From owner-freebsd-security Sun Jul 1 4: 6:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from moutvdom00.kundenserver.de (moutvdom00.kundenserver.de [195.20.224.149]) by hub.freebsd.org (Postfix) with ESMTP id 1355537B408 for ; Sun, 1 Jul 2001 04:06:40 -0700 (PDT) (envelope-from moritz@jodeit.org) Received: from [195.20.224.204] (helo=mrvdom00.schlund.de) by moutvdom00.kundenserver.de with esmtp (Exim 2.12 #2) id 15Gf3m-0008Fx-00 for freebsd-security@freebsd.org; Sun, 1 Jul 2001 13:06:38 +0200 Received: from pd9e314fc.dip.t-dialin.net ([217.227.20.252] helo=cypher.local) by mrvdom00.schlund.de with esmtp (Exim 2.12 #2) id 15Gf2u-0007Mw-00 for freebsd-security@FreeBSD.org; Sun, 1 Jul 2001 13:05:44 +0200 Received: (from moritz@localhost) by cypher.local (8.11.4/8.11.4) id f61B5mr00436 for freebsd-security@FreeBSD.org; Sun, 1 Jul 2001 13:05:48 +0200 (CEST) (envelope-from moritz) Date: Sun, 1 Jul 2001 13:05:48 +0200 From: Moritz Jodeit To: freebsd-security@FreeBSD.org Subject: Ports security announcements Message-ID: <20010701130548.A421@cypher.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

is there a mailing list where all security announcements for the ports collection go? I only found freebsd-security-notifications, which seems to be for announcements of the base system only.
Thanks in advance,
Moritz Jodeit

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 1 4: 9:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 2F2B337B403 for ; Sun, 1 Jul 2001 04:09:28 -0700 (PDT) (envelope-from Olivier.Nicole@ait.ac.th) Received: from bazooka.cs.ait.ac.th (on@bazooka.cs.ait.ac.th [192.41.170.2]) by mail.cs.ait.ac.th (8.11.3/8.9.3) with ESMTP id f61BD8p74007; Sun, 1 Jul 2001 18:13:09 +0700 (ICT) From: Olivier Nicole Received: (from on@localhost) by bazooka.cs.ait.ac.th (8.8.5/8.8.5) id SAA24295; Sun, 1 Jul 2001 18:09:12 +0700 (ICT) Date: Sun, 1 Jul 2001 18:09:12 +0700 (ICT) Message-Id: <200107011109.SAA24295@bazooka.cs.ait.ac.th> To: moritz@jodeit.org Cc: freebsd-security@FreeBSD.ORG In-reply-to: <20010701130548.A421@cypher.local> (message from Moritz Jodeit on Sun, 1 Jul 2001 13:05:48 +0200) Subject: Re: Ports security announcements Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This list also announces security patches for the ports.

Olivier

From owner-freebsd-security Sun Jul 1 7:54:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 38AB837B401 for ; Sun, 1 Jul 2001 07:54:31 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id QAA16186; Sun, 1 Jul 2001 16:54:24 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any
organisation or company with which I am or have been affiliated. To: George.Giles@mcmail.vanderbilt.edu Cc: Peter Pentchev , freebsd-security@FreeBSD.ORG Subject: Re: What is ipfw telling me ? References: From: Dag-Erling Smorgrav Date: 01 Jul 2001 16:54:23 +0200 In-Reply-To: Message-ID: Lines: 10 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

George.Giles@mcmail.vanderbilt.edu writes:
> It makes me think that somehow a proxy attack is going on.

It makes *me* think your box is misconfigured. It also makes me think you're not providing sufficient information for anyone to diagnose and solve your problem.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jul 1 14:11: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-9.dsl.lsan03.pacbell.net [64.165.226.9]) by hub.freebsd.org (Postfix) with ESMTP id CBA2E37B403 for ; Sun, 1 Jul 2001 14:11:06 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 5B27F66B23; Sun, 1 Jul 2001 14:11:05 -0700 (PDT) Date: Sun, 1 Jul 2001 14:11:05 -0700 From: Kris Kennaway To: Moritz Jodeit Cc: freebsd-security@FreeBSD.ORG Subject: Re: Ports security announcements Message-ID: <20010701141104.A40726@xor.obsecurity.org> References: <20010701130548.A421@cypher.local> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ibTvN161/egqYuK8" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010701130548.A421@cypher.local>; from moritz@jodeit.org on Sun, Jul 01, 2001 at 01:05:48PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sun, Jul 01, 2001 at 01:05:48PM +0200, Moritz Jodeit wrote:
> Hi,
>
> is there a mailing list, where all security announcements of the ports
> collection are going? I only found freebsd-security-notifications, which seems
> to be for announcements of the base system only.

No, that list is for both.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7P5HnWry0BWjoQKURAn2wAKDwGDKZo4AZKJUFqRaX6B4jHJymiwCgmeR2
VETHeqUEBvgyZ+V4kqS/KRM=
=WUiG
-----END PGP SIGNATURE-----

From owner-freebsd-security Sun Jul 1 16:39: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta5.rcsntx.swbell.net (mta5.rcsntx.swbell.net [151.164.30.29]) by hub.freebsd.org (Postfix) with ESMTP id 697A137B401 for ; Sun, 1 Jul 2001 16:38:56 -0700 (PDT) (envelope-from ryanpek@swbell.net) Received: from mhx800 ([64.219.216.69]) by mta5.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GFT00CDKIVV54@mta5.rcsntx.swbell.net> for freebsd-security@freebsd.org; Sun, 1 Jul 2001 18:35:55 -0500 (CDT) Date: Sun, 01 Jul 2001 18:36:54 -0500 From: Ryan Subject: help with missing files To: freebsd-security@freebsd.org Message-id: <001201c10286$b60af850$01000001@mhx800> MIME-version: 1.0 X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Content-type: multipart/alternative; boundary="----=_NextPart_000_000F_01C1025C.CCFDDAC0" X-MSMail-Priority: Normal X-MimeOLE:
Produced By Microsoft MimeOLE V5.50.4522.1200 X-Priority: 3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I have chrooted apache+php but am having simple problems like not being able to exec uptime. uptime has been moved to /usr/serv/apache/usr/bin/uptime..

Well anyways, here's my little php line I'm trying to get running:

<?php passthru ( "uptime" ); ?>

I get no errors from php, it just doesn't show anything.. I realize it needs a shell to execute, so /usr/serv/apache/bin/bash and /usr/serv/apache/usr/etc/shells are set up correctly. Would there be something that I'm missing? I'm frustrated right now.. It's something to do with the chroot env. What am I missing??

thanks
Ryan
ryanpek@swbell.net
From owner-freebsd-security Sun Jul 1 16:57:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 03DEC37B401 for ; Sun, 1 Jul 2001 16:57:30 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.3/8.11.3) with ESMTP id f6200pU57650; Sun, 1 Jul 2001 20:00:51 -0400 (EDT) Date: Sun, 1 Jul 2001 20:00:51 -0400 (EDT) From: Ralph Huntington To: Ryan Cc: freebsd-security@FreeBSD.ORG Subject: Re: help with missing files In-Reply-To: <001201c10286$b60af850$01000001@mhx800> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Excuse me, but how is this a FreeBSD security question? I would suggest asking this question on a PHP list.

On Sun, 1 Jul 2001, Ryan wrote:
> I have chrooted apache+php but am having simple problems like not being able to exec uptime.
> uptime has been moved to /usr/serv/apache/usr/bin/uptime..
> Well anyways heres my lil php line im tring to get running
>
>
> I get no errors from php, just doesnt show anything.. I realize it needs a shell to execute so /usr/serv/apache/bin/bash
> and /usr/serv/apache/usr/etc/shells is setup correctly. Would there be something that im missing? Im frustruated right now..
> Its something to do with the chroot env. What am i missing??
>
> thanks
> Ryan
> ryanpek@swbell.net

From owner-freebsd-security Sun Jul 1 22:58:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from corp2.cbn.net.id (corp2.cbn.net.id [202.158.3.25]) by hub.freebsd.org (Postfix) with ESMTP id 7816537B401 for ; Sun, 1 Jul 2001 22:58:26 -0700 (PDT) (envelope-from dDnurhad@ThePentagon.com) Received: from dd (unknown [202.158.58.10]) by corp2.cbn.net.id (Postfix) with SMTP id 682BF66E54 for ; Mon, 2 Jul 2001 12:56:30 +0700 (JAVT) Message-ID: <022301c10331$dcb031e0$010a0a0a@dd> From: "dD" To: References: <029701c0f67c$38eeb700$131fa8c0@skynick> Subject: Ctrl_ALT_DEL Date: Mon, 2 Jul 2001 13:01:22 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

How can I prevent someone from hitting Ctrl+Alt+Del in FBSD 4.2?
dD

From owner-freebsd-security Sun Jul 1 23:18:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta5.rcsntx.swbell.net (mta5.rcsntx.swbell.net [151.164.30.29]) by hub.freebsd.org (Postfix) with ESMTP id 13DE137B401 for ; Sun, 1 Jul 2001 23:18:46 -0700 (PDT) (envelope-from ryanpek@swbell.net) Received: from mhx800 ([64.219.216.69]) by mta5.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GFU00AS41E76Y@mta5.rcsntx.swbell.net> for freebsd-security@freebsd.org; Mon, 2 Jul 2001 01:15:43 -0500 (CDT) Date: Mon, 02 Jul 2001 01:16:42 -0500 From: Ryan Subject: chroot question To: freebsd-security@freebsd.org Message-id: <000c01c102be$900f7b20$01000001@mhx800> MIME-version: 1.0 X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Content-type: multipart/alternative; boundary="----=_NextPart_000_0009_01C10294.A7165AC0" X-MSMail-Priority: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 X-Priority: 3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I need uptime for a chroot..
I keep getting this msg in my error logs:

uptime: bad namelist

It won't run inside my jail. Any suggestions? Maybe a file or files I'm missing besides the ones listed by 'ldd uptime'?

ryanpek@swbell.net

From owner-freebsd-security Sun Jul 1 23:22:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp8.xs4all.nl (smtp8.xs4all.nl [194.109.127.134]) by hub.freebsd.org (Postfix) with ESMTP id C0D8737B408 for ; Sun, 1 Jul 2001 23:22:36 -0700 (PDT) (envelope-from wkb@freebie.xs4all.nl) Received: from freebie.xs4all.nl (freebie.xs4all.nl [213.84.32.253]) by smtp8.xs4all.nl (8.9.3/8.9.3) with ESMTP id IAA03587; Mon, 2 Jul 2001 08:22:35 +0200 (CEST) Received: (from wkb@localhost) by freebie.xs4all.nl (8.11.4/8.11.3) id f626MYV03864; Mon, 2 Jul 2001 08:22:34 +0200 (CEST) (envelope-from wkb) Date: Mon, 2 Jul 2001 08:22:34 +0200 From: Wilko Bulte To: dD Cc: freebsd-security@FreeBSD.ORG Subject: Re: Ctrl_ALT_DEL Message-ID: <20010702082234.A3842@freebie.xs4all.nl> References: <029701c0f67c$38eeb700$131fa8c0@skynick> <022301c10331$dcb031e0$010a0a0a@dd> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <022301c10331$dcb031e0$010a0a0a@dd>; from dDnurhad@ThePentagon.com on Mon, Jul 02, 2001 at 01:01:22PM -0700 X-OS: FreeBSD 4.3-STABLE X-PGP: finger wilko@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Jul 02, 2001 at 01:01:22PM -0700, dD wrote:
> How can I do to prevent someone hit Ctrl+alt+del in FBSD 4.2?
options SC_DISABLE_REBOOT # disable reboot key sequence

--
| / o / / _ Arnhem, The Netherlands email: wilko@FreeBSD.org
|/|/ / / /( (_) Bulte http://www.FreeBSD.org

From owner-freebsd-security Mon Jul 2 0:17:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from sunny.pacific.net.sg (sunny.pacific.net.sg [203.120.90.127]) by hub.freebsd.org (Postfix) with ESMTP id 8E1CB37B403 for ; Mon, 2 Jul 2001 00:17:24 -0700 (PDT) (envelope-from nchee_hoong@pacific.net.sg) Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85]) by sunny.pacific.net.sg with ESMTP id f626Nbr16368; Mon, 2 Jul 2001 14:23:37 +0800 (SGT) Received: from pacific.net.sg ([203.208.143.50]) by pop1.pacific.net.sg with ESMTP id PAA10029; Mon, 2 Jul 2001 15:17:21 +0800 (SGT) Message-ID: <3B40214E.3B429453@pacific.net.sg> Date: Mon, 02 Jul 2001 15:22:54 +0800 From: Kelvin Ng Chee Hoong X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: zh-TW,en MIME-Version: 1.0 To: Wilko Bulte Cc: dD , freebsd-security@FreeBSD.ORG Subject: Re: Ctrl_ALT_DEL References: <029701c0f67c$38eeb700$131fa8c0@skynick> <022301c10331$dcb031e0$010a0a0a@dd> <20010702082234.A3842@freebie.xs4all.nl> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi Wilko;

Could you tell me where you get the list of options offered by FBSD 4.2? I read the GENERIC kernel but there is no SC_DISABLE_REBOOT option in that file.

Wilko Bulte wrote:
> On Mon, Jul 02, 2001 at 01:01:22PM -0700, dD wrote:
> > How can I do to prevent someone hit Ctrl+alt+del in FBSD 4.2?
>
> options SC_DISABLE_REBOOT # disable reboot key sequence

From owner-freebsd-security Mon Jul 2 0:19:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 4BD9B37B401 for ; Mon, 2 Jul 2001 00:19:29 -0700 (PDT) (envelope-from on@cs.ait.ac.th) Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5]) by mail.cs.ait.ac.th (8.11.3/8.9.3) with ESMTP id f627NKp77300; Mon, 2 Jul 2001 14:23:20 +0700 (ICT) Received: (from on@localhost) by banyan.cs.ait.ac.th (8.8.5/8.8.5) id OAA09291; Mon, 2 Jul 2001 14:19:18 +0700 (ICT) Date: Mon, 2 Jul 2001 14:19:18 +0700 (ICT) Message-Id: <200107020719.OAA09291@banyan.cs.ait.ac.th> X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to on@banyan.cs.ait.ac.th using -f From: Olivier Nicole To: nchee_hoong@pacific.net.sg Cc: wkb@freebie.xs4all.nl, dDnurhad@ThePentagon.com, freebsd-security@FreeBSD.ORG In-reply-to: <3B40214E.3B429453@pacific.net.sg> (message from Kelvin Ng Chee Hoong on Mon, 02 Jul 2001 15:22:54 +0800) Subject: Re: Ctrl_ALT_DEL References: <029701c0f67c$38eeb700$131fa8c0@skynick> <022301c10331$dcb031e0$010a0a0a@dd> <20010702082234.A3842@freebie.xs4all.nl> <3B40214E.3B429453@pacific.net.sg> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Could you tell me where do you get list of options available which offered by
> FBSD 4.2 ? I read on GENERIC kernel but there is no SC_DISABLE_REBOOT options in
> that file .

/usr/src/sys/i386/conf/LINT

Olivier

From owner-freebsd-security Mon Jul 2 0:21: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.focalnetworks.net (alpha.focalnetworks.net [209.135.104.32]) by hub.freebsd.org (Postfix) with SMTP id 7227337B403 for ; Mon, 2 Jul 2001 00:20:58 -0700 (PDT) (envelope-from project10@alpha.focalnetworks.net) Received: (qmail 40019 invoked by uid 1000); 2 Jul 2001 07:25:38 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 2 Jul 2001 07:25:38 -0000 Date: Mon, 2 Jul 2001 03:25:38 -0400 (EDT) From: Shawn Lussier To: Kelvin Ng Chee Hoong Cc: Wilko Bulte , dD , Subject: Re: Ctrl_ALT_DEL In-Reply-To: <3B40214E.3B429453@pacific.net.sg> Message-ID: <20010702032507.H39976-100000@alpha.focalnetworks.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Kelvin,

Try looking in the 'LINT' file, which contains all kernel options.

-Shawn

On Mon, 2 Jul 2001, Kelvin Ng Chee Hoong wrote:
> Hi Wilko ;
> Could you tell me where do you get list of options available which offered by
> FBSD 4.2 ? I read on GENERIC kernel but there is no SC_DISABLE_REBOOT options in
> that file .
>
> Wilko Bulte wrote:
>
> > On Mon, Jul 02, 2001 at 01:01:22PM -0700, dD wrote:
> > > How can I do to prevent someone hit Ctrl+alt+del in FBSD 4.2?
> >
> > options SC_DISABLE_REBOOT # disable reboot key sequence

From owner-freebsd-security Mon Jul 2 2:25:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id F2F1037B401 for ; Mon, 2 Jul 2001 02:25:38 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from ibmka (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with SMTP id NAA54011; Mon, 2 Jul 2001 13:25:18 +0400 (MSD) Message-ID: <006001c102d8$e9736590$0600a8c0@ibmka.internethelp.ru> From: "Nickolay A.
Kritsky" To: "Ryan" Cc: Subject: Re: chroot question Date: Mon, 2 Jul 2001 13:25:18 +0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

See the Files section of this man page:

----------------------------------------------------------------------
UPTIME(1)              FreeBSD General Commands Manual             UPTIME(1)

NAME
     uptime - show how long system has been running

SYNOPSIS
     uptime

DESCRIPTION
     The uptime utility displays the current time, the length of time the
     system has been up, the number of users, and the load average of the
     system over the last 1, 5, and 15 minutes.

FILES
     /kernel  system name list
----------------------------------------------------------------------

do you have /kernel ?

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Ryan
To: freebsd-security@FreeBSD.ORG
Date: 2 July 2001 10:19
Subject: chroot question

I need uptime for a chroot.. i keep getting this msg in my error logs uptime: bad namelist it wont run inside my jail any suggestions?
maybe a file files im missing besides the ones listed when 'ldd uptime' ryanpek@swbell.net

From owner-freebsd-security Mon Jul 2 2:50: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp4.xs4all.nl (smtp4.xs4all.nl [194.109.6.50]) by hub.freebsd.org (Postfix) with ESMTP id E735437B406 for ; Mon, 2 Jul 2001 02:49:49 -0700 (PDT) (envelope-from wkb@xs4all.nl) Received: from webmail4.xs4all.nl (webmail4.xs4all.nl [194.109.127.38]) by smtp4.xs4all.nl (8.9.3/8.9.3) with ESMTP id LAA17201; Mon, 2 Jul 2001 11:49:11 +0200 (CEST) Received: (from nobody@localhost) by webmail4.xs4all.nl (8.11.1/8.11.1) id f629nuZ61379; Mon, 2 Jul 2001 11:49:56 +0200 (CEST) (envelope-from wkb@xs4all.nl) X-Authentication-Warning: webmail4.xs4all.nl: nobody set sender to wkb@xs4all.nl using -f Received: from 161.114.88.76 (SquirrelMail authenticated user wkb) by webmail.xs4all.nl with HTTP; Mon, 2 Jul 2001 11:49:56 +0200 (CEST) Message-ID: <11199.161.114.88.76.994067396.squirrel@webmail.xs4all.nl> Date: Mon, 2 Jul 2001 11:49:56 +0200 (CEST) Subject: Re: Ctrl_ALT_DEL From: "Wilko Bulte" To: In-Reply-To: <3B40214E.3B429453@pacific.net.sg> References: <3B40214E.3B429453@pacific.net.sg> Cc: , , X-Mailer: SquirrelMail (version 1.1.3 [cvs]) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Hi Wilko ;
> Could you tell me where do you get list of options available which
> offered by
> FBSD 4.2 ? I read on GENERIC kernel but there is no SC_DISABLE_REBOOT
> options in that file .

See /sys/i386/conf/LINT

> Wilko Bulte wrote:
>
>> On Mon, Jul 02, 2001 at 01:01:22PM -0700, dD wrote:
>> > How can I do to prevent someone hit Ctrl+alt+del in FBSD 4.2?
>>
>> options SC_DISABLE_REBOOT # disable reboot key sequence

--
| / o / / _ Arnhem, The Netherlands email: wilko@FreeBSD.org
|/|/ / / /( (_) Bulte http://www.FreeBSD.org

From owner-freebsd-security Mon Jul 2 7:24:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from axis.tdd.lt (axis.tdd.lt [213.197.128.94]) by hub.freebsd.org (Postfix) with ESMTP id 3D1C037B407; Mon, 2 Jul 2001 07:24:44 -0700 (PDT) (envelope-from domas.mituzas@delfi.lt) Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.3/8.11.1) with ESMTP id f62ESEs23507; Mon, 2 Jul 2001 14:28:14 GMT X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs Date: Mon, 2 Jul 2001 14:28:14 +0000 (GMT) From: Domas Mituzas X-X-Sender: To: Cc: Subject: strange inetd behaviour Message-ID: <20010702141425.Y17965-100000@axis.tdd.lt> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

I noticed some strange inetd behaviour under slight load. We have written our custom pop3 load balancer, which is started from inetd as:

pop3 stream tcp nowait/1024/256 creator /usr/local/libexec/p3p p3p

The user database is really constant (no changes during the last 3 months, since the last world rebuild :)

The problem is that during ps observations I found

root 82248 0.0 0.6 1996 752 ?? S 4:02PM 0:00.01 p3p: foo@1.2.3.4 <--> 5.6.7.8 (p3p)

instead of

creator 82248 0.0 0.6 1996 752 ?? S 4:02PM 0:00.01 p3p: foo@1.2.3.4 <--> 5.6.7.8 (p3p)

This means there's some privilege escalation, and that is a Bad Thing (tm). Or there is a ps bug. Or there's an inetd bug. Or there's some other system bug. It's really difficult to reproduce; maybe I'll try to add some hooks to my software to do some environment checking if getuid()==0. But maybe there are some untold issues about the existence of such bugs or.. features?

--
Cheers, Domas {lt.freebsd.org|delfi.lt} systems guy

From owner-freebsd-security Mon Jul 2 12:16:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 5E1AA37B401 for ; Mon, 2 Jul 2001 12:16:48 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 8654 invoked by uid 0); 2 Jul 2001 19:16:47 -0000 Received: from pd950883d.dip.t-dialin.net (HELO speedy.gsinet) (217.80.136.61) by mail.gmx.net (mp020-rz3) with SMTP; 2 Jul 2001 19:16:47 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA13766 for freebsd-security@freebsd.org; Mon, 2 Jul 2001 19:27:20 +0200 Date: Mon, 2 Jul 2001 19:27:20 +0200 From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: chroot question Message-ID: <20010702192720.P17514@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <000c01c102be$900f7b20$01000001@mhx800> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <000c01c102be$900f7b20$01000001@mhx800>; from ryanpek@swbell.net on Mon, Jul 02, 2001 at 01:16:42AM -0500 Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

[ please turn HTML off when sending to public lists ]

On Mon, Jul 02, 2001 at 01:16 -0500, Ryan wrote:
>
> I need uptime for a chroot..
> i keep getting this msg in my error logs
>
> uptime: bad namelist

Is your userland in sync with your kernel? Did you upgrade all the jail code as well as the world after upgrading the kernel? Read "man 8 jail mergemaster" again on how to populate and update a jail environment! It works here and in other locations:

$ ps ww$$
  PID  TT  STAT      TIME COMMAND
75633  p1  SsJ    0:00.37 /usr/local/bin/bash
$ uptime
 7:23PM  up 28 days, 22:01, 7 users, load averages: 0.00, 0.03, 0.00

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
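Ryan's two posts above ask which files a binary needs once it lives under /usr/serv/apache, and the replies point at ldd(1), the FILES section of uptime(1) and jail(8)/mergemaster(8). The script below is an added example, not code from the thread or from FreeBSD: it copies a binary and the objects ldd resolves into a chroot tree, then checks for the files ldd cannot know about. The paths /usr/serv/apache and /usr/bin/uptime come from the posts; the list of extra files to check is my assumption (the uptime(1) FILES section quoted above names /kernel, PHP's passthru() hands its command line to /bin/sh, and FreeBSD's ldd does not list the run-time linker /libexec/ld-elf.so.1). Everything placed in the tree becomes reachable from the web server, so the script prints what is missing instead of guessing; keep the inventory minimal and owned by root, not by the account httpd runs as.

```shell
#!/bin/sh
# Added example (not from the thread): copy one binary and the shared
# objects ldd resolves into a chroot tree, then report the files a chrooted
# command still expects that ldd cannot list.  Paths such as /usr/serv/apache
# are taken from Ryan's post; the extra-file list is an assumption.

# Print the objects an ldd listing resolves to.  Lines look like
#   "libc.so.4 => /usr/lib/libc.so.4 (0x2806a000)"      (FreeBSD)
#   "libc.so.6 => /lib/libc.so.6 (0x...)"               (Linux)
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"               (interpreter, no "=>")
# Entries without a path (linux-vdso.so.1, "not found") are skipped.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// && $2 ~ /^\(/ { print $1 }'
}

# Copy absolute path $2 into chroot $1 at the same relative path.
install_into_chroot() {
    root=$1
    file=$2
    dir=$(dirname "$file")
    mkdir -p "$root$dir" && cp -p "$file" "$root$file"
}

# Install binary $2 plus every object ldd reports for it into chroot $1.
populate_chroot() {
    root=$1
    bin=$2
    install_into_chroot "$root" "$bin" || return 1
    for lib in $(ldd "$bin" 2>/dev/null | libs_from_ldd); do
        install_into_chroot "$root" "$lib" || return 1
    done
}

# missing_in_chroot ROOT PATH...: print each PATH absent under ROOT and
# return 1 if any is missing.  This is where the files ldd does not know
# about go: the namelist uptime(1) reads, the /bin/sh passthru() runs the
# command through, and the run-time linker FreeBSD's ldd omits.
missing_in_chroot() {
    root=$1
    shift
    rc=0
    for f in "$@"; do
        [ -e "$root$f" ] || { echo "missing: $root$f"; rc=1; }
    done
    return $rc
}

# Example run (assumed paths from the post); only executed with "populate".
if [ "${1:-}" = populate ]; then
    populate_chroot /usr/serv/apache /usr/bin/uptime
    missing_in_chroot /usr/serv/apache /bin/sh /kernel /libexec/ld-elf.so.1
fi
```

Run it as `sh populate_chroot.sh populate` on the host, then rerun `missing_in_chroot` after each file you add; the goal is that the printed list is empty and that you can name why each file in the tree is there.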
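Domas's inetd report above ends with the idea of checking getuid()==0 from inside his service. As an added example (not his p3p code and not part of the thread), here is that check done at the inetd boundary instead: a wrapper that inetd starts in place of the daemon, which compares the real and effective uid it was handed with the account named in inetd.conf and refuses the connection on any mismatch before execing the real program. The wrapper path, the --serve flag and the SERVICE_* defaults are assumptions; the inetd.conf line is adapted from the one in the post.

```shell
#!/bin/sh
# Added example (not Domas's p3p): inetd wrapper that refuses to serve a
# connection unless inetd handed it the credentials of the unprivileged
# account from inetd.conf, then execs the real daemon.
#
# Assumed inetd.conf line, adapted from the post (wrapper path is an assumption):
#   pop3 stream tcp nowait/1024/256 creator /usr/local/libexec/p3p-wrap p3p-wrap --serve
SERVICE_USER=${SERVICE_USER:-creator}
SERVICE_BIN=${SERVICE_BIN:-/usr/local/libexec/p3p}

# classify_creds EXPECTED_UID REAL_UID EFFECTIVE_UID
# Prints as_expected, root or other_user.  Kept free of side effects so the
# decision can be checked without running as the service account.
classify_creds() {
    expected=$1
    ruid=$2
    euid=$3
    if [ "$ruid" -eq 0 ] || [ "$euid" -eq 0 ]; then
        echo root
    elif [ "$ruid" -ne "$expected" ] || [ "$euid" -ne "$expected" ]; then
        echo other_user
    else
        echo as_expected
    fi
}

# Start the service only when the credentials check out.  Anything else is
# logged with the uids seen and the connection is dropped: a root p3p
# talking to a network client is exactly the case the post worries about.
serve() {
    expected=$(id -u "$SERVICE_USER") || exit 1
    state=$(classify_creds "$expected" "$(id -ru)" "$(id -u)")
    if [ "$state" != as_expected ]; then
        logger -p daemon.err -t p3p-wrap \
            "refusing to start: $state (ruid=$(id -ru) euid=$(id -u) expected=$expected)"
        exit 1
    fi
    exec "$SERVICE_BIN" "$@"
}

# Only act when inetd passes --serve; sourcing the file defines the functions.
if [ "${1:-}" = --serve ]; then
    shift
    serve "$@"
fi
```

Because the wrapper execs the daemon, ps still shows p3p with its usual title. The check only proves what inetd passed at exec time; it says nothing about a later setuid inside the daemon itself. If the wrapper ever logs `root`, that log line, together with the pid and the inetd.conf entry in force, is the evidence to collect before anyone settles on "ps artefact".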
From owner-freebsd-security Tue Jul 3 7:44:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 3EF8C37B401 for ; Tue, 3 Jul 2001 07:44:26 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.3/8.11.3) with ESMTP id f63EjRU24402 for ; Tue, 3 Jul 2001 10:45:27 -0400 (EDT) Date: Tue, 3 Jul 2001 10:45:27 -0400 (EDT) From: Ralph Huntington To: freebsd-security@FreeBSD.ORG Subject: firewall question In-Reply-To: <20010702192720.P17514@speedy.gsinet> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

The dmesg command shows a lot of these:

ipfw: -1 Refuse TCP W.X.Y.Z:0 A.B.C.D:0 in via fxp0
ipfw: -1 Refuse TCP S.T.U.V:0 A.B.C.D:0 in via fxp0

(The uppercase letters represent the ip addresses)

There are no rules in ipfw blocking packets from addresses W.X.Y.Z or S.T.U.V to host A.B.C.D. Can someone tell me what is going on here? Thanks in advance.

-=r=-

From owner-freebsd-security Tue Jul 3 8:24: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f220.pav1.hotmail.com [64.4.31.220]) by hub.freebsd.org (Postfix) with ESMTP id 79DB137B403 for ; Tue, 3 Jul 2001 08:23:58 -0700 (PDT) (envelope-from bsdforumen@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 3 Jul 2001 08:23:58 -0700 Received: from 212.30.183.2 by pv1fd.pav1.hotmail.msn.com with HTTP; Tue, 03 Jul 2001 15:23:58 GMT X-Originating-IP: [212.30.183.2] From: "Magdalinin Kirill" To: freebsd-security@freebsd.org Subject: weird messages Date: Tue, 03 Jul 2001 19:23:58 +0400 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 03 Jul 2001 15:23:58.0372 (UTC) FILETIME=[2E0E3E40:01C103D4] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello,

can anyone explain what the following system console messages might mean:

Jun 29 19:43:34 myserver ftpd[4429]: /etc/pwd.db: No such file or directory
Jun 30 15:12:12 myserver ftpd[4961]: /etc/pwd.db: No such file or directory

In the /var/log/ftpd.log they are among normal user commands (as they look to me).

The box is 4.1 release, some users can access it via ftp and have their own cgi-bin directories.

Thanks,
Kirill Magdalinin
bsdforumen@hotmail.com
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 3 8:37:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 24C0237B408 for ; Tue, 3 Jul 2001 08:37:32 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 77082 invoked by uid 1000); 3 Jul 2001 15:42:06 -0000 Date: Tue, 3 Jul 2001 18:42:06 +0300 From: Peter Pentchev To: Magdalinin Kirill Cc: freebsd-security@freebsd.org Subject: Re: weird messages Message-ID: <20010703184206.A76046@ringworld.oblivion.bg> Mail-Followup-To: Magdalinin Kirill , freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from bsdforumen@hotmail.com on Tue, Jul 03, 2001 at 07:23:58PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 03, 2001 at 07:23:58PM +0400, Magdalinin Kirill wrote: > Hello, > > can anyone explain what the following system > console messages might mean: > > Jun 29 19:43:34 myserver ftpd[4429]: /etc/pwd.db: > No such file or directory > Jun 30 15:12:12 myserver ftpd[4961]: /etc/pwd.db: > No such file or directory > > In the /var/log/ftpd.log they are among normal user commands > (as they look to me) > > The box is 4.1 release, some users can access it via ftp > and have their own cgi-bin directories. 
If you allow anonymous user logins, or some of your users are chroot'd during ftp logins, then this means that somebody has logged in, has been successfully chroot'd, and has tried to retrieve an /etc/pwd.db file from within a chroot environment, where you have probably not put such a file :)

G'luck,
Peter

-- 
I had to translate this sentence into English because I could not read the original Sanskrit.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 3 8:38:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 8B0E037B403 for ; Tue, 3 Jul 2001 08:38:33 -0700 (PDT) (envelope-from fschapachnik@vianetworks.com.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id MAA97667; Tue, 3 Jul 2001 12:39:35 -0300 (ART) X-Authentication-Warning: ns1.via-net-works.net.ar: fpscha set sender to fschapachnik@vianetworks.com.ar using -f Date: Tue, 3 Jul 2001 12:39:35 -0300 From: Fernando Schapachnik To: Magdalinin Kirill Cc: freebsd-security@FreeBSD.ORG Subject: Re: weird messages Message-ID: <20010703123935.D67153@ns1.via-net-works.net.ar> References: Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: ; from bsdforumen@hotmail.com on Tue, Jul 03, 2001 at 07:23:58PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In an earlier message, Magdalinin Kirill wrote:
> Hello,
> 
> can anyone explain what the following system
> console messages might mean:
> 
> Jun 29 19:43:34 myserver ftpd[4429]: /etc/pwd.db:
> No such file or directory
> Jun 30 15:12:12 myserver ftpd[4961]: /etc/pwd.db:
> No such
file or directory

Seems like you don't have etc/pwd.db in your ftp chrooted environment (just a guess).

Good luck.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 3 8:46:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (Postfix) with ESMTP id 2C16D37B401 for ; Tue, 3 Jul 2001 08:46:33 -0700 (PDT) (envelope-from fullermd@futuresouth.com) Received: (from fullermd@localhost) by shell.futuresouth.com (8.11.1/8.11.1) id f63FkQ405319; Tue, 3 Jul 2001 10:46:26 -0500 (CDT) Date: Tue, 3 Jul 2001 10:46:26 -0500 From: "Matthew D. Fuller" To: Peter Pentchev Cc: Magdalinin Kirill , freebsd-security@FreeBSD.ORG Subject: Re: weird messages Message-ID: <20010703104625.D25927@futuresouth.com> References: <20010703184206.A76046@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010703184206.A76046@ringworld.oblivion.bg>; from roam@orbitel.bg on Tue, Jul 03, 2001 at 06:42:06PM +0300 X-OS: FreeBSD Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jul 03, 2001 at 06:42:06PM +0300, a little birdie told me that Peter Pentchev remarked
> On Tue, Jul 03, 2001 at 07:23:58PM +0400, Magdalinin Kirill wrote:
> > 
> > Jun 29 19:43:34 myserver ftpd[4429]: /etc/pwd.db:
> > No such file or directory
> > Jun 30 15:12:12 myserver ftpd[4961]: /etc/pwd.db:
> > No such file or directory
> 
> If you allow anonymous user logins, or some of your users are
> chroot'd during ftp logins, then this means that somebody
> has logged in, has
> been successfully chroot'd, and has tried
> to retrieve an /etc/pwd.db file from within a chroot environment,
> where you have probably not put such a file :)

To expand:
It's most likely NOT someone trying to fetch it, it's ftpd trying to find it. Think uid -> username mappings in 'ls'.

-- 
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Unix Systems Administrator | fullermd@futuresouth.com
Specializing in FreeBSD | http://www.over-yonder.net/

"The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 3 9: 1:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id E7C7D37B405 for ; Tue, 3 Jul 2001 09:01:07 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from ibmka (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with SMTP id UAA16469 for ; Tue, 3 Jul 2001 20:01:03 +0400 (MSD) Message-ID: <02fb01c103d9$5cd60140$0600a8c0@ibmka.internethelp.ru> From: "Nickolay A. Kritsky" To: Subject: Re: weird messages Date: Tue, 3 Jul 2001 20:01:03 +0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This could be somebody willing to exploit the last glob vulnerability in ftpd (SA-01:33) - it exploited very long directory names starting with '~' (the same as $HOME in bash). In order for the exploit to work, the attacker must have an ftp account with /etc/pwd.db reachable.
In the 3 days after the exploit was released, I found 5 such messages in /var/log/messages. Read the advisory, and see if you are vulnerable!

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Matthew D. Fuller
To: Peter Pentchev
Cc: Magdalinin Kirill ; freebsd-security@FreeBSD.ORG
Date: 3 July 2001 19:47
Subject: Re: weird messages

>
>To expand:
>It's most likely NOT someone trying to fetch it, it's ftpd trying to find
>it. Think uid -> username mappings in 'ls'.
>
>
>
>--
>Matthew Fuller (MF4839) | fullermd@over-yonder.net
>Unix Systems Administrator | fullermd@futuresouth.com
>Specializing in FreeBSD | http://www.over-yonder.net/
>
>"The only reason I'm burning my candle at both ends, is because I
> haven't figured out how to light the middle yet"
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 3 22:19:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 5194A37B408 for ; Tue, 3 Jul 2001 22:19:38 -0700 (PDT) (envelope-from mike@sentex.net) Received: (from root@localhost) by cage.simianscience.com (8.11.4/8.11.2) id f645Jbp07285 for security@freebsd.org; Wed, 4 Jul 2001 01:19:37 -0400 (EDT) (envelope-from mike@sentex.net) Received: from chimp (fcage [192.168.0.2]) by cage.simianscience.com (8.11.4/8.11.2av) with ESMTP id f645JTj07269 for ; Wed, 4 Jul 2001 01:19:30 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20010704010924.00abbdf8@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 04 Jul 2001 01:19:28 -0400 To: security@freebsd.org From: Mike Tancsa Subject: ipfw via gif interface ?
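Following up the replies in the "weird messages" thread above (Matthew Fuller's point that ftpd itself resolves uid to name for 'ls' inside the chroot, and Peter's and Fernando's guess that no pwd.db was ever put there), here is an added example that is not part of any message in this archive and is not FreeBSD code. After ftpd chroots a session, getpwuid() opens /etc/pwd.db relative to the new root, so the lookup fails with "No such file or directory" unless a database exists at <chroot>/etc/pwd.db. The script writes a <chroot>/etc/master.passwd holding only the accounts that own files in the chrooted tree, with the password field forced to '*' and the shell to nologin, so that pwd_mkdb -d can build a pwd.db that satisfies the lookup without copying any password hash into a directory an FTP user can reach. The function names and SAMPLE_MASTER_PASSWD are constructed for the example. This removes the benign cause of the log line; it does nothing about the advisory Nickolay mentions, which is a matter of patching ftpd.

```python
"""Build the passwd database a chrooted ftpd actually consults.

Added example, not code from this thread or from FreeBSD. After ftpd
chroots a session, getpwuid() opens /etc/pwd.db *inside* the chroot, so
the uid -> name lookup that LIST needs fails with 'No such file or
directory' unless a database is put there. This writes
<chroot>/etc/master.passwd with only the accounts that own files in the
tree, hashes replaced by '*' and shells set to nologin; pwd_mkdb -d then
builds pwd.db from it. Names and SAMPLE_MASTER_PASSWD are this example's
own constructed data.
"""
import os
import stat

# Constructed sample in FreeBSD master.passwd format (10 colon-separated
# fields). The hash strings are placeholders, not real password hashes.
SAMPLE_MASTER_PASSWD = """\
# $FreeBSD$
root:$1$saltsalt$notarealhashnotarealhashnota:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
ftp:*:14:5::0:0:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
kirill:$1$saltsalt$notarealhashnotarealhashnota:1001:1001::0:0:Example user:/home/kirill:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

NOLOGIN = "/usr/sbin/nologin"


def uids_in_tree(root):
    """Return the set of uids that own anything under root: those are the
    only names a directory listing inside the chroot can ever need."""
    uids = set()
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            try:
                uids.add(os.lstat(path).st_uid)
            except OSError:
                continue  # vanished or unreadable entry; nothing to map
    return uids


def chroot_master_passwd(master_passwd_text, keep_uids):
    """Filter master.passwd down to keep_uids. Every password field becomes
    '*' and every shell becomes nologin, so the copy inside the chroot can
    resolve uid -> name but carries no hash for an attacker (or a buggy
    daemon) to read, and describes no account that could log in."""
    kept = []
    for line in master_passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("not a master.passwd entry: %r" % line)
        if int(fields[2]) not in keep_uids:
            continue
        fields[1] = "*"          # no hash in the chroot copy
        fields[9] = NOLOGIN      # never a usable login shell
        kept.append(":".join(fields))
    return kept


def write_chroot_master_passwd(chroot, master_passwd_text):
    """Write <chroot>/etc/master.passwd for the uids found in the tree and
    return its path. Build the database afterwards, as root, with:
        pwd_mkdb -d <chroot>/etc <chroot>/etc/master.passwd
    """
    etc = os.path.join(chroot, "etc")
    os.makedirs(etc, exist_ok=True)
    entries = chroot_master_passwd(master_passwd_text, uids_in_tree(chroot))
    path = os.path.join(etc, "master.passwd")
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600, like the system copy
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/ftp"
    with open("/etc/master.passwd") as fh:
        print(write_chroot_master_passwd(target, fh.read()))
```

Run it as root once per chroot root (~ftp for anonymous logins, or each home directory listed in /etc/ftpchroot), then build the database with `pwd_mkdb -d /home/ftp/etc /home/ftp/etc/master.passwd`, and repeat whenever files owned by a new uid appear in the tree (otherwise the listing falls back to numeric uids). Once the database is in place, a further "/etc/pwd.db: No such file or directory" line for that chroot is no longer explained by a listing and deserves a look.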
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is there any reason why the ipfw rule count log logamount 20000 all from any to any via gif0 would not work when traffic is indeed passing through gif0 ? ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 4 0:52:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from snipe.mail.pas.earthlink.net (snipe.mail.pas.earthlink.net [207.217.120.62]) by hub.freebsd.org (Postfix) with ESMTP id 2707337B405 for ; Wed, 4 Jul 2001 00:52:24 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.245.140.168.Dial1.SanJose1.Level3.net [209.245.140.168]) by snipe.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id AAA20267; Wed, 4 Jul 2001 00:52:08 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f647PYH01823; Wed, 4 Jul 2001 00:25:34 -0700 (PDT) (envelope-from cjc) Date: Wed, 4 Jul 2001 00:25:34 -0700 From: "Crist J. 
Clark" To: Ralph Huntington Cc: freebsd-security@FreeBSD.ORG Subject: Re: firewall question Message-ID: <20010704002534.D1476@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20010702192720.P17514@speedy.gsinet> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from rjh@mohawk.net on Tue, Jul 03, 2001 at 10:45:27AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 03, 2001 at 10:45:27AM -0400, Ralph Huntington wrote: > The dmesg command shows a lot of these: > > ipfw: -1 Refuse TCP W.X.Y.Z:0 A.B.C.D:0 in via fxp0 > ipfw: -1 Refuse TCP S.T.U.V:0 A.B.C.D:0 in via fxp0 > > (The uppercase letters represent the ip addresses) > > There are no rules in ipfw blocking packets from addresses W.X.Y.Z or > S.T.U.V to host A.B.C.D. Can someone tell me what is going on here? FINE POINTS o There is one kind of packet that the firewall will always discard, that is a TCP packet's fragment with a fragment offset of one. This is a valid packet, but it only has one use, to try to circumvent firewalls. When logging is enabled, these packets are reported as being dropped by rule -1. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 4 0:57:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 17AF837B407 for ; Wed, 4 Jul 2001 00:57:31 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from ibmka (ibmka.internethelp.ru. 
[192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with SMTP id LAA40865; Wed, 4 Jul 2001 11:57:26 +0400 (MSD) Message-ID: <041701c1045e$f805a140$0600a8c0@ibmka.internethelp.ru> From: "Nickolay A. Kritsky" To: , "Mike Tancsa" Subject: Re: ipfw via gif interface ? Date: Wed, 4 Jul 2001 11:57:26 +0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

"indeed" is not a good word, output from "ipfw show" and "tcpdump -i gif0" would be more convincing.

Happy debug

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Mike Tancsa
To: security@FreeBSD.ORG
Date: 4 July 2001 9:20
Subject: ipfw via gif interface ?

>
>Is there any reason why the ipfw rule
>
>count log logamount 20000 all from any to any via gif0
>
>would not work when traffic is indeed passing through gif0 ?
>
> ---Mike
>--------------------------------------------------------------------
>Mike Tancsa, tel +1 519 651 3400
>Network Administration, mike@sentex.net
>Sentex Communications www.sentex.net
>Cambridge, Ontario Canada www.sentex.net/mike
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 4 1: 8: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.elbayu.com (mail.elbayu.com [12.16.41.112]) by hub.freebsd.org (Postfix) with ESMTP id 03C5B37B407 for ; Wed, 4 Jul 2001 01:07:57 -0700 (PDT) (envelope-from eleanor_19@hotmail.com) Received: from oemcomputer [12.21.14.148] by mail.elbayu.com (SMTPD32-6.06) id AFCE12330136; Wed, 04 Jul 2001 04:03:42 -0300 Message-Id: Date: Wed, 4 Jul 2001 03:10:18 -0300 X-Priority: 3 From: "Eleanor Davis" Reply-To: eleanor_19@hotmail.com X-Mailer: Email Collector & Sender by SBZ systems To: A-L.Heim@t-online.de MIME-Version: 1.0 Subject: my pic that i told you =) Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8Bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

the finest girls and models over the net http://www.erawtic.org/ FOR FREE!!! give them a look.. what can you lose? I don't have much to say.. it's not needed.. you will like them, believe me. att.
Eleanor http://www.erawtic.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 4 1:16:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from harrier.mail.pas.earthlink.net (harrier.mail.pas.earthlink.net [207.217.121.12]) by hub.freebsd.org (Postfix) with ESMTP id 70D2E37B403 for ; Wed, 4 Jul 2001 01:16:26 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.245.140.168.Dial1.SanJose1.Level3.net [209.245.140.168]) by harrier.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id BAA15242; Wed, 4 Jul 2001 01:16:24 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f648GNv02156; Wed, 4 Jul 2001 01:16:23 -0700 (PDT) (envelope-from cjc) Date: Wed, 4 Jul 2001 01:16:23 -0700 From: "Crist J. Clark" To: cjclark@alum.mit.edu Cc: Ralph Huntington , freebsd-security@FreeBSD.ORG Subject: Re: firewall question Message-ID: <20010704011623.G1476@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20010702192720.P17514@speedy.gsinet> <20010704002534.D1476@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010704002534.D1476@blossom.cjclark.org>; from cristjc@earthlink.net on Wed, Jul 04, 2001 at 12:25:34AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jul 04, 2001 at 12:25:34AM -0700, Crist J. 
Clark wrote: > On Tue, Jul 03, 2001 at 10:45:27AM -0400, Ralph Huntington wrote: > > The dmesg command shows a lot of these: > > > > ipfw: -1 Refuse TCP W.X.Y.Z:0 A.B.C.D:0 in via fxp0 > > ipfw: -1 Refuse TCP S.T.U.V:0 A.B.C.D:0 in via fxp0 > > > > (The uppercase letters represent the ip addresses) > > > > There are no rules in ipfw blocking packets from addresses W.X.Y.Z or > > S.T.U.V to host A.B.C.D. Can someone tell me what is going on here? > > FINE POINTS > o There is one kind of packet that the firewall will always discard, > that is a TCP packet's fragment with a fragment offset of one. This > is a valid packet, but it only has one use, to try to circumvent > firewalls. When logging is enabled, these packets are reported as > being dropped by rule -1. Yuck, following up my own post. Anyway, I just wanted to note that I committed a fix to CURRENT that actually logs first fragments as fragments (PR 23446). It should make logs of -1 rules a little more clear. I plan to MFC it in a few days. -- Crist J. 
Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 4 1:49: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 9527137B401 for ; Wed, 4 Jul 2001 01:49:01 -0700 (PDT) (envelope-from anderson@centtech.com) Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id JAA19126; Tue, 3 Jul 2001 09:26:40 -0500 (CDT) Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma019118; Tue, 3 Jul 01 09:26:17 -0500 Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA25805; Tue, 3 Jul 2001 09:26:16 -0500 (CDT) Message-ID: <3B41D60A.79D8E6F7@centtech.com> Date: Tue, 03 Jul 2001 09:26:18 -0500 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686) X-Accept-Language: en MIME-Version: 1.0 To: Joseph Gleason Cc: Joseph Gleason , freebsd-security@freebsd.org Subject: Re: 3 nics - 1 bridge - 2 ips - bad? References: <3B3A0DD7.87EDC7E@centtech.com> <006101c0ff2c$4d75bee0$0a2d2d0a@battleship> <3B3A17A9.5ADF75BA@centtech.com> <002201c0ff2e$fe7c4770$0a2d2d0a@battleship> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Just FYI, it works great! Thanks..

Joseph Gleason wrote:
> 
> I was wrong! Don't listen to my lies!
> 
> I am told that bridging can indeed be enabled and disabled per port via some
> sysctl call.
> 
> With bridge compiled into the kernel:
> 
> sysctl -A |grep bridge should give you the appropriate parameter to play
> with.
> 
> ----- Original Message -----
> From: "Eric Anderson"
> To: "Joseph Gleason"
> Cc: 
> Sent: Wednesday, June 27, 2001 13:28
> Subject: Re: 3 nics - 1 bridge - 2 ips - bad?
> 
> > Thanks for the response.. I think you're correct here, I don't see
> > any way to only enable 2 out of 3 interfaces for bridging. Darn. Oh
> > well, thanks!
> > 
> > Joseph Gleason wrote:
> > > 
> > > I think you might have a problem with the bridging.
> > > 
> > > I'm not sure if you can bridge xl0 and xl1 without including xl2. I could
> > > be wrong
> > > And you might be able to pull something off with IPFW rules to exclude xl2
> > > from the bridging, but I wouldn't trust it.
> > > 
> > > What you want certainly looks like two separate and possibly incompatible
> > > tasks. My advice would be have two machines do this if at all possible.
> > > Machine one being your ethernet bridge. Machine two being the gateway to
> > > your protected network.
> > > 
> > > ----- Original Message -----
> > > From: "Eric Anderson"
> > > To: 
> > > Sent: Wednesday, June 27, 2001 12:46
> > > Subject: 3 nics - 1 bridge - 2 ips - bad?
> > > 
> > > > Let's say I have 3 NIC's in a machine running FreeBSD 4.2.
> > > > Is it possible to have this sort of configuration:
> > > > xl0 - 200.200.200.200 - [interface 1 of bridge0]
> > > > xl1 - NO IP - [interface 2 of bridge0]
> > > > xl2 - 192.168.10.10 - not part of any bridge
> > > > 
> > > > the 200.200.200.200 number is of course made up, but signifies an
> > > > interface on the unprotected net. The 192.168.10.10 interface is also
> > > > made up, showing an interface on the protected internal net. Now, the
> > > > xl1 interface is bridged to xl0, creating a port for passing thru to the
> > > > unprotected net that xl0 is on. Are there any inherent security flaws in
> > > > this configuration (besides having a possible computer plug into the xl1
> > > > port and not being behind a firewall), assuming it works at all?
> > > > 
> > > > Thanks in advance..
> > > > 
> > > > Eric
> > > > <-- SNIP -->

-- 
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 4 6:11:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id D1E9837B401 for ; Wed, 4 Jul 2001 06:11:14 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.3/8.11.3) with ESMTP id f64DCOx47233; Wed, 4 Jul 2001 09:12:24 -0400 (EDT) Date: Wed, 4 Jul 2001 09:12:24 -0400 (EDT) From: Ralph Huntington To: cjclark@alum.mit.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: firewall question In-Reply-To: <20010704002534.D1476@blossom.cjclark.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Thank you very much. I should have found that myself.

-=r=-

On Wed, 4 Jul 2001, Crist J. Clark wrote:
> On Tue, Jul 03, 2001 at 10:45:27AM -0400, Ralph Huntington wrote:
> > 
> > ipfw: -1 Refuse TCP W.X.Y.Z:0 A.B.C.D:0 in via fxp0
> > ipfw: -1 Refuse TCP S.T.U.V:0 A.B.C.D:0 in via fxp0
> 
> FINE POINTS
> o There is one kind of packet that the firewall will always discard,
> that is a TCP packet's fragment with a fragment offset of one. This
> is a valid packet, but it only has one use, to try to circumvent
> firewalls.
> When logging is enabled, these packets are reported as
> being dropped by rule -1.
> 
> -- 
> Crist J. Clark cjclark@alum.mit.edu
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 5 10:28: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.fdma.com (mail.fdma.com [216.241.67.73]) by hub.freebsd.org (Postfix) with ESMTP id A3E8337B427 for ; Thu, 5 Jul 2001 10:27:59 -0700 (PDT) (envelope-from scheidell@fdma.com) Received: from MIKELT (mikelt.fdma.lan [10.1.1.40]) by mail.fdma.com (8.11.3/8.11.3) with SMTP id f65HRmN39917 for ; Thu, 5 Jul 2001 13:27:48 -0400 (EDT) Message-ID: <007401c10577$cf94d810$2801010a@fdma.com> From: "Michael Scheidell" To: References: Subject: Re: my pic that i told you =) Date: Thu, 5 Jul 2001 13:27:47 -0400 Organization: Florida Datamation, Inc. MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

And THAT is running freebsd? Weirdest firewall I ever saw.
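Back to the "firewall question" thread above: the FINE POINTS passage Crist Clark quotes says a TCP fragment with fragment offset 1 is always discarded and logged as rule -1, and Ralph's dmesg lines show exactly that. The following is an added example, not part of any message in this archive and not ipfw's code. Its first part parses log lines in the format Ralph quoted (with constructed documentation-range addresses in place of his placeholders) and picks out the implicit drops; its second part models, in pure Python, the RFC 1858 overlapping-fragment evasion that the check exists to stop: a first fragment that a stateless "established" rule accepts, followed by a fragment at offset 1 (8 bytes) that overwrites bytes 8 to 15 of the TCP header after the rule has already looked at it. All function names, the toy filter and the sample data are this example's own; the MF bit, IP id and checksums are left out of the model.

```python
"""Added example (not from the thread or from ipfw): parse "ipfw: -1 Refuse"
lines and model the RFC 1858 overlapping-fragment evasion that rule -1
stops. Fragments are (offset, payload) pairs; MF bit, IP id and checksums
are ignored. Names, addresses and log lines are this example's own."""
import re
import struct

# --- Part 1: recognising the implicit drop in the log -----------------------
IPFW_LOG = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)")

# Constructed lines in the format quoted in the thread (documentation IPs).
SAMPLE_LOG = [
    "ipfw: -1 Refuse TCP 192.0.2.10:0 198.51.100.5:0 in via fxp0",
    "ipfw: 65000 Deny TCP 192.0.2.11:4321 198.51.100.5:23 in via fxp0",
    "ipfw: -1 Refuse TCP 203.0.113.7:0 198.51.100.5:0 in via fxp0",
]

def parse_ipfw_log(line):
    """Fields of one ipfw log line, or None if the line is not one."""
    m = IPFW_LOG.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("rule", "sport", "dport"):
        d[k] = int(d[k])
    # Rule -1 is not in the rule set: it is the built-in drop of TCP fragments
    # with offset 1. Ports show as 0 because a non-first fragment carries no
    # TCP header for ipfw to read.
    d["implicit_fragment_drop"] = d["rule"] == -1
    return d

def implicit_drops(lines):
    """Source addresses that hit the built-in fragment check."""
    parsed = [parse_ipfw_log(line) for line in lines]
    return [p["src"] for p in parsed if p and p["implicit_fragment_drop"]]

# --- Part 2: why a TCP fragment at offset 1 is always dropped ---------------
FRAG_UNIT = 8            # fragment offsets count 8-octet units
FLAG_SYN, FLAG_ACK = 0x02, 0x10
TCP_FLAGS_BYTE = 13      # byte 13 of the TCP header holds the flag bits

def tcp_header(sport, dport, flags, seq=1, ack=1, window=65535):
    """Minimal 20-byte TCP header: no options, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, 0, 0)

def reassemble(fragments):
    """Naive reassembly: a later fragment overwrites overlapping bytes."""
    buf = bytearray()
    for off, payload in fragments:
        start = off * FRAG_UNIT
        end = start + len(payload)
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = payload
    return bytes(buf)

def established_only(off, pay):
    """Stateless 'pass tcp established' as a per-fragment decision: only the
    first fragment carries flags to check; later fragments must be passed."""
    if off == 0:
        flags = pay[TCP_FLAGS_BYTE]
        return bool(flags & FLAG_ACK) and not flags & FLAG_SYN
    return True

def rule_minus_one(off, is_tcp=True):
    """The unconditional check: a TCP fragment at offset 1 can only exist to
    rewrite header bytes 8-15 (ack, data offset, flags, window). Drop it."""
    return is_tcp and off == 1

def evasion_fragments(dport=22):
    """Constructed attack: fragment 0 looks like an ACK of an established
    connection; fragment 1 rewrites bytes 8-15 so the result is a bare SYN."""
    first = (0, tcp_header(40000, dport, FLAG_ACK) + b"\x00" * 4)
    second = (1, struct.pack("!IBBH", 0, 5 << 4, FLAG_SYN, 65535))
    return [first, second]

def flags_after_filter(fragments, precheck=None):
    """Flags byte of the segment reassembled from whatever the toy filter
    (optionally preceded by the rule -1 check) let through."""
    passed = [(off, p) for off, p in fragments
              if not (precheck and precheck(off)) and established_only(off, p)]
    return reassemble(passed)[TCP_FLAGS_BYTE]

def demo():
    frags = evasion_fragments()
    naive = flags_after_filter(frags)
    hardened = flags_after_filter(frags, rule_minus_one)
    return {"naive_result_is_syn": bool(naive & FLAG_SYN),
            "with_rule_minus_one_is_syn": bool(hardened & FLAG_SYN),
            "implicit_drop_sources": implicit_drops(SAMPLE_LOG)}
```

Without the pre-check, both fragments pass the "established" rule and the reassembled segment is a SYN to port 22 that the rule set never saw; with it, the offset-1 fragment is gone and only the harmless ACK remains. That is why the drop is unconditional and why a -1 entry in the log is not a sign of a missing rule: the sources it names sent something that has no legitimate use.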
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 5 13:16:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from priv-edtnes12-hme0.telusplanet.net (fepout4.telus.net [199.185.220.239]) by hub.freebsd.org (Postfix) with ESMTP id EACE837B401 for ; Thu, 5 Jul 2001 13:16:29 -0700 (PDT) (envelope-from aaron@alsopproductions.com) Received: from [161.184.134.245] by priv-edtnes12-hme0.telusplanet.net (InterMail vM.4.01.03.10 201-229-121-110) with SMTP id <20010705201614.TUZK663.priv-edtnes12-hme0.telusplanet.net@[161.184.134.245]> for ; Thu, 5 Jul 2001 14:16:14 -0600 Message-ID: <002701c1058f$b3f19220$30004bac@www.circ.ca> From: "Aaron K. Alsop" To: Received: from no.name.available by [161.184.134.245] via smtpd (for smtp.telusplanet.net [199.185.220.249]) with SMTP; 5 Jul 2001 20:17:04 UT Subject: Date: Thu, 5 Jul 2001 14:18:49 -0600 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0024_01C1055D.693D3180" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0024_01C1055D.693D3180 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable ------=_NextPart_000_0024_01C1055D.693D3180 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
 
------=_NextPart_000_0024_01C1055D.693D3180--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jul 6 5:45:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from relay.wplus.net (relay.wplus.net [195.131.52.179]) by hub.freebsd.org (Postfix) with ESMTP id 5486837B406 for ; Fri, 6 Jul 2001 05:45:21 -0700 (PDT) (envelope-from ricsLtd@hotmail.com) Received: from relay1.wplus.net (smtp.wplus.net [195.131.52.143]) by relay.wplus.net (8.9.1/8.9.1/wplus.2) with ESMTP id QAA41858 for ; Fri, 6 Jul 2001 16:45:19 +0400 (MSD) From: ricsLtd@hotmail.com X-Real-To: Received: from Olga (ip94-78.dialup.wplus.net [195.131.94.78]) by relay1.wplus.net (8.9.1/8.9.1/wplus.2) with SMTP id QAA72395 for ; Fri, 6 Jul 2001 16:45:18 +0400 (MSD) Date: Fri, 6 Jul 2001 16:45:18 +0400 (MSD) Message-Id: <200107061245.QAA72395@relay1.wplus.net> To: X-Mailer: PersMail 3.1 Mime-Version: 1.0 Content-Type: text/plain; charset=Windows-1251 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Looking for contract or permanent IT staff? We can recruit Russian IT professionals for you. Have a look at www.ricsltd.co.uk. We have a lot to offer! You will be impressed with our services and low fees as well as the quality of our programmers.
If you have any questions please do not hesitate to contact us: info@ricsltd.co.uk

Regards,
Andrei Nikonorov
________________________________
Sent by "PersMail 3.1" (freeware)
ZAO "ASU-Impuls": business directories and databases, "Electronic library of fiction"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jul 6 8: 5:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from gate2.ldn.ubswarburg.com (gate2.ldn.ubswarburg.com [139.149.1.38]) by hub.freebsd.org (Postfix) with ESMTP id 61B1237B408 for ; Fri, 6 Jul 2001 08:05:12 -0700 (PDT) (envelope-from Khalil.Haddad@ubs.com) Received: (from smap@localhost) by gate2.ldn.ubswarburg.com (8.8.8/8.8.8) id QAA07872 for ; Fri, 6 Jul 2001 16:01:17 +0100 (BST) From: Khalil.Haddad@ubs.com Received: from (nine.ubswarburg.com [192.168.0.4]) by gate2 via smap (V2.0) id xma007820; Fri, 6 Jul 2001 16:01:10 +0100 Received: from ln4p1013pos.ldn.swissbank.com (virscan2 [192.168.0.4]) by virscan2.swissbank.com (8.8.8/8.8.8) with ESMTP id PAA08406 for ; Fri, 6 Jul 2001 15:03:12 GMT Received: from ln4p1528.ldn.swissbank.com (ln4p1528.ldn.swissbank.com [172.16.232.54]) by ln4p1013pos.ldn.swissbank.com (8.8.8/8.8.8) with ESMTP id QAA08192 for ; Fri, 6 Jul 2001 16:02:20 +0100 (BST) Received: from ps3p84.par.swissbank.com (ps3p84.par.swissbank.com [155.145.25.41]) by ln4p1528.ldn.swissbank.com (8.8.6 (PHNE_14041)/8.8.6/WDR gamma evision: 1.4 $) with ESMTP id QAA29015 for ; Fri, 6 Jul 2001 16:02:19 +0100 (BST) Received: from localhost (root@localhost) by ps3p84.par.swissbank.com (8.8.6 (PHNE_14041)/8.8.6/WDR gamma evision: 1.4 $) with ESMTP id RAA08599 for ; Fri, 6 Jul 2001 17:02:18 +0200 (METDST) X-OpenMail-Hops: 1 Date: Fri, 6 Jul 2001 17:02:17 +0200 Message-Id: Subject: Hiding Versions MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline;
filename="BDY.TXT" ;Creation-Date="Fri, 6 Jul 2001 17:02:16 +0200" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello all, After visiting this web site : www.netcraft.com, I discovered that it is possible to trace version changes of OS, apache or php. Example : FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 4-Dec-2000 195.92.95.5 Netcraft unknown Apache/1.3.9 (Unix) mod_perl/1.20 3-Dec-2000 195.92.95.5 Netcraft FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 19-Nov-2000 195.92.95.5 Planet Online unknown Apache/1.3.9 (Unix) mod_perl/1.20 18-Nov-2000 195.92.95.5 Planet Online FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 14-Nov-2000 195.92.95.5 Planet Online FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 15-Sep-1999 195.188.192.5 Netcraft Ltd FreeBSD Apache/1.3.6 (Unix) mod_perl/1.20 2-Jul-1999 195.188.192.5 Netcraft Ltd FreeBSD Apache/1.3.6 (Unix) mod_perl/1.18 9-Jun-1999 195.188.192.5 Netcraft Ltd FreeBSD Apache/1.3.4 (Unix) mod_perl/1.18 26-May-1999 195.188.192.5 Netcraft Ltd I wanted to know how this was possible, if FreeBSD stores version history somewhere. What should I do to secure this and how, because knowing that anyone can get the history of version changes on your system doesn't make you fell secure... By the way, the output for my server gives me Apache/1.3.19 but i have upgraded to 1.3.20 recently, why hasn't this been taken in consideration? (i used ports to upgrade) Thank you for your help. 
Khalil To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 6 8:10:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 6E20837B409 for ; Fri, 6 Jul 2001 08:10:08 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 3101 invoked by uid 1000); 6 Jul 2001 15:14:35 -0000 Date: Fri, 6 Jul 2001 18:14:35 +0300 From: Peter Pentchev To: Khalil.Haddad@ubs.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hiding Versions Message-ID: <20010706181435.E700@ringworld.oblivion.bg> Mail-Followup-To: Khalil.Haddad@ubs.com, freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from Khalil.Haddad@ubs.com on Fri, Jul 06, 2001 at 05:02:17PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jul 06, 2001 at 05:02:17PM +0200, Khalil.Haddad@ubs.com wrote: > Hello all, > > After visiting this web site : www.netcraft.com, I discovered that it > is possible to trace version changes of OS, apache or php. 
> > Example : > FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 4-Dec-2000 195.92.95.5 > Netcraft > unknown Apache/1.3.9 (Unix) mod_perl/1.20 3-Dec-2000 195.92.95.5 > Netcraft > FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 19-Nov-2000 195.92.95.5 > Planet Online > unknown Apache/1.3.9 (Unix) mod_perl/1.20 18-Nov-2000 195.92.95.5 > Planet Online > FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 14-Nov-2000 195.92.95.5 > Planet Online > FreeBSD Apache/1.3.9 (Unix) mod_perl/1.20 15-Sep-1999 195.188.192.5 > Netcraft Ltd > FreeBSD Apache/1.3.6 (Unix) mod_perl/1.20 2-Jul-1999 195.188.192.5 > Netcraft Ltd > FreeBSD Apache/1.3.6 (Unix) mod_perl/1.18 9-Jun-1999 195.188.192.5 > Netcraft Ltd > FreeBSD Apache/1.3.4 (Unix) mod_perl/1.18 26-May-1999 195.188.192.5 > Netcraft Ltd > > I wanted to know how this was possible, if FreeBSD stores version > history somewhere. What should I do to secure this and how, because > knowing that anyone can get the history of version changes on your > system doesn't make you fell secure... They can only track history in the sense of storing information obtained by somebody performing a query on the given date. This list just means that somebody has done those queries on May 26, 1999, June 9, 1999 etc, and the Netcraft database has stored the results. If nobody has been interested in *your* server, Netcraft would not have any information stored about it. It is the Netcraft database, not your OS, that keeps history. > By the way, the output for my server gives me Apache/1.3.19 but i have > upgraded to 1.3.20 recently, why hasn't this been taken in > consideration? (i used ports to upgrade) Maybe no one has performed a Netcraft query for your server since you upgraded. G'luck, Peter -- I am the meaning of this sentence. 
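Peter's point is that Netcraft reports the answer to somebody's past query, not the live server, so the way to settle Khalil's 1.3.19-versus-1.3.20 question is to ask the server directly and read the Server header it returns. The script below is an added example, not code from the thread: it parses a raw HTTP response (the embedded sample is constructed, not captured from any host named here), splits the Server value into product/version tokens and parenthesised comments, and compares the advertised versions with what the administrator believes is installed; the `fetch_head` helper and all sample values are assumptions of this example.

```python
"""Audit what a web server advertises in its HTTP Server header.

Added example for this thread. SAMPLE_RESPONSE is constructed by hand;
it is not a capture from any server discussed on the list.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

# (product, version); a parenthesised comment such as "(Unix)" has no version.
Product = Tuple[str, Optional[str]]

# Constructed sample of what a HEAD request to an Apache 1.3 host might return.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 06 Jul 2001 15:02:17 GMT\r\n"
    "Server: Apache/1.3.19 (Unix) mod_perl/1.20 PHP/4.0.4pl1\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:        # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_server(value: str) -> List[Product]:
    """Split a Server value into product tokens the way RFC 1945 lays it out:
    'Apache/1.3.19 (Unix) mod_perl/1.20' ->
    [('Apache', '1.3.19'), ('Unix', None), ('mod_perl', '1.20')]"""
    products: List[Product] = []
    for match in re.finditer(r"\(([^)]*)\)|(\S+)", value):
        comment, token = match.group(1), match.group(2)
        if comment is not None:
            products.append((comment, None))
        elif "/" in token:
            name, version = token.split("/", 1)
            products.append((name, version))
        else:
            products.append((token, None))
    return products


def audit(raw_response: str, expected: Dict[str, str]) -> List[str]:
    """List everything the server discloses and flag version mismatches.

    `expected` maps product name -> version the admin believes is installed.
    """
    findings: List[str] = []
    server = parse_headers(raw_response).get("server")
    if server is None:
        return ["no Server header sent"]
    for name, version in parse_server(server):
        if version is None:
            findings.append(f"discloses {name} (no version)")
            continue
        want = expected.get(name)
        if want is None:
            findings.append(f"discloses {name} {version}")
        elif want != version:
            findings.append(f"MISMATCH: {name} advertises {version}, expected {want}")
        else:
            findings.append(f"{name} {version} matches expected")
    return findings


def fetch_head(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a HEAD request to a server you administer; return the raw reply."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_head("host")
    # to audit a server of your own.
    for line in audit(SAMPLE_RESPONSE, {"Apache": "1.3.20", "mod_perl": "1.20"}):
        print(line)
```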
From owner-freebsd-security Fri Jul 6 10:53:48 2001
From: aphex
To: freebsd-security@freebsd.org
Date: Sat, 07 Jul 2001 04:00:36 +1000
Subject: Re: Hiding Versions
Message-Id: <20010706175344.E400937B403@hub.freebsd.org>

7/07/2001 1:14:35 AM, Peter Pentchev wrote:
>On Fri, Jul 06, 2001 at 05:02:17PM +0200, Khalil.Haddad@ubs.com wrote:
>> Hello all,
>>
>> After visiting this web site : www.netcraft.com, I discovered that it
>> is possible to trace version changes of OS, apache or php.
[snip]
>> By the way, the output for my server gives me Apache/1.3.19 but i have
>> upgraded to 1.3.20 recently, why hasn't this been taken in
>> consideration? (i used ports to upgrade)
>
>Maybe no one has performed a Netcraft query for your server since
>you upgraded.
>
>G'luck,
>Peter

I've been able to fool netcraft.com into saying I run a different webserver, but am still unable to hide the fact that I'm running FreeBSD. Would you happen to know how they get this information? No banners on any services display the fact that I'm running FreeBSD, so I'm guessing it's got to do with TCP/IP fingerprints. Any way at all to hide this?

Regards,

--> aphex

From owner-freebsd-security Fri Jul 6 11:05:58 2001
From: Malcolm
To: aphex
Date: Fri, 6 Jul 2001 11:05:40 -0700 (PDT)
Subject: Re: Hiding Versions
In-Reply-To: <20010706175344.E400937B403@hub.freebsd.org>

How'd you fool netcraft.com with regard to the webserver?

-Malcolm

Tomorrow, at 4:00am, aphex kvetched:

> 7/07/2001 1:14:35 AM, Peter Pentchev wrote:
>
> >On Fri, Jul 06, 2001 at 05:02:17PM +0200, Khalil.Haddad@ubs.com wrote:
> >> Hello all,
> >>
> >> After visiting this web site : www.netcraft.com, I discovered that it
> >> is possible to trace version changes of OS, apache or php.
> [snip]
> >> By the way, the output for my server gives me Apache/1.3.19 but i have
> >> upgraded to 1.3.20 recently, why hasn't this been taken in
> >> consideration? (i used ports to upgrade)
> >
> >Maybe no one has performed a Netcraft query for your server since
> >you upgraded.
> >
> >G'luck,
> >Peter
>
> I've been able to fool netcraft.com into saying I run a different webserver, but am still unable to hide the fact that I'm running freebsd.
> Would you happen to know how they get this information? no banners on any services display the fact that im running freebsd so I'm guessing
> its got to do with tcp/ip fingerprints. Anyway at all to hide this?
>
> Regards,
>
> --> aphex

From owner-freebsd-security Fri Jul 6 11:07:49 2001
From: "Eric Parusel"
To: "aphex"
Date: Fri, 6 Jul 2001 11:07:52 -0700
Subject: Re: Hiding Versions
Message-ID: <01e401c10646$9305e900$0600020a@frontend>
References: <20010706175344.E400937B403@hub.freebsd.org>

> 7/07/2001 1:14:35 AM, Peter Pentchev wrote:
>
> >On Fri, Jul 06, 2001 at 05:02:17PM +0200, Khalil.Haddad@ubs.com wrote:
> >> Hello all,
> >>
> >> After visiting this web site : www.netcraft.com, I discovered that it
> >> is possible to trace version changes of OS, apache or php.
> [snip]
> >> By the way, the output for my server gives me Apache/1.3.19 but i have
> >> upgraded to 1.3.20 recently, why hasn't this been taken in
> >> consideration? (i used ports to upgrade)
> >
> >Maybe no one has performed a Netcraft query for your server since
> >you upgraded.
> >
> >G'luck,
> >Peter
>
> I've been able to fool netcraft.com into saying I run a different webserver, but am still unable to hide the fact that I'm running freebsd.
> Would you happen to know how they get this information? no banners on any services display the fact that im running freebsd so I'm guessing
> its got to do with tcp/ip fingerprints. Anyway at all to hide this?
>
> Regards,
>
> --> aphex

I'm behind a firewall system, and netcraft.com reports my OS as Unknown... With only ports 80 and 443 open to the outside, it probably doesn't have enough info to figure out what OS I'm running.

Try firewalling, it's a good idea anyways :)

Now how did you fool netcraft.com into saying that you run a different webserver?

Later,
Eric

From owner-freebsd-security Fri Jul 6 12:30:10 2001
From: appleseed@hushmail.com
To: freebsd-security@FreeBSD.ORG
Cc: Khalil.Haddad@ubs.com
Date: Fri, 6 Jul 2001 12:06:35 -0500 (PDT)
Subject: Re: Hiding Versions
Message-Id: <200107061929.MAA30700@user7.hushmail.com>

Sup =)

You recently wrote this:
>After visiting this web site : www.netcraft.com, I discovered that it
>is possible to trace version changes of OS, apache or php.
>
*snip*
>I wanted to know how this was possible, if FreeBSD stores version
>history somewhere. What should I do to secure this and how, because
>knowing that anyone can get the history of version changes on your
>system doesn't make you fell secure...
>
>By the way, the output for my server gives me Apache/1.3.19 but i have
>upgraded to 1.3.20 recently, why hasn't this been taken in
>consideration? (i used ports to upgrade)
>
>Thank you for your help.
>
>Khalil

Well, netcraft uses a query to the webserver then reads the header of the response looking for the 'Server' string. Defined in RFC 1945, the 'Server' header variable/value pair describes the webserver software running on the target host. I've only audited certain segments of the apache server (and don't run apache myself) so I am not sure if they allow you to redefine the Server string sent with request responses. However, if they are fully RFC 1945 compliant they will allow you to redefine the 'Server' string. =)

As far as the operating system goes, netcraft performs tcp/ip fingerprinting on the target host to determine OS information. If you want to block this information snag yourself a good firewall (pitch IPF here cuz it rockz!) and load up a good ruleset. I won't tell you how I define my ruleset, but, you are better off determining what is best for you. I will say that certain tricks will disturb nmap and friends' logic while constructing a remote operating system fingerprint.

Good luck =)

northern_

Free, encrypted, secure Web-based email at www.hushmail.com

From owner-freebsd-security Fri Jul 6 13:59:38 2001
From: "Jason Burdick"
Date: Fri, 6 Jul 2001 17:01:03 -0400
Subject: Re: Hiding Versions
Message-ID: <003801c1065e$c4724480$0c8e1581@yclan.net>
References: <200107061929.MAA30700@user7.hushmail.com>

Hiding version strings is very pointless. The only use is to let admins be a tad bit more lazy in patching so s'kiddies, who only look for version strings for exploit purposes, will pass by the box. This doesn't stop someone with a clue, so it's a waste of time. Patch the box correctly, and you'll have fewer problems.

Besides, Netcraft is cool. It's nice to see that I have the second longest uptime on campus. :)

This has been discussed many times before, check the list archives.

Jason Burdick
System Administrator, Jester's Court Communications

From owner-freebsd-security Fri Jul 6 14:03:18 2001
From: Laurence Berland
To: Jason Burdick
Cc: security@FreeBSD.ORG
Date: Fri, 6 Jul 2001 14:01:57 -0700 (PDT)
Subject: Re: Hiding Versions
In-Reply-To: <003801c1065e$c4724480$0c8e1581@yclan.net>

As much as it's not all that good in terms of security, changing version strings will keep the kiddies from ever bothering, which is good just because it stops them from filling your logs quite as much...

On Fri, 6 Jul 2001, Jason Burdick wrote:

> Hiding version strings is very pointless. The only use is to let admins be
> a tad bit more lazy in patching so s'kiddies, who only look for version
> strings for exploit purposes, will pass by the box. This doesn't stop
> someone with a clue, so it's a waste of time. Patch the box correctly, and
> you'll have less problems.
>
> Besides, Netcraft is cool. It's nice to see that I have the second longest
> uptime on campus. :)
>
> This has been discussed many times before, check the list archives.
>
> Jason Burdick
> System Administrator, Jester's Court Communications

From owner-freebsd-security Fri Jul 6 14:07:42 2001
From: serkoon
To: security@freebsd.org, webmaster@yclan.net
Date: Fri, 6 Jul 2001 23:06:17 +0200 (CEST)
Subject: Re: Hiding Versions
Message-Id: <200107062106.f66L6HQ29812@thedarkside.nl>
In-Reply-To: <003801c1065e$c4724480$0c8e1581@yclan.net>

From owner-freebsd-security Fri Jul 6 15:58:44 2001
From: appleseed@hushmail.com
To: security@FreeBSD.ORG
Cc: webmaster@yclan.net
Date: Fri, 6 Jul 2001 15:27:13 -0500 (PDT)
Subject: Re: Hiding Versions
Message-Id: <200107062258.PAA17921@user7.hushmail.com>

Wait a sec.. at some point in time u actually wrote:
>Hiding version strings is very pointless. The only use is to let admins
>be
>a tad bit more lazy in patching so s'kiddies, who only look for version
>strings for exploit purposes, will pass by the box. This doesn't stop
>someone with a clue, so it's a waste of time. Patch the box correctly,
> and
>you'll have less problems.
>
>Besides, Netcraft is cool. It's nice to see that I have the second
>longest
>uptime on campus. :)
>
>This has been discussed many times before, check the list archives.

I'm not responding to flame, but, this is silly. Hiding the version is very relevant. It is blatantly ignorant to say that any kind of action that elevates security is in itself moot.

For example say I find a new bug in WallyWebserver version X. Let's assume I am your average blackhat who codes some decent exploits but does little more than root servers for personal amusement (gee this personality is rare). More than likely the first thing I do after testing the bug on my LAN is develop a simple scanner that snags the banner of webservers at random IPs across the net for statistical analysis. What I will then do is process the numbers to determine my overall ratio of WallyWebserver X to other servers thus giving me an estimate of the total number of potential targets I may find in the wild. Next thing I would do is attempt to exploit this vulnerability on several different platforms to broaden my range of targets. This would be a case where the aggressor is by no means a script kiddie. In fact, types of situations such as this arise quite more often than we tend to realize. Should we allow the individual access to information on our machine? Absolutely not. In information warfare obviously the less data our enemies have the less vulnerable we become.

Example number two is even more prevalent. Script kiddie hangs out on IRC with various hackers of various levels of skill. He happens to hang with just the right people and gets 0day for SuperNeet Webserver version X2. He has a target predefined via some previous confrontation with the owner/admin of the site. First thing he will do is try to see if the server is running the vulnerable software. You may be patched for known exploits but what about the 0day you don't hear about? Sure, the kiddie may try the exploit anyways. We see this every day while our UNIX servers are being attacked by unicode exploitation tools. But, many people will determine the server software information before risking exposure or losing a rootshell/proxy due to attack complaints by an unpenetrated target.

If we misdirect the aggressor via placed data it can minimize our vulnerability in both situations. There is no reason why we should dismiss this as a viable tactic of defense. Sure it may not stop someone who is determined to penetrate you or die trying. In that case however you still must have the wisdom to give the attacker as little as possible.

As far as patching is concerned... you can't patch your environment..

BTW, we are all impressed with your uptime ;-)

northern_

From owner-freebsd-security Fri Jul 6 16:30:08 2001
From: Paul Hart
To: Laurence Berland
Date: Fri, 6 Jul 2001 17:29:54 -0600 (MDT)
Subject: Re: Hiding Versions

On Fri, 6 Jul 2001, Laurence Berland wrote:

> As much as it's not all that good in terms of security, changing version
> strings will keep the kiddies from ever bothering, which is good just
> because it stops them from filling your logs quite as much...

You sure about that? I know of many web servers on UNIX systems that fully advertise their Apache-on-UNIX banner messages and still receive numerous attempts to break in using exploits for Microsoft's IIS. That's not to mention the repeated attempts to break in to FreeBSD or Solaris machines using an exploit for LPRng on Linux, either.

Removing or falsifying version strings may fool some rational attackers, but it seems many kiddies will ram the exploit against ANY machine that's listening on port 80 regardless of the operating system it's running or what the banner messages say.

Paul Hart

--
Paul Robert Hart                    hart@orem.verio.net
Jul ner lbh ernqvat guvf?

From owner-freebsd-security Fri Jul 6 18:40:34 2001
From: Darren Reed
To: stuyman@confusion.net (Laurence Berland)
Cc: webmaster@yclan.net (Jason Burdick), security@FreeBSD.ORG
Date: Sat, 7 Jul 2001 11:36:02 +1000 (Australia/ACT)
Subject: Re: Hiding Versions
Message-Id: <200107070136.LAA14914@caligula.anu.edu.au>

Why are you even bothering with this thread?

If someone wants to know what version of the OS you're running they'll just use nmap.
From owner-freebsd-security Fri Jul 6 20:07:18 2001
From: appleseed@hushmail.com
To: security@freebsd.org
Cc: avalon@coombs.anu.edu.au
Date: Fri, 6 Jul 2001 20:00:33 -0500 (PDT)
Subject: Re: Hiding Versions
Message-Id: <200107070306.UAA05876@user7.hushmail.com>

u recently typed something to the effect of:
>Why are you even bothering with this thread?
>
>If someone wants to know what version of the OS you're running they'll
>just use nmap.
>

Not if the server is on an internal LAN and the gateway routes requests to its port 80 to that internal machine. Heh..

northern_

From owner-freebsd-security Fri Jul 6 20:11:05 2001
From: Darren Reed
To: appleseed@hushmail.com
Cc: avalon@coombs.anu.edu.au, security@FreeBSD.ORG
Date: Sat, 7 Jul 2001 13:10:55 +1000 (Australia/ACT)
Subject: Re: Hiding Versions
Message-Id: <200107070310.NAA19379@caligula.anu.edu.au>
In-Reply-To: <200107070306.UAA05876@user7.hushmail.com>

In some mail from appleseed@hushmail.com, sie said:
>
> u recently typed something to the effect of:
> >Why are you even bothering with this thread?
> >
> >If someone wants to know what version of the OS you're running they'll
> >just use nmap.
> >
> Not if the server is on an internal LAN and the gateway
> routes requests to its port 80 to that internal machine.
> Heh..

wrong.
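Darren's one-word answer has a concrete reason, which Mike spells out further down the thread: gateway A rewrites the addresses and ports of B's SYN-ACK, but the fields a stack fingerprinter compares (TTL, DF bit, window size, TCP option layout) are set by B's kernel and pass through untouched, except that the TTL drops by one per forwarding hop. The code below is an added example, not from the thread: it builds a constructed SYN-ACK (arbitrary sample values, not any OS's real signature), applies the address/port rewrite a NAT performs, and checks which fingerprint fields survive, which is the test to run before trusting a port forward to hide the backend; the packet layout helpers and all addresses are assumptions of this example.

```python
"""Which SYN-ACK fields a TCP/IP fingerprinter sees, and whether NAT
address/port rewriting changes them.

Added example for this thread. The packet is constructed by hand and the
numbers (window, options, addresses) are arbitrary sample choices.
"""
import struct
from typing import List, NamedTuple, Tuple

IPV4_HDR = 20


class Fingerprint(NamedTuple):
    ttl: int
    df: bool
    window: int
    options: Tuple[Tuple[int, bytes], ...]   # (kind, data) in wire order


def build_syn_ack(src: bytes, dst: bytes, sport: int, dport: int,
                  ttl: int, window: int, options: bytes) -> bytes:
    """Assemble IPv4 + TCP SYN-ACK bytes (checksums left zero; not sent)."""
    assert len(options) % 4 == 0, "TCP options must be padded to 4 bytes"
    tcp_len = 20 + len(options)
    data_offset = (tcp_len // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      data_offset, 0x12, window, 0, 0) + options   # 0x12 = SYN|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + tcp_len, 0x1234,
                     0x4000,                      # DF set, fragment offset 0
                     ttl, 6, 0, src, dst)         # protocol 6 = TCP
    return ip + tcp


def parse_options(raw: bytes) -> Tuple[Tuple[int, bytes], ...]:
    """Decode TCP options into (kind, data) pairs, preserving wire order."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                            # end of option list
            out.append((0, b""))
            break
        if kind == 1:                            # NOP, single byte
            out.append((1, b""))
            i += 1
            continue
        length = raw[i + 1]
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return tuple(out)


def fingerprint(pkt: bytes) -> Fingerprint:
    """Extract the fields a SYN-ACK fingerprinter compares against its table."""
    ihl = (pkt[0] & 0x0F) * 4
    frag = struct.unpack("!H", pkt[6:8])[0]
    tcp = pkt[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    return Fingerprint(pkt[8], bool(frag & 0x4000), window,
                       parse_options(tcp[20:data_offset]))


def nat_rewrite(pkt: bytes, new_src: bytes, new_sport: int) -> bytes:
    """What gateway A does to B's reply: new source address and port, TTL-1.

    DF, window and the option layout are forwarded exactly as B sent them.
    """
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[8] -= 1                                   # one forwarding hop
    ip[12:16] = new_src
    tcp[0:2] = struct.pack("!H", new_sport)
    return bytes(ip) + bytes(tcp)


def fingerprint_survives_nat(inside: bytes, outside: bytes) -> bool:
    """True when every field except TTL is identical and TTL fell by one."""
    a, b = fingerprint(inside), fingerprint(outside)
    return a._replace(ttl=0) == b._replace(ttl=0) and a.ttl - 1 == b.ttl


# Constructed sample: B (10.0.0.5:8080) answers with MSS, NOP, WS, SACK-OK.
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4,       # MSS 1460
                        1,                       # NOP
                        3, 3, 0,                 # window scale 0
                        4, 2])                   # SACK permitted
SAMPLE_OPTIONS += b"\x00" * (-len(SAMPLE_OPTIONS) % 4)
INSIDE = build_syn_ack(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]),
                       8080, 40000, ttl=64, window=57344, options=SAMPLE_OPTIONS)
OUTSIDE = nat_rewrite(INSIDE, bytes([198, 51, 100, 1]), 80)   # as seen past A

if __name__ == "__main__":
    print("inside :", fingerprint(INSIDE))
    print("outside:", fingerprint(OUTSIDE))
    print("fingerprint survives NAT:", fingerprint_survives_nat(INSIDE, OUTSIDE))
```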
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 6 20:19:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp4.hushmail.com (smtp4.hushmail.com [64.40.111.32]) by hub.freebsd.org (Postfix) with ESMTP id A9A2F37B408 for ; Fri, 6 Jul 2001 20:19:52 -0700 (PDT) (envelope-from appleseed@hushmail.com) Received: from user7.hushmail.com (user7.hushmail.com [64.40.111.47]) by smtp4.hushmail.com (Postfix) with ESMTP id 0FC112F33; Fri, 6 Jul 2001 20:19:24 -0700 (PDT) Received: (from root@localhost) by user7.hushmail.com (8.9.3/8.9.3) id UAA11446; Fri, 6 Jul 2001 20:19:23 -0700 From: appleseed@hushmail.com Message-Id: <200107070319.UAA11446@user7.hushmail.com> Date: Fri, 6 Jul 2001 20:09:10 -0500 (PDT) Cc: avalon@coombs.anu.edu.au To: security@freebsd.org Mime-version: 1.0 Content-type: multipart/mixed; boundary="Hushpart_boundary_tzHfCvuSGTsVhIivvROvBWCnVvnHQrHw" Subject: Re: Hiding Versions Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Hushpart_boundary_tzHfCvuSGTsVhIivvROvBWCnVvnHQrHw Content-type: text/plain >wrong. Okay, I'm running a gateway A. A receives packets incoming on the internet interface to port 80 and forwards the request on the condition that its a proper SYN packet with keep-state enabled disallowing fragmentation etc. Verified, the data is forwarded via NAT to the internal machine B at port X assumed to be an integer greater than maximum privledge port and less than maximum allowed TCP port. -- request --> [ A:80 .nat.->] ---> [B:X .httpd.] B's firewall rules verify what the router already knows and sends back the proper packet. I've never had nmap verify the OS of a system based on this setup. Ever. With all due respect prove me wrong. northern_ P.S. 
I was hoping you would respond the way u did, since, if u did not we both know i wouldnt be using ipf anymore ;-) Free, encrypted, secure Web-based email at www.hushmail.com --Hushpart_boundary_tzHfCvuSGTsVhIivvROvBWCnVvnHQrHw-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 6 20:25:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 6CC3237B40A for ; Fri, 6 Jul 2001 20:25:38 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 18237 invoked by uid 1000); 7 Jul 2001 03:25:37 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Jul 2001 03:25:37 -0000 Date: Fri, 6 Jul 2001 22:25:37 -0500 (CDT) From: Mike Silbersack To: Cc: , Subject: Re: Hiding Versions In-Reply-To: <200107070319.UAA11446@user7.hushmail.com> Message-ID: <20010706222359.H18136-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 6 Jul 2001 appleseed@hushmail.com wrote: > >wrong. > Okay, I'm running a gateway A. A receives packets incoming > on the internet interface to port 80 and forwards the request > on the condition that its a proper SYN packet with keep-state > enabled disallowing fragmentation etc. Verified, the data > is forwarded via NAT to the internal machine B at port X > assumed to be an integer greater than maximum privledge > port and less than maximum allowed TCP port. > -- request --> [ A:80 .nat.->] ---> [B:X .httpd.] > B's firewall rules verify what the router already knows and > sends back the proper packet. > I've never had nmap verify the OS of a system based on this > setup. Ever. 
> With all due respect prove me wrong.
> northern_
> P.S. I was hoping you would respond the way u did, since, if u
> did not we both know I wouldn't be using ipf anymore ;-)

There are programs other than nmap, you know. You should be able to
determine the OS version of a system by the syn-ack response alone;
nmap just likes more info.

And your setup seems too clever for its own good. I doubt you're really
protecting anything.

Mike "Silby" Silbersack

From owner-freebsd-security Fri Jul  6 20:30:06 2001
From: appleseed@hushmail.com
Date: Fri, 6 Jul 2001 20:24:45 -0500 (PDT)
To: security@freebsd.org
Cc: silby@silby.com
Subject: Re: Hiding Versions
Message-Id: <200107070329.UAA26107@user7.hushmail.com>

>There are programs other than nmap, you know. You should be able to
>determine the OS version of a system by the syn-ack response alone;
>nmap just likes more info.
>And your setup seems too clever for its own good. I doubt you're really
>protec(ting anything.
>
>Mike "Silby" Silbersack

Werd, I know. Ack prediction is patched to be 100% as randomized as my
software will allow. I apologize, I should have included that in the
statement.

So what if I'm not protecting anything. If you want to be the best you
can't not test every angle, right? =-/ =)

northern_

From owner-freebsd-security Fri Jul  6 21:35:33 2001
From: appleseed@hushmail.com
Date: Fri, 6 Jul 2001 21:30:07 -0500 (PDT)
To: security@freebsd.org
Cc: avalon@coombs.anu.edu.au
Subject: Re: Hiding Versions (personal)
Message-Id: <200107070435.VAA13412@user7.hushmail.com>

I would just like to make a comment of a personal nature regarding the
recent postings I have sent to this mailing list. The intentions behind
these postings were never to show any irreverence towards Mr. Reed,
whose firewall project I highly respect and admire. However, it was to
prove that OS detection is a serious and imperative issue in any
manifestation. Despite the connotation embedded in a message of this
nature, I am not and will not be apologetic for being tough on issues
of importance to myself and which I believe should be of importance to
the security community conglomerate. Intelligence gathering comes in
many forms, and it is my hope and my true intention to provide the
general community with the knowledge it needs to progress in a world
where security is no longer a luxury but a dire necessity. Finally, I
hope developers and engineers like Mr. Reed are devoted to this goal,
working together to continue a tradition where the creation of powerful
and stable solutions for our security issues is primary.

Thank you,
Northern_

From owner-freebsd-security Sat Jul  7 04:10:18 2001
From: rich@rdrose.org
Date: Sat, 7 Jul 2001 12:10:14 +0100 (BST)
To: security@FreeBSD.ORG
Subject: Re: Hiding Versions
In-Reply-To: <200107070319.UAA11446@user7.hushmail.com>

On Fri, 6 Jul 2001 appleseed@hushmail.com wrote:

> I've never had nmap verify the OS of a system based on this
> setup. Ever.

Would it be of any help in confusing nmap (and the like) to add rules
such as:

block return-rst in log quick on tun0 proto tcp all flags FUP
block return-rst in log quick on tun0 proto tcp all flags FSRPAU

or am I fooling myself?

rik

From owner-freebsd-security Sat Jul  7 06:32:52 2001
From: Axel Scheepers
Date: Sat, 7 Jul 2001 15:32:47 +0200
To: freebsd-security@freebsd.org
Subject: Firewall and ftp service
Message-ID: <20010707153247.A78448@surf.iae.nl>

Hi everybody,

I hope I'm not being really off topic with this one, but it's been
troubling me for a while now. I'm looking for a way to provide access
to an ftp server; my current network layout looks like this:

Cable Modem ------> Gateway ---------> http/ftp server
                       |
                       |
                       +------------> private http/ftp/sql server
                       |
                       |
                       +------------> my workstation

The gateway does natd and ipf since the other servers have private
addresses. The problem now is that whenever I connect to my ftp servers
from the outside, the server is unable to set up a data connection,
because it wants to connect on a port > 1024, which is blocked by my
firewall (and I want to leave it that way). Natd does the following:

natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21

which redirects the traffic to my public ftp server.
As I see it there can be 2 problems with this setup:
1) The server wants to initiate the data connection at a port > 1024 and/or
2) The server still somehow reports 192.168.0.5 as its address to the clients.

I have tried to connect with the option passive off, which I thought
should force the server to stay on port 21 for the data connection, but
it didn't work. :(

Can/will somebody help on getting this done the proper way?
I just want to use ipfilter, if possible, and I don't like to install
an ftp proxy for this.

Greetings,
Axel Scheepers
Unix System Administrator
VIA NET.WORKS Nederland
http://www.vianetworks.nl
ascheepers@vianetworks.nl

From owner-freebsd-security Sat Jul  7 11:39:07 2001
From: "Crist J. Clark"
Date: Sat, 7 Jul 2001 11:38:49 -0700
To: Axel Scheepers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall and ftp service
Message-ID: <20010707113849.C408@blossom.cjclark.org>
References: <20010707153247.A78448@surf.iae.nl>
In-Reply-To: <20010707153247.A78448@surf.iae.nl>; from ascheepe@surf.iae.nl on Sat, Jul 07, 2001 at 03:32:47PM +0200

On Sat, Jul 07, 2001 at 03:32:47PM +0200, Axel Scheepers wrote:

I'll say it again, FTP is eeeevul.

> Hi everybody,
> I hope I'm not being really off topic with this one but
> it's been troubling me for a while now.
> I'm looking for a way to provide access to an ftp server, my current
> network layout looks like this:
>
> Cable Modem ------> Gateway ---------> http/ftp server
>                        |
>                        |
>                        +------------> private http/ftp/sql server
>                        |
>                        |
>                        +------------> my workstation
>
> The gateway does natd and ipf since the other servers have private
> addresses.

natd(8) and ipf(8) or natd(8) and ipfw(8)? I'd recommend either using
natd(8) and ipfw(8) or ipnat(8) and ipf(8), and not mixing and
matching. There are sometimes reasons to run ipf(8) and ipfw(8) at the
same time, but when you need to proxy FTP, there is too much room for
confusion and weird interactions.

> The problem now is that whenever I connect to my
> ftp servers from the outside, the server is unable to set up a
> data connection, because it wants to connect on a port > 1024, which
> is blocked by my firewall (and I want to leave it that way).
> Natd does the following:
> natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21
> which redirects the traffic to my public ftp server.
>
> As I see it there can be 2 problems with this setup:
> 1) The server wants to initiate the data connection at a port > 1024 and/or
> 2) The server still somehow reports 192.168.0.5 as its address to the clients.
>
> I have tried to connect with the option passive off, which I thought
> should force the server to stay on port 21 for the data connection, but
> it didn't work. :(

OK, one more time on how FTP generally works. Everyone knows the client
connects to the server on port 21. That's easy. Now as for the data
connection, there are two modes, PORT (active) and PASV (passive). In
PORT, the client tells the server what port it will be listening on and
the _server_ then (usually) connects to the _client_ with a source port
of 20 and the arbitrary high port ("ephemeral") the client gave the
server as the destination. In PASV, the server tells the client what
port it will be listening on, usually an arbitrary high, ephemeral
port, and the client then connects with an ephemeral port source to the
ephemeral destination. And we should point out that in both modes the
server and client are passing not only the port number back and forth,
but actually the IP address to connect to as well.

So, the moral of the story is that FTP is an absolute bitch to work
with if you have a firewall or NAT'ing gateway between the client and
server. You need an application layer proxy for the connection.
Redirection alone will not cut it.

> Can/will somebody help on getting this done the proper way?
> I just want to use ipfilter, if possible, and I don't like to install
> an ftp proxy for this.

Oops. You are really using ipf(8). IPFilter has an FTP proxy built-in.
However, use ipnat(8) and not natd(8) with ipf(8).
--
Crist J. Clark                                cjclark@alum.mit.edu
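Crist's point that the IP address travels inside the protocol is what defeats plain port redirection. As an added example (not code from this thread or from IPFilter's ftp proxy), the parser below pulls the address and port out of a PASV reply or a PORT command, and the rewrite routine does the one thing a port redirect cannot: substitute the gateway's public address for the server's private one. The server address 192.168.0.5 is the one from the thread; 203.0.113.10 and the ephemeral port are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdint.h>

/* An IPv4 address and port carried inside the FTP control channel itself: the
 * "h1,h2,h3,h4,p1,p2" of a PORT command (client tells the server where to
 * connect) or of the 227 reply to PASV (server tells the client), RFC 959. */
struct ftp_endpoint {
    unsigned char ip[4];
    uint16_t port;
};

/* Parse "h1,h2,h3,h4,p1,p2" at s: six decimal values 0..255, followed only by
 * ')' or end of line. Returns 1 on success, 0 on anything malformed. */
static int parse_hostport(const char *s, struct ftp_endpoint *ep)
{
    unsigned v[6];
    char tail = '\0';
    int n = sscanf(s, "%u,%u,%u,%u,%u,%u%c",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail);
    if (n < 6) return 0;
    if (n == 7 && tail != ')' && tail != '\r' && tail != '\n') return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255) return 0;
    for (int i = 0; i < 4; i++)
        ep->ip[i] = (unsigned char)v[i];
    ep->port = (uint16_t)(v[4] * 256 + v[5]);
    return 1;
}

/* "227 Entering Passive Mode (192,168,0,5,192,160)." -> endpoint. */
int parse_pasv_reply(const char *line, struct ftp_endpoint *ep)
{
    const char *open;
    if (strncmp(line, "227", 3) != 0) return 0;
    open = strchr(line, '(');
    return open != NULL && parse_hostport(open + 1, ep);
}

/* "PORT 10,1,2,3,4,1" -> endpoint; the client-side twin of the PASV reply. */
int parse_port_cmd(const char *line, struct ftp_endpoint *ep)
{
    if (strncasecmp(line, "PORT ", 5) != 0) return 0;
    return parse_hostport(line + 5, ep);
}

/* RFC 1918 space: an address nobody on the outside can connect back to. */
int is_private_ipv4(const unsigned char ip[4])
{
    return ip[0] == 10
        || (ip[0] == 172 && (ip[1] & 0xf0) == 16)
        || (ip[0] == 192 && ip[1] == 168);
}

/* The part of an FTP proxy's job that plain port redirection cannot do: keep
 * the server's ephemeral data port (the gateway must also redirect that port
 * inward) but advertise the gateway's public address in place of the private
 * one. Writes the new reply to out and returns its length; returns 0 when the
 * advertised address is already public (nothing to do) and -1 on a bad reply. */
int proxy_rewrite_pasv(const char *reply, const unsigned char pub[4],
                       char *out, size_t outlen)
{
    struct ftp_endpoint ep;
    int n;
    if (!parse_pasv_reply(reply, &ep)) return -1;
    if (!is_private_ipv4(ep.ip)) return 0;
    n = snprintf(out, outlen, "227 Entering Passive Mode (%u,%u,%u,%u,%u,%u).\r\n",
                 (unsigned)pub[0], (unsigned)pub[1], (unsigned)pub[2], (unsigned)pub[3],
                 (unsigned)(ep.port >> 8), (unsigned)(ep.port & 0xff));
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed exchange: the ftp server sits on 192.168.0.5 as in the thread;
     * 203.0.113.10 is a documentation address standing in for the public side. */
    const char *from_server = "227 Entering Passive Mode (192,168,0,5,192,160).\r\n";
    const unsigned char public_ip[4] = {203, 0, 113, 10};
    struct ftp_endpoint ep;
    char to_client[80];

    if (parse_pasv_reply(from_server, &ep))
        printf("server advertises %u.%u.%u.%u port %u (%s address)\n",
               (unsigned)ep.ip[0], (unsigned)ep.ip[1], (unsigned)ep.ip[2],
               (unsigned)ep.ip[3], (unsigned)ep.port,
               is_private_ipv4(ep.ip) ? "private" : "public");
    if (proxy_rewrite_pasv(from_server, public_ip, to_client, sizeof to_client) > 0)
        printf("proxy sends       %s", to_client);
    return 0;
}
```

The same rewrite is needed in the other direction for a PORT command from a client that sits behind NAT, which is why the proxy has to watch both sides of the control channel.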
From owner-freebsd-security Sat Jul  7 11:52:17 2001
From: Michael Nottebrock
Date: Sat, 7 Jul 2001 20:52:12 +0200 (MEST)
To: freebsd-security@freebsd.org
Subject: IPSEC & TCP sequence number generation
Message-ID: <1199.994531932@www25.gmx.net>

I recently recompiled my FreeBSD 4.3-STABLE kernel with

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

in order to experiment with an IPSEC-VPN.

When I scanned myself from a few remote machines today, I noticed that
nmap -O reports a tcp sequence prediction class "trivial time dependency",
difficulty=0 (trivial joke); before enabling IPSEC it used to be all 9's.
Has anyone else experienced this? Have I overlooked something or is this
normal behaviour?

Greetings,

Michael Nottebrock

From owner-freebsd-security Sat Jul  7 12:13:43 2001
From: "Jon O ."
Date: Sat, 7 Jul 2001 12:13:34 -0700
To: Michael Nottebrock
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC & TCP sequence number generation
Message-ID: <20010707121334.A85498@networkcommand.com>
References: <1199.994531932@www25.gmx.net>
In-Reply-To: <1199.994531932@www25.gmx.net>; from MichaelNottebrock@gmx.net on Sat, Jul 07, 2001 at 08:52:12PM +0200

This is very interesting, but let's make sure the test environment is
not providing this type of result.

I tested this with:

nmap -sT -O -v -v

Can you provide the full nmap args you are using?

The machine I nmap'ed has IPSEC turned on and running. It gave me all 9's.

Now, I'm thinking lots of these home DSL/Cable modem gateways use
pathetic tcp sequence algorithms. Could it be the nmap you used got data
from this device instead of your FreeBSD box? Are you using an Alcatel
DSL modem or something similar that runs in *Bridge* mode?

Thanks,
Jon

On 07-Jul-2001, Michael Nottebrock wrote:
> I recently recompiled my FreeBSD 4.3-STABLE kernel with
>
> options IPSEC
> options IPSEC_ESP
> options IPSEC_DEBUG
>
> in order to experiment with an IPSEC-VPN.
>
> When I scanned myself from a few remote machines today, I noticed that
> nmap -O reports a tcp sequence prediction class "trivial time dependency",
> difficulty=0 (trivial joke), before enabling IPSEC it used to be all 9's.
> Has anyone else experienced this? Have I overlooked something or is this
> normal behaviour?
>
>
> Greetings,
>
> Michael Nottebrock

From owner-freebsd-security Sat Jul  7 12:56:49 2001
From: Michael Nottebrock
Date: Sat, 7 Jul 2001 21:56:44 +0200 (MEST)
To: freebsd-security@freebsd.org
Subject: Re: IPSEC & TCP sequence number generation
Message-ID: <9805.994535804@www34.gmx.net>

Oh dear. Never forget to turn verbosity on, like they always say.
Obviously, nmap likes to use the _first_ open port to do the
fingerprinting. In my case, that port is being redirected to a windows
box. Closed the port, got my usual all 9's back.

Maybe here's some other way to do a little statistics-forgery, northern_? ;)

Sorry for that un', folks, and also sorry for that CRAP my free webmail
provider I'm temporarily stuck with is going to append to this message.

Greetings,

Michael Nottebrock

From owner-freebsd-security Sat Jul  7 14:50:53 2001
From: "John Shelton"
Date: Sat, 7 Jul 2001 16:50:02 -0500
Subject: sendmail
Message-ID: <75F330F302C37E44AA23DDB66F85CF1304072F@asp-be1.staff.onr.com>

ahoy.

I'd rather not run sendmail just yet. Where do I do what to the thing
with the whatsit so that the sendmail daemon doesn't start during normal
boot?

thanks.
~john

From owner-freebsd-security Sat Jul  7 14:55:03 2001
From: mcbrune
Date: Sat, 7 Jul 2001 16:47:59 -0500 (CDT)
To: John Shelton
Cc: security@FreeBSD.ORG
Subject: Re: sendmail
Message-Id: <200107072147.f67Llxs00812@home.com>
In-Reply-To: <75F330F302C37E44AA23DDB66F85CF1304072F@asp-be1.staff.onr.com>

Edit /etc/rc.conf. Add the line

sendmail_enable="NO"

Corey

> ahoy.
> I'd rather not run sendmail just yet. Where do I do what to the thing
> with the whatsit so that the sendmail daemon doesn't start during normal
> boot?
>
> thanks.
> ~john

From owner-freebsd-security Sat Jul  7 15:20:22 2001
From: Igor Roshchin
Date: Sat, 7 Jul 2001 18:20:19 -0400 (EDT)
To: security@freebsd.org
Subject: wtmp corrupted - ?
Message-Id: <200107072220.f67MKJ613641@giganda.komkon.org>

Hello!

I've just found that my wtmp file is corrupted.
(See the output of last(1) below.)
Is this a bug or is it a sign of somebody trying to clear his trace?
(This is on 4.3-RELEASE).

Are there any tools around which allow one to easily read a corrupted wtmp?

thanks,

Igor

50.85 200.191. 3408 Wed Dec 31 19:00 still logged in
50.85 200.191. 3378 Wed Dec 31 19:00 still logged in
5.134 63.29.16 3378ftp Wed Dec 31 19:00 still logged in
.112 38.16.82 3359str Wed Dec 31 19:00 still logged in
56.169 212.57.1 3313 Wed Dec 31 19:00 still logged in
56.169 212.57.1 3313ftp Wed Dec 31 19:00 still logged in
176.69 211.133. 3058 Wed Dec 31 19:00 still logged in
8.215 213.44.5 3058ftp Wed Dec 31 19:00 still logged in
7.228 202.225. 3042 Wed Dec 31 19:00 still logged in
8.215 213.44.5 3042ftp Wed Dec 31 19:00 still logged in
8.215 213.44.5 3005 Wed Dec 31 19:00 still logged in
98.203 217.80.1 2976 Wed Dec 31 19:00 still logged in
8.215 213.44.5 2974 Wed Dec 31 19:00 still logged in
98.203 217.80.1 2976ftp Wed Dec 31 19:00 still logged in
148.201 200.236. 2974ftp Wed Dec 31 19:00 still logged in

From owner-freebsd-security Sat Jul  7 15:32:47 2001
From: "Karsten W. Rohrbach"
Date: Sun, 8 Jul 2001 00:32:57 +0200
To: mcbrune
Cc: John Shelton, security@FreeBSD.ORG
Subject: Re: sendmail
Message-ID: <20010708003257.A240@mail.webmonster.de>
References: <75F330F302C37E44AA23DDB66F85CF1304072F@asp-be1.staff.onr.com> <200107072147.f67Llxs00812@home.com>
In-Reply-To: <200107072147.f67Llxs00812@home.com>; from mcbrune@home.com on Sat, Jul 07, 2001 at 04:47:59PM -0500

mcbrune(mcbrune@home.com)@2001.07.07 16:47:59 +0000:
> Edit /etc/rc.conf. Add the line
> sendmail_enable="NO"

this should be the default for the release.

/k

>
> Corey
>
>
> > ahoy.
> > I'd rather not run sendmail just yet. Where do I do what to the thing
> > with the whatsit so that the sendmail daemon doesn't start during normal
> > boot?
> >
> > thanks.
> > ~john
> >
> >
>

--
> It's not that perl programmers are idiots, it's that the language rewards
> idiotic behavior in a way that no other language or tool has ever done.
> --Erik Naggum
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Sat Jul  7 15:55:45 2001
From: Igor Roshchin
Date: Sat, 7 Jul 2001 18:55:40 -0400 (EDT)
To: security@FreeBSD.ORG, str@giganda.komkon.org
Subject: Re: wtmp corrupted - ?
Message-Id: <200107072255.f67MteA15656@giganda.komkon.org>
In-Reply-To: <200107072220.f67MKJ613641@giganda.komkon.org>

Sorry, I just discovered that it happened due to the disk partition
being filled up at some point, and wtmp became corrupted.

This brings another thought: it might be a good feature if login(1)
would be able to determine the disk space shortage, make a note of that
in wtmp, and stop logging until the disk space becomes available (pretty
much the way syslogd(8) handles such a situation).

Regards,

Igor

I wrote earlier:
> Date: Sat, 7 Jul 2001 18:20:19 -0400 (EDT)
> From: Igor Roshchin
> To: security@FreeBSD.ORG
> Subject: wtmp corrupted - ?
>
>
> Hello!
>
> I've just found that my wtmp file is corrupted.
> (See the output of last(1) below.)
> Is this a bug or is it a sign of somebody trying to clear his trace?
> (This is on 4.3-RELEASE).
>
> Are there any tools around which allow one to easily read a corrupted wtmp?
>
> thanks,
>
> Igor
>
> 50.85 200.191. 3408 Wed Dec 31 19:00 still logged in
> 50.85 200.191. 3378 Wed Dec 31 19:00 still logged in
> 5.134 63.29.16 3378ftp Wed Dec 31 19:00 still logged in
> .112 38.16.82 3359str Wed Dec 31 19:00 still logged in
> 56.169 212.57.1 3313 Wed Dec 31 19:00 still logged in
> 56.169 212.57.1 3313ftp Wed Dec 31 19:00 still logged in
> 176.69 211.133. 3058 Wed Dec 31 19:00 still logged in
> 8.215 213.44.5 3058ftp Wed Dec 31 19:00 still logged in
> 7.228 202.225. 3042 Wed Dec 31 19:00 still logged in
> 8.215 213.44.5 3042ftp Wed Dec 31 19:00 still logged in
> 8.215 213.44.5 3005 Wed Dec 31 19:00 still logged in
> 98.203 217.80.1 2976 Wed Dec 31 19:00 still logged in
> 8.215 213.44.5 2974 Wed Dec 31 19:00 still logged in
> 98.203 217.80.1 2976ftp Wed Dec 31 19:00 still logged in
> 148.201 200.236. 2974ftp Wed Dec 31 19:00 still logged in
>
> Are there any tools around which allow to easily read a corrupted wtmp ?

I had this problem on a Solaris box. A poorly written app would not log
people off properly and eventually consume all ttys. People could then not
log in. The admin of the box discovered that if she,

  # cp /dev/null /var/adm/wtmp

it would "fix" the problem, and people could get in. *Grrr*

Anyway I ended up with some damaged files. I built a quick C program to read
the file and then just used head(1) and tail(1) to recover what was
recoverable. The contents of a wtmp file are simple and defined in wtmp(5)
(just cut and paste). It would also be pretty easy to write a Perl script to
do it.

Sorry, I don't have the little program with me at the moment.
--
Crist J. Clark
cjclark@alum.mit.edu


From owner-freebsd-security Sat Jul 7 22: 9:35 2001
Received: from a.mx.clublinux.org (h216-170-019-162.adsl.navix.net [216.170.19.162]) by hub.freebsd.org (Postfix) with SMTP id 20D4837B403 for ; Sat, 7 Jul 2001 22:09:32 -0700 (PDT) (envelope-from steve@clublinux.org)
Received: (qmail 6194 invoked from network); 8 Jul 2001 04:08:03 -0000
Received: from unknown (HELO clublinux.org) (192.168.33.33) by mail.internal with SMTP; 8 Jul 2001 04:08:03 -0000
Message-ID: <3B47EC3A.2734754F@clublinux.org>
Date: Sun, 08 Jul 2001 00:14:34 -0500
From: steve
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.6 i686)
To: freebsd-security@freebsd.org
Subject: IPFilter/IPNat and rdr

Hi,

First off, I'm quite new to FreeBSD and I hope I chose the correct list to
mail to.
In order to help teach myself FreeBSD, I'm recreating my home firewall using
FreeBSD (ipfilter/ipnat) instead of Linux (ipchains). I'm using the 4.3
RELEASE of FreeBSD.

I have a web server behind the firewall that I want to allow people to
access from the outside. After reading the IPFilter How-To, this seems
fairly easy:

ipnat.rules
-----------
rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80

ipfilter.rules
--------------
pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags

However, because NAT occurs before the filtering, I can no longer have a
rule to prevent packets from the outside that contain a destination IP on
my internal network from passing through my firewall and entering my
internal network like this:

block in quick on ep0 from any to 192.168.0.0/16

I realize that packets with a source or destination of 192.168.0.0/16
should be dropped by routers on the internet, but I know this doesn't
always happen as our firewall at work has recorded such packets in the
past.

Am I misunderstanding how IPFilter/IPNat work together correctly? If so, is
there a way around this problem? If not, would the following provide the
protection I'm looking for while still allowing people to access my web
server from the outside?

pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags
block in quick on ep0 from any to 192.168.0.0/16

This would prevent any packet from the outside with a destination address
of my internal network from passing through the firewall unless it was
specifically going to port 80 on my web server right?

Please CC me on any replies as I'm not currently subscribed to the list.

Thanks in advance,
Steve
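The "wtmp corrupted" exchange above describes exactly the recovery Crist outlines: read the raw wtmp(5) records, find where the stream stopped lining up, and keep what is recoverable on either side. The program below is an added example, not code from the thread or from FreeBSD; it assumes the FreeBSD 4.x record layout (8-byte line, 16-byte name, 16-byte host, 32-bit time) and, as its sanity rule, that login(1) zero-fills a record and strncpy()s each field, so a well-formed field is printable text followed only by NULs. The sample wtmp stream is constructed inline: a record cut off after 20 bytes, as happens when the filesystem fills mid-write, shifts every later record, and the shifted time field lands on padding bytes, which is why the quoted last(1) output shows "Wed Dec 31 19:00" (the epoch, in the poster's Eastern time zone) on every line. The function and variable names are this example's own.

```c
/* wtmp_recover.c: sanity-check a classic BSD wtmp(5) stream and recover the
 * records on both sides of a corrupt region. Added example (not from the
 * thread); assumes the FreeBSD 4.x record layout. Later releases use utmpx. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define UT_LINESIZE 8
#define UT_NAMESIZE 16
#define UT_HOSTSIZE 16
#define NOT_FOUND ((size_t)-1)

struct bsd_utmp {
    char    ut_line[UT_LINESIZE];
    char    ut_name[UT_NAMESIZE];
    char    ut_host[UT_HOSTSIZE];
    int32_t ut_time;            /* seconds since the epoch, host byte order */
};
#define REC sizeof(struct bsd_utmp)   /* 44 bytes, no padding */

/* Assumption: login(1) zeroes the record and strncpy()s each field, so a sane
 * field is printable bytes up to the first NUL and nothing but NULs after it. */
static int field_ok(const char *f, size_t n)
{
    size_t i = 0;
    for (; i < n && f[i] != '\0'; i++)
        if (!isprint((unsigned char)f[i]))
            return 0;
    for (; i < n; i++)
        if (f[i] != '\0')
            return 0;
    return 1;
}

/* ut_time == 0 is the tell-tale of a shifted record: last(1) then prints the
 * epoch, "Wed Dec 31 19:00" in US Eastern time, as in the quoted output. */
static int record_ok(const struct bsd_utmp *u)
{
    return field_ok(u->ut_line, UT_LINESIZE) && field_ok(u->ut_name, UT_NAMESIZE)
        && field_ok(u->ut_host, UT_HOSTSIZE) && u->ut_time > 0;
}

/* Number of consecutive sane records starting at byte offset off. */
size_t sane_run(const unsigned char *buf, size_t len, size_t off)
{
    struct bsd_utmp u;
    size_t n = 0;
    for (; off + REC <= len; off += REC, n++) {
        memcpy(&u, buf + off, REC);
        if (!record_ok(&u))
            break;
    }
    return n;
}

/* Smallest byte offset >= from at which min_run sane records follow each
 * other (the "where does it line up again" step), or NOT_FOUND. */
size_t find_resync(const unsigned char *buf, size_t len, size_t from, size_t min_run)
{
    for (size_t off = from; off + REC <= len; off++)
        if (sane_run(buf, len, off) >= min_run)
            return off;
    return NOT_FOUND;
}

/* Copy every sane record into out, skipping corrupt regions; returns count. */
size_t recover_records(const unsigned char *buf, size_t len,
                       struct bsd_utmp *out, size_t max)
{
    size_t off = 0, count = 0;
    while (off + REC <= len) {
        size_t n = sane_run(buf, len, off);
        for (size_t i = 0; i < n; i++, off += REC) {
            if (count == max)
                return count;
            memcpy(&out[count++], buf + off, REC);
        }
        if (off + REC > len)             /* clean end, or a trailing short write */
            break;
        size_t r = find_resync(buf, len, off + 1, 2);
        if (r == NOT_FOUND)
            break;
        off = r;
    }
    return count;
}

/* Helper for the constructed sample: append one well-formed record. */
static size_t put_record(unsigned char *dst, const char *line, const char *name,
                         const char *host, int32_t t)
{
    struct bsd_utmp u;
    memset(&u, 0, REC);
    strncpy(u.ut_line, line, UT_LINESIZE);
    strncpy(u.ut_name, name, UT_NAMESIZE);
    strncpy(u.ut_host, host, UT_HOSTSIZE);
    u.ut_time = t;
    memcpy(dst, &u, REC);
    return REC;
}

/* Constructed sample (not real data): two logins, a record cut off after 20
 * bytes as when the filesystem fills mid-write, then three more logins. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    unsigned char tmp[REC];
    size_t off = 0;
    if (cap < 5 * REC + 20)
        return 0;
    off += put_record(buf + off, "ttyp0", "alice", "h1.example", 994500000);
    off += put_record(buf + off, "ttyp1", "bob",   "h2.example", 994500060);
    put_record(tmp, "ttyp2", "carol", "h3.example", 994500120);
    memcpy(buf + off, tmp, 20);          /* short write: 20 of 44 bytes landed */
    off += 20;
    off += put_record(buf + off, "ttyp3", "dave",  "h4.example", 994500180);
    off += put_record(buf + off, "ttyp4", "erin",  "h5.example", 994500240);
    off += put_record(buf + off, "ttyp5", "frank", "h6.example", 994500300);
    return off;
}

int main(void)
{
    unsigned char buf[512];
    struct bsd_utmp out[16];
    size_t len = build_sample(buf, sizeof buf);
    printf("%zu bytes, %zu leading sane records, %zu trailing bytes\n",
           len, sane_run(buf, len, 0), len % REC);
    size_t n = recover_records(buf, len, out, 16);
    for (size_t i = 0; i < n; i++) {
        time_t t = out[i].ut_time;
        printf("%-8.8s %-16.16s %-16.16s %s", out[i].ut_line, out[i].ut_name,
               out[i].ut_host, ctime(&t));
    }
    return 0;
}
```

On the constructed stream the leading run is two records, the shifted third record fails (its time field is zero), resync finds the next boundary 20 bytes on, and five of the six logins come back; the truncated one is gone for good, which is the case Igor's suggestion (have login(1) notice the full filesystem and stop writing cleanly) would avoid. To use this on a real 4.x file, replace build_sample() with a read of /var/log/wtmp; a file whose length is not a multiple of 44 has a trailing short write, and a run of zero-time entries in last(1) is the symptom to look for.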