02761e70@pop.schulte.org> X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 08 Mar 2001 13:47:49 -0600 To: Brooks Davis From: Christopher Schulte Subject: Re: strange messages Cc: "oldfart@gtonet" , security@FreeBSD.ORG In-Reply-To: <20010308113347.A7928@Odin.AC.HMC.Edu> References: <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org> <20010308100755.A13090@Odin.AC.HMC.Edu> <20010308103500.C13090@Odin.AC.HMC.Edu> <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:33 AM 3/8/2001 -0800, Brooks Davis wrote: >On Thu, Mar 08, 2001 at 01:12:41PM -0600, Christopher Schulte wrote: > > You can convince the kernel to use a more user-defined port range(s) for > > dynamic outbound connections with a few sysctl vars, thus making firewall > > confs a bit easier to craft and maintain: > > > > `sysctl -a | grep portrange` > >Is there some actual documentation on what these do somewhere? Just >being able to limit the range of arbitrary ports don't do anything, but >I can't see what else you could do with these. If you told the kernel to initiate all outbound connections between say ports 2000-4000, then you wouldn't have to worry about filtering lower ports, to kick those pesky rpc services - which as was mentioned cannot always be told to live on a user defined port. As far as docs: Yah, do a man on ip(4) or http://people.freebsd.org/~adrian/sysctl.descriptions >-- Brooks > >-- >Any statement of the form "X is the one, true Y" is FALSE. 
>PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 11:51:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 7F0D237B718 for ; Thu, 8 Mar 2001 11:51:18 -0800 (PST) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f28JoXX43606; Thu, 8 Mar 2001 14:50:33 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Thu, 8 Mar 2001 14:50:29 -0500 (EST) From: Rob Simmons To: Adam Laurie Cc: Mike Tancsa , Subject: Re: "write only" fs/files ? In-Reply-To: <3AA7D65D.C27251B9@algroup.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 There isn't a windows client for amanda. What you have to do is use smbclient and gnutar. The windows section of your amanda backup will be the weak link since the passwords are only encrypted with NT1. For the *nix boxen, stunnel is a good idea. Kerberos v4 is supported in amanda, which can be used for authentication as well as encrypting the dump itself. Robert Simmons Systems Administrator http://www.wlcg.com/ On Thu, 8 Mar 2001, Adam Laurie wrote: > Mike Tancsa wrote: > > > > We are looking at a new network backup system and are throwing around a > > number of scenarios. We have a mix of co-location servers and want to > > provide a backup service to those who do not provide their own built in > > tape drives. One of the ideas thrown about was some sort of one way backup > > system on a large disk store. For UNIX users, rsync over ssh to a unique > > userID per server is one thought. For Win32 boxes, some combo of samba > > perhaps through PTPTP. 
> > > > One additional feature that would be nice to have would be to provide one > > way backups somehow. i.e. the client machine dumps its data to the backup > > server either into a dump file or tar file or sync'd file system via > > rsync. But, for security purposes, it would be nice to somehow mark that > > data once uploaded as being inaccessible to the client machine. This way > > if their box gets compromised after the backup, they dont have access to > > the data before it gets offloaded to tape. > > > > Comments ? > > stunnelled amanda with strong authentication. > > http://www.stunnel.org/ > http://www.amanda.org/ > > i've never used 'doze clients but i'm told they work. > > cheers, > Adam > -- > Adam Laurie Tel: +44 (20) 8742 0755 > A.L. Digital Ltd. Fax: +44 (20) 8742 5995 > Voysey House http://www.thebunker.net > Barley Mow Passage http://www.aldigital.co.uk > London W4 4GB mailto:adam@algroup.co.uk > UNITED KINGDOM PGP key on keyservers > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6p+KJv8Bofna59hYRAgaaAKCFqlxScevbMknOYnz48PCSvcMNqgCfTaCa YKeqAZyTIPnWazMEsHDm9AI= =XnDo -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 12:12:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 4336337B719 for ; Thu, 8 Mar 2001 12:12:14 -0800 (PST) (envelope-from nick@rogness.net) Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f28KeU275330; Thu, 8 Mar 2001 14:40:31 -0600 (CST) (envelope-from nick@rogness.net) Date: Thu, 8 Mar 2001 14:40:30 -0600 (CST) From: Nick Rogness X-Sender: nick@cody.jharris.com To: 
Peter Brezny Cc: freebsd-security@FreeBSD.ORG Subject: Re: New to Snort. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 8 Mar 2001, Peter Brezny wrote:
> I'm new to using snort, and would like to know if this is the appropriate
> place to ask questions about the alert logs it generates.

Send questions to snort-users@lists.sourceforge.net (mailing list).

> For example, What does all this mean?
>
> [**] MISC source port 53 to <1023 [**]
> 03/08-05:16:23.823888 193.75.177.1:53 -> 209.16.228.148:53
> UDP TTL:42 TOS:0x0 ID:54352 IpLen:20 DgmLen:61
> Len: 41

That is a packet from your network to another machine. It just happens to be a DNS packet (UDP) and the other numbers are just the packet header info.

> am i in big trouble?

No. You can check out http://www.snort.org for more info.

Nick Rogness - Keep on routing in a Free World... "FreeBSD: The Power to Serve!"

From owner-freebsd-security Thu Mar 8 13:30:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from news.IAEhv.nl (news.iae.nl [212.61.26.37]) by hub.freebsd.org (Postfix) with ESMTP id 9123337B71C for ; Thu, 8 Mar 2001 13:30:17 -0800 (PST) (envelope-from Arjan.deVet@adv.iae.nl) Received: (from uucp@localhost) by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id WAA05290 for security@freebsd.org; Thu, 8 Mar 2001 22:30:15 +0100 (MET) Received: by adv.devet.org (Postfix, from userid 100) id 2C53D462F; Thu, 8 Mar 2001 22:30:00 +0100 (CET) Date: Thu, 8 Mar 2001 22:30:00 +0100 To: security@freebsd.org Subject: Re: ipfw or ipf?
Message-ID: <20010308222959.A91060@adv.devet.org> References: <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Newsgroups: list.freebsd.security In-Reply-To: <200103080229.f282T8E27412@cwsys.cwsent.com> Organization: Eindhoven, the Netherlands From: Arjan.deVet@adv.iae.nl (Arjan de Vet) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In article <200103080229.f282T8E27412@cwsys.cwsent.com> Cy Schubert wrote: >Its been reported that the state engine in IP Filter is more mature and >more restrictive because of the checks it does for TCP packets being >within the TCP window. I'm not sure whether IPFW does the same. See the following paper by Guido van Rooij for more information about 'TCP packets being within the TCP window': http://home.iae.nl/users/guido/papers/tcp_filtering.ps.gz Arjan -- Arjan de Vet, Eindhoven, The Netherlands URL: http://www.iae.nl/users/devet/ for PGP key: finger devet@iae.nl To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 8 13:42:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-158.dsl.lsan03.pacbell.net [63.207.60.158]) by hub.freebsd.org (Postfix) with ESMTP id 2D56B37B719 for ; Thu, 8 Mar 2001 13:42:09 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D375466BC4; Thu, 8 Mar 2001 13:42:08 -0800 (PST) Date: Thu, 8 Mar 2001 13:42:08 -0800 From: Kris Kennaway To: Peter Brezny Cc: freebsd-security@freebsd.org Subject: Re: New to Snort. 
Message-ID: <20010308134208.D88665@mollari.cthul.hu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="11Y7aswkeuHtSBEs" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from peter@black.purplecat.net on Thu, Mar 08, 2001 at 12:35:47PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Mar 08, 2001 at 12:35:47PM -0500, Peter Brezny wrote:
> am i in big trouble?

No: snort is a tool for identifying packets which match certain rules. Which ruleset you use determines what types of packets it will match, and these can be arbitrary, even unrelated to security. Like all tools, snort is only useful if you understand what it's telling you and what it means.

The rulesets which snort ships with tend to generate a large number of false positives, especially on busy networks. You either need to tune them by hand, or use a more restrictive ruleset (I use and recommend the ArachNIDS ruleset from www.whitehats.com/ids -- but the same conditions apply as described above, for example on my DSL line at home I get an nmap ping (usually spoofed) about every 3 seconds from someone. If I was a cluebie I'd probably be in a blind panic about someone trying to hack my box, but instead I know it's just someone who desperately wants to get a response out of my IP address for port scanning purposes, perhaps because they don't know how to use nmap properly. Since I have a properly configured firewall, I have nothing to worry about from this rule, and in fact I've removed it to keep my log file size sane.)

As noted by the other respondent, snort questions should go to the snort-users list.
Kris

From owner-freebsd-security Thu Mar 8 13:45:56 2001
Date: Thu, 8 Mar 2001 13:45:48 -0800
From: Robert Clark
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: "write only" fs/files ?
Message-ID: <20010308134548.B49818@darkstar.gte.net>
In-Reply-To: <5.0.2.1.0.20010308130831.03074aa0@marble.sentex.ca>; from mike@sentex.net on Thu, Mar 08, 2001 at 01:21:01PM -0500

It would be nice to figure out what it would take to "flatten" a windows
filesystem so that you'd feel comfortable everything could be restored.
(Except for the position-dependent files.) I've seen this done on W98,
but not anything later.

Of course, it'd be nice to be able to do the same sort of thing with
UNIX as well.
(Not much to do I know.) [RC]

On Thu, Mar 08, 2001 at 01:21:01PM -0500, Mike Tancsa wrote:
>
> We are looking at a new network backup system and are throwing around a
> number of scenarios. We have a mix of co-location servers and want to
> provide a backup service to those who do not provide their own built in
> tape drives. One of the ideas thrown about was some sort of one way backup
> system on a large disk store. For UNIX users, rsync over ssh to a unique
> userID per server is one thought. For Win32 boxes, some combo of samba
> perhaps through PPTP.
>
> One additional feature that would be nice to have would be to provide one
> way backups somehow. i.e. the client machine dumps its data to the backup
> server either into a dump file or tar file or sync'd file system via
> rsync. But, for security purposes, it would be nice to somehow mark that
> data once uploaded as being inaccessible to the client machine. This way
> if their box gets compromised after the backup, they don't have access to
> the data before it gets offloaded to tape.
>
> Comments ?
>
> ---Mike

From owner-freebsd-security Thu Mar 8 13:51:39 2001
Date: Thu, 8 Mar 2001 16:51:29 -0500
From: Nathan Dorfman
To: cjclark@alum.mit.edu
Cc: Mike Silbersack, "Giovanni P. Tirloni", freebsd-security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010308165129.A4252@rtfm.net>
In-Reply-To: <20010306001859.B1367@cjc-desktop.users.reflexcom.com>; from Crist J. Clark on Tue, Mar 06, 2001 at 12:18:59AM -0800

> It is _rarely_ going to be opening TCP sockets and when it does, it
> will be the one initiating them so they will not appear open to a
> connect() scan.

The odds of it happening with two unrelated connections are probably
one in a gazillion, but you can apparently connect to the ephemeral
port assigned to a connect() caller:

    nathan@matrix:~% telnet localhost 1265
    Trying 127.0.0.1...
    Connected to localhost.binary.net.
    Escape character is '^]'.
    ^]
    telnet> ^Z
    Suspended
    nathan@matrix:~% sockstat | grep 1265
    nathan   telnet   7273   3 tcp   127.0.0.1.1265   127.0.0.1.1265
    nathan@matrix:~%

> --
> Crist J. Clark                          cjclark@alum.mit.edu

--
Nathan Dorfman [http://www.rtfm.net]
"The light at the end of the tunnel is the headlight of an approaching train."
--/usr/games/fortune

From owner-freebsd-security Thu Mar 8 14:10:37 2001
Date: Thu, 8 Mar 2001 16:10:31 -0600
From: Scott Johnson
To: freebsd-security@freebsd.org
Subject: Re: New to Snort.
Message-ID: <20010308161031.A23872@ns2.airlinksys.com>
Reply-To: Scott Johnson
In-Reply-To: <20010308134208.D88665@mollari.cthul.hu>; from kris@obsecurity.org on Thu, Mar 08, 2001 at 01:42:08PM -0800

Quoth Kris Kennaway on Thu, Mar 08, 2001 at 01:42:08PM -0800:
> On Thu, Mar 08, 2001 at 12:35:47PM -0500, Peter Brezny wrote:
> > am i in big trouble?
>
> No: snort is a tool for identifying packets which match certain rules.
> Which ruleset you use determines what types of packets it will match,
> and these can be arbitrary, even unrelated to security. Like all
> tools, snort is only useful if you understand what it's telling you
> and what it means.
>
> The rulesets which snort ships with tend to generate a large number of
> false positives, especially on busy networks. You either need to tune
> them by hand, or use a more restrictive ruleset (I use and recommend
> the ArachNIDS ruleset from www.whitehats.com/ids

I download the latest vision.conf from whitehats every night using a
script called update-vision.sh. Find it at:

http://www.whitehats.com/ids/index.html

The script grabs the latest signature file, then removes entries already
in your current libraries. In addition, I have modified the script to use
my own custom ruletypes, so I can have stuff I deem important handled
differently from stuff I don't consider important. Basically I filter the
rules through sed to translate the standard built-in ruletype (alert) to
one of my own, and selectively change some IDS #'s to other ruletypes
depending on how I want it logged. Some I just comment out, because
they're just noise. This is important, since I use syslog to pass me the
alerts in real time. Nothing sucks more than a flood of alerts from
scans. On the other hand, a message on my terminal for something
important I like a lot.

--
Scott Johnson
System/Network Administrator
Airlink Systems

From owner-freebsd-security Thu Mar 8 15:02:00 2001
Date: Thu, 8 Mar 2001 17:55:23 -0500
From: "Mason Harding"
To: "Nathan Dorfman"
Subject: RE: ipfw or ipf?
In-Reply-To: <20010307190222.A72795@rtfm.net>

I run both IPF and IPFW, they can work together beautifully. I use IPF
as my main stateful packet filter, and IPFW with Dummynet for traffic
shaping. Also I use squid for transparent HTTP proxying, and bridging
for my DMZ ports (need to be on the same network as the LAN). It gets
confusing, but it works perfectly :)

Mason

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Nathan Dorfman
Sent: Wednesday, March 07, 2001 7:02 PM
To: freebsd-security@FreeBSD.ORG
Subject: ipfw or ipf?

Hi all,

What should I know before deciding on one of ipf or IPFW for a -stable
machine protecting a small network? From what I recall, ipf had a few
advantages like kernel-space NAT, keeping TCP state, and portability.
What does IPFW do better than ipf? Are there any gross downsides to
either?

Thanks.

--
Nathan Dorfman [http://www.rtfm.net]
"The light at the end of the tunnel is the headlight of an approaching train."
--/usr/games/fortune

From owner-freebsd-security Thu Mar 8 17:36:25 2001
Date: Fri, 9 Mar 2001 02:25:00 +0100
From: Gaute Gullesen
Reply-To: Gaute Gullesen
Message-ID: <16863425663.20010309022500@netcom.no>
To: David Talkington
Cc: freebsd-security@freebsd.org
Subject: Re: [OT] cordless keyboards

On Wednesday, March 07, 2001, 3:05:49 AM, David Talkington wrote:

> My apologies for the OT. After spotting a Logitech cordless keyboard
> in use in one department that I maintain, I scoured the web looking
> for information about the possibility of interception of its signals.
> I've found nothing.
>
> Does anyone know how difficult it might be to sniff one of these
> devices? Logitech marketing info claims that it's "digitally secure",
> but without third-party information to back this up, my innately
> paranoid nature remains cautious, given its 6-10 foot range (more than
> enough to span cubicles or even apartments).

still off topic, but maybe a good reminder, when we're getting into
"that" secure systems.

not only equipment designed to emit radio signals does so. all your
other gear causes electromagnetic radiation as well. monitor images,
serial transmissions, etc. can be picked up from a distance.

my point: if your workers are inclined to sniff that wireless keyboard,
you should know it doesn't take much more work, and not much more
sophisticated equipment to sniff a regular keyboard. i've tested that
myself.

- crazy-b

================================================================
Gaute Gullesen                          phone: +47 922 48 107
Fingerprint: AF90 7B96 9835 AA26 4DCC  D4F7 1B82 110C B5DF 00B1
Support the antiSecurity movement!: http://anti.security.is/
================================================================

From owner-freebsd-security Thu Mar 8 20:37:41 2001
Date: Thu, 8 Mar 2001 20:36:32 -0800
From: "Crist J. Clark"
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: "write only" fs/files ?
Message-ID: <20010308203632.Q1367@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <5.0.2.1.0.20010308130831.03074aa0@marble.sentex.ca>
In-Reply-To: <5.0.2.1.0.20010308130831.03074aa0@marble.sentex.ca>; from mike@sentex.net on Thu, Mar 08, 2001 at 01:21:01PM -0500

On Thu, Mar 08, 2001 at 01:21:01PM -0500, Mike Tancsa wrote:

[snip]

> One additional feature that would be nice to have would be to provide one
> way backups somehow. i.e. the client machine dumps its data to the backup
> server either into a dump file or tar file or sync'd file system via
> rsync. But, for security purposes, it would be nice to somehow mark that
> data once uploaded as being inaccessible to the client machine. This way
> if their box gets compromised after the backup, they don't have access to
> the data before it gets offloaded to tape.

Figure out how to have the files created with the uappnd flag set or
set uchg immediately after they finish a dump. Run the backup server at
elevated securelevel.

--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Fri Mar 9 01:54:12 2001
From: "tjk@tksoft.com"
Message-Id: <200103080951.BAA26560@uno.tksoft.com>
Subject: Re: ipmon via syslog
To: craig@allmaui.com (Craig Cowen)
Date: Thu, 8 Mar 2001 01:51:33 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3AA73B79.94509AB0@allmaui.com> from "Craig Cowen" at Mar 07, 2001 11:57:45 PM

You need to restart (or send a HUP to) syslogd.

Other applications which generate log entries (and don't go through
syslogd) might need their own restarts, e.g. httpd.

/etc/syslog.conf tells you the syslogd controlled files.

Troy

>
> Whenever my log rolls over there is a four hour lag.
> That is, no logging for the first four hours of the new log file.
>
> Any suggestions?
>

From owner-freebsd-security Fri Mar 9 01:54:16 2001
From: "tjk@tksoft.com"
Message-Id: <200103081111.DAA28826@uno.tksoft.com>
Subject: Re: ipmon via syslog
To: craig@allmaui.com (Craig Cowen)
Date: Thu, 8 Mar 2001 03:11:23 -0800 (PST)
Cc: tjk@tksoft.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <3AA75B26.B2C62001@allmaui.com> from "Craig Cowen" at Mar 08, 2001 02:12:54 AM

It depends. You might have a cron entry for rotating logs with
"newsyslog." In that case you could specify the daemon to send a signal
to, in the /etc/newsyslog.conf file.

The /etc/newsyslog.conf has lines like this:

    /var/log/ipf.log    664  3     5000  604800  Z  /var/run/syslog.pid

This would send a HUP signal to syslog when the logs are rotated
(at 5 Mb, not more often than once a week).

Troy

>
> That doesn't seem reasonable.
> are you saying that I need to know when it rolls over and then manually
> restart syslogd?
>
> I am starting ipmon on boot up via
>
> ipmon -s -a -D
>
> my syslog.conf has this line:
>
> local0.*    /var/log/ipf.log
>
> newsyslog.conf:
>
> /var/log/ipf.log    600  40  1024  *  Z  /var/run/ipmon.pid
>
> "tjk@tksoft.com" wrote:
>
> > You need to restart (or send a HUP to) syslogd.
> >
> > Other applications which generate log entries (and don't
> > go through syslogd), might need their own restarts. E.g.
> > httpd.
> >
> > /etc/syslog.conf tells you the syslogd controlled files.
> >
> > Troy
> >
> > > Whenever my log rolls over there is a four hour lag.
> > > That is, no logging for the first four hours of the new log file.
> > >
> > > Any suggestions?

From owner-freebsd-security Fri Mar 9 03:05:59 2001
Date: Fri, 9 Mar 2001 20:05:47 +0900
From: "ho-sang, yoon"
To: misc@openbsd.org
Cc: freebsd-security@freebsd.org
Subject: IPsec between OpenBSD and FreeBSD
Message-ID: <20010309200546.A1386@xocah.holywar.net>

Sorry for second question today,
I tried this for entire day, but there's no light on me.
Changed algorithm, changed key, ... but all was in vain.
Can anybody help me out? (I tried manual keying not using racoon or isakmpd)

First, just AH,

o. in OpenBSD

    ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 \
        -key 1234567890123456789012345678901234567890
    ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 \
        -key 1234567890123456789012345678901234567890

    ipsecadm flow -dst b.b.b.b -proto ah -addr a.a.a.a \
        255.255.255.255 b.b.b.b 255.255.255.255 -out -require
    ipsecadm flow -dst a.a.a.a -proto ah -addr b.b.b.b \
        255.255.255.255 a.a.a.a 255.255.255.255 -in -require

o. in FreeBSD

    add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";
    add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";
    spdadd b.b.b.b a.a.a.a any -P out ipsec \
        ah/transport/b.b.b.b-a.a.a.a/require;
    spdadd a.a.a.a b.b.b.b any -P in ipsec \
        ah/transport/a.a.a.a-b.b.b.b/require;

result, checked tcpdump, and found that packets received in real on both
host, but 'checksum mismatch' errors, so pinging is not established.

Second, just ESP,

o. in OpenBSD

    ipsecadm new esp -enc blf -spi 1000 -dst b.b.b.b -src a.a.a.a \
        -key 12349876432167890192837465098273
    ipsecadm new esp -enc blf -spi 3e9 -dst a.a.a.a -src b.b.b.b \
        -key 12349876432167890192837465098273

    ipsecadm flow -dst b.b.b.b -proto esp -addr a.a.a.a \
        255.255.255.255 b.b.b.b 255.255.255.255 -out -require
    ipsecadm flow -dst a.a.a.a -proto esp -addr b.b.b.b \
        255.255.255.255 a.a.a.a 255.255.255.255 -in -require

o. in FreeBSD

    add b.b.b.b a.a.a.a esp 1001 -E blowfish-cbc \
        "12349876432167890192837465098273";
    add a.a.a.a b.b.b.b esp 4096 -E blowfish-cbc \
        "12349876432167890192837465098273";
    spdadd b.b.b.b a.a.a.a any -P out ipsec \
        esp/transport/b.b.b.b-a.a.a.a/require;
    spdadd a.a.a.a b.b.b.b any -P in ipsec \
        esp/transport/a.a.a.a-b.b.b.b/require;

result, same as above 'ah only' case, but different error, 'bad pad
length' error in tcpdump checking.

Any help will be greatly appreciated,

* Please CC to me, I'm not on this list.
From owner-freebsd-security Fri Mar 9 03:58:36 2001
Message-ID: <017a01c0a890$82873570$35323dd4@hwh.nl>
From: "Remy Wetzels"
To: "ho-sang, yoon"
References: <20010309200546.A1386@xocah.holywar.net>
Subject: Re: IPsec between OpenBSD and FreeBSD
Date: Fri, 9 Mar 2001 13:00:18 +0100
Organization: HWH multimedia support bv

From: "ho-sang, yoon"
> Sorry for second question today,
> I tried this for entire day, but there's no light on me.
> Changed algorithm, changed key, ... but all was in vain.
> Can anybody help me out? (I tried manual keying not using racoon or isakmpd)
>
> First, just AH,
>
> o. in OpenBSD
>
> ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 \
> -key 1234567890123456789012345678901234567890
> [CUT INFO]
> o. in FreeBSD
>
> add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";

The difference is that OpenBSD keys are in HEX and FreeBSD are in ASCII
(or v.v.?, can't remember exactly). We got IPsec running here between
OpenBSD and FreeBSD, no problem at all...

- Remy.
--
Remy Wetzels, Director R & D                         remy@hwh.nl
HWH multimedia support bv                            info@hwh.nl
POBox 6535, 5600 HM Eindhoven, The Netherlands.      WWW: http://www.hwh.nl/
Tel: +31-40-2467127   Fax: +31-40-2460265            WAP: http://www.hwh.nl/wml/

From owner-freebsd-security Fri Mar 9 04:11:13 2001
To: "ho-sang, yoon"
Cc: misc@openbsd.org, freebsd-security@freebsd.org
In-reply-to: tsoi's message of Fri, 09 Mar 2001 20:05:47 JST. <20010309200546.A1386@xocah.holywar.net>
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPsec between OpenBSD and FreeBSD
From: itojun@iijlab.net
Date: Fri, 09 Mar 2001 21:10:31 +0900
Message-ID: <1510.984139831@coconut.itojun.org>

>Sorry for second question today,
>I tried this for entire day, but there's no light on me.
>Changed algorithm, changed key, ... but all was in vain.
>Can anybody help me out? (I tried manual keying not using racoon or isakmpd)
>
>First, just AH,
>
>o. in OpenBSD
>
>ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 \
>-key 1234567890123456789012345678901234567890
>
>ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 \
>-key 1234567890123456789012345678901234567890
>
>ipsecadm flow -dst b.b.b.b -proto ah -addr a.a.a.a \
>255.255.255.255 b.b.b.b 255.255.255.255 -out -require
>ipsecadm flow -dst a.a.a.a -proto ah -addr b.b.b.b \
>255.255.255.255 a.a.a.a 255.255.255.255 -in -require
>
>
>o. in FreeBSD
>
>add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";
>add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";
>spdadd b.b.b.b a.a.a.a any -P out ipsec \
>ah/transport/b.b.b.b-a.a.a.a/require;
>spdadd a.a.a.a b.b.b.b any -P in ipsec \
>ah/transport/a.a.a.a-b.b.b.b/require;

the key to IPsec configuration is to use EXACTLY the same configuration
on both ends. if there's any difference, you have no chance to make them
interoperate. there are three mistakes at least:

- openbsd side is using new AH (RFC2402), while freebsd side is using
  old AH (RFC1826). i suggest you to use new AH for both ends.
- openbsd side is using sha1 (= hmac-sha1) and freebsd side is using
  keyed-md5. you can pick either of them, but you really need to use
  the same thing for both ends.
- key does not match in both ends. FreeBSD key in the above is ascii
  string, which would be 0x31323334... if written in binary form.
  openbsd side uses binary form. you need to use the same value, as
  binary. the easiest way is to use hexadecimal form for both ends, like:

      openbsd: -key 1234567890123456789012345678901234567890
      freebsd: -A hmac-sha1 0x1234567890123456789012345678901234567890

i omit the analysis for esp case. carefully check if ALL the
configuration items are the same, and if not, change them so that they
meet up.
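A small Python model of the third point above (the key encoding), added here as an illustration and not part of itojun's reply or of either project's code: it decodes the same key argument the way each tool does, computes the AH HMAC-SHA1-96 integrity check value over a constructed packet, and shows that the receiver verifies it only when both sides decode to the same bytes. The key arguments are the ones from the original post; the packet bytes are constructed, and the old-AH / keyed-md5 half of the problem is not modelled.

```python
import hashlib
import hmac

# Added illustration, not code from the thread. It models only the
# key-encoding mismatch: new AH (RFC 2402) with HMAC-SHA1-96 is assumed
# on both ends; ah-old / keyed-md5 (RFC 1826/1828) is not modelled.

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC is truncated to 96 bits


def openbsd_key(arg):
    """Decode an ipsecadm '-key' argument: hex digits, read as binary."""
    return bytes.fromhex(arg)


def freebsd_key(token):
    """Decode a setkey key token: "..." is a literal ASCII string, 0x... is hex."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode("ascii")
    if token.startswith("0x"):
        return bytes.fromhex(token[2:])
    raise ValueError("unrecognised setkey key syntax: %r" % (token,))


def ah_icv(key, authenticated_bytes):
    """Integrity Check Value the sender places in the AH header."""
    return hmac.new(key, authenticated_bytes, hashlib.sha1).digest()[:ICV_LEN]


def receiver_verifies(sender_key, receiver_key, authenticated_bytes):
    """True when the receiver's recomputed ICV matches the one that was sent."""
    sent = ah_icv(sender_key, authenticated_bytes)
    recomputed = ah_icv(receiver_key, authenticated_bytes)
    return hmac.compare_digest(sent, recomputed)


# Key arguments as typed in the original post (OpenBSD side) and the two
# FreeBSD spellings: the posted ASCII string and the hexadecimal form.
OPENBSD_KEY_ARG = "1234567890123456789012345678901234567890"
FREEBSD_KEY_ARG_ASCII = '"1234567890123456"'
FREEBSD_KEY_ARG_HEX = "0x1234567890123456789012345678901234567890"

# Constructed stand-in for the immutable header fields plus payload that AH
# authenticates; any byte string serves for the comparison.
SAMPLE_AUTHENTICATED_BYTES = b"\x45\x00\x00\x54" + b"ICMP echo request (constructed)"


def compare_setups():
    """Map setup name -> whether the FreeBSD receiver accepts the OpenBSD packet."""
    openbsd = openbsd_key(OPENBSD_KEY_ARG)
    return {
        "ascii-key": receiver_verifies(
            openbsd, freebsd_key(FREEBSD_KEY_ARG_ASCII), SAMPLE_AUTHENTICATED_BYTES),
        "hex-key": receiver_verifies(
            openbsd, freebsd_key(FREEBSD_KEY_ARG_HEX), SAMPLE_AUTHENTICATED_BYTES),
    }


if __name__ == "__main__":
    print("OpenBSD key bytes :", openbsd_key(OPENBSD_KEY_ARG).hex())
    print("FreeBSD ASCII key :", freebsd_key(FREEBSD_KEY_ARG_ASCII).hex())
    print("FreeBSD hex key   :", freebsd_key(FREEBSD_KEY_ARG_HEX).hex())
    for name, ok in compare_setups().items():
        print("%-10s receiver %s" % (name, "accepts" if ok else "reports ICV mismatch"))
```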
itojun

From owner-freebsd-security Fri Mar 9 04:42:33 2001
Message-ID: <3AA8CF5B.17AFBCB8@algroup.co.uk>
Date: Fri, 09 Mar 2001 12:40:59 +0000
From: Adam Laurie
Organization: A.L. Group plc
To: Rob Simmons
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: "write only" fs/files ?

Rob Simmons wrote:
>
> There isn't a windows client for amanda. What you have to do is use
> smbclient and gnutar. The windows section of your amanda backup will be
> the weak link since the passwords are only encrypted with NT1.
>

Ah. However, it doesn't need to be weakened for NT - I've tunnelled samba
mounts through SSH so it should be possible with stunnel as well.

> For the *nix boxen, stunnel is a good idea. Kerberos v4 is supported in
> amanda, which can be used for authentication as well as encrypting the
> dump itself.

stunnel also supports client cert authentication.

cheers,
Adam
--
Adam Laurie                     Tel: +44 (20) 8742 0755
A.L. Digital Ltd.               Fax: +44 (20) 8742 5995
Voysey House                    http://www.thebunker.net
Barley Mow Passage              http://www.aldigital.co.uk
London W4 4GB                   mailto:adam@algroup.co.uk
UNITED KINGDOM                  PGP key on keyservers

From owner-freebsd-security Fri Mar 9 11:22:11 2001
Date: Sat, 10 Mar 2001 02:20:18 +0700 (JAVT)
From: Q Yai QQ
To: security@FreeBSD.ORG
Cc: security@FreeBSD.ORG
Subject: OOT
In-Reply-To: <20010308222959.A91060@adv.devet.org>

hai guys,..

how to display expire user,.

so ,. if any body login to server,..

messages will appear some kind like this:

"your expiration date is mm-dd-yy"

i am very thankful if u can explain it to me,..
riki@unila.ac.id
visit my homepage and sign my guestbook
http://unilanet.unila.ac.id/~qq

From owner-freebsd-security Fri Mar 9 14:19:24 2001
Date: Fri, 9 Mar 2001 17:18:51 -0500 (EST)
From: Trevor Johnson
To: Q Yai QQ
Subject: Re: OOT
Message-ID: <20010309170206.E7303-100000@blues.jpj.net>

> hai guys,..

Hi!

> how to display expire user,.
>
> so ,. if any body login to server,..
>
> messages will appear some kind like this:
>
> "your expiration date is mm-dd-yy"

    # pw user mod -e 10-mar-2001 -n username

Please follow up on -questions, if necessary.
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Fri Mar 9 15:54:48 2001
Date: Fri, 9 Mar 2001 17:54:32 -0600 (CST)
From: David Talkington
To: Gaute Gullesen
Subject: Re: [OT] cordless keyboards
In-Reply-To: <16863425663.20010309022500@netcom.no>

Gaute Gullesen wrote:

> my point: if your workers are inclined to sniff that wireless
> keyboard, you should know it doesn't take much more work, and not much
> more sophisticated equipment to sniff a regular keyboard. i've tested
> that myself.

Good point. Thanks to all who offered thoughts. I have access to two
sets, one trackball-only and one mouse/keyboard, and have discovered that
the pointing devices are, in fact, interoperable between the two
transmitters. That's cause enough for concern about the keyboard.

By the way, how often is this list's archive updated? I lost the 12 hours
of mail following my original post, and when I tried to check the archives
for the thread, found no mention of this topic.
-d

--
David Talkington
Prairienet
dtalk@prairienet.org
217-244-1962
PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

From owner-freebsd-security Fri Mar 9 16:03:08 2001
Date: Fri, 9 Mar 2001 16:02:18 -0800
From: Steve Reid
To: Will Mitayai Keeso Rowe
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: strange messages
Message-ID: <20010309160218.A3423@grok.bc.hsia.telus.net>
References: <200103081428.GAA02075@uno.tksoft.com>

On Thu, Mar 08, 2001 at 09:33:30AM -0500, Will Mitayai Keeso Rowe wrote:
> But, i still have a question... how can i better log attempts to hack my
> machine's rpc.statd? It would be nice to have an IP of the connecting box so
> i can see if they are doing it remotely or by an account on my machine.
I believe Snort will detect this and many other things. That's exactly what
IDS'es are for.

From owner-freebsd-security Fri Mar 9 16:08:17 2001
Date: Fri, 9 Mar 2001 18:08:05 -0600 (CST)
From: David Talkington
To: Gaute Gullesen
Subject: Re: [OT] cordless keyboards

David Talkington wrote:

> By the way, how often is this list's archive updated? I lost the 12
> hours of mail following my original post, and when I tried to check
> the archives for the thread, found no mention of this topic.

My apologies; I found my answer.
-d

--
David Talkington
Prairienet
dtalk@prairienet.org
217-244-1962
PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

From owner-freebsd-security Sat Mar 10 17:26:40 2001
Date: Sun, 11 Mar 2001 10:26:22 +0900
Message-ID: <7m66hhm6yp.wl@waterblue.imgsrc.co.jp>
From: Jun Kuriyama
To: "Elliott Perrin"
Subject: VRRP port
In-Reply-To: <02b601c0a7fa$c5cccd90$0c01a8c0@bottleneck2000>
References: <3AA7C0EC.51E9ECEA@softweyr.com> <02b601c0a7fa$c5cccd90$0c01a8c0@bottleneck2000>

At 8 Mar 2001 18:03:36 GMT, Elliott Perrin wrote:
> I have not updated my ports collection here at work, but would be interested to know where
> I can get source for vrrp. I tried the FBSD site but it is not yet listed in the ports
> section. Any ideas?

VRRP port is stored in PR, not yet committed. Please see:

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25276

--
Jun Kuriyama // IMG SRC, Inc. // FreeBSD Project

From owner-freebsd-security Sat Mar 10 20:18:45 2001
Message-ID: <3AAAFD65.8662806C@m2.qc.ca>
Date: Sat, 10 Mar 2001 23:21:57 -0500
From: Mathieu Mourez
To: security@FreeBSD.ORG
Subject: Re: security-digest V5 #71

Hi,

The homepage for VRRPd for Linux is:
http://w3.arobas.net/~jetienne/vrrpd/index.html

I've found a version ported to FreeBSD at:
ftp://ftp.dev.express.ru/pub/FreeBSD/utils/vrrpd.tgz

Cheers,

- Matt -

----- Original Message -----
Date: Thu, 8 Mar 2001 13:08:25 -0500
From: "Elliott Perrin"
Subject: Re: ipfw or ipf?

I have not updated my ports collection here at work, but would be interested to
know where I can get source for vrrp. I tried the FBSD site but it is not yet
listed in the ports section. Any ideas?
+----------------------------------------------------------+
| Mathieu Mourez                  matt@loki.home.m2.qc.ca  |
| BOFH                            514.996.9626             |
| 655F 2C89 9A33 60BB 5C88 65FC ED45 8A55 D735 42D8        |
+----------------------------------------------------------+

From owner-freebsd-security Sat Mar 10 20:35:22 2001
Message-Id: <200103110435.f2B4ZHw04676@ns1.unixathome.org>
From: "Dan Langille"
To: security@freebsd.org
Cc: dan@langille.org
Date: Sun, 11 Mar 2001 17:35:16 +1300
Subject: temp files for security/logcheck

The port security/logcheck creates /usr/local/etc/tmp[1] and chmod's it
to 700. It does that because the temp files it creates and uses need to
be relatively secure. It writes out several files that could cause problems
if a user made links, etc.

Does anyone see any issues which we need to deal with? e.g. the
security of this directory, the name of this directory...

[1] - Prior to a recent port change, it used /usr/local/etc/tmp

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work? I'm looking for some.
From owner-freebsd-security Sat Mar 10 20:45:08 2001
Date: Sat, 10 Mar 2001 23:47:16 -0500
From: Will Andrews
To: Dan Langille
Cc: security@FreeBSD.ORG
Subject: Re: temp files for security/logcheck
Message-ID: <20010310234716.S45561@ohm.physics.purdue.edu>
In-Reply-To: <200103110435.f2B4ZHw04676@ns1.unixathome.org>

On Sun, Mar 11, 2001 at 05:35:16PM +1300, Dan Langille wrote:
> The port security/logcheck creates /usr/local/etc/tmp[1] and chmod's it
> to 700. It does that because the temp files it creates and uses need to
> be relatively secure. It writes out several files that could cause problems
> if a user made links, etc.
>
> Does anyone see any issues which we need to deal with? e.g. the
> security of this directory, the name of this directory...

If logcheck needs secure tempfiles, it can chmod them. Or if it needs a dir
to itself, it can have a /usr/local/var/tmp/logcheck/ directory.

--
wca

From owner-freebsd-security Sat Mar 10 20:45:23 2001
Date: Sat, 10 Mar 2001 23:45:19 -0500
From: Pete Fritchman
To: Dan Langille
Cc: security@freebsd.org
Subject: Re: temp files for security/logcheck
Message-ID: <20010310234519.A68252@databits.net>
In-Reply-To: <200103110435.f2B4ZHw04676@ns1.unixathome.org>

It seems logical that the port should just use ${TMPDIR}/.logcheck/ or
something of that nature. Does it need to be there permanently? Or can
it just be created/deleted when the program is started/stopped? I saw
the thread on -ports earlier but didn't get a chance to respond.
-pete

++ 11/03/01 17:35 +1300 - Dan Langille:
>The port security/logcheck creates /usr/local/etc/tmp[1] and chmod's it
>to 700. It does that because the temp files it creates and uses need to
>be relatively secure. It writes out several files that could cause problems
>if a user made links, etc.
>
>Does anyone see any issues which we need to deal with? e.g. the
>security of this directory, the name of this directory...
>
>[1] - Prior to a recent port change, it used /usr/local/etc/tmp
>
>--
>Dan Langille
>pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
>got any work? I'm looking for some.

--
Pete Fritchman
Databits Network Services, Inc.
finger petef@databits.net for PGP key

From owner-freebsd-security Sat Mar 10 20:48:11 2001
Message-Id: <200103110447.f2B4lww04741@ns1.unixathome.org>
From: "Dan Langille"
To: Pete Fritchman
Cc: security@freebsd.org
Date: Sun, 11 Mar 2001 17:47:58 +1300
Subject: Re: temp files for security/logcheck
In-reply-to: <20010310234519.A68252@databits.net>
References: <200103110435.f2B4ZHw04676@ns1.unixathome.org>

AFAIK, the files disappear each time the script is run:

umask 077
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
    echo "Log files exist in $TMPDIR directory that cannot be removed. This may be an attempt to spoof the log checker." \
        | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
    exit 1
fi

On 10 Mar 2001, at 23:45, Pete Fritchman wrote:

> It seems logical that the port should just use ${TMPDIR}/.logcheck/ or
> something of that nature. Does it need to be there permanently? Or can
> it just be created/deleted when the program is started/stopped? I saw
> the thread on -ports earlier but didn't get a chance to respond.
>
> -pete
>
> ++ 11/03/01 17:35 +1300 - Dan Langille:
> >The port security/logcheck creates /usr/local/etc/tmp[1] and chmod's it
> >to 700. It does that because the temp files it creates and uses need to
> >be relatively secure. It writes out several files that could cause problems
> >if a user made links, etc.
> >
> >Does anyone see any issues which we need to deal with? e.g. the
> >security of this directory, the name of this directory...
> >
> >[1] - Prior to a recent port change, it used /usr/local/etc/tmp
> >
> >--
> >Dan Langille
> >pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
> >got any work? I'm looking for some.
>
> --
> Pete Fritchman
> Databits Network Services, Inc.
> finger petef@databits.net for PGP key

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work? I'm looking for some.
From owner-freebsd-security Sat Mar 10 22:49:52 2001
Message-ID: <3AAB2008.E35A125D@ahpcns.com>
Date: Sun, 11 Mar 2001 00:49:45 -0600
From: jomor
To: freebsd-security@freebsd.org
Subject: IPSEC tunnel & setkey, How do I tell if setkey worked?

I'm finally trying to get a VPN set up between home (DSL) and work (T-1).
I've been running FreeBSD on my home firewall for a few years and now I
want it to be an IPSEC tunnel endpoint. The other end will be another
freeBSD box first, and maybe eventually a Watchguard firebox2 firewall
"appliance". I'm testing off-line for now.

I haven't been able to find any info on integrating my ipfw rules with the
tunnel so I've got test boxes set up in an "open" firewall config. I figure
I'll get the tunnel up first and then break it while I try different ipfw
rules.

My kernels have the IPSEC and IPSEC_ESP options included.
I have the following "/etc/ipsec.conf" files

Host 1

add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest" ;
add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest" ;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;
spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;

Host 2

add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.169.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;

both are running with gateway enabled, firewall "OPEN" and natd running.
The 192.168.98.x addresses are what would normally be their public
interfaces.

"setkey -f /etc/ipsec.conf" runs without generating any errors, "setkey -D"
and "setkey -D -P" display my entries OK, but I was expecting to see
"netstat -nr" to show routes for the tunnel, or "ifconfig -a" to show some
change in at least one of my "gifn" interfaces but I'm not seeing it.

So I thought I'd run "gifconfig", "ifconfig" and "route add" to set up the
tunnel first (modifying the ipsec.conf files to use the gif0 addresses).
While that did set up a functioning tunnel, I didn't see any evidence of
encryption happening. The tunnel kept working even if I ran setkey on only
one of the endpoints.

What am I missing (or doing wrong)?

Things have been a little more complex than they need to be since one of
my test "firewalls" is a laptop and getting two PCMCIA Ethernet cards to
work at the same time has been a challenge.

All help is much appreciated.
tia

...jgm

From owner-freebsd-security Sat Mar 10 22:53:49 2001
Date: Sat, 10 Mar 2001 22:53:46 -0800
From: Kris Kennaway
To: Dan Langille
Cc: Pete Fritchman, security@freebsd.org
Subject: Re: temp files for security/logcheck
Message-ID: <20010310225345.A14180@mollari.cthul.hu>
In-Reply-To: <200103110447.f2B4lww04741@ns1.unixathome.org>
References: <200103110435.f2B4ZHw04676@ns1.unixathome.org> <20010310234519.A68252@databits.net> <200103110447.f2B4lww04741@ns1.unixathome.org>

On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote:
> AFAIK, the files disappear each time the script is run:
>
> umask 077
> rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
[...]

Blah, that's an insecure way to create files in $TMPDIR (which is
usually /tmp). It needs to use mktemp(1).
Kris

From owner-freebsd-security Sat Mar 10 23:02:43 2001
Date: Sat, 10 Mar 2001 23:08:43 -0800
From: Greg White
To: FreeBSD Security
Subject: Re: temp files for security/logcheck
Message-ID: <20010310230843.A26101@greg.cex.ca>
In-Reply-To: <20010310225345.A14180@mollari.cthul.hu>

On Sat, Mar 10, 2001 at 10:53:46PM -0800, Kris Kennaway wrote:
> On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote:
> > AFAIK, the files disappear each time the script is run:
> >
> > umask 077
> > rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
> [...]
>
> Blah, that's an insecure way to create files in $TMPDIR (which is
> usually /tmp). It needs to use mktemp(1).
>
> Kris

It is in general, but not in this case.
The script and the directory are mode 0700 -- this makes it difficult for
it to be insecure. $TMPDIR is explicitly set.

--
Greg White
Those who make peaceful revolution impossible will make violent revolution
inevitable. -- John F. Kennedy

From owner-freebsd-security Sat Mar 10 23:58:43 2001
Message-Id: <200103110758.f2B7wcw05889@ns1.unixathome.org>
From: "Dan Langille"
To: freebsd-security@freebsd.org
Date: Sun, 11 Mar 2001 20:58:37 +1300
Subject: Re: temp files for security/logcheck
In-reply-to: <20010310230843.A26101@greg.cex.ca>

On 10 Mar 2001, at 23:08, Greg White wrote:

> On Sat, Mar 10, 2001 at 10:53:46PM -0800, Kris Kennaway wrote:
> > On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote:
> > > AFAIK, the files disappear each time the script is run:
> > >
> > > umask 077
> > > rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
> > [...]
> >
> > Blah, that's an insecure way to create files in $TMPDIR (which is
> > usually /tmp). It needs to use mktemp(1).
> >
> > Kris
>
> It is in general, but not in this case. The script and the directory are
> mode 0700 -- this makes it difficult for it to be insecure. $TMPDIR is
> explicitly set.

Well, unless I hear otherwise, I'll leave the port as is. Perhaps using
/usr/local/var/tmp/logcheck/ is a better idea. But until we come up with
a formal policy, I'll leave this for a future improvement.

Thanks folks.

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work? I'm looking for some.
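The logcheck fragment Dan quoted in this thread removes and re-creates $TMPDIR/check.$$ under names anyone can predict, which is what Kris objects to, and Greg's reply rests on $TMPDIR being a 0700 directory. The following is an added example, not the logcheck port's own code, of doing both in POSIX sh: first verify that the scratch directory really is private, then let mktemp(1) pick the names so each file is created atomically with mode 0600. The logcheck.XXXXXX template and the BSD stat(1) fallback are my assumptions.

```shell
#!/bin/sh
# Added example (not the logcheck port's code): private scratch directory plus
# mktemp(1)-chosen file names, instead of "rm -f $TMPDIR/check.$$" followed by
# a -f test, which leaves a window between the check and the later open.

# Print the permission bits of a path in octal: GNU stat first, BSD stat as
# the fallback (assumption: one of the two is installed).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# tmpdir_is_private DIR: succeed only if DIR is a real directory (not a
# symlink), owned by the caller and mode 0700. That is the precondition under
# which predictable names inside it are out of reach of other local users.
tmpdir_is_private() {
    d=$1
    [ ! -L "$d" ] || return 1
    [ -d "$d" ] || return 1
    [ -O "$d" ] || return 1
    [ "$(mode_of "$d")" = "700" ]
}

# make_private_tmpdir: create a fresh 0700 directory with a random name below
# ${TMPDIR:-/tmp} and print its path (a per-run version of the private
# /usr/local/var/tmp/logcheck/ directory suggested in the thread).
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/logcheck.XXXXXX"
}

# make_scratch_file DIR: create one unpredictable 0600 file inside DIR and
# print its name. mktemp opens it with O_EXCL, so a link dropped at a guessed
# name beforehand makes the call fail instead of being followed.
make_scratch_file() {
    mktemp "$1/check.XXXXXX"
}

# scratch_file_is_sane FILE: a regular file, not a symlink, ours, mode 0600.
scratch_file_is_sane() {
    f=$1
    [ ! -L "$f" ] && [ -f "$f" ] && [ -O "$f" ] && [ "$(mode_of "$f")" = "600" ]
}

# Typical run: set up, check, work, and clean up on exit or on a signal.
logcheck_run_demo() {
    work=$(make_private_tmpdir) || return 1
    trap 'rm -rf "$work"' EXIT HUP INT TERM
    tmpdir_is_private "$work" || return 1
    report=$(make_scratch_file "$work") || return 1
    printf 'constructed sample report line\n' > "$report"
    scratch_file_is_sane "$report"
}
```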
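Back to jomor's question ("IPSEC tunnel & setkey, How do I tell if setkey worked?"): "setkey -D" and "setkey -D -P" only list what the kernel accepted, not whether the policies and the SAs agree. The following added example, not part of the original post, cross-checks a setkey configuration so that every tunnel named by an spdadd policy has an add entry with the same src-dst pair and reports SAs no policy uses. It assumes the add/spdadd syntax as posted (esp, -m tunnel, no separate auth SA); the two configurations from the post are embedded as constructed copies, and run over them it passes Host 1 and flags Host 2, whose second add line names 192.169.98.17 while its inbound policy expects the tunnel 192.168.98.19-192.168.98.17.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check a setkey(8) file so
# that each "esp/tunnel/A-B" named by an spdadd policy has an "add A B esp"
# SA, in the same source-destination order, and report SAs no policy uses.

# check_ipsec_conf [FILE]: read a setkey configuration from FILE (or stdin),
# print one line per problem, exit 0 when policies and SAs agree, 1 otherwise.
check_ipsec_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    # add SRC DST esp SPI ...  -> remember the SA under the key "SRC-DST"
    $1 == "add" && $4 == "esp" { sa[$2 "-" $3] = $5; next }
    # spdadd SRC DST any -P DIR ipsec esp/tunnel/A-B/LEVEL ; -> needs SA "A-B"
    $1 == "spdadd" {
        dir = "?"
        for (i = 1; i < NF; i++) if ($i == "-P") dir = $(i + 1)
        for (i = 1; i <= NF; i++) if ($i ~ /^esp\/tunnel\//) {
            split($i, p, "/")
            ep = p[3]
            if (ep in sa) used[ep] = 1
            else {
                printf "policy %s -> %s (%s): no SA for tunnel %s\n", $2, $3, dir, ep
                bad++
            }
        }
    }
    END {
        for (ep in sa) if (!(ep in used))
            printf "SA %s (spi %s) is not referenced by any policy\n", ep, sa[ep]
        exit (bad > 0 ? 1 : 0)
    }' "${1:--}"
}

# Host 1 configuration from the post, embedded here as a constructed copy.
sample_host1_conf() {
    cat <<'EOF'
add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest" ;
add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest" ;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;
spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;
EOF
}

# Host 2 configuration from the post, embedded as a constructed copy; note the
# 192.169.98.17 destination in the second add line.
sample_host2_conf() {
    cat <<'EOF'
add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.169.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;
EOF
}
```

Run it as "check_ipsec_conf /etc/ipsec.conf" on each endpoint before "setkey -f"; a clean exit on both hosts still says nothing about the traffic itself, only that the file is internally consistent.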