From: David Kelly
To: "Jason Halbert"
Cc: questions@FreeBSD.ORG
Subject: Re: Security Problem
Date: Tue, 02 Jan 2001 21:33:56 -0600
Message-Id: <200101030333.f033Xup03770@grumpy.dyndns.org>
In-reply-to: Message from "Jason Halbert" of "Tue, 02 Jan 2001 19:21:44 CST."

"Jason Halbert" writes:
> Is there a way to block an entire host (e.g. *.gtei.net) or a block of
> IPs (e.g. 4.33.*)? Or is there a way to say that only a certain
> domain or block of IPs can access my system?

See ipfw(8), and the examples in /etc/rc.firewall. You can block an
address, or a range of addresses, but you can't block by symbolic domain
name.

> Also, is there a way to block the use of "adduser" or "vipw" or even
> looking at /etc/master.passwd without being the specific user "root"?
> Whereas you must be root and not "su" or any other user to see and/or
> use those commands.
>
> I hope that makes sense.

Sort of. Read the man page for su, specifically the difference between
the -m and -l versions. FreeBSD's default shell alias for su is "su -m".
If a user is able to su to root, then that user is able to do a full
login as root, where both user-id and effective-user-id are root.

If you are having problems as you seem to be suggesting, then it's likely
you have been root-kitted and nothing on your machine can be trusted.
I'm saying it's not just the su utility which is a problem. It's time for
a backup, wipe, and re-install from known clean media such as the WC
distribution CDROM. Then audit everything which goes back on the system
from the backup tape. Don't restore anything root would use; use only new
clean copies. Later you can compare the old and new files to determine
the extent of the problem. Tripwire (/usr/ports/security/tripwire*) and
mtree (/usr/sbin/mtree) are helpful in such situations, but only if
applied before the event, not after.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
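The pre-event baseline David Kelly recommends via mtree and Tripwire, as an added example in Python rather than either tool (not code from the thread or from FreeBSD): it records a hash-and-metadata spec of a tree while the host is still trusted, then reports added, removed and modified files afterwards. The sbin/su and etc/master.passwd paths and their contents are constructed for the demonstration.

```python
"""Pre-event integrity baseline in the spirit of mtree(8)/Tripwire (added example,
not code from this thread or either tool; all paths and contents are constructed)."""
import hashlib
import stat
import tempfile
from pathlib import Path


def build_baseline(root: str) -> dict:
    """Walk root and record mode, size and SHA-256 for every regular file."""
    base = Path(root)
    spec = {}
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        st = path.stat()
        spec[str(path.relative_to(base))] = {
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return spec


def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified relative to the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for d in ("sbin", "etc"):
            (base / d).mkdir()
        (base / "sbin" / "su").write_bytes(b"original su binary")
        (base / "etc" / "master.passwd").write_bytes(b"root:*:0:0::0:0:root:/root:/bin/csh\n")
        baseline = build_baseline(tmp)  # taken BEFORE anything goes wrong; store it off-host
        (base / "sbin" / "su").write_bytes(b"replaced su binary")  # modified
        (base / "etc" / "master.passwd").unlink()  # removed
        (base / "sbin" / "ps").write_bytes(b"file that was never there")  # added
        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    print(demo())
```

The spec taken after the fact only tells you what the system looks like now, which is the point of the post: without the earlier copy there is nothing to diff against.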