From owner-freebsd-security Sun Jul 26 03:28:18 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA06010 for freebsd-security-outgoing; Sun, 26 Jul 1998 03:28:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA05916 for ; Sun, 26 Jul 1998 03:26:48 -0700 (PDT) (envelope-from ncb05@uow.edu.au)
Received: from banshee.cs.uow.edu.au (ncb05@banshee.cs.uow.edu.au [130.130.188.1]) by wumpus.its.uow.edu.au (8.9.1/8.9.1) with SMTP id UAA04109 for ; Sun, 26 Jul 1998 20:25:49 +1000 (EST)
Date: Sun, 26 Jul 1998 20:25:48 +1000 (EST)
From: Nicholas Charles Brawn <ncb05@uow.edu.au>
To: freebsd-security@FreeBSD.ORG
Subject: preventing fork bombs
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

How can someone limit/prevent fork bomb attacks on your system? I
recently tried one on myself after modifying kern.maxprocperuid (thinking
that should prevent it), and got my machine up to a load of over 150
before I killed it.

The simple code used was:

#include <unistd.h>

int
main(void)
{
	/* every process, parent and child alike, forks without end */
	while (1) {
		fork();
	}
}

The above effectively froze my system. :\

Anyone got any ideas?

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Jul 26 04:11:09 1998
Message-ID: <003a01bdb883$a5a19aa0$8f68cfc2@kronus>
From: "Jay Tribick" <netadmin@fastnet.co.uk>
To: "Nicholas Charles Brawn"
Subject: Re: preventing fork bombs
Date: Sun, 26 Jul 1998 11:49:10 +0100

|How can someone limit/prevent fork bomb attacks on your system. I
|recently tried one on myself after modifying kern.maxprocperuid (thinking
|that should prevent it), and got my machine up to a load of over 150
|before I killed it.
|
|The above effectively froze my system. :\

I was wondering this, and after a few hours found the solution: in
/etc/login.conf, nice your shell account users down to 20 and make their
maxprocess 32. This will successfully lock them out of the system but will
not affect any other users.

Regards,

Jay Tribick | Network Administrator | FastNet International

From owner-freebsd-security Sun Jul 26 04:48:00 1998
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199807261142.MAA00491@indigo.ie>
Date: Sun, 26 Jul 1998 12:42:36 +0000
Reply-To: rotel@indigo.ie
To: Nicholas Charles Brawn, freebsd-security@FreeBSD.ORG
Subject: Re: preventing fork bombs

On Jul 26, 8:25pm, Nicholas Charles Brawn wrote:
} Subject: preventing fork bombs
> The simple code used was:
>
> #include <unistd.h>
>
> main(void) {
>     while(1) {
>         fork();
>     }
> }
>
> The above effectively froze my system. :\

As has been previously observed, the system call frequency is so high
that this is still an effective DOS. The solution is some kind of system
call rate limiting.

Niall
--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Sun Jul 26 06:32:25 1998
Date: Sun, 26 Jul 1998 23:31:52 +1000
From: Bruce Evans <bde@godzilla.zeta.org.au>
Message-Id: <199807261331.XAA28114@godzilla.zeta.org.au>
To: freebsd-security@FreeBSD.ORG, ncb05@uow.edu.au, rotel@indigo.ie
Subject: Re: preventing fork bombs

>> #include <unistd.h>
>>
>> main(void) {
>>     while(1) {
>>         fork();
>>     }
>> }
>>
>> The above effectively froze my system. :\
>
>As has been previously observed the system call frequency is so
>high that this is still an effective DOS. The solution is some
>kind of system call rate limiting.

This has nothing to do with system calls. It has to do with there being
lots of CPU hog processes.

#include <err.h>
#include <unistd.h>

int
main(void)
{
	int nproc;

	nproc = 1;
	for (;;) {
		switch (fork()) {
		case -1:
			/* fork() failed (the process limit was reached): report
			 * how many spinning processes exist, then spin as well */
			warnx("created %d looping processes", nproc);
			for (;;)
				;
		case 0:
			/* child: never forks, just burns CPU forever */
			for (;;)
				;
		default:
			/* parent: count the child and fork again */
			nproc++;
			break;
		}
	}
}

Bruce

From owner-freebsd-security Sun Jul 26 14:03:33 1998
Date: Sun, 26 Jul 1998 17:03:59 -0400 (EDT)
From: Open Systems Networking
To: freebsd-security@FreeBSD.ORG
Subject: pidentd problem

I just noticed today that my identd was not working, and I can't figure
out why. All the local tests seem to work fine.

netstat -n |grep ESTAB | ./itest
opsys 206.252.171.15 1914 209.69.36.227 119
opsys 206.252.171.15 1022 207.153.65.3 22
opsys 206.252.171.15 1061 206.165.111.241 6667

[opsys@pinkfloyd 07-26-1998 3:45pm] ~>telnet localhost 113
Trying 127.0.0.1...
Connected to localhost.hit.net.
Escape character is '^]'.
1921 , 113
1921 , 113 : USERID : UNIX :opsys
Connection closed by foreign host.

But for some reason non-local lookups, for instance from irc, fail with
NO-USER. And the telnet test to liu.se fails as well.

Connecting to Ident server at 206.252.171.15...
Querying for lport 49176, fport 114....
Reading response data...
Error response is:
Lport........ 49176
Fport........ 114
Error........ NO-USER
Connection closed by foreign host.

Something has obviously changed; I just don't know what. Any ideas?

Chris

--
"You both seem to be ignoring the fact that the networking market is
driven by so-called 'IT professionals' these days, most of whom can't
tell the difference between an ARP and a carp." -Wes Peters
===================================|
Open Systems Networking And Consulting.
FreeBSD 2.2.7 is available now!    | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting-Network Engineering-Security
===================================| http://open-systems.net

From owner-freebsd-security Sun Jul 26 14:38:39 1998
Date: Sun, 26 Jul 1998 14:37:59 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: Nicholas Charles Brawn
cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing fork bombs

n1ck .. man 5 login.conf? Don't know if it will help though.

Ohh.. and stop wasting so much space for yer C code:

echo "main(){while(1){fork();}}">foo.c;gcc foo.c;rm foo.c;./a.out

Much more compact, eh? :)

Now. Here is something interesting. I tried this on my IPC with 16MB of
RAM running OpenBSD. It didn't crash, but simply said:

rome:usr {87} w
No more processes.
rome:usr {88} uptime
No more processes.

The interesting part is that the user running ./a.out would get "No more
processes" - root AND other users (not the same user that ran ./a.out
though) were still able to do everything just fine (but freaking slow at
first):

rome:usr {85} id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
rome:etc {99} uptime
 2:16PM up 12:50, 2 users, load averages: 78.44, 63.11, 34.65
rome:load {5} id
uid=1001(load) gid=1001(load) groups=1001(load)
rome:load {6} uptime
 2:33PM up 13:08, 3 users, load averages: 78.67, 65.73, 54.17
rome:etc {120} ps ax | grep a.out | wc -l
79

Load stays around 78 and root and others can do whatever they want.

I could telnet to the system just fine also. I guess now I'll have to
figure out what exactly makes this possible and whether FreeBSD could do
the same. (didn't see anything in sysctl and there is no /etc/login.conf
either).

-- Yan

Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

From owner-freebsd-security Sun Jul 26 15:31:35 1998
Date: Sun, 26 Jul 1998 15:38:01 -0700 (PDT)
From: Liam Slusser
To: "Jan B. Koum"
cc: Nicholas Charles Brawn, freebsd-security@FreeBSD.ORG
Subject: Re: preventing fork bombs

i tried that on my system,

orbital# 3:11PM up 45 days, 1:12, 3 users, load averages: 511.89, 384.91, 198.55
orbital#

notice..511..not bad for a pentium 133 ;) though if you run it at a nice
+15, it just jumps the load avg...and other users hardly notice..;) (that
511 was a nice +15)

liam

From owner-freebsd-security Sun Jul 26 17:29:52 1998
Date: Sun, 26 Jul 1998 20:29:02 -0500 (EST)
From: Alfred Perlstein
To: Nicholas Charles Brawn
cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing fork bombs

man login.conf; set limits there for login classes.

-Alfred

From owner-freebsd-security Sun Jul 26 19:43:13 1998
Date: Mon, 27 Jul 1998 02:39:35 +0000 (Local time zone must be set--see zic manual page)
From: Enkhyl <enkhyl@hayseed.net>
To: "Jan B. Koum"
cc: Nicholas Charles Brawn, freebsd-security@FreeBSD.ORG
Subject: Re: preventing fork bombs

On Sun, 26 Jul 1998, Jan B. Koum wrote:

> Ohh.. and stop wasting so much space for yer C code:
> echo "main(){while(1){fork();}}">foo.c;gcc foo.c;rm foo.c;./a.out
> Much more compact, eh? :)

Compact, yes. Readable, no. There's something to be said for
self-documenting, readable code... :-)

--
Christopher Nielsen
Scient: The Art and Science of Electronic Business
cnielsen@scient.com
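The login-class fix that Jay Tribick and Alfred Perlstein point to, written out as an added example (not code from the thread): a login.conf(5) stanza carrying the thread's numbers (maxproc 32, nice 20), a small POSIX sh parser to confirm what the class resolves to before the database is rebuilt, and the commands that install it. The class name "shell" and the user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: confine shell users with a login class.
# Jay Tribick's numbers: maxproc 32, nice them down to 20. A per-uid process
# cap alone only stops further fork() calls; as Bruce Evans's program shows,
# the processes already created stay CPU hogs, so the nice value is what keeps
# other users responsive (compare Liam Slusser's run at nice +15).
# Class name "shell" and the user name passed to install_class are assumed.

# Stanza to append to /etc/login.conf (login.conf(5) capability syntax).
SHELL_CLASS='shell:\
        :maxproc=32:\
        :priority=20:\
        :tc=default:'

# cap_value STANZA KEY: print KEY's value from a login.conf-style stanza and
# return 1 if the key is absent. Joins the backslash-continued lines, splits
# the record on ':' and picks out the key=value field.
cap_value() {
    printf '%s\n' "$1" | tr -d '\\\n' | tr ':' '\n' |
        awk -F= -v key="$2" '$1 == key { print $2; found = 1 }
                             END { if (found) exit 0; exit 1 }'
}

# class_ok STANZA: true when both limits recommended in the thread are set.
class_ok() {
    [ "$(cap_value "$1" maxproc)" = 32 ] && [ "$(cap_value "$1" priority)" = 20 ]
}

# install_class USER: append the class once, rebuild login.conf.db and move
# USER into the class. Needs root on FreeBSD; nothing here calls it for you.
install_class() {
    class_ok "$SHELL_CLASS" || { echo "stanza is missing a limit" >&2; return 1; }
    grep -q '^shell:' /etc/login.conf || printf '%s\n' "$SHELL_CLASS" >> /etc/login.conf
    cap_mkdb /etc/login.conf          # rebuild the capability database
    pw usermod "$1" -L shell          # assign the login class to USER
    # At the user's next login: ulimit -u prints 32 and the shell runs at nice 20.
}

# Show the stanza and the limit it resolves to.
printf '%s\n' "$SHELL_CLASS"
cap_value "$SHELL_CLASS" maxproc
```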
From owner-freebsd-security Mon Jul 27 00:17:00 1998
Date: Mon, 27 Jul 1998 00:16:38 -0700 (PDT)
From: Jesse
To: freebsd-security@FreeBSD.ORG
Subject: ipfw rules to allow DNS activity

Hi,

I'm thinking of changing one of my boxes which is running bind (performing
primary secondary DNS functions) from
allow-anything-except-things-specifically-denied ipfw rules to
deny-everything-except-things-specifically-allowed rules (open vs closed?
hehe). Anyway, I was wondering what are the minimum rules necessary to
allow DNS queries/transfers from other servers to my server, and also to
allow queries from my server to other servers.

I tried a variety of rules from the rc.firewall file, but it's still
blocking some traffic, so there must be something I'm missing.

Thanks! :)

---
Jesse
http://www.lumiere.net/

From owner-freebsd-security Mon Jul 27 00:55:31 1998
Date: Mon, 27 Jul 1998 00:55:00 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: Jesse
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

Take a look at /etc/rc.firewall:

# Allow DNS queries out in the world
ipfw add pass udp from any 53 to ${ip}
ipfw add pass udp from ${ip} to any 53

You will need to enable the same setup as above but for tcp for zone
transfers (someone correct me if I am wrong).

Also take a look at the FreeBSD ipfw Configuration Page:
http://www.metronet.com/~pgilley/freebsd/ipfw

-- Yan

Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

From owner-freebsd-security Mon Jul 27 01:07:19 1998
Date: Mon, 27 Jul 1998 09:06:45 +0100 (BST)
From: Jay Tribick
To: Jesse
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

| I'm thinking of changing one of my boxes which is running bind (performing
| primary secondary DNS functions) from
| allow-anything-except-things-specifically-denied ipfw rules to
| deny-everything-except-things-specifically-allowed rules (open vs closed?
| hehe). Anyway, I was wondering what are the minimum rules necessary to
| allow DNS queries/transfers from other servers to my server, and also to
| allow queries from my server to other servers.
|
| I tried a variety of rules from the rc.firewall file, but it's still
| blocking some traffic, so there must be something I'm missing.

AFAIR you should just be able to explicitly allow data from port 53 (udp &
tcp) to pass through, i.e.

ipfw add 0 deny ip from any to ip.ip.ip.ip:255.255.255.255
ipfw add 1 allow tcp from any to ip.ip.ip.ip:255.255.255.255 53
ipfw add 1 allow udp from any to ip.ip.ip.ip:255.255.255.255 53

(Don't quote me on the above.. I don't tend to use ipfw and there's
probably a better way of defining the above rules; for example, you may not
want to deny packets but simply drop/reject them - depends how much info
you want to give out to script kiddies ;)

Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information                |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Mon Jul 27 01:22:33 1998
Date: Mon, 27 Jul 1998 09:22:03 +0100 (BST)
From: Jay Tribick
To: "Jan B. Koum"
cc: security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

Hi

| >I'm thinking of changing one of my boxes which is running bind (performing
| >primary secondary DNS functions) from
| >allow-anything-except-things-specifically-denied ipfw rules to
| >deny-everything-except-things-specifically-allowed rules (open vs closed?
| >hehe). Anyway, I was wondering what are the minimum rules necessary to
| >allow DNS queries/transfers from other servers to my server, and also to
| >allow queries from my server to other servers.

| >I tried a variety of rules from the rc.firewall file, but it's still
| >blocking some traffic, so there must be something I'm missing.

| Take a look at /etc/rc.firewall:
|
| # Allow DNS queries out in the world
| ipfw add pass udp from any 53 to ${ip}
| ipfw add pass udp from ${ip} to any 53
|
| You will need to enable same setup as above but for tcp for zone
| transfers (someone correct me if I am wrong).
|
| Also take a look at FreeBSD ipfw Configuration Page:
| http://www.metronet.com/~pgilley/freebsd/ipfw

AFAIK DNS zone-transfers are handled via 53 as well; I can't find
another listing for 'Domain Name Server' in /etc/services so I assume
the above will work fine.

Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information                |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Mon Jul 27 01:48:35 1998
Date: Mon, 27 Jul 1998 01:48:00 -0700 (PDT)
From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: Jay Tribick cc: security@FreeBSD.ORG Subject: Re: ipfw rules to allow DNS activity In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org No no no... What I mean is: [takes out the bible: TCP/IP Illustrated and opens it on page 206] DNS uses UDP for resolver queries (most of the time). DNS used TCP for zone transfers (always). If you don't want to allow zone transfer from that computer, don't worry about allowing TCP as long as your DNS response will never exceed 512 bytes. (yes I know one can also use xfrnets to stop unauthorized zone transfers but this is ipfw talk *grin*) -- Yan Jan Koum jkb@best.com | "Turn up the lights; I don't want www.FreeBSD.org -- The Power to Serve | to go home in the dark." "Write longer sentences - they are paying us a lot of money" On Mon, 27 Jul 1998, Jay Tribick wrote: > >Hi > >| >I'm thinking of changing one of my boxes which is running bind (performing >| >primary secondary DNS functions) from >| >allow-anything-except-things-specifically-denied ipfw rules to >| >deny-everything-except-things-specifically-allowed rules (open vs closed? >| >hehe). Anyway, I was wondering what are the minimum rules necessary to >| >allow DNS queries/transfers from other servers to my server, and also to >| >allow queries from my server to other servers. > >| >I tried a variety of rules from the rc.firewall file, but it's still >| >blocking some traffic, so there must be something I'm missing. > >| Take a look at /etc/rc.firewall: >| >| # Allow DNS queries out in the world >| ipfw add pass udp from any 53 to ${ip} >| ipfw add pass udp from ${ip} to any 53 >| >| You will need to enable same setup as above but for tcp for zone >| transfers (someone correct me if I am wrong). 
>|
>| Also take a look at FreeBSD ipfw Configuration Page:
>| http://www.metronet.com/~pgilley/freebsd/ipfw
>
>AFAIK DNS zone-transfers are handled over via 53 as well, I can't find
>another listing for 'Domain Name Server' in /etc/services so I assume
>the above will work fine.
>
>Regards,
>
>Jay Tribick
>--
>[| Network Administrator | FastNet International | http://fast.net.uk/ |]
>[| Finger netadmin@fastnet.co.uk for contact information |]
>[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]
>

From owner-freebsd-security Mon Jul 27 02:05:33 1998
From: sthaug@nethelp.no
To: jkb@best.com
Cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
Date: Mon, 27 Jul 1998 11:04:56 +0200

> Take a look at /etc/rc.firewall:
>
> # Allow DNS queries out in the world
> ipfw add pass udp from any 53 to ${ip}
> ipfw add pass udp from ${ip} to any 53
>
> You will need to enable same setup as above but for tcp for zone
> transfers (someone correct me if I am wrong).

Unfortunately, it's not quite that simple:

- You can't know the source port in zone transfers initiated from your
own name server. It won't be 53 - remember that zone transfers are
performed by a separate program (named-xfer).

- If you use BIND 8, the source port for queries initiated by the name
server itself will *not* be 53 unless you explicitly say so.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Jul 27 02:23:31 1998
Date: Mon, 27 Jul 1998 02:22:25 -0700 (PDT)
From: "Jan B. Koum"
To: sthaug@nethelp.no
cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

On Mon, 27 Jul 1998 sthaug@nethelp.no wrote:

>> Take a look at /etc/rc.firewall:
>>
>> # Allow DNS queries out in the world
>> ipfw add pass udp from any 53 to ${ip}
>> ipfw add pass udp from ${ip} to any 53
>>
>> You will need to enable same setup as above but for tcp for zone
>> transfers (someone correct me if I am wrong).
>
>Unfortunately, it's not quite that simple:
>

Hmm.. You sure? Not according to Stevens and my tcpdump:

>- You can't know the source port in zone transfers initiated from your
>own name server. It won't be 53 - remember that zone transfers are
>performed by a separate program (named-xfer).

This is from running "host -l some.host" in the other xterm:

02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S 3408638927:3408638927(0) win 16384 (DF)
02:15:05.636200 209.157.102.11.domain > nfr.2509: S 3345473533:3345473533(0) ack 3408638928 win 17280 (DF)
02:15:05.636284 nfr.2509 > 209.157.102.11.domain: . ack 1 win 17280 (DF)
02:15:05.636391 nfr.2509 > 209.157.102.11.domain: P 1:3(2) ack 1 win 17280 (DF)
02:15:05.789950 209.157.102.11.domain > nfr.2509: . ack 3 win 17280 (DF)
02:15:05.790049 nfr.2509 > 209.157.102.11.domain: P 3:31(28) ack 1 win 17280 (DF)
02:15:05.920407 209.157.102.11.domain > nfr.2509: P 1:717(716) ack 31 win
[snip]

It is going from my host, nfr to the nameserver, 209.157.192.11,
destination port 53 using tcp.
Replies are coming back from 209.157.192.11, port 53 using tcp
back to me. I don't see how this is "won't be 53" -- am I missing
something in this picture?
>
>- If you use BIND 8, the source port for queries initiated by the name
>server itself will *not* be 53 unless you explicitly say so.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Source port for queries will be greater than 1024 (e.g.: port 2509
above). Destination port for queries will be DNS server, which runs on
port 53.

Are we talking about two different things here? :)

-- yan

From owner-freebsd-security Mon Jul 27 02:50:04 1998
Date: Mon, 27 Jul 1998 21:52:22 +1200
To: security@FreeBSD.ORG
From: andrew@squiz.co.nz (Andrew McNaughton)
Subject: Re: pidentd problem
Cc: Open Systems Networking

>I just noticed today that my identd was not working. And I can't figure
>out why. All the local tests seem to work fine.

>Something has obviously changed I just don't know what.

>Any ideas?

There was some stuff about a DoS in identd on bugtraq in August last
year. Did that get fixed?

Andrew

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The effort to understand the universe is   .  Andrew McNaughton
one of the very few things that lifts      .  ++64 4 389 6891
human life above the level of farce,       .  andrew@squiz.co.nz
and gives it some of the grace             .  http://www.newsroom.co.nz
of tragedy - Steven Weinberg               .
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

From owner-freebsd-security Mon Jul 27 02:58:39 1998
From: sthaug@nethelp.no
To: jkb@best.com
Cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
Date: Mon, 27 Jul 1998 11:57:51 +0200

> >> # Allow DNS queries out in the world
> >> ipfw add pass udp from any 53 to ${ip}
> >> ipfw add pass udp from ${ip} to any 53
> >>
> >> You will need to enable same setup as above but for tcp for zone
> >> transfers (someone correct me if I am wrong).
> >
> >Unfortunately, it's not quite that simple:
> >
>
> Hmm.. You sure? Not according to Stevens and my tcpdump:

I'm sure. We're talking about different things.

> >- You can't know the source port in zone transfers initiated from your
> >own name server. It won't be 53 - remember that zone transfers are
> >performed by a separate program (named-xfer).

Notice I said "initiated from your own name server". I am talking about
a name server that is *inside* the firewall, initiating a zone transfer
from a name server that is *outside* the firewall - presumably because
the name server inside is secondary for some of the zones on the name
server outside the firewall. The port number for the name server which
initiates the zone transfer will *not* be 53.

In your case, you're the one initiating the zone transfer, and your port
number is 2509.

> >- If you use BIND 8, the source port for queries initiated by the name
> >server itself will *not* be 53 unless you explicitly say so.
>
> Source port for queries will be greater than 1024 (e.g.: port 2509
> above). Destination port for queries will be DNS server, which runs on
> port 53.
> Are we talking about two different things here? :)

Again, I'm talking about a name server *inside* the firewall sending
queries to name servers outside. BIND 8 behaves differently from BIND 4
by default. A name server sometimes needs to initiate queries by itself
(eg. to perform a recursive query on behalf of a client). The *source
port* for queries initiated by the name server itself *will not* be 53
in BIND 8 unless you specifically tell it so.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Jul 27 03:04:57 1998
Date: Mon, 27 Jul 1998 03:03:28 -0700 (PDT)
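The source-port point Steinar makes above, as an added example that is not part of the thread and not FreeBSD code: a small model of the ipfw subset the quoted rc.firewall lines use, run over constructed DNS flows (192.0.2.53 stands in for ${ip}; the other addresses, the rule sets other than the two quoted lines, and all class and function names are mine). It shows that the two rc.firewall lines never pass queries sent *to* the server, that pinning port 53 on both ends passes nothing a BIND 8 server or named-xfer actually sends, and which rules do cover all six flows.

```python
"""Which DNS flows do the rc.firewall rules quoted in this thread pass?
Added example for this thread, not FreeBSD code: it models only the ipfw
subset 'pass PROTO from ADDR [PORT] to ADDR [PORT]' as a stateless filter.
192.0.2.53 stands in for ${ip}; the other addresses and flows are made up."""
from dataclasses import dataclass
from typing import Optional

IP = "192.0.2.53"  # stands in for ${ip} in /etc/rc.firewall (constructed)

@dataclass(frozen=True)
class Rule:
    """A rule, or (with no wildcards) one packet's 5-tuple."""
    proto: str
    src: str              # "any" or an address
    sport: Optional[int]  # None means any port
    dst: str
    dport: Optional[int]

def parse_rule(text: str, ip: str = IP) -> Rule:
    """Parse one 'ipfw add pass ...' line from the modelled subset."""
    words = text.replace("${ip}", ip).split()
    if words[:2] == ["ipfw", "add"]:
        words = words[2:]
    if words[0] != "pass" or words[2] != "from" or "to" not in words:
        raise ValueError(f"unsupported rule: {text}")
    split = words.index("to")

    def addr_port(part):
        return part[0], (int(part[1]) if len(part) > 1 else None)

    src, sport = addr_port(words[3:split])
    dst, dport = addr_port(words[split + 1:])
    return Rule(words[1], src, sport, dst, dport)

def matches(rule: Rule, pkt: Rule) -> bool:
    """Does a rule match a concrete packet?  'any'/None are wildcards."""
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.sport in (None, pkt.sport)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))

def coverage(rule_texts, flows):
    """Map each flow description to True if some rule passes it."""
    rules = [parse_rule(t) for t in rule_texts]
    return {desc: any(matches(r, p) for r in rules) for desc, p in flows.items()}

# The two lines quoted from /etc/rc.firewall in the thread.
RC_FIREWALL = [
    "ipfw add pass udp from any 53 to ${ip}",
    "ipfw add pass udp from ${ip} to any 53",
]

# A tempting extension (constructed) that pins port 53 on both ends.  It
# assumes the server itself always talks from port 53, which BIND 8 and
# named-xfer do not do.
PORT53_BOTH_ENDS = [
    "ipfw add pass udp from any 53 to ${ip} 53",
    "ipfw add pass udp from ${ip} 53 to any 53",
    "ipfw add pass tcp from any 53 to ${ip} 53",
    "ipfw add pass tcp from ${ip} 53 to any 53",
]

# Rules that pass every flow below (constructed).  The return-traffic rules
# are wide because this model is stateless; on a real ipfw the TCP ones
# would normally also carry the 'established' keyword.
SERVER_RULES = [
    "ipfw add pass udp from any to ${ip} 53",   # queries to us
    "ipfw add pass udp from ${ip} 53 to any",   # our answers
    "ipfw add pass udp from ${ip} to any 53",   # BIND 8 queries, any source port
    "ipfw add pass udp from any 53 to ${ip}",   # answers to those
    "ipfw add pass tcp from any to ${ip} 53",   # TCP queries and AXFR requests to us
    "ipfw add pass tcp from ${ip} 53 to any",   # and the data we send back
    "ipfw add pass tcp from ${ip} to any 53",   # named-xfer pulling zones
    "ipfw add pass tcp from any 53 to ${ip}",   # zone data coming back
]

# One constructed packet per case discussed in the thread.
FLOWS = {
    "client query to us":            Rule("udp", "203.0.113.9", 3011, IP, 53),
    "our answer to that client":     Rule("udp", IP, 53, "203.0.113.9", 3011),
    "BIND 8 query, ephemeral port":  Rule("udp", IP, 1035, "198.51.100.2", 53),
    "answer to that query":          Rule("udp", "198.51.100.2", 53, IP, 1035),
    "named-xfer pulling a zone":     Rule("tcp", IP, 2509, "198.51.100.2", 53),
    "zone data coming back":         Rule("tcp", "198.51.100.2", 53, IP, 2509),
}

if __name__ == "__main__":
    for name, rules in [("rc.firewall", RC_FIREWALL),
                        ("port 53 both ends", PORT53_BOTH_ENDS),
                        ("server rules", SERVER_RULES)]:
        print(f"== {name}")
        for desc, ok in coverage(rules, FLOWS).items():
            print(f"  {'pass' if ok else 'DROP'}  {desc}")
```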
From: "Jan B. Koum"
To: security@FreeBSD.ORG
Subject: files in /var/log

Hello all,

By default FreeBSD has many files in /var/log group write. What is
the reason for that? Can we change this to be group read only?
Also, would it make more sense to ship /var/log/messages o-r by
default? Why do we want all world to know what goes into our
/var/log/messages files?
[we would also need to modify /etc/newsyslog.conf's mode column
to 640 then]

-- Yan

Jan Koum jkb@best.com                   | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve   |  to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

From owner-freebsd-security Mon Jul 27 03:12:51 1998
From: sthaug@nethelp.no
To: jkb@best.com
Cc: netadmin@fastnet.co.uk, security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
Date: Mon, 27 Jul 1998 12:12:00 +0200

> DNS uses UDP for resolver queries (most of the time).
> DNS uses TCP for zone transfers (always).
>
> If you don't want to allow zone transfer from that computer, don't
> worry about allowing TCP as long as your DNS response will never exceed
> 512 bytes.
> (yes I know one can also use xfrnets to stop unauthorized zone
> transfers but this is ipfw talk *grin*)

Use the tools appropriate for the job. In this case, it's much better to
use BIND 8, which allows you fine grained control over zone transfers.

It's not a good idea to block TCP port 53, because you may get TCP queries
even if you don't have answers exceeding 512 bytes.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Jul 27 05:31:37 1998
Date: Mon, 27 Jul 1998 08:37:17 -0400 (EDT)
From: andrewr
To: security@FreeBSD.ORG
cc: Open Systems Networking
Subject: Re: pidentd problem

> >I just noticed today that my identd was not working. And I can't figure
> >out why. All the local tests seem to work fine.
>
> >Something has obviously changed I just don't know what.
> >Any ideas?
>

I have talked here and there with chris about identd not working,
specifically pidentd. I too have had no luck getting it up and running,
except for local requests. So, it doesn't seem to be a one time situation.

Andrew

From owner-freebsd-security Mon Jul 27 05:37:59 1998
Date: Mon, 27 Jul 1998 08:37:15 -0400 (EDT)
From: Robert Watson
To: "Jan B. Koum"
cc: security@FreeBSD.ORG
Subject: Re: files in /var/log

Jan,

On my own machines I have added a "logger" group and set permissions in
this manner:

/var/cron/log                   root.loguser    640  3     100  *     Z
/var/log/amd.log                root.loguser    644  7     100  *     Z
/var/log/kerberos.log           root.loguser    640  7     100  *     Z
/var/log/lpd-errs               root.loguser    644  7     100  *     Z
/var/log/maillog                root.loguser    644  7     *    24    Z
/var/log/messages               root.loguser    644  5     *    168   Z
/var/log/slip.log               root.loguser    640  3     100  *     Z
/var/log/ppp.log                root.loguser    640  3     100  *     Z
/var/log/wtmp                   root.loguser    644  52    *    168   ZB
/var/log/auth                   root.loguser    640  14    *    168   Z
# my stuff
/var/log/ftpd.log               root.loguser    640  3     *    168   Z
/var/log/pop.log                root.loguser    640  3     *    72    Z
/var/log/kadmind.syslog         root.loguser    640  14    *    168   Z
/var/log/imapd.log              root.loguser    640  3     *    72    Z
/var/log/all-log                root.loguser    640  7     *    72    Z

A number of daemons and other programs tend to leak sensitive information
(such as bad login information) to publicly readable logs -- and I did
not want to give users root access to get to these files where it was
actually unnecessary.

For more general use, root.wheel would probably be sufficient. I also
changed some of the syslog logging rules to prevent auth-style log entries
from going to the wrong places.

I suspect that there are some daemons/etc out there that are delivering
some of the auth-style log messages with the wrong level on the log
message (i.e., notice or something) and as a result, they are not getting
caught by this. However, I have not looked closely.

I don't know if the standard FreeBSD ssh port/package changes the log
level from DAEMON to AUTH or not, but I certainly had to do that on my own
build of sshd (see /etc/sshd_config).

On Mon, 27 Jul 1998, Jan B. Koum wrote:

>
> Hello all,
>
> By default FreeBSD has many files in /var/log group write. What is
> the reason for that? Can we change this to be group read only?
> Also, would it make more sense to ship /var/log/messages o-r by
> default? Why do we want all world to know what goes into our
> /var/log/messages files?
> [we would also need to modify /etc/newsyslog.conf's mode column
> to 640 then]
>
> -- Yan
>
> Jan Koum jkb@best.com                   | "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve   |  to go home in the dark."
> "Write longer sentences - they are paying us a lot of money"
>

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 27 05:41:30 1998
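A check for the permissions Jan and Robert are discussing, as an added example that is not part of the thread and not FreeBSD's newsyslog: it parses newsyslog.conf entries (the sample is constructed from the entries Robert lists, with one line altered as noted in the docstring), reports which logs are world-readable or group-writable, and re-emits the file with the mode column set to 640 as Jan proposes. All function and class names are mine.

```python
"""Audit a newsyslog.conf for logs readable or writable by more than root
and the log group, the question raised in this thread.  Added example, not
FreeBSD's newsyslog; the sample below is constructed from the entries
Robert quoted, with one line altered (lpd-errs: mode 664, no owner field)
to exercise the optional owner:group column and the group-write check."""
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """\
# logfilename          [owner:group]  mode count size when  [ZB]
/var/cron/log          root.loguser   640  3     100  *     Z
/var/log/amd.log       root.loguser   644  7     100  *     Z
/var/log/maillog       root.loguser   644  7     *    24    Z
/var/log/messages      root.loguser   644  5     *    168   Z
/var/log/auth          root.loguser   640  14    *    168   Z
/var/log/wtmp          root.loguser   644  52    *    168   ZB
/var/log/lpd-errs                     664  7     100  *     Z
"""

@dataclass
class Entry:
    path: str
    owner: Optional[str]
    group: Optional[str]
    mode: int
    count: int
    size: Optional[int]
    when: str
    flags: str

def parse_newsyslog(text: str) -> List[Entry]:
    """Parse the fields 'path [owner:group] mode count size when [flags]';
    either ':' or '.' may separate owner and group."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, rest = fields[0], fields[1:]
        owner = group = None
        if re.match(r"^[A-Za-z_][\w-]*[:.][A-Za-z_][\w-]*$", rest[0]):
            owner, group = re.split(r"[:.]", rest[0], maxsplit=1)
            rest = rest[1:]
        mode = int(rest[0], 8)
        size = None if rest[2] == "*" else int(rest[2])
        flags = rest[4] if len(rest) > 4 else ""
        entries.append(Entry(path, owner, group, mode, int(rest[1]), size, rest[3], flags))
    return entries

def world_readable(entries):
    """Logs any local user can read (the o+r bit Jan asks about)."""
    return [e.path for e in entries if e.mode & stat.S_IROTH]

def group_writable(entries):
    """Logs the group may modify: group members could alter the audit
    trail, not only read it."""
    return [e.path for e in entries if e.mode & stat.S_IWGRP]

def render(e: Entry, mode: Optional[int] = None) -> str:
    """Re-emit one entry, optionally with a new mode (e.g. 0o640)."""
    m = e.mode if mode is None else mode
    cols = [e.path, f"{e.owner}:{e.group}" if e.owner else "", f"{m:03o}",
            str(e.count), "*" if e.size is None else str(e.size), e.when, e.flags]
    return " ".join(c for c in cols if c)

def tighten(text: str, mode: int = 0o640) -> str:
    """Rewrite every entry to the given mode; comment lines are dropped."""
    return "\n".join(render(e, mode) for e in parse_newsyslog(text)) + "\n"

if __name__ == "__main__":
    entries = parse_newsyslog(SAMPLE)
    print("world-readable:", world_readable(entries))
    print("group-writable:", group_writable(entries))
    print(tighten(SAMPLE))
```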
From: Sheldon Hearn
To: "Jan B. Koum"
cc: security@FreeBSD.ORG
Subject: Re: files in /var/log
Date: Mon, 27 Jul 1998 14:40:04 +0200

On Mon, 27 Jul 1998 03:03:28 MST, "Jan B. Koum" wrote:

> Also, would it make more sense to ship /var/log/messages o-r by
> default? Why do we want all world to know what goes into our
> /var/log/messages files?

By the same token, what _don't_ you want your users to see? As a
non-administrative user on several FreeBSD systems, I would be most
disappointed if my read access to maillog and messages were revoked.

Of course, if there are files that contain information you feel should
be hidden for reasons relating to system security, that's something you
should say. Perhaps you could explain the background of your query,
particularly what information concerns you?

Ciao,
Sheldon.

From owner-freebsd-security Mon Jul 27 05:45:20 1998
Date: Mon, 27 Jul 1998 08:44:17 -0400 (EDT)
From: Robert Watson
To: sthaug@nethelp.no
cc: jkb@best.com, netadmin@fastnet.co.uk, security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

On Mon, 27 Jul 1998 sthaug@nethelp.no wrote:

> > DNS uses UDP for resolver queries (most of the time).
> > DNS uses TCP for zone transfers (always).
> >
> > If you don't want to allow zone transfer from that computer, don't
> > worry about allowing TCP as long as your DNS response will never exceed
> > 512 bytes.
> > (yes I know one can also use xfrnets to stop unauthorized zone
> > transfers but this is ipfw talk *grin*)
>
> Use the tools appropriate for the job. In this case, it's much better to
> use BIND 8, which allows you fine grained control over zone transfers.
>
> It's not a good idea to block TCP port 53, because you may get TCP queries
> even if you don't have answers exceeding 512 bytes.

I understand from some of the people working on DNSsec at TIS that there
are some resolvers out there that *only* use TCP. I also understand that
they are very rare.

The real issue, though, is the truncation issue. With the increasing use
of multiple A and CNAME records for web load distribution (etc), this
limit is getting pushed. Also, with the advent of DNSsec and
signatures/certs/etc passing through DNS, I think we can expect to see
more large DNS payloads going around. I think there was a draft out at
one point on larger DNS packet size support -- no doubt someone will bump
up their UDP packet maximum at some point and we'll discover lots of
buffer overflows in everyone's DNS support? :)

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 27 06:58:17 1998
Date: Mon, 27 Jul 1998 09:59:53 -0400 (EDT)
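The 512-byte truncation point that Jan, Steinar and Robert are discussing, as an added example that is not part of the thread and not BIND or FreeBSD code: a minimal DNS answer builder (constructed query name and addresses, all function names mine) that truncates an oversized UDP answer with TC set, the way a server does for the "many A records" case Robert mentions, and a toy resolver that shows what a firewall dropping TCP port 53 does to the retry.

```python
"""Why a DNS server must be reachable on TCP port 53 even when it never
serves zone transfers: a UDP answer over 512 bytes comes back truncated
(TC=1) and the resolver retries over TCP.  Added example for this thread,
not BIND or FreeBSD code; the name and addresses are constructed."""
import struct

UDP_MAX = 512       # RFC 1035 limit for DNS over UDP
TC_FLAG = 0x0200    # TrunCation bit in the header flags word
QNAME = "www.example.com"
# 30 constructed A records: the 'multiple A records for load distribution'
# case from the thread.
ADDRS = [f"198.51.100.{i}" for i in range(1, 31)]

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname, addrs, txid=0x1234):
    """Full answer to an A query: header, question, one A RR per address."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C: compression pointer to the name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    # flags 0x8180: QR=1, RD=1, RA=1, TC=0; counts: 1 question, N answers
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    return header + question + answers

def udp_reply(qname, addrs):
    """What goes out over UDP: the full answer if it fits, otherwise as
    many whole RRs as fit, with TC set so the client knows to retry."""
    full = build_response(qname, addrs)
    if len(full) <= UDP_MAX:
        return full
    head_len = 12 + len(encode_name(qname)) + 4
    rr_len = 2 + 2 + 2 + 4 + 2 + 4      # pointer, type, class, TTL, rdlen, IPv4
    n_fit = (UDP_MAX - head_len) // rr_len
    trunc = bytearray(build_response(qname, addrs[:n_fit]))
    flags = struct.unpack("!H", trunc[2:4])[0] | TC_FLAG
    trunc[2:4] = struct.pack("!H", flags)
    return bytes(trunc)

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)

def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def resolve(qname, addrs, tcp53_allowed):
    """A resolver behind a firewall: UDP first; on TC=1 it retries over
    TCP, which only works if the firewall lets TCP port 53 through."""
    reply = udp_reply(qname, addrs)
    if not is_truncated(reply):
        return {"transport": "udp", "answers": answer_count(reply), "complete": True}
    if not tcp53_allowed:
        # The TCP retry is dropped; at best the client is left with the
        # partial UDP answer, more often with a resolution failure.
        return {"transport": "udp", "answers": answer_count(reply), "complete": False}
    full = build_response(qname, addrs)  # TCP carries the whole message
    return {"transport": "tcp", "answers": answer_count(full), "complete": True}

if __name__ == "__main__":
    print(len(build_response(QNAME, ADDRS)), "bytes for", len(ADDRS), "A records")
    for allowed in (True, False):
        label = "tcp 53 allowed" if allowed else "tcp 53 blocked"
        print(label, resolve(QNAME, ADDRS, allowed))
```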
From: Mike
To: Jesse
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

On Mon, 27 Jul 1998, Jesse wrote:

> hehe). Anyway, I was wondering what are the minimum rules necessary to
> allow DNS queries/transfers from other servers to my server, and also to
> allow queries from my server to other servers.

I'm running BIND8, and would suggest that you simply use an
'allow-transfer' statement in named.conf if you are doing the same.
Unless you prefer using ipfw for some reason, setup and maintenance seems
much simpler and understandable through named.conf.

allow-transfer {
        10.2.0.1;       // ips of servers to allow...
        10.2.0.3;       //etc...
};

-mike

From owner-freebsd-security Mon Jul 27 07:34:31 1998
Date: Mon, 27 Jul 1998 10:33:29 -0400 (EDT)
From: Robert Watson
To: "Jan B. Koum"
cc: sthaug@nethelp.no, j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

On Mon, 27 Jul 1998, Jan B. Koum wrote:

> Hmm.. You sure? Not according to Stevens and my tcpdump:
>
> >- You can't know the source port in zone transfers initiated from your
> >own name server. It won't be 53 - remember that zone transfers are
> >performed by a separate program (named-xfer).
>
> This is from running "host -l some.host" in the other xterm:
>
> 02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S
> 3408638927:3408638927(0) win 16384 [|tcp]> (DF)
> [snip]
>
> It is going from my host, nfr to the nameserver, 209.157.192.11,
> destination port 53 using tcp.
> Replies are coming back from 209.157.192.11, port 53 using tcp
> back to me. I don't see how this is "won't be 53" -- am I missing
> something in this picture?

Does this differ on NT/Windows/Macintosh? I don't know if they have the
same concept of "reserved ports" as they don't tend to have the same trust
model that NFS/rsh/etc use. I've never checked to see whether
Mac/Windows95 allocate ports <1024 for outgoing connections. Under NT,
anyway, one assumes they don't so that various services can run on them
unhindered? I could easily see some Microsoft programmer saying "hmm.
I'll make an outgoing connection from port 867 on this machine to port 23
on that one.." :)

Stevens' new unix network programming book has port range information for
BSD, Solaris, but no microsoft/etc info (it being a UNIX network
programming book :).

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 27 11:31:34 1998
Date: Mon, 27 Jul 1998 11:30:30 -0700 (PDT)
From: "Jan B. Koum"
To: Sheldon Hearn
cc: security@FreeBSD.ORG
Subject: Re: files in /var/log

On Mon, 27 Jul 1998, Sheldon Hearn wrote:

>
>On Mon, 27 Jul 1998 03:03:28 MST, "Jan B. Koum" wrote:
>
>> Also, would it make more sense to ship /var/log/messages o-r by
>> default? Why do we want all world to know what goes into our
>> /var/log/messages files?
>
>By the same token, what _don't_ you want your users to see? As a
>non-administrative user on several FreeBSD systems, I would be most
>disappointed if my read access to maillog and messages were revoked.

There are many reasons. With /var/log/maillog it is privacy issues: do
you really want everyone on your system to know you sent mail to
sales@class-sex-toys.com or that you are exchanging mail with your
competitor. With /var/log/messages -- well, there is NOTHING there that
average user needs. If you are an admin, you are most likely in the wheel
group already and should have read access to /var/log/messages w/o doing
su(1). People sometimes might enter their password at the login: prompt
-- do you want all your users to read this? Do you want all your users to
know other similar information? If so, chmod a+r /var/log/messages on
your system. I still think by default we should ship /var/log/* files
group read and world nothing.

-- Yan

>
>Of course, if there are files that contain information you feel should
>be hidden for reasons relating to system security, that's something you
>should say. Perhaps you could explain the background of your query,
>particularly what information concerns you?
>
>Ciao,
>Sheldon.
>

From owner-freebsd-security Mon Jul 27 11:36:58 1998
Date: Mon, 27 Jul 1998 11:35:40 -0700 (PDT)
From: "Jan B. Koum"
To: Robert Watson
cc: security@FreeBSD.ORG
Subject: Re: files in /var/log

On Mon, 27 Jul 1998, Robert Watson wrote:

>Jan,
>
>On my own machines I have added a "logger" group and set permissions in
>this manner:
>
>/var/cron/log                   root.loguser    640  3     100  *     Z
>/var/log/amd.log                root.loguser    644  7     100  *     Z
>/var/log/kerberos.log           root.loguser    640  7     100  *     Z
>/var/log/lpd-errs               root.loguser    644  7     100  *     Z
>/var/log/maillog                root.loguser    644  7     *    24    Z
>/var/log/messages               root.loguser    644  5     *    168   Z
>/var/log/slip.log               root.loguser    640  3     100  *     Z
>/var/log/ppp.log                root.loguser    640  3     100  *     Z
>/var/log/wtmp                   root.loguser    644  52    *    168   ZB
>/var/log/auth                   root.loguser    640  14    *    168   Z
># my stuff
>/var/log/ftpd.log               root.loguser    640  3     *    168   Z
>/var/log/pop.log                root.loguser    640  3     *    72    Z
>/var/log/kadmind.syslog         root.loguser    640  14    *    168   Z
>/var/log/imapd.log              root.loguser    640  3     *    72    Z
>/var/log/all-log                root.loguser    640  7     *    72    Z
>
>A number of daemons and other programs tend to leak sensitive information
>(such as bad login information) to publicly readable logs -- and I did
>not want to give users root access to get to these files where it was
>actually unnecessary.

Exactly my point!

>
>For more general use, root.wheel would probably be sufficient. I also
>changed some of the syslog logging rules to prevent auth-style log entries
>from going to the wrong places.

Yes, our /etc/syslog.conf can use auth.* entry or some other such entry.
I also simply chown logs to root.wheel -- my rationale is that if you are
in group wheel, most likely you can su(1) to root anyway and read logs --
this way you can read logs w/o doing extra su(1) step.
>
>I suspect that there are some daemons/etc out there that are delivering
>some of the auth-style log messages with the wrong level on the log
>message (i.e., notice or something) and as a result, they are not getting
>caught by this. However, I have not looked closely.
>
>I don't know if the standard FreeBSD ssh port/package changes the log
>level from DAEMON to AUTH or not, but I certainly had to do that on my own
>build of sshd (see /etc/sshd_config).

Heh.. I also always have:

% grep AUTH /etc/sshd_config
SyslogFacility AUTH
%

Then again, I never use ports or packages. :)

-- Yan

>
>On Mon, 27 Jul 1998, Jan B. Koum wrote:
>
>>
>> Hello all,
>>
>> By default FreeBSD has many files in /var/log group write. What is
>> the reason for that? Can we change this to be group read only?
>> Also, would it make more sense to ship /var/log/messages o-r by
>> default? Why do we want all world to know what goes into our
>> /var/log/messages files?
>> [we would also need to modify /etc/newsyslog.conf's mode column
>> to 640 then]
>>
>> -- Yan
>>
>> Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
>> www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
>> "Write longer sentences - they are paying us a lot of money"
>>
>
>  Robert N Watson
>
>Carnegie Mellon University            http://www.cmu.edu/
>TIS Labs at Network Associates, Inc.
>                                      http://www.tis.com/
>SafePort Network Services             http://www.safeport.com/
>robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 27 12:05:14 1998
Date: Mon, 27 Jul 1998 12:03:56 -0700 (PDT)
From: Jesse
To: Mike
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity

> > hehe). Anyway, I was wondering what are the minimum rules necessary to
> > allow DNS queries/transfers from other servers to my server, and also to
> > allow queries from my server to other servers.
>
> I'm running BIND8, and would suggest that you simply use an
> 'allow-transfer' statement in named.conf if you are doing the same.
> Unless you prefer using ipfw for some reason, setup and maintenance seems
> much simpler and understandable through named.conf.

Hi Mike,

The reason is, because even if I allow that, an ipfw firewall that denies
everything except what is specifically allowed will still prevent all DNS
activity. I think the others covered it pretty well though. And thanks for
the allow-transfer tip, I can probably use that in addition to the ipfw
rules. :)

>
> allow-transfer {
>         10.2.0.1;       // ips of servers to allow...
>         10.2.0.3;
>         //etc...
> };
>
> -mike
>

From owner-freebsd-security Mon Jul 27 13:16:59 1998
Date: Mon, 27 Jul 1998 16:15:59 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: freebsd-security@FreeBSD.ORG
Subject: inetd enhancements (fwd)

This seems like security to me -- the binding issue is especially relevant
to firewall hosts (multi-homed).

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

---------- Forwarded message ----------
Date: Mon, 27 Jul 1998 12:19:56 -0500
From: Jacques Vidrine
To: hackers@FreeBSD.ORG
Subject: inetd enhancements

Hi,

I'd like to add some functionality to inetd. The two features
needed are:

  * binding selected services to a particular interface
  * chroot'ing before exec'ing the service

I've implemented these features as a port that modifies the
stock inetd source:

  http://www.freebsd.org/~nectar/ports/ninetd.shar
  http://www.freebsd.org/~nectar/ports/ninetd.tar.gz

(the modified inetd gets installed in /usr/local/sbin,
and gets its config from /usr/local/etc/inetd.conf, so
it shouldn't be too intrusive)

I also came across a patch that implements the binding
in a different manner: see PR bin/2387.

I'd like comments.

Jacques Vidrine

From owner-freebsd-security Mon Jul 27 14:38:42 1998
Date: Mon, 27 Jul 1998 17:37:32 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Robert Watson
cc: freebsd-security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)

On Mon, 27 Jul 1998, Robert Watson wrote:

> This seems like security to me -- the binding issue is especially relevant
> to firewall hosts (multi-homed).

Ever since I learned how the sockets API supports binding to a specific
interface, I've wanted ways to use this in inet software. As it is, I'm
using tcp_wrappers to get equivalent functionality, but this would
certainly be more elegant.

Ben

"You have your mind on computers, it seems."

From owner-freebsd-security Mon Jul 27 15:09:02 1998
Date: Mon, 27 Jul 1998 18:09:28 -0400 (EDT)
Message-Id: <199807272209.SAA14388@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: "Jan B. Koum"
Cc: security@FreeBSD.ORG
Subject: Re: files in /var/log
In-Reply-To: Jan B. Koum's message of "Mon, July 27, 1998 11:30:30 -0700" regarding "Re: files in /var/log"
References: <24385.901543204@iafrica.com>
Reply-To: security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Mon, July 27, 1998 at 11:30:30 (-0700), Jan B. Koum wrote: ]
> Subject: Re: files in /var/log
>
> There are many reasons. With /var/log/maillog it is privacy
> issues: do you really want everyone on your system to know you sent mail
> to sales@class-sex-toys.com or that you are exchanging mail with your
> competitor.

Some of the other BSDs do ship with /var/log/mail at mode 640. However on
my own machines the mailer logs are a matter of public record and available
for all to see. Local policy should dictate and so far as I'm concerned the
default should be more open than not.

> With /var/log/messages -- well, there is NOTHING there that
> average user needs. If you are an admin, you are most likely in the wheel
> group already and should have read access to /var/log/messages w/o doing
> su(1). People sometimes might enter their password at the login: prompt --
> do you want all your users to read this? Do you want all your users to
> know other similar information? If so, chmod a+r /var/log/messages on your
> system. I still think by default we should ship /var/log/* files group
> read and world nothing.

/var/log/messages should never contain bad login records. They go in
/var/log/authpriv, which unfortunately FreeBSD doesn't have by default.

Making /var/log/messages unreadable by everyone would be very very very
unfriendly in my books -- this is something any user should be able to
look at.
Again, local policy should dictate, and in general everything but stuff to
the authpriv facility (and maybe auth too) should be readable by everyone
by default. See for example syslog(3)'s advice:

     LOG_AUTHPRIV   The same as LOG_AUTH, but logged to a file readable
                    only by selected individuals.

Here's my /etc/syslog.conf:

*.err;kern.*;auth.warning;authpriv.none;mail.crit       /dev/console
*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none        /var/log/messages
kern.debug                                              /var/log/messages
# the master debug file should not be world readable
*.*                                                     /var/log/debug
# these files can be world readable to assist users
daemon.*                                                /var/log/daemon
kern.*                                                  /var/log/kern
lpr.*                                                   /var/log/lpr
mail.*                                                  /var/log/mail
news.info                                               /var/log/news
syslog.*                                                /var/log/syslog
user.*                                                  /var/log/user
uucp.info                                               /var/log/uucp
local0.*;local1.*;local2.*;local3.*;local4.*;local5.*;local6.*;local7.*  /var/log/local
# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publicly-readable
# files.
auth.*                                                  /var/log/auth
authpriv.*                                              /var/log/authpriv
cron.info                                               /var/cron/log
ftp.info                                                /var/log/xferlog
lpr.info                                                /var/log/lpd-errs
#uucp.info                                              /var/spool/uucp/ERRORS
# immediate warnings
*.emerg                                                 *
*.alert;kern.err;daemon.err;auth.warning;user.none      root,operator

-- 
Greg A. Woods   +1 416 443-1734   VE3TCP
Planix, Inc.
; Secrets of the Weird

From owner-freebsd-security Mon Jul 27 15:18:15 1998
Date: Mon, 27 Jul 1998 18:18:42 -0400 (EDT)
Message-Id: <199807272218.SAA14531@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: Jacques Vidrine
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
In-Reply-To: Robert Watson's message of "Mon, July 27, 1998 16:15:59 -0400" regarding "inetd enhancements (fwd)"
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Mon, July 27, 1998 at 16:15:59 (-0400), Robert Watson wrote: ]
> Subject: inetd enhancements (fwd)
>
> This seems like security to me -- the binding issue is especially relevant
> to firewall hosts (multi-homed).
>
>   Robert N Watson
>
> Carnegie Mellon University            http://www.cmu.edu/
> TIS Labs at Network Associates, Inc.  http://www.tis.com/
> SafePort Network Services             http://www.safeport.com/
> robert@fledge.watson.org              http://www.watson.org/~robert/
>
> ---------- Forwarded message ----------
> Date: Mon, 27 Jul 1998 12:19:56 -0500
> From: Jacques Vidrine
> To: hackers@FreeBSD.ORG
> Subject: inetd enhancements
>
> Hi,
>
> I'd like to add some functionality to inetd. The two features
> needed are:
>
>   * binding selected services to a particular interface

There's a version of this feature in NetBSD's inetd. I don't know if
it's similar to your idea or to PR#2387's, but it would be nice to see
all BSDs use the same config file interface....

>   * chroot'ing before exec'ing the service

This is probably better done by a wrapper. Getting the chroot area set
up can be very tricky and anyone capable of doing so can easily write
the appropriate wrapper too.

> I've implemented these features as a port that modifies the
> stock inetd source:
>
>   http://www.freebsd.org/~nectar/ports/ninetd.shar
>   http://www.freebsd.org/~nectar/ports/ninetd.tar.gz
>
> (the modified inetd gets installed in /usr/local/sbin,
> and gets its config from /usr/local/etc/inetd.conf, so
> it shouldn't be too intrusive)
>
> I also came across a patch that implements the binding
> in a different manner: see PR bin/2387.
>
> I'd like comments.
>
> Jacques Vidrine

-- 
Greg A. Woods   +1 416 443-1734   VE3TCP
Planix, Inc.
; Secrets of the Weird

From owner-freebsd-security Mon Jul 27 15:22:55 1998
From: Niall Smart
Message-Id: <199807272212.XAA00990@indigo.ie>
Date: Mon, 27 Jul 1998 23:11:38 +0000
In-Reply-To: Robert Watson
Reply-To: rotel@indigo.ie
To: Robert Watson, freebsd-security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)

On Jul 27, 4:15pm, Robert Watson wrote:
} Subject: inetd enhancements (fwd)
>
> This seems like security to me -- the binding issue is especially relevant
> to firewall hosts (multi-homed).

Binding isn't going to be especially useful because it can only be enforced
with ipfw rules. And why does inetd need to be modified to support chroot?
Doesn't:

ftp     stream  tcp     nowait  root    /usr/sbin/chroot        chroot /xyz ftp

work?

Niall

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Mon Jul 27 15:35:41 1998
From: Jacques Vidrine
In-reply-to: <199807272218.SAA14531@brain.zeus.leitch.com>
Subject: Re: inetd enhancements (fwd)
To: freebsd-security@FreeBSD.ORG
Date: Mon, 27 Jul 1998 17:34:42 -0500

On 27 July 1998 at 18:18, woods@zeus.leitch.com (Greg A. Woods) wrote:
> There's a version of this feature in NetBSD's inetd. I don't know if
> it's similar to your idea or to PR#2387's, but it would be nice to see
> all BSDs use the same config file interface....

Thanks for the pointer, I'll go check it out.

> This is probably better done by a wrapper. Getting the chroot area set
> up can be very tricky and anyone capable of doing so can easily write
> the appropriate wrapper too.

The reason I want to incorporate it into inetd is that so many wrappers are:

#! /bin/sh
/usr/sbin/chroot /my-chroot-dir /my-executable

Also, by sticking the chroot() in inetd, it is easy to give up root privs
after the chroot. This is not so easily done in a script after you've
chroot()'d, without sticking copies of ``su'' all around, or using setuid
executables.
-- 
Jacques Vidrine

From owner-freebsd-security Mon Jul 27 15:56:16 1998
Date: Mon, 27 Jul 1998 15:55:35 -0700 (PDT)
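The wrapper this sub-thread is arguing about (Niall's chroot(8) inetd.conf line and Jacques' point that a shell wrapper cannot give up root after the chroot), as an added C example that is not code from the thread, from the ninetd port or from FreeBSD's inetd: it validates the jail root, chroots, drops to an unprivileged user, and only then execs the service. The jail path, the user and the inetd.conf line are hypothetical.

```c
/* jailexec: chroot(2) into a directory, drop root, then exec the service.
 * Added example for this thread; not code from the thread or the ninetd port.
 * Hypothetical inetd.conf line (the wrapper must start as root to chroot):
 *   ftp stream tcp nowait root /usr/local/sbin/jailexec jailexec /jail ftp /libexec/ftpd ftpd -l
 */
#define _DEFAULT_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Reject a jail root that is missing, not a directory, or writable by
 * group/other: a jailed service that can write its own root can plant
 * files (e.g. an etc/passwd) that later chroot'd processes will trust.
 * Returns 0 if the directory is acceptable, -1 otherwise. */
int check_jail_dir(const char *dir)
{
    struct stat st;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;
    return 0;
}

/* Give up root for good. Supplementary groups and the gid must be
 * changed before the uid: once the uid is unprivileged, setgroups(2)
 * and setgid(2) would fail. Refuses uid 0 (that would be no drop at
 * all) and confirms afterwards that root cannot be regained.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)          /* must fail, or the drop was not real */
        return -1;
    return 0;
}

/* Resolve a user name with getpwnam(3). Done before chroot(2), because
 * the real /etc/passwd is outside the jail. Returns 0 on success. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);

    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;

    if (argc < 5) {
        fprintf(stderr, "usage: %s jaildir user program argv0 [args...]\n", argv[0]);
        return 1;
    }
    if (check_jail_dir(argv[1]) != 0) {
        fprintf(stderr, "%s: refusing jail directory %s\n", argv[0], argv[1]);
        return 1;
    }
    if (lookup_user(argv[2], &uid, &gid) != 0) {
        fprintf(stderr, "%s: unknown user %s\n", argv[0], argv[2]);
        return 1;
    }
    /* chdir("/") after chroot, otherwise the cwd still points outside. */
    if (chroot(argv[1]) != 0 || chdir("/") != 0) {
        perror("chroot");
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "%s: could not drop privileges\n", argv[0]);
        return 1;
    }
    /* argv[3] is the program path inside the jail; argv[4..] is its argv. */
    execv(argv[3], &argv[4]);
    perror(argv[3]);             /* only reached if execv(2) failed */
    return 1;
}
```

Unlike the two-line shell wrapper, nothing here runs inside the jail as root, and no copy of su or a setuid binary has to live in the jail for that to hold.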
From: "Jan B. Koum"
To: security@FreeBSD.ORG
Subject: FreeBSD Security How-to for your review.

Hello all,

Due to some recent (imap, qpop, etc) bugs and just because I had some
time, I put together "FreeBSD Security How-To". This is not "kernel
hacking" type of doc but rather just steps a user new to FreeBSD can take
to further secure their OS. I would like to get any comments or feedback I
can get from you. Don't cc: the list -- just mail me directly.

Currently it is at www.best.com/~jkb/howto.txt - this is still work in
progress, but I'd like to get your opinion so far.

Thanks,

-- Yan

Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

From owner-freebsd-security Mon Jul 27 16:55:47 1998
Message-Id: <199807272354.RAA01585@lariat.lariat.org>
Date: Mon, 27 Jul 1998 17:22:07 -0600
To: "Jan B. Koum"
From: Brett Glass
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
Cc: chat@FreeBSD.ORG, security@FreeBSD.ORG
References: <199807272300.RAA00688@lariat.lariat.org>

At 04:11 PM 7/27/98 -0700, Jan B. Koum wrote:

> Hello all,
>
> Since the secret is out now on freebsd-security .. I have been
>working on FreeBSD Security How-To for the last few weeks. It is still in
>beta and I hope to get more comments from people on -security.
> It is currently at www.best.com/~jkb/howto.txt
> No kernel hacking -- just basic steps users can take to secure
>their workstations, server, etc. I'd like any comments, feedback or
>suggestions from -chat also. (yes, I'll soon have html also for those of
>you who can't stand ascii).
>
>-- Yan

I'd like to commend Jan on this effort. I do think that the section on
eliminating inetd needs some fleshing out, though. Some servers, such as
all of the POP3 daemons I've tried, don't seem to admit themselves to being
run except from inetd. Also, the section should discuss the dangers of
having a server die without any automatic means to resuscitate it. For
example, the docs for identd warn against running it without inetd, since
if it quits it will not be restarted. Perhaps a utility that checks for the
presence of servers and restarts them if they've died could be developed as
part of this effort and perhaps added to the FreeBSD distribution.

Also, the section on ssh suggests running it without telling the user where
to find client software. Any recommendation for a secure service should
include information on how to obtain clients for all of the usual client
platforms (including -- yes -- Microsoft OSes).
--Brett

From owner-freebsd-security Mon Jul 27 20:09:02 1998
Message-Id: <3.0.5.32.19980728000808.007cb4f0@neoplanos.com.br>
Date: Tue, 28 Jul 1998 00:08:08 -0300
To: security@FreeBSD.ORG
From: Joao Paulo Campello
Subject: Re: FreeBSD Security How-to for your review.

Hi all,

I dunno if it's the correct list to ask for this kind of information, but...

I once tried to compile an irc daemon in my old Linux, and when needed to
establish more than 256 simultaneous connections I've got the error:

"FD Table too big"

I didn't find any kernel option in the RedHat kernel configuration to raise
the FD Table value... Now I've the same problem in my FreeBSD 2.2.6

Does anybody know which is the FD Table value in FreeBSD? Or even how to
change this?!?!

Cheers,

João Paulo Caldas Campello
Diretor Tecnico - Neo Planos Solution Provider
http://www.neoplanos.com.br/
IRCAdmin NetLink - Recife/PE
(ICQ # ASK-ME :))

From owner-freebsd-security Mon Jul 27 21:38:40 1998
Date: Mon, 27 Jul 1998 21:40:15 -0700 (PDT)
From: Jim Shankland
Message-Id: <199807280440.VAA12658@biggusdiskus.flyingfox.com>
To: ben@rosengart.com
Subject: Re: inetd enhancements (fwd)
Cc: security@FreeBSD.ORG

Snob Art Genre writes:

> Ever since I learned how the sockets API supports binding to a
> specific interface, I've wanted ways to use this in inet
> software. As it is, I'm using tcp_wrappers to get equivalent
> functionality, but this would certainly be more elegant.

Careful there. The sockets API supports binding to a specific *address*,
not interface. If your machine has two interfaces with addresses A and B,
and you bind your server socket to address B, it will happily accept
connections addressed to address B, but physically arriving via the "A"
interface.

In many situations, this can't happen, due to routing. E.g., if address B
is 192.168.1.1, and I'm an Evil Hacker In Bulgaria, I'll be hard pressed to
get packets addressed to 192.168.1.1 delivered to your server. On the other
hand, in this case, an "inside" client can likely connect to services bound
only to the "outside" address. And if the bad guy has control of your
immediate upstream, s/he/it (the universal "bad guy" pronoun, often
suffixed with "-head") could arrange to deliver packets addressed to your
"inside" interface down your "outside" wire.

Anyway, caveat emptor. The sockets API was written back when everyone was
friends.

Jim Shankland
Flying Fox Computer Systems, Inc.
From owner-freebsd-security Mon Jul 27 22:29:49 1998
Date: Tue, 28 Jul 1998 01:29:04 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Jim Shankland
cc: ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
In-Reply-To: <199807280440.VAA12658@biggusdiskus.flyingfox.com>

On Mon, 27 Jul 1998, Jim Shankland wrote:

> Careful there. The sockets API supports binding to a specific
> *address*, not interface. If your machine has two interfaces
> with addresses A and B, and you bind your server socket to address
> B, it will happily accept connections addressed to address B,
> but physically arriving via the "A" interface.

Hrm, that's no good. But if I'm not mistaken, each interface is configured
with its own address. Does this not give the system enough information to
reject packets arriving on the wrong interface for their address? Are you
sure that the system will accept packets for the wrong interface?

Ben

"You have your mind on computers, it seems."

From owner-freebsd-security Mon Jul 27 23:00:17 1998
Date: Mon, 27 Jul 1998 23:01:52 -0700 (PDT)
From: Jim Shankland
Message-Id: <199807280601.XAA13523@biggusdiskus.flyingfox.com>
To: ben@rosengart.com
Subject: Re: inetd enhancements (fwd)
Cc: security@FreeBSD.ORG
From:
Reply-To: ben@rosengart.com
To: Jim Shankland
cc: ben@rosengart.com, security@freebsd.org
Subject: Re: inetd enhancements (fwd)
In-Reply-To: <199807280440.VAA12658@biggusdiskus.flyingfox.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Snob Art Genre writes:

> On Mon, 27 Jul 1998, Jim Shankland wrote:
>
> > Careful there. The sockets API supports binding to a specific
> > *address*, not interface....
>
> Hrm, that's no good. But if I'm not mistaken, each interface
> is configured with its own address. Does this not give the
> system enough information to reject packets arriving on the
> wrong interface for their address?

Well, each interface is not necessarily configured with a *unique* address; think point-to-point interfaces reusing the address of an Ethernet interface. But yes, one could in theory enforce the restriction that packets are only accepted by a host if their destination address is one of the ones associated with that particular interface.

However, this would break a few things. (We have a machine with 11 Ethernet interfaces -- hence, 11 IP addresses -- running BIND8 and serving about 80 domains. *One* of those IP addresses is listed as the name server for those 80 domains with InterNIC. It would be bad if users on the other 10 Ethernets couldn't address this nameserver to resolve the 80 domains.)

> Are you sure that the system will accept packets for the wrong
> interface?

Try it :-).

Jim Shankland
Flying Fox Computer Systems, Inc.
From owner-freebsd-security Mon Jul 27 23:08:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA09160 for freebsd-security-outgoing; Mon, 27 Jul 1998 23:08:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id XAA09155 for ; Mon, 27 Jul 1998 23:08:48 -0700 (PDT) (envelope-from marcs@go2net.com)
Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2) id 0z12uA-0007Ci-00; Mon, 27 Jul 1998 23:06:34 -0700
Date: Mon, 27 Jul 1998 23:06:34 -0700 (PDT)
From: Marc Slemko
X-Sender: marcs@redfish
To: ben@rosengart.com
cc: security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Jul 1998, Snob Art Genre wrote:

> On Mon, 27 Jul 1998, Jim Shankland wrote:
>
> > Careful there. The sockets API supports binding to a specific
> > *address*, not interface. If your machine has two interfaces
> > with addresses A and B, and you bind your server socket to address
> > B, it will happily accept connections addressed to address B,
> > but physically arriving via the "A" interface.
>
> Hrm, that's no good. But if I'm not mistaken, each interface is
> configured with its own address. Does this not give the system enough
> information to reject packets arriving on the wrong interface for their
> address?

There is no such thing as the "wrong interface".

It is completely normal and valid to expect that binding to an IP address will let connections be accepted on that IP address. If routing etc. is somehow set up so that works when traffic comes in through another interface, so it should. It is called routing.
From owner-freebsd-security Tue Jul 28 00:00:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA16923 for freebsd-security-outgoing; Tue, 28 Jul 1998 00:00:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from inet.chipweb.ml.org (qmailr@c1003518-a.plstn1.sfba.home.com [24.1.82.47]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA16908 for ; Tue, 28 Jul 1998 00:00:29 -0700 (PDT) (envelope-from ludwigp@bigfoot.com)
Message-Id: <199807280700.AAA16908@hub.freebsd.org>
Received: (qmail 18970 invoked from network); 28 Jul 1998 06:59:26 -0000
Received: from speedy.chipweb.ml.org (172.16.1.1) by inet.chipweb.ml.org with SMTP; 28 Jul 1998 06:59:26 -0000
X-Sender: ludwigp2@mail-r
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 27 Jul 1998 23:59:12 -0700
To: Joao Paulo Campello , security@FreeBSD.ORG
From: Ludwig Pummer
Subject: Re: FreeBSD Security How-to for your review.
In-Reply-To: <3.0.5.32.19980728000808.007cb4f0@neoplanos.com.br>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:08 AM 7/28/98 -0300, Joao Paulo Campello wrote:
>Hi all,
>
>I dunno if it's the correct list to ask for this kind of information, but...

If you ask in freebsd-questions@freebsd.org, you'll probably get a response. And don't reply to a totally unrelated thread.

> I once tried to compile an irc daemon in my old Linux, and when needed to
>establish more than 256 simultaneous connections I've got the error:
>
>"FD Table too big"

Be sure to mention the name and version of the irc daemon when you post to freebsd-questions.

--Ludwig Pummer
ludwigp@bigfoot.com ludwigp@chipweb.ml.org
ICQ UIN: 692441
http://chipweb.home.ml.org

From owner-freebsd-security Tue Jul 28 00:35:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA23280 for freebsd-security-outgoing; Tue, 28 Jul 1998 00:35:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA23258 for ; Tue, 28 Jul 1998 00:35:20 -0700 (PDT) (envelope-from maillist@oaks.com.au)
Received: from bigbox (frankenputer.aussie.org [203.29.75.73]) by mail.aussie.org (8.9.0/8.9.0) with SMTP id RAA23635; Tue, 28 Jul 1998 17:34:16 +1000 (EST)
Message-Id: <199807280734.RAA23635@mail.aussie.org>
From: "Hallam Oaks P/L list account"
To: "freebsd-security@FreeBSD.ORG" , "Jesse"
Date: Tue, 28 Jul 1998 17:35:03 +1000
Reply-To: "Hallam Oaks P/L list account"
X-Mailer: PMMail 98 Standard (2.01.1600) For Windows NT (4.0.1381;3)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: ipfw rules to allow DNS activity
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 27 Jul 1998 00:16:38 -0700 (PDT), Jesse wrote:

>I'm thinking of changing one of my boxes which is running bind (performing
>primary secondary DNS functions) from allow-anything-except-things-
>specifically-denied ipfw rules to deny-everything-except-things-
>specifically-allowed rules (open vs closed? hehe). Anyway, I was wondering
>what are the minimum rules necessary to allow DNS queries/transfers from
>other servers to my server, and also to allow queries from my server to
>other servers.

check out the rc.firewall I posted to the list recently (it's also on the FreeBSD rc.firewall page; see http://www.metronet.com/~pgilley/freebsd/ipfw/ for more info). the one I posted has entries to allow DNS (as the machine it's used on is a primary DNS server).

--
Chris
Hallam Oaks P/L

From owner-freebsd-security Tue Jul 28 00:55:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA25945 for freebsd-security-outgoing; Tue, 28 Jul 1998 00:55:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA25940 for ; Tue, 28 Jul 1998 00:55:42 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 12064 invoked by uid 1001); 28 Jul 1998 07:55:12 +0000 (GMT)
To: marcs@znep.com
Cc: ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
In-Reply-To: Your message of "Mon, 27 Jul 1998 23:06:34 -0700 (PDT)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 28 Jul 1998 09:55:12 +0200
Message-ID: <12062.901612512@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Hrm, that's no good. But if I'm not mistaken, each interface is
> > configured with its own address. Does this not give the system enough
> > information to reject packets arriving on the wrong interface for their
> > address?
>
> There is no such thing as the "wrong interface".
>
> It is completely normal and valid to expect that binding to an IP address
> will let connections be accepted on that IP address. If routing etc. is
> somehow setup so that works when traffic comes in through another
> interface, so it should. It is called routing.

If your box is set up *not* to route (net.inet.ip.forwarding = 0), I can certainly see security advantages in not allowing packets to be accepted unless they have destination address equal to the interface address. I have seen a patch for this floating around on the net, but it would be nice to have this configurable.
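The check Steinar describes above (accept a packet for local delivery only when its destination address is configured on the interface it arrived on, as opposed to today's rule that any configured address will do), as an added user-space model. This is example code, not a FreeBSD patch and not code from anyone in the thread: the interface table is constructed, the names fxp0/fxp1 and the addresses are made up, and the loose mode is what Jim and Marc describe the stack doing now.

```c
/* Added example (not from the thread, not a FreeBSD patch): a user-space
 * model of the destination-address check Steinar proposes.  The table
 * of interfaces and addresses is constructed; "fxp0"/"fxp1" and the
 * addresses are made up. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

struct ifaddr_entry {
    const char *ifname;   /* interface the address is configured on */
    const char *addr;     /* IPv4 address in dotted-quad form */
};

/* Constructed: a host with two Ethernets, like Jim's "A" and "B". */
static const struct ifaddr_entry iftable[] = {
    { "fxp0", "192.0.2.10" },      /* address A */
    { "fxp1", "198.51.100.10" },   /* address B */
    { "lo0",  "127.0.0.1" },
};
#define IFTABLE_LEN (sizeof iftable / sizeof iftable[0])

enum dst_policy {
    DST_ANY_LOCAL,     /* current behaviour: any configured address is ours */
    DST_STRICT_IFACE   /* Steinar's rule: address must sit on the ingress interface */
};

/* Return 1 if a packet that arrived on in_if addressed to dst should be
 * handed to a local socket under policy, 0 if it should be dropped. */
int accept_for_local_delivery(enum dst_policy policy,
                              const char *in_if, const char *dst)
{
    struct in_addr want, have;
    size_t i;

    if (inet_pton(AF_INET, dst, &want) != 1)
        return 0;                         /* malformed destination: drop */

    for (i = 0; i < IFTABLE_LEN; i++) {
        if (inet_pton(AF_INET, iftable[i].addr, &have) != 1)
            continue;
        if (have.s_addr != want.s_addr)
            continue;
        /* dst is one of our addresses. */
        if (policy == DST_ANY_LOCAL)
            return 1;
        /* Strict mode also requires the address to be configured on
         * in_if.  An address shared by several interfaces (Jim's
         * point-to-point case) simply has several rows and matches on
         * each of them. */
        if (strcmp(iftable[i].ifname, in_if) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Jim's scenario: a packet for address B comes in via interface A. */
    printf("loose (B via fxp0) : %d\n",
           accept_for_local_delivery(DST_ANY_LOCAL, "fxp0", "198.51.100.10"));
    printf("strict (B via fxp0): %d\n",
           accept_for_local_delivery(DST_STRICT_IFACE, "fxp0", "198.51.100.10"));
    printf("strict (B via fxp1): %d\n",
           accept_for_local_delivery(DST_STRICT_IFACE, "fxp1", "198.51.100.10"));
    return 0;
}
```

The strict mode is exactly what breaks Jim's 11-interface BIND server: a query for the registered address that arrives on one of the other ten Ethernets is dropped. That is why Steinar ties the idea to hosts with net.inet.ip.forwarding = 0 and asks for it to be configurable rather than the default.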
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Tue Jul 28 01:58:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA04212 for freebsd-security-outgoing; Tue, 28 Jul 1998 01:58:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hoth.amu.edu.pl (nexus@hoth.amu.edu.pl [150.254.113.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA04203 for ; Tue, 28 Jul 1998 01:58:16 -0700 (PDT) (envelope-from nexus@hoth.amu.edu.pl)
Received: from localhost (nexus@localhost) by hoth.amu.edu.pl (8.9.0/8.9.0) with SMTP id KAA16967; Tue, 28 Jul 1998 10:56:50 +0200 (CEST)
Date: Tue, 28 Jul 1998 10:56:50 +0200 (CEST)
From: Bohdan Horst
To: Joao Paulo Campello
cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-to for your review.
In-Reply-To: <3.0.5.32.19980728000808.007cb4f0@neoplanos.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Jul 1998, Joao Paulo Campello wrote:

> Hi all,
>
> I dunno if it's the correct list to ask for this kind of information, but...
>
> I once tried to compile an irc daemon in my old Linux, and when needed to
> establish more than 256 simultaneous connections I've got the error:
>
> "FD Table too big"
>
> I didn't find any kernel option in the RedHat kernel configuration to raise
> the FD Table value... Now i've the same problem in my FreeBSD 2.2.6
>
> Does anybody know which is the FD Table value in FreeBSD? Or even how to
> change this?!?!

FreeBSD 2.2.* /usr/src/sys/sys/types.h
---------
/*
 * Select uses bit masks of file descriptors in longs.  These macros
 * manipulate such bit fields (the filesystem macros use chars).
 * FD_SETSIZE may be defined by the user, but the default here should
 * be enough for most uses.
 */
#ifndef FD_SETSIZE
#define FD_SETSIZE      256
#endif
---------

change this to 1024 (or 2048) and ircd will work fine :)
(tested on ircd with >800 users)

p.s.
FreeBSD 3.* -> #define FD_SETSIZE 1024

--
/ irl:Bohdan 'Nexus' Horst | mailto:nexus@irc.pl | irc:Nexus \
{---------------------------^----------v----------^------------}
\ http://www.physd.amu.edu.pl/~nexus/ | Instytut Fizyki UAM /

From owner-freebsd-security Tue Jul 28 02:22:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA07283 for freebsd-security-outgoing; Tue, 28 Jul 1998 02:22:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from freefall.pipeline.ch (freefall.pipeline.ch [195.134.128.40]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA07209; Tue, 28 Jul 1998 02:22:01 -0700 (PDT) (envelope-from andre@pipeline.ch)
Received: from pipeline.ch ([195.134.128.41]) by freefall.pipeline.ch (Netscape Mail Server v2.02) with ESMTP id AAA322; Tue, 28 Jul 1998 11:20:21 +0200
Message-ID: <35BD97DE.2E242C6E@pipeline.ch>
Date: Tue, 28 Jul 1998 11:20:30 +0200
From: "IBS / Andre Oppermann"
Organization: Internet Business Solutions Ltd. (AG)
X-Mailer: Mozilla 4.03 [en] (WinNT; U)
MIME-Version: 1.0
To: Brett Glass
CC: "Jan B. Koum" , chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
References: <199807272300.RAA00688@lariat.lariat.org> <199807272354.RAA01585@lariat.lariat.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:

-snip-

> I do think that the section on eliminating inetd needs some fleshing out,
> though. Some servers, such as all of the POP3 daemons I've tried, don't
> seem to admit themselves to being run except from inetd. Also, the section
> should discuss the dangers of having a server die without any automatic
> means to resuscitate it. For example, the docs for identd warn against
> running it without inetd, since if it quits it will not be restarted.
> Perhaps a utility that checks for the presence of servers and restarts them
> if they've died could be developed as part of this effort and perhaps added
> to the FreeBSD distribution.

There's a nice tool called tcpserver avail from DJB (we all love his coding style): ftp://koobera.math.uic.edu/www/ucspi-tcp.html

The description:

# tcpclient and tcpserver are easy-to-use command-line tools for building
# TCP client-server applications. tcpclient makes a TCP connection and
# runs a program of your choice. tcpserver waits for incoming connections
# and, for each connection, runs a program of your choice. Your program
# receives environment variables showing the local and remote host names,
# IP addresses, and port numbers.
#
# tcpserver offers a concurrency limit to protect you from running out
# of processes and memory. When you are handling 40 (by default)
# simultaneous connections, tcpserver smoothly defers acceptance of
# new connections.
#
# tcpserver also provides TCP access control features, similar to
# tcp-wrappers/tcpd's hosts.allow but much faster. Its access control
# rules are compiled into a hashed format with cdb, so it can easily
# deal with thousands of different hosts.
#
# tcpclient and tcpserver conform to UCSPI, the UNIX Client-Server
# Program Interface, using the TCP protocol. UCSPI tools are available
# for several different networks.

--
Andre Oppermann
CEO / Geschaeftsfuehrer
Internet Business Solutions Ltd. (AG)
Hardstrasse 235, 8005 Zurich, Switzerland
Fon +41 1 277 75 75 / Fax +41 1 277 75 77
http://www.pipeline.ch ibs@pipeline.ch

From owner-freebsd-security Tue Jul 28 03:29:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA15724 for freebsd-security-outgoing; Tue, 28 Jul 1998 03:29:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id DAA15715 for ; Tue, 28 Jul 1998 03:29:45 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 13881 invoked by uid 1001); 28 Jul 1998 10:27:43 +0000 (GMT)
To: andre@pipeline.ch
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To: Your message of "Tue, 28 Jul 1998 11:20:30 +0200"
References: <35BD97DE.2E242C6E@pipeline.ch>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 28 Jul 1998 12:27:42 +0200
Message-ID: <13879.901621662@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I do think that the section on eliminating inetd needs some fleshing out,
> > though. Some servers, such as all of the POP3 daemons I've tried, don't
> > seem to admit themselves to being run except from inetd. Also, the section
> > should discuss the dangers of having a server die without any automatic
> > means to resuscitate it. For example, the docs for identd warn against
> > running it without inetd, since if it quits it will not be restarted.
> > Perhaps a utility that checks for the presence of servers and restarts them
> > if they've died could be developed as part of this effort and perhaps added
> > to the FreeBSD distribution.
>
> There's a nice tool called tcpserver avail from DJB (we all love his
> coding style): ftp://koobera.math.uic.edu/www/ucspi-tcp.html

For those who are interested in high security and in eliminating inetd, I'd recommend Marcus Ranum's simplified inetd. See the enclosed message.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----------------------------------------------------------------------
From: mjr@tis.com (Marcus J. Ranum)
Subject: Re: Frigging inetd!!!!
Date: 26 Oct 1993 19:07:53 GMT

[I added comp.security.unix to the distribution and dropped the gopher group, since this is really a security rant, and part of an ongoing rant from comp.security.unix]

> Why not just get a copy of the source for inetd and rebuild it
>for your system? Also, there is a new program called xinetd, which
>is supposed to be an augmented inetd that has built in security. I've
>got the source code, but I have not had much of a chance to play with
>it yet.

Here I must insert my mandatory rant about "augmentation" "features" and "security."

Xinetd has (presumably) a huge number of features. It's also a relatively huge piece of code. Compare it to the BSD inetd sources:

Program                           Modules   Lines of Code
-------                           -------   -------------
inetd, from BSD Net-2                   1             964
xinetd, minus support libraries        36           11801

For a security critical application like inetd, the last thing you want is security at the price of 12 times as much code. Large programs that do security critical things (sendmail, xinetd, wuarchive-ftpd, Xterm) are traditionally a snakepit of security holes. The idea of "built in security" is contrary to most formal security practices. The security critical policy sections should be clearly isolated from the rest of the code that does bookkeeping or whatever else.

I enclose below a version of inetd that's 80 lines of code. The security critical section is clearly visible. More importantly, the implementation is small enough that when I showed a copy to a friend, he instantly spotted a bug. It's a lot easier to spot a bug in a 1 page program, than in an 11,801 line program that is 36+ files in 2 directories. Also, this version of inetd is not vulnerable to attacks on inetd.conf since it doesn't use one, and doesn't have any argument limitations on the invoked programs. It doesn't support UDP services, but then, from a security standpoint, UDP services make me all nervous anyhow.
Note, too, that the code has only one comment. It's simple enough that it needs no comments.

mjr.
------------------------------
/* The header names were lost when this message was archived (the angle
   brackets were stripped); the list below is what the code needs, plus
   the headers a current compiler wants for the prototypes. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <syslog.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>

void
reap(int sig)
{
	int s;

	while(waitpid(-1,&s,WNOHANG) > 0);
}

int
main(int ac, char *av[])
{
	struct sockaddr_in mya;
	struct servent *sp;
	fd_set muf;
	int myfd, new, x, maxfd = getdtablesize();

	openlog("inetd",LOG_PID,LOG_DAEMON);
	if(ac < 3) {
		syslog(LOG_ERR,"usage: %s serviceport command [args]",av[0]);
		exit(1);
	}
	signal(SIGCHLD,reap);
	if((myfd = socket(AF_INET,SOCK_STREAM,0)) < 0) {
		syslog(LOG_ERR,"socket : %m");
		exit(1);
	}
	mya.sin_family = AF_INET;
	bzero(&mya.sin_addr,sizeof(mya.sin_addr));
	if((sp = getservbyname(av[1],"tcp")) == (struct servent *)0) {
		if(atoi(av[1]) <= 0) {
			syslog(LOG_ERR,"Cannot interpret %s as service",av[1]);
			exit(1);
		}
		mya.sin_port = htons(atoi(av[1]));
	} else
		mya.sin_port = sp->s_port;
	if(bind(myfd,(struct sockaddr *)&mya,sizeof(mya))) {
		syslog(LOG_ERR,"bind: %m");
		exit(1);
	}
	/* END SECURITY CRITICAL CODE */
	/* setuid(4); */
	if(listen(myfd,1) < 0) {
		perror("listen");
		exit(1);
	}
loop:
	FD_ZERO(&muf);
	FD_SET(myfd,&muf);
	if(select(myfd + 1,&muf,0,0,0) != 1 || !FD_ISSET(myfd,&muf))
		goto loop;
	if((new = accept(myfd,0,0)) < 0)
		goto loop;
	if(fork() == 0) {
		for(x = 2; x < maxfd; x++)
			if(x != new)
				close(x);
		for(x = 0; x < NSIG; x++)
			signal(x,SIG_DFL);
		dup2(new,0);
		close(new);
		dup2(0,1);
		dup2(0,2);
		execv(av[2],av + 2);
		syslog(LOG_ERR,"exec %s: %m",av[2]);
		exit(1);
	}
	close(new);
	goto loop;
}

From owner-freebsd-security Tue Jul 28 05:31:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA02456 for freebsd-security-outgoing; Tue, 28 Jul 1998 05:31:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.EUnet-Bretagne.fr (ns.eunet-bretagne.fr [193.107.210.125]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA02446 for ; Tue, 28 Jul 1998 05:31:15 -0700 (PDT) (envelope-from Eric.Feillant@EUnet-Bretagne.fr)
Received: from EUnet-Bretagne.fr (ericf.EUnet-Bretagne.fr [193.107.210.161]) by ns.EUnet-Bretagne.fr (8.8.7/8.8.7) with ESMTP id OAA14615 for ; Tue, 28 Jul 1998 14:30:08 +0200 (MET DST)
Message-ID: <35BDC6CA.E4B1B924@EUnet-Bretagne.fr>
Date: Tue, 28 Jul 1998 14:40:42 +0200
From: Eric Feillant
Organization: EUnet BRETAGNE groupe EUnet
X-Mailer: Mozilla 4.05 [fr] (Win95; I)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: (no subject)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe

From owner-freebsd-security Tue Jul 28 05:49:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA04258 for freebsd-security-outgoing; Tue, 28 Jul 1998 05:49:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA04253; Tue, 28 Jul 1998 05:48:55 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id IAA12287; Tue, 28 Jul 1998 08:48:05 -0400 (EDT)
Date: Tue, 28 Jul 1998 08:48:05 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Brett Glass
cc: "Jan B. Koum " , chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To: <199807272354.RAA01585@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 27 Jul 1998, Brett Glass wrote:

> I'd like to commend Jan on this effort.

Yes, I think this is a great thing :)

> I do think that the section on eliminating inetd needs some fleshing out,
> though. Some servers, such as all of the POP3 daemons I've tried, don't
> seem to admit themselves to being run except from inetd. Also, the section
> should discuss the dangers of having a server die without any automatic
> means to resuscitate it. For example, the docs for identd warn against
> running it without inetd, since if it quits it will not be restarted.
> Perhaps a utility that checks for the presence of servers and restarts them
> if they've died could be developed as part of this effort and perhaps added
> to the FreeBSD distribution.

I agree with limiting/replacing this inetd, but I am actually not sure I agree with just removing inetd. inetd provides a number of useful services under BSD:

1. Single location to configure the majority of IP services (i.e., a single point of configuration that is easy to maintain and monitor)
2. Single location to install IP wrappers and IP-based access control
3. Single location to monitor for potential denial of service attacks

These are all important, I feel. Inetd provides a simple way to monitor which daemons you are running, and disable them easily. Rather than having to modify umpteen rc.* scripts in many directories, I can modify a single file. Simplifying the policy control mechanism is not bad, and it makes it easy for new users of BSD to disable services.
Now, instead of finding references in many scripts and config files, I can in 20 seconds comment out all the lines but telnet, ftp, etc. This is not bad. And the format of the inetd configuration file is certainly not bad -- attempting to stuff the same degree of control into rc.conf is only asking for trouble :). With a single HUP, I can enact the new policy, rather than tracking down dozens of processes hanging around.

Also, let's not forget the reason for inetd in the first place -- if you have a number of infrequently used TCP services, you experience far lower load and resource consumption via inetd. You are less susceptible to memory leaks (or even just fragmentation), swap space consumption, etc. Most long-lasting heavily hit services regularly kill their component processes to try and address this (for example, many web servers only use particular server processes 64 times before killing them in an effort to reduce fragmentation and memory leak issues). I would rather reduce the number of long-running daemons and have a centralized point of control.

But there are more sides to this (points 2 + 3 of above). inetd allows the use of TCP wrappers via a central administration point. Rather than building by-IP access control into each and every daemon running on the system, using a central TCP wrappers config file makes far more sense. It also means that I can apply varying access control mechanisms to binary-only daemons I may have (commercially available daemons). It also means I don't have to sit there and patch a ported daemon like crazy to use my access control.

An example: suppose I have an IPsec FreeBSD router. The FreeBSD router needs to be configured remotely by a mobile host so that we can have mobile IP. I want the machine to allow connections to the telnet, etc, daemons only if it is a secured connection with the correct keying material/etc. Rather than build this into each daemon, I'd really prefer to have it live in TCP wrappers.
When the connection comes in, the TCP wrapper makes an authorization decision based on knowing about IPsec, and then if desired, forwards the connection to the telnet daemon. Similarly, wrappers provide a central logging facility. Rather than rely on the far larger and more complex telnetd that is probably more susceptible to programming errors, I want wrappers to securely log the event, and then allow the connection to telnetd. Perhaps also, one might want to run inetd itself chroot, and have all daemons inherit that aspect?

The third point is denial of service. With a dozen daemons running independently, written by a variety of vendors, it might be quite hard to monitor denial of service attacks. With a single daemon multiplexing connections in userland, I can far more easily install a filter watching for application-based denial of service, or resource consumption.

I feel that inetd provides a degree of centralization for configuration and security that is more of a benefit than a liability. Certainly, in an environment where *no* daemons are running, inetd is probably a bad idea. The same for high volume daemons like httpd. On the other hand, wouldn't you rather have a small daemon (finger) run as nobody via the benefits of inetd changing the uid, than running fingerd as root so that it can bind the port?

> Also, the section on ssh suggests running it without telling the user where
> to find client software. Any recommendation for a secure service should
> include information on how to obtain clients for all of the usual client
> platforms (including -- yes -- Microsoft OSes).

I heard there was a free Windows ssh client these days -- I haven't used it as (oops) I don't run any Microsoft operating systems :). SSH is a great tool and we should encourage its use. There are some caveats involving automatic X forwarding (etc) that should be raised. There are already papers on this around so perhaps point to existing documents for details?
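Robert's points 2 and 3 above, a central by-address access list and a single place to watch and cap the connection rate, as an added example: one policy function that a connection multiplexer in the inetd/tcpserver mould would consult right after accept() and before fork(). This is example code, not inetd, tcpd or tcpserver code and not from anyone in the thread; the rule table and addresses are constructed, first-match-wins with default deny is my choice (the closed posture Jesse asks about for ipfw earlier in this digest), and the cap of 4 is arbitrary (tcpserver's own default, per Andre's quoted description, is 40).

```c
/* Added example (not from the thread, not inetd/tcpd/tcpserver code):
 * one access-control plus concurrency decision for a connection
 * multiplexer.  Rule table, addresses and the cap are constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { CONN_ACCEPT = 0, CONN_DEFER = 1, CONN_REJECT = 2 };

/* One access-control rule: an IPv4 CIDR prefix and allow/deny. */
struct acl_rule {
    const char *cidr;   /* "a.b.c.d/n" or a bare address (/32) */
    int allow;          /* 1 = allow, 0 = deny */
};

/* Per-service policy.  First matching rule wins; no match means deny. */
struct service_policy {
    const struct acl_rule *rules;
    size_t nrules;
    unsigned max_concurrent;   /* tcpserver-style cap on live children */
};

/* Parse "a.b.c.d/n" into network and mask in host byte order.
 * Returns 1 on success, 0 on a malformed rule. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[32];
    char *slash;
    struct in_addr a;
    int bits = 32;

    if (strlen(cidr) >= sizeof buf)
        return 0;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        bits = atoi(slash + 1);
        if (bits < 0 || bits > 32)
            return 0;
    }
    if (inet_pton(AF_INET, buf, &a) != 1)
        return 0;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    *net = ntohl(a.s_addr) & *mask;
    return 1;
}

/* Decide what to do with a connection from remote (dotted quad) when
 * active children are already running for this service.  Access control
 * runs first so a denied peer never consumes a concurrency slot. */
enum verdict decide_connection(const struct service_policy *p,
                               const char *remote, unsigned active)
{
    struct in_addr r;
    uint32_t ip, net, mask;
    size_t i;

    if (inet_pton(AF_INET, remote, &r) != 1)
        return CONN_REJECT;                 /* unparsable peer: refuse */
    ip = ntohl(r.s_addr);

    for (i = 0; i < p->nrules; i++) {
        if (!parse_cidr(p->rules[i].cidr, &net, &mask))
            continue;                       /* malformed rule: ignore it */
        if ((ip & mask) == net) {
            if (!p->rules[i].allow)
                return CONN_REJECT;
            break;                          /* explicitly allowed */
        }
    }
    if (i == p->nrules)
        return CONN_REJECT;                 /* nothing matched: default deny */

    /* Over the cap: the caller stops calling accept() for a while
     * instead of forking, which is how tcpserver "defers" new work. */
    if (active >= p->max_concurrent)
        return CONN_DEFER;
    return CONN_ACCEPT;
}

/* Constructed policy: the local /24 may connect, one noisy host inside
 * it is blocked, everything else is denied; at most 4 children. */
static const struct acl_rule example_rules[] = {
    { "192.0.2.99/32", 0 },
    { "192.0.2.0/24",  1 },
};
const struct service_policy example_policy = {
    example_rules, sizeof example_rules / sizeof example_rules[0], 4
};

int main(void)
{
    static const char *names[] = { "accept", "defer", "reject" };
    static const char *peers[] = { "192.0.2.7", "192.0.2.99", "203.0.113.1" };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("%-12s active=0 -> %s\n", peers[i],
               names[decide_connection(&example_policy, peers[i], 0)]);
    printf("%-12s active=4 -> %s\n", peers[0],
           names[decide_connection(&example_policy, peers[0], 4)]);
    return 0;
}
```

The ordering is the point: the multiplexer sees every connection before any service code runs, so the access decision, the cap and the log line all live in one place, which is what Robert means by a central point of control and what lets an administrator change policy with one HUP instead of patching each daemon.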
Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Tue Jul 28 06:17:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA07919 for freebsd-security-outgoing; Tue, 28 Jul 1998 06:17:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bright.ny.otec.com (bright.ny.otec.com [209.3.16.125]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA07898 for ; Tue, 28 Jul 1998 06:17:02 -0700 (PDT) (envelope-from bright@hotjobs.com)
Received: from localhost (bright@localhost) by bright.ny.otec.com (8.8.8/8.8.8) with SMTP id JAA20467; Tue, 28 Jul 1998 09:17:14 -0500 (EST) (envelope-from bright@hotjobs.com)
X-Authentication-Warning: bright.ny.otec.com: bright owned process doing -bs
Date: Tue, 28 Jul 1998 09:17:14 -0500 (EST)
From: Alfred Perlstein
X-Sender: bright@bright.ny.otec.com
To: Joao Paulo Campello
cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-to for your review.
In-Reply-To: <3.0.5.32.19980728000808.007cb4f0@neoplanos.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id GAA07904
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

for all these kinds of questions you should consult the "LINT" kernel

/usr/src/sys/i386/conf/LINT

you need to at least install the freebsd kernel (sys) source tree

-Alfred

On Tue, 28 Jul 1998, Joao Paulo Campello wrote:

> Hi all,
>
> I dunno if it's the correct list to ask for this kind of information, but...
>
> I once tried to compile an irc daemon in my old Linux, and when needed to
> establish more than 256 simultaneous connections I've got the error:
>
> "FD Table too big"
>
> I didn't find any kernel option in the RedHat kernel configuration to raise
> the FD Table value... Now i've the same problem in my FreeBSD 2.2.6
>
> Does anybody know which is the FD Table value in FreeBSD? Or even how to
> change this?!?!
>
> Cheers,
>
>
> João Paulo Caldas Campello
> Diretor Tecnico - Neo Planos Solution Provider
> http://www.neoplanos.com.br/
> IRCAdmin NetLink - Recife/PE (ICQ # ASK-ME :))
>

From owner-freebsd-security Tue Jul 28 08:01:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA23862 for freebsd-security-outgoing; Tue, 28 Jul 1998 08:01:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA23828 for ; Tue, 28 Jul 1998 08:00:50 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.8) id LAA19134; Tue, 28 Jul 1998 11:00:13 -0400 (EDT) (envelope-from wollman)
Date: Tue, 28 Jul 1998 11:00:13 -0400 (EDT)
From: Garrett Wollman
To: ben@rosengart.com
Cc: Jim Shankland, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)

< said:

> Hrm, that's no good. But if I'm not mistaken, each interface is
> configured with its own address. Does this not give the system enough
> information to reject packets arriving on the wrong interface for their
> address?

> Are you sure that the system will accept packets for the wrong
> interface?

There's nothing ``wrong'' about it. In a complex network with routing
protocols operating, it is perfectly conceivable that a packet addressed
to one interface may be delivered to another. (Indeed, that is often
desirable, particularly if one interface is much higher-speed than
another. For example, at a previous POE, we had a bunch of SGI servers
on a FDDI ring, which were also on the regular Ethernet. If someone on
server A mounted an NFS filesystem from server B, we wanted that traffic
to stay on the FDDI ring rather than crossing our aging Cisco router.)

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Jul 28 08:45:59 1998
Date: Tue, 28 Jul 1998 09:07:40 -0600
To: Robert Watson
From: Brett Glass
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
Cc: "Jan B. Koum", chat@FreeBSD.ORG, security@FreeBSD.ORG

At 08:48 AM 7/28/98 -0400, Robert Watson wrote:

>I heard there was a free Windows ssh client these days -- I haven't used
>it as (oops) I don't run any Microsoft operating systems :).

Anyone know where to get it?

--Brett

From owner-freebsd-security Tue Jul 28 08:53:47 1998
Date: Tue, 28 Jul 1998 17:52:57 +0200
From: Ollivier Robert
To: chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit))

Try these:

and a pointer to Cygnus GNU-Win32 project.

--
Ollivier ROBERT -=- Eurocontrol EEC/TS -=- Ollivier.Robert@eurocontrol.fr
FreeBSD caerdonn.eurocontrol.fr 3.0-CURRENT #38: Mon Jun 29 16:20:38 CEST 1998
    root@caerdonn.eurocontrol.fr:/src/src/sys/compile/CAERDONN i386

From owner-freebsd-security Tue Jul 28 09:53:08 1998
Date: Tue, 28 Jul 1998 10:49:58 -0600
From: Kenneth Ingham
To: security@FreeBSD.ORG
Subject: date on schg files changing, how?

On a machine running 2.2.6 from the CD, I see the following type of
thing regularly:

Differences in special files:
28c28
< -r-sr-xr-x  5 root  bin  schg  286720 Jul  9 00:00:27 1998 /usr/sbin/sendmail
---
> -r-sr-xr-x  5 root  bin  schg  286720 Jul 11 00:00:03 1998 /usr/sbin/sendmail

This file has the schg flag, and the machine is running at securelevel
2 so nothing about this file should be able to be changed.
Doing an md5 or checksum on the file says it has not actually
changed, just the date.

What is causing the date to change?

Kenneth

From owner-freebsd-security Tue Jul 28 10:38:44 1998
Date: Tue, 28 Jul 1998 13:41:43 -0400
To: security@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: files in /var/log

At 6:09 PM -0400 7/27/98, Greg A. Woods wrote:
>[ On Mon, July 27, 1998 at 11:30:30 (-0700), Jan B. Koum wrote: ]
>> Subject: Re: files in /var/log
>>
>> There are many reasons. With /var/log/maillog it is privacy
>> issues: do you really want everyone on your system to know you sent mail
>> to sales@class-sex-toys.com or that you are exchanging mail with your
>> competitor.
>
> Some of the other BSDs do ship with /var/log/mail at mode 640.
>
> However on my own machines the mailer logs are a matter of public
> record and available for all to see.
>
> Local policy should dictate and so far as I'm concerned the default
> should be more open than not.

I imagine everyone agrees that local policy would dictate the settings;
the question is what the default settings should be. If the local
policy is that the files should be permitted, then what's the worst
thing that happens if the default settings are to not-permit them?
Some user complains, and someone with root access takes a minute to
permit the files.

However, if local policy is that the files should not be readable by
"all", and the default is that they are readable by all, then the
worst that can happen might be a bit more problematic. Some user may
get information about another user which they really don't have the
right to have.

I would not suggest that you change your local policy, but I think
it's reasonable to default to 640 permissions for some of these log
files.

---
Garance Alistair Drosehn          =   gad@eclipse.its.rpi.edu
Senior Systems Programmer            or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Tue Jul 28 11:46:19 1998
Date: Tue, 28 Jul 1998 14:49:10 -0400
To: security@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: Translation to a safer language...

At 11:30 PM -0500 7/23/98, Lee Crites (ASC) wrote:
>On Tue, 21 Jul 1998, Brett Glass wrote:
>=> candidates; of course, a new language could be developed
>=> with this application in mind. (The advantage of developing
>=> something new is that it could have obvious, but safe, mappings
>=> from C constructs, facilitating machine translation.) Ideas?
>
> A new language doesn't seem like it would be a good idea to me.
> We'd have to work on debugging a new language and a new compiler
> and new libraries at the same time we are working on the
> operating system. It could happen, but I think we'd be better
> off with an existing language.

Perhaps the most practical thing would be a C-offshoot which does not
allow some "dangerous" practices, but the code for it would compile
just as well with any standard-C compiler. This would include changes
to routines in the "standard" libraries for this C-offshoot language.

The biggest challenge of this idea is getting anyone to agree what
those "dangerous" practices would be... As one example, I'd have this
off-C language know about strcpy, and not allow strcpy's when the
source is a variable. I figure it'd take at least two or three years
to argue that out with people who want the "power" of strcpy, and who
won't be happy with even the slightest change...

To deal with performance issues (of strncpy or strncat), I'd probably
want to add another set of routines which still do bounds-checking but
which don't result in as much overhead.

Perhaps what I'm thinking of is merely a "taintC" idea, along the
lines of what perl has.
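The bounds-checked routines Garance sketches above, written out as an added example that is not code from this thread or from FreeBSD: plain C that any standard compiler accepts, where the names bounded_copy, bounded_cat, strncpy_terminated and store_field are this example's own (the copy/append contract mirrors strlcpy/strlcat) and the login field is constructed for the demonstration.

```c
/*
 * Added example, not from any post in this thread: a bounds-checked copy and
 * append of the kind Garance describes, in plain C so that any standard C
 * compiler accepts it.  bounded_copy/bounded_cat are this example's own names
 * (their contract mirrors strlcpy/strlcat); strncpy_terminated is a
 * constructed check of the strncpy behaviour that motivates them.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy src into dst, which holds dstsize bytes.  At most dstsize-1 bytes are
 * copied and dst is always NUL-terminated (when dstsize > 0).  Unlike strncpy
 * the unused tail of dst is not zero-filled, so the work is proportional to
 * the data actually copied rather than to the buffer size.
 * Returns strlen(src); a result >= dstsize means the copy was truncated.
 */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);

    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/*
 * Append src to the NUL-terminated string already in dst (dstsize bytes).
 * Returns the length the result would have had without truncation; a result
 * >= dstsize means src did not fit and dst holds a truncated, terminated
 * string.
 */
size_t bounded_cat(char *dst, size_t dstsize, const char *src)
{
    size_t dstlen = 0;

    /* Find the existing terminator without reading past the buffer. */
    while (dstlen < dstsize && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == dstsize)            /* dst was not terminated: nothing to do */
        return dstsize + strlen(src);
    return dstlen + bounded_copy(dst + dstlen, dstsize - dstlen, src);
}

/*
 * The strncpy property that makes it an unsatisfying replacement for strcpy:
 * when src fills the buffer exactly, no terminator is written at all, and
 * when it does not, every remaining byte is zero-filled.  Returns 1 if
 * strncpy left a NUL within the first dstsize bytes, 0 if it did not,
 * -1 if dstsize exceeds the scratch buffer.
 */
int strncpy_terminated(size_t dstsize, const char *src)
{
    char buf[64];

    if (dstsize > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);     /* sentinel: no NULs to begin with */
    strncpy(buf, src, dstsize);
    return memchr(buf, '\0', dstsize) != NULL;
}

/*
 * The call pattern the "off-C" rules would require in place of a bare
 * strcpy(field, input): the caller must say how big field is and must look
 * at the result.  Returns 1 if input was stored whole, 0 if it was truncated.
 */
int store_field(char *field, size_t fieldsize, const char *input)
{
    return bounded_copy(field, fieldsize, input) < fieldsize;
}

int main(void)
{
    char login[9];                    /* constructed: an 8-character field */

    printf("store \"wollman\": %s\n",
           store_field(login, sizeof login, "wollman") ? "ok" : "truncated");
    printf("store \"garance.drosehn\": %s (kept \"%s\")\n",
           store_field(login, sizeof login, "garance.drosehn") ? "ok" : "truncated",
           login);
    printf("strncpy terminates an exact-fit copy? %d\n",
           strncpy_terminated(8, "12345678"));
    return 0;
}
```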
---
Garance Alistair Drosehn          =   gad@eclipse.its.rpi.edu
Senior Systems Programmer            or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Tue Jul 28 12:06:06 1998
Date: Tue, 28 Jul 1998 15:04:04 -0400 (EDT)
From: Pat Lynch
To: Adam Shostack
Cc: andrewr, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)

Sorry I'm reentering this conversation so late, I had oral surgery and
have been playing catchup ever since...

there's a couple of good ideas here....

1) to assign simple auditing tasks like looking over code for the more
   obvious things
2) to assign groups parts of the tree to look at as well
3) the more "skilled" coders to work out the hairier bits (which I know
   myself am not qualified for, but might have a couple of people working
   for me who are, and use FreeBSD as much as I do)

This could be a really good project with a really good project leader
and a few coordinators.

___________________________________________________________________________
Pat Lynch                                                   lynch@rush.net
Systems Administrator                                       Rush Networking
___________________________________________________________________________

On Wed, 22 Jul 1998, Adam Shostack wrote:

>
> | > The biggest problem before was that many people doing the audit didn't
> | > know what to look for, so missed a lot of things.....
> |
> | Which is why I am going to ask people who I know for sure know what to
> | look for.
>
>
> Could I suggest that rather than insist on getting skilled
> people, you consider offering help to volunteers? Something like my
> review guidelines (which need more on temp races) can let someone
> without a lot of knowledge contribute first pass, so you can focus your
> good people on the uglier code. A complete audit takes years of work
> by a few highly skilled and dedicated people, but reading the Open-
> cvs logs and seeing if the changed code exists in Free- is not a high
> skill task. And it's where a lot of high payoff results will be.
>
> You might also want to listen to the linux audit project
> folks, to see how they're addressing things. The list is ezmlm run at
> security-audit-subscribe@ferret.lmh.ox.ac.uk
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume

From owner-freebsd-security Tue Jul 28 13:58:47 1998
Date: Tue, 28 Jul 1998 13:57:20 -0700
From: James Buszard-Welcher
Organization: Silicon Reef, Inc.
To: Brett Glass
Cc: Robert Watson, "Jan B. Koum", chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)

http://fox.doc.ic.ac.uk/~ci2/ssh/

No complaints.

Brett Glass wrote:
>
> At 08:48 AM 7/28/98 -0400, Robert Watson wrote:
>
> >I heard there was a free Windows ssh client these days -- I haven't used
> >it as (oops) I don't run any Microsoft operating systems :).
>
> Anyone know where to get it?
>
> --Brett

--
James Buszard-Welcher    | VOX 415.241.2800 | "It's not the stuff...
Chief Technology Officer | FAX 415.241.9499 |  it's the power to
Silicon Reef, Inc.       | PGR 800.418.0016 |  *MAKE* the stuff."

From owner-freebsd-security Tue Jul 28 14:03:37 1998
Date: Tue, 28 Jul 1998 17:14:55 -0300
To: Ludwig Pummer
From: Joao Paulo Campello
Subject: Re: FD Table and a mistake!!
Cc: security@FreeBSD.ORG

At 11:59 PM 27/07/98 -0700, Ludwig Pummer wrote:

Hi,

>If you ask in freebsd-questions@freebsd.org, you'll probably get a
>response. And don't reply to a totally unrelated thread.

Okay, thnx for the help!! Sorry for the subject, but it was the fast
way to complete the To: field!! :) I just forgot to wipe out the
Subject...

Hugs,

João Paulo Caldas Campello
Diretor Tecnico - Neo Planos Solution Provider
http://www.neoplanos.com.br/
IRCAdmin NetLink - Recife/PE (ICQ # ASK-ME :))

From owner-freebsd-security Tue Jul 28 14:06:18 1998
From: Niall Smart
Date: Tue, 28 Jul 1998 22:00:18 +0000
To: Kenneth Ingham, security@FreeBSD.ORG
Subject: Re: date on schg files changing, how?

On Jul 28, 10:49am, Kenneth Ingham wrote:
} Subject: date on schg files changing, how?
> On a machine running 2.2.6 from the CD, I see the following type of
> thing regularly:
>
> Differences in special files:
> 28c28
> < -r-sr-xr-x  5 root  bin  schg  286720 Jul  9 00:00:27 1998 /usr/sbin/sendmail
> ---
> > -r-sr-xr-x  5 root  bin  schg  286720 Jul 11 00:00:03 1998 /usr/sbin/sendmail
>
> This file has the schg flag, and the machine is running at securelevel
> 2 so nothing about this file should be able to be changed.
> Doing an md5 or checksum on the file says it has not actually
> changed, just the date.

Kenneth,

I think I have seen this before, it is rumored to be a bug in the FS
code which causes random date changes on files. Can anyone confirm or
deny this?

Niall

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Tue Jul 28 14:12:46 1998
From: "Show Boat"
To: security@FreeBSD.ORG
Subject: Post qpopper trauma
Date: Tue, 28 Jul 1998 14:11:24 PDT

I've just joined the security mailing list. I've read the charters,
and I think I'm in line here. If I offend, please be gentle in your
flaming.

On Just 17th my 2.2.5 system was violated via the qpopper hack.
Fortunately I came online during the hack, and was able to salvage the
situation somewhat. I found the info on the qpopper exploit, and
corrected my version.

The intruders were busy when they were on (with root access.) They were
attempting to recompile telnetd with their own little backdoor in it. I
replaced all my telnetd stuff from a recent system backup. (I ran diff
on the sources and was able to tell the code they added.) I recompiled
the original, and thought all was well. I believed I had eliminated all
trace of the intrusion, and eliminated any way they might have back in.

However, it seems as though I was wrong.

Last Friday, someone gained access to our system, and installed an
eggdrop bot in our system. (hidden as well as could be.) This didn't
come to my attention until this morning. The PID doesn't show up under
'ps aux'. If you grep specifically for that PID, it shows up as
telnetd. They have a file called faqproxy, and a link telnetd@ ->
faqproxy. The eggdrop does show under top though. same PID as that
telnetd.

I can't figure out how they gained access to the system this time. I am
losing hair rapidly over this. They still have some kind of shunt
that gives them root access. (or so it seems.)

I've scoured my messages. The ONLY thing I cannot account for is this:

Jul 24 19:05:38 nefertiti popper[28212]: Client at "207.155.142.251"
resolves to an unknown host name "ts010d47.pri-nj.concentric.net"

That it is popper scares me. The time frame is appropriate, as the
eggdrop was launched in the 7pm hour of Jul 24.

I've looked through the 'last' log extensively. Again, nothing I cannot
account for. Anyone with potential root access (sudo) logged from an IP
I can account for.

So I am against a wall. I cannot tell how access was gained, and I
cannot guarantee that there aren't other nasties going on on the system.

Thus, I am looking for some useful advice, or perhaps a security
consult. If this is inappropriate for this list I apologize. I would
be happy to continue this discussion through private e-mail.

Thanks,
Jeremy

showboat@hotmail.com

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Tue Jul 28 14:39:18 1998
Date: Tue, 28 Jul 1998 22:52:43 +0200
From: Ollivier Robert
To: security@FreeBSD.ORG
Subject: Re: date on schg files changing, how?

According to Kenneth Ingham:
> What is causing the date to change?

A VM bug that causes time changes on a few pages from time to time. I
believe it is fixed in 2.2.7 and CURRENT now.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998

From owner-freebsd-security Tue Jul 28 14:40:01 1998
Date: Tue, 28 Jul 1998 15:36:23 -0600
From: Kenneth Ingham
To: security@FreeBSD.ORG
Subject: Re: date on schg files changing, how?

Niall Smart, rotel@indigo.ie commented:
> I think I have seen this before, it is rumored to be a bug in the FS code
> which causes random date changes on files. Can anyone confirm or deny
> this?

The change is only occurring on sendmail (and the files linked to it, of
course). Another person mentioned that he had seen it when sendmail was
called from cron. We are calling sendmail from cron on this machine
(instead of running it as a daemon).

However, why this should make the date change baffles me. I don't even
see how it could do it, because the schg is working as I would expect:

# touch sendmail
touch: sendmail: Operation not permitted

Kenneth

From owner-freebsd-security Tue Jul 28 14:59:41 1998
From: Niall Smart
Date: Tue, 28 Jul 1998 22:49:24 +0000
To: "Show Boat", security@FreeBSD.ORG
Subject: Re: Post qpopper trauma

On Jul 28, 2:11pm, "Show Boat" wrote:
} Subject: Post qpopper trauma
> I've just joined the security mailing list. I've read the charters,
> and I think I'm in line here. If I offend, please be gentle in your
> flaming.
>
> On Just 17th my 2.2.5 system was violated via the qpopper hack.
> Fortunately I came online during the hack, and was able to salvage the
> situation somewhat. I found the info on the qpopper exploit, and
> corrected my version.

Subscribe to bugtraq:

echo subscribe bugtraq | listserv@netspace.org

Re-install _everything_, come back if you are still experiencing problems.
Note that there was a UW-imapd exploit recently too.

Niall

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Tue Jul 28 15:07:12 1998
Date: Tue, 28 Jul 1998 15:05:45 -0700 (PDT)
From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: Show Boat cc: security@FreeBSD.ORG Subject: Re: Post qpopper trauma In-Reply-To: <19980728211125.14099.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 28 Jul 1998, Show Boat wrote: >I've just joined the security mailling list. I've read the charters, >and I think I'm in line here. If I offend, please be gentle in your >flaming. Not at all. Actually, you should have joined this list right when you installed FreeBSD for the very first time. :) > >On Just 17th my 2.2.5 system was violated via the qpopper hack. >Fortunately I came online during the hack, and was able to salvage the >situation somewhat. I found the info on the qpopper exploit, and >corrected my version. > >The intruders were busy when they were on (with root access.) They were >attempting to recompile telnetd with their own little backdoor in it. I >replaced all my telnetd stuff from a recent system backup. (I ran diff >on the sources and was able to tell the code they added.) I recompiled >the original, and thought all was well. I believed I had eliminated all >trace of the intrusion, and eliminated any way they might have back in. > >However, it seems as though I was wrong. > >Last Friday, someone gained access to our system, and installed an >eggdrop bot in our system. (hidden as well as could be.) This didn't >come to my attention until this morning. The PID doesn't show up under >'ps aux'. If you grep specifically for that PID, it shows up as >telnetd. They have a file called faqproxy, and a link telnetd@ -> >faqproxy. The eggdrop does show under top though. same PID as that >telnetd. > >I can't figure out how they gained access to the system this time. I am >losing hair rapidly over this. They still have a some kind of shunt >that gives them root access. (or so it seems.) Uhm.. 
when someone gets root on your system, there are 99999 ways to backdoor
the system. Did you check all the crontabs? What about at jobs? What about
all .rhosts? Or all .forward? This list can go on forever. The one thing
you should do at this point is backup all your user data (you do that
anyway, right?) and reinstall from scratch. If you don't want to do that,
you can try to CVSup latest sources and rebuild all of your binaries.

> I've scoured my messages. The ONLY thing I cannot account for is this:
>
> Jul 24 19:05:38 nefertiti popper[28212]: Client at "207.155.142.251"
> resolves to an unknown host name "ts010d47.pri-nj.concentric.net"

When someone gets root they will MOST LIKELY (unless it is a stupid script
kiddie) clean up their logs: messages, lastlog, wtmp. They won't show up
in last and they won't show up in w(1).

> That it is popper scares me. The time frame is appropriate, as the
> eggdrop was launched in the 7pm hour of Jul 24.

As jkh said at one point: it is qpopper source which should scare you. :)

> I've looked through the 'last' log extensively. Again, nothing I cannot
> account for. Anyone with potential root access (sudo) logged from an IP
> I can account for.

Unless you have a syslog daemon log to another SECURE host, you have no
idea if your logs have been modified by an attacker.

> So I am against a wall. I cannot tell how access was gained, and I
> cannot guarantee that there aren't other nasties going on on the system.

Either of two things: clean reinstall or CVSup (I'd prefer the first one -
the latter one just saves time, but MIGHT not help you if there are
backdoors in places other than system binaries: /etc/alias,
/etc/hosts.equiv, /root/.rhosts, etc). If you do a clean reinstall, look
at the system critical files which you move over (such as master.passwd,
/etc/crontab, etc).

> Thus, I am looking for some useful advice, or perhaps a security
> consult. If this is inappropriate for this list I apologize.
> I would be happy to continue this discussion through private e-mail.

www.best.com/~jkb/howto.txt ... don't you wish I had written it a month ago? :)

-- Yan

> Thanks,
> Jeremy
>
> showboat@hotmail.com

From owner-freebsd-security Tue Jul 28 19:00:34 1998
Message-Id: <199807290159.TAA26543@lariat.lariat.org>
Date: Tue, 28 Jul 1998 19:59:32 -0600
From: Brett Glass
To: security@FreeBSD.ORG
Subject: Any procmail experts here?

We have dozens of users who might get bit by the MIME filename buffer
overflow bug described at

http://www.sjmercury.com/business/microsoft/docs/security0728.htm

and would like to try to use procmail to plug the hole (it seems to be the
best tool for the job). However, I have no experience with procmail. Could
someone help me write a procmail.rc that will eliminate the extra-long
filenames, truncating them back to (say) 64 characters max? All that's
required is to recognize the Content-type: .... filename="" header
and make sure that is chopped if it's too long.

This would be a fix for which thousands of sysadmins would be exceedingly
grateful.

--Brett

From owner-freebsd-security Tue Jul 28 19:41:31 1998
Date: Wed, 29 Jul 1998 10:44:58 +0800
Message-Id: <199807290244.KAA11138@cerberus.vasia.com>
To: security@FreeBSD.ORG
From: "Bobby S. Wen"
Subject: Extending max characters for user named

Hello,

I need to increase the maximum characters allowed for user names. When I
use adduser, it limits me to 8. I understand that this is normal in many
implementations. How can I increase the max user ID characters?

Thanks in advance

regards
Bobby S. Wen
wen@vasia.com
System Administrator
Virtual Asia, Inc.
"In Search of the Truth"

From owner-freebsd-security Tue Jul 28 20:01:46 1998
Message-Id: <199807290301.VAA28924@lariat.lariat.org>
Date: Tue, 28 Jul 1998 21:01:06 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Any procmail experts here?
In-Reply-To: <199807290159.TAA26543@lariat.lariat.org>

Whoops.... As many of you have doubtless already noted, the header we need
to catch is

Content-Disposition: attachment; filename=""

--Brett

At 07:59 PM 7/28/98 -0600, Brett Glass wrote:

> We have dozens of users who might get bit by the MIME filename buffer
> overflow bug described at
>
> http://www.sjmercury.com/business/microsoft/docs/security0728.htm
>
> and would like to try to use procmail to plug the hole (it seems to be the
> best tool for the job).
From owner-freebsd-security Tue Jul 28 20:03:28 1998
Message-ID: <35BE914A.A946F57D@tpgi.com.au>
Date: Wed, 29 Jul 1998 13:04:42 +1000
From: Andrew Cagney
To: freebsd-questions@FreeBSD.ORG
CC: freebsd-security@FreeBSD.ORG, cagney@tpgi.com.au
Subject: IPFW rules applied twice?

Hello,

Given a network arrangement physically wired as:

  FIREWALL <-ppp0-internet-... <-vx0-ethernet-vx0-> LOCALMC

(for want of a better notation). Then a packet from the internet destined
for LOCALMC takes the path:

  INTERNET -> ppp0 interface -> FIREWALL route tables -> vx0 interface -> ethernet -> vx0/LOCALMC

My question: Do the IPFW rules get applied twice?

  o when the packet comes IN on the ppp0 interface.
  o when the packet goes OUT on the vx0 interface.

I think they do (as they should). The problem is, I can't find anything in
the IPFW documentation that confirms this. Can someone confirm that this
firewall is `normal'? :-) Did I miss something in the doco? If I didn't,
should something be added?

enjoy,
Andrew

From owner-freebsd-security Tue Jul 28 21:00:21 1998
Message-ID: <19980728210456.C12810@notabene.zer0.org>
Date: Tue, 28 Jul 1998 21:04:56 -0700
From: Gregory Sutter
To: Brett Glass, security@FreeBSD.ORG
Subject: Re: Any procmail experts here?
References: <199807290159.TAA26543@lariat.lariat.org>
In-Reply-To: <199807290159.TAA26543@lariat.lariat.org>; from Brett Glass on Tue, Jul 28, 1998 at 07:59:32PM -0600
Organization: Zer0

On Tue, Jul 28, 1998 at 07:59:32PM -0600, Brett Glass wrote:
> We have dozens of users who might get bit by the MIME filename buffer
> overflow bug described at
>
> http://www.sjmercury.com/business/microsoft/docs/security0728.htm
>
> and would like to try to use procmail to plug the hole (it seems to be the
> best tool for the job). However, I have no experience with procmail. Could
> someone help me write a procmail.rc that will eliminate the extra-long
> filenames, truncating them back to (say) 64 characters max?

Brett, I suggest you also make that request of the procmail mailing list,
at procmail@informatik.rwth-aachen.de (subscription requests to
procmail-request@...) There are some real procmail geniuses there.

Regards,
Greg
--
Gregory S. Sutter                  "How do I read this file?"
mailto:gsutter@pobox.com           "You uudecode it."
http://www.pobox.com/~gsutter/     "I I I decode it?"
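An added example, not code from the thread: a header-only filter in POSIX sh and awk that caps the filename="..." parameter Brett asks about at 64 characters (the limit, the function names and the sample message are assumptions). It edits Content-Type and Content-Disposition lines alike, matches case-insensitively, stops at the first blank line so the body is never rewritten, and copes with an unterminated quote.

```shell
#!/bin/sh
# cap_mime_filename: read one mail message on stdin and write it to stdout
# with every filename="..." parameter in the HEADER section cut down to at
# most $1 characters (default 64).  Added example, not from the thread.
# One awk process per message; no perl, nothing recompiled per header.
cap_mime_filename() {
    maxlen="${1:-64}"
    awk -v max="$maxlen" '
        # once the blank line that ends the header is seen, pass the body
        # through untouched: a filename="..." in the body is just data
        in_body { print; next }
        /^$/    { in_body = 1; print; next }
        {
            line = $0
            # search a lowercased copy (Filename=, FILENAME=) but edit the
            # original line, so the header keeps its spelling; folded
            # continuation lines are covered because every header line
            # is examined, not only the one carrying the field name
            p = index(tolower(line), "filename=\"")
            if (p > 0) {
                start = p + 10                     # length of  filename="
                rest  = substr(line, start)
                q     = index(rest, "\"")          # closing quote, if any
                if (q == 0) { q = length(rest) + 1 }   # unterminated: whole rest is the name
                name  = substr(rest, 1, q - 1)
                if (length(name) > max) {
                    line = substr(line, 1, start - 1) substr(name, 1, max) substr(rest, q)
                }
            }
            print line
        }'
}

# demo_message: a constructed sample (not a real capture) with a
# 304-character attachment name in the header and the same string in the
# body, so the body can be checked to come through unchanged
demo_message() {
    long=$(awk 'BEGIN { while (length(s) < 300) s = s "A"; printf "%s", s }')
    printf 'From: sender@example.test\n'
    printf 'Content-Type: application/octet-stream; name="report.exe"\n'
    printf 'Content-Disposition: attachment; FILENAME="%s.exe"\n' "$long"
    printf '\n'
    printf 'body text still contains filename="%s"\n' "$long"
}

# filtered_line N: line N of the filtered sample, for the stand-alone run
filtered_line() {
    demo_message | cap_mime_filename 64 | sed -n "${1}p"
}

# stand-alone run: the capped header line, then the start of the body line
filtered_line 3
filtered_line 5 | cut -c1-60
```

From procmail it would take the place of the perl one-liner as the filter program of the `:0 hfw` recipe posted later in the thread.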
From owner-freebsd-security Tue Jul 28 21:45:48 1998
Date: Wed, 29 Jul 1998 00:51:25 -0400 (EDT)
From: andrewr
To: Brett Glass
Cc: Robert Watson, "Jan B. Koum", chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To: <199807281545.JAA15940@lariat.lariat.org>

On Tue, 28 Jul 1998, Brett Glass wrote:

> At 08:48 AM 7/28/98 -0400, Robert Watson wrote:
>
> > I heard there was a free Windows ssh client these days -- I haven't used
> > it as (oops) I don't run any Microsoft operating systems :).
>
> Anyone know where to get it?
>
> --Brett

For a 30 day trial copy, go to www.datafellows.com and head to their
download section. You can get a m$ copy of ssh client there.

Andrew

From owner-freebsd-security Wed Jul 29 04:26:40 1998
Date: Wed, 29 Jul 1998 18:50:11 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Any procmail experts here?
In-Reply-To: <199807290301.VAA28924@lariat.lariat.org>

:0 hfw
* ^Content-disposition:
| /usr/local/bin/perl -pe 's/^(Content-Disposition:.{80}).*/$1/i'

It's a little rough, but should work. Improvement is a perl regex problem
rather than a procmail one.

Andrew McNaughton

On Tue, 28 Jul 1998, Brett Glass wrote:
> Whoops.... As many of you have doubtless already noted, the header
> we need to catch is
>
> Content-Disposition: attachment; filename=""
>
> --Brett

From owner-freebsd-security Wed Jul 29 05:46:15 1998
From: ark@eltex.ru
Date: Wed, 29 Jul 1998 13:03:44 GMT
Message-Id: <199807291303.NAA13679@paranoid.eltex.spb.ru>
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit)
To: roberto@eurocontrol.fr
Cc: chat@FreeBSD.ORG, security@FreeBSD.ORG

nuqneH,

btw does anybody know a 'doze ssh client that does support options like
TISAuthentication?

CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
From owner-freebsd-security Wed Jul 29 05:54:11 1998
From: john
Message-Id: <199807291252.HAA18461@leonardo.cascss.unt.edu>
Subject: Re: date on schg files changing, how?
In-Reply-To: <199807282100.WAA01034@indigo.ie> from Niall Smart at "Jul 28, 98 10:00:18 pm"
To: rotel@indigo.ie
Date: Wed, 29 Jul 1998 07:52:15 -0500 (CDT)
Cc: freebsd-security@FreeBSD.ORG

> On Jul 28, 10:49am, Kenneth Ingham wrote:
> } Subject: date on schg files changing, how?
> > On a machine running 2.2.6 from the CD, I see the following type of
> > thing regularly:
> >
> > Differences in special files:
> > 28c28
> > < -r-sr-xr-x 5 root bin schg 286720 Jul 9 00:00:27 1998 /usr/sbin/sendmail
> > ---
> > > -r-sr-xr-x 5 root bin schg 286720 Jul 11 00:00:03 1998 /usr/sbin/sendmail
>
> Kenneth,
>
> I think I have seen this before, it is rumored to be a bug in the FS code
> which causes random date changes on files. Can anyone confirm or deny
> this?

I believe if we check further with Kenneth that permissions are being
changed on the sendmail files as well--I ran into the exact problem when I
was using cron to run sendmail. Mail would break often and it was because
the suid bits on sendmail were being removed automagically by some weird
interaction between sendmail/cron.
From owner-freebsd-security Wed Jul 29 08:33:32 1998
Date: Wed, 29 Jul 1998 09:32:23 -0600
Message-Id: <199807291532.JAA26878@mt.sri.com>
From: Nate Williams
To: andrewr
Cc: Brett Glass, Robert Watson, "Jan B. Koum", chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
References: <199807281545.JAA15940@lariat.lariat.org>

> > > I heard there was a free Windows ssh client these days -- I haven't used
> > > it as (oops) I don't run any Microsoft operating systems :).
> >
> > Anyone know where to get it?
>
> For a 30 day trial copy, go to www.datafellows.com and head to their
> download section. You can get a m$ copy of ssh client there.

We bought a half dozen of these, and all I can say is they're buggier than
snot. Compression doesn't work if turned on, it hogs all the CPU on the
machine (but does nothing) much of the time, and crashes the box
occasionally.

Their M$ product is *NOT* recommended. (Although their unix client is just
a regular SSH client with some additional patches...)
Nate

From owner-freebsd-security Wed Jul 29 09:06:52 1998
Message-Id: <3.0.5.32.19980729085429.0092f220@127.0.0.1>
Date: Wed, 29 Jul 1998 08:54:29 -0700
To: andrewr
From: "Kurt D. Zeilenga"
Subject: SSH for Windows (was: Re: FreeBSD Security How-To (Was: QPopper exploit))
Cc: freebsd-security@FreeBSD.ORG
References: <199807281545.JAA15940@lariat.lariat.org>

I've been using SecureCRT from Van Dyke Tech (http://www.vandyke.com/).
The terminal emulator is based upon their popular CRT product. I've been
very happy with it so far. The port forwarding support has allowed me to
deny non-localhost access to my server's Popper and SMTP relay.

Kurt

At 12:51 AM 7/29/98 -0400, you wrote:
> For a 30 day trial copy, go to www.datafellows.com and head to their
> download section. You can get a m$ copy of ssh client there.
From owner-freebsd-security Wed Jul 29 09:14:35 1998
Message-ID: <001201bdbb0b$d25a2780$0200a8c0@Dell>
Reply-To: "Dennis Reiter"
From: "Dennis Reiter"
Subject: Re: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit)QPopper exploit)
Date: Wed, 29 Jul 1998 11:13:26 -0500

http://public.srce.hr/~cigaly/ssh

It's a free SSH Windoze client (Cedomir Igaly's) and I believe it has some
support for TIS.

Regards,
Denny Reiter
denny@kewanee.net
------------------------------------------
FreeBSD: Turning PC's into workstations.
See http://www.FreeBSD.ORG/ for info

-----Original Message-----
From: ark@eltex.ru
To: roberto@eurocontrol.fr
Cc: chat@FreeBSD.ORG ; security@FreeBSD.ORG
Date: Wednesday, July 29, 1998 7:46 AM
Subject: Re: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit)QPopper exploit)

> nuqneH,
>
> btw does anybody know a 'doze ssh client that does support options like
> TISAuthentication?

From owner-freebsd-security Wed Jul 29 09:18:36 1998
Message-ID: <19980729101458.55788@i-pi.com>
Date: Wed, 29 Jul 1998 10:14:58 -0600
From: Kenneth Ingham
To: john
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: date on schg files changing, how?
References: <199807282100.WAA01034@indigo.ie> <199807291252.HAA18461@leonardo.cascss.unt.edu>
In-Reply-To: <199807291252.HAA18461@leonardo.cascss.unt.edu>; from john on Wed, Jul 29, 1998 at 07:52:15AM -0500

On Wed, Jul 29, 1998 at 07:52:15AM -0500, john wrote:
> I believe if we check further with Kenneth that permissions are being
> changed on the sendmail files as well

No permissions changes, just date. I'm going to upgrade a machine to 2.2.7
and test there because one person said that the problem has been fixed in
it and -current.

Kenneth

From owner-freebsd-security Wed Jul 29 09:31:16 1998
Message-Id: <199807291630.KAA11022@lariat.lariat.org>
Date: Wed, 29 Jul 1998 10:24:53 -0600
To: andrew@squiz.co.nz
From: Brett Glass
Subject: Re: Any procmail experts here?
Cc: security@FreeBSD.ORG
References: <199807290301.VAA28924@lariat.lariat.org>

Wow.... That means invoking both procmail AND Perl on every message. Not
such a good idea on a busy mail server. (And, of course, Perl will
recompile the regex each and every time it executes.) How could one avoid
this?

--Brett

At 06:50 PM 7/29/98 +1200, Andrew McNaughton wrote:
>
> :0 hfw
> * ^Content-disposition:
> | /usr/local/bin/perl -pe 's/^(Content-Disposition:.{80}).*/$1/i'
>
> It's a little rough, but should work. Improvement is a perl regex problem
> rather than a procmail one.
>
> Andrew McNaughton
>
> On Tue, 28 Jul 1998, Brett Glass wrote:
>> >
>> >--Brett
>> >
>

From owner-freebsd-security Wed Jul 29 09:33:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA28255 for freebsd-security-outgoing; Wed, 29 Jul 1998 09:33:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA28250; Wed, 29 Jul 1998 09:33:26 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id MAA16762; Wed, 29 Jul 1998 12:32:51 -0400 (EDT)
Date: Wed, 29 Jul 1998 12:32:50 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Nate Williams
cc: chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To: <199807291532.JAA26878@mt.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(CC list trimmed a little)

On Wed, 29 Jul 1998, Nate Williams wrote:

> > > >I heard there was a free Windows ssh client these days -- I haven't used
> > > >it as (oops) I don't run any Microsoft operating systems :).
> > >
> > > Anyone know where to get it?
> >
> > For a 30 day trial copy, go to www.datafellows.com and head to their
> > download section. You can get a m$ copy of ssh client there.
>
> We bought a half dozen of these, and all I can say is they're buggier
> than snot. Compression doesn't work if turned on, it hogs all the CPU
> on the machine (but does nothing) much of the time, and crashes the box
> occasionally.
>
> Their M$ product is *NOT* recommended. (Although their unix client is
> just a regular SSH client with some additional patches...)

I was very disappointed with DataFellows and that particular product -- I
was hoping for something that performed far better. The tunneling works
and so on, but the connections occasionally flake out, and the cpu for
tunneling anything useful (like Exceed with X windows) is bad. Also, the
Windows product (last I checked -- 1.0?) doesn't make use of the RSA
authentication forwarding agent stuff -- you can do RSA authentication to
the first host you connect to, but it doesn't forward. There is also no
way to use the kerberos ssh support with the windows client. The terminal
emulation is pretty buggy. Someone posted locations to look at free ones
-- I haven't tried any of the free windows ssh clients, but I don't
imagine they are much worse :).
Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Wed Jul 29 09:40:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA29921 for freebsd-security-outgoing; Wed, 29 Jul 1998 09:40:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA29830 for ; Wed, 29 Jul 1998 09:40:20 -0700 (PDT) (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1]) by spinner.netplex.com.au (8.8.8/8.8.8/Spinner) with ESMTP id AAA02315; Thu, 30 Jul 1998 00:38:50 +0800 (WST) (envelope-from peter@spinner.netplex.com.au)
Message-Id: <199807291638.AAA02315@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: "Jan B. Koum "
cc: Show Boat , security@FreeBSD.ORG
Subject: Re: Post qpopper trauma
In-reply-to: Your message of "Tue, 28 Jul 1998 15:05:45 MST."
Date: Thu, 30 Jul 1998 00:38:49 +0800
From: Peter Wemm
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jan B. Koum " wrote:
[..]
> >That it is popper scares me. The time frame is appropriate, as the
> >eggdrop was launched in the 7pm hour of Jul 24.
>
> As jkh said at one point: it is qpopper source which should scare
> you. :)

That's nothing.. Look at the cucipop source... :-] I dare anybody to
figure out why it's miscounting the message byte lengths from the mailbox
in under 5 minutes without tracing the flow of execution.. The cucipop
code truly has to be seen to be believed...... eg:

=======
}
}
;{ int namelen=sizeof peername;
if(getpeername(fileno(sockin),(struct sockaddr*)&peername,&namelen)&&
!debug&&(errno==ENOTSOCK||errno==EINVAL))
{ int serverfd,curfd;
signal(SIGHUP,SIG_IGN);signal(SIGPIPE,SIG_IGN);fclose(stdin);
fclose(stdout);serverfd=socket(AF_INET,SOCK_STREAM,TCP_PROT);
peername.sin_family=AF_INET;peername.sin_addr.s_addr=INADDR_ANY;
peername.sin_port=htons(port);curfd=-1;
setsockopt(serverfd,SOL_SOCKET,SO_REUSEADDR,&curfd,sizeof curfd);
if(bind(serverfd,(struct sockaddr*)&peername,sizeof peername))
=======

I've heard 'you can write fortran code in any language'.. I suspect this
is C written by an assembler programmer. The handcrafted optimization
reminds me of dark periods in my past of trying to save every last clock
cycle and/or byte of memory.

However, I feel a lot more confident about the safety of cucipop than
qpopper..

> >I've looked through the 'last' log extensively. Again, nothing I cannot
> >account for. Anyone with potential root access (sudo) logged from an IP
> >I can account for.
>
> Unless you have a syslog daemon log to another SECURE host, you
> have no idea if your logs have been modified by an attacker.

If you are running named, check that you've got 4.9.7 or later.. I've seen
a couple of script tools now that specifically scan for the old vulnerable
named on freebsd systems.
Have a good look at places like www.rootshell.com and use their stuff on
your system to see what can get in.. You might be surprised what old stuff
you have around that's been forgotten about.

Cheers,
-Peter

From owner-freebsd-security Wed Jul 29 10:37:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA09406 for freebsd-security-outgoing; Wed, 29 Jul 1998 10:37:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA09389 for ; Wed, 29 Jul 1998 10:37:54 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 2793 invoked by uid 1001); 29 Jul 1998 17:37:18 +0000 (GMT)
To: nate@mt.sri.com
Cc: andrewr@slack.net, brett@lariat.org, robert+freebsd@cyrus.watson.org, jkb@best.com, chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To: Your message of "Wed, 29 Jul 1998 09:32:23 -0600"
References: <199807291532.JAA26878@mt.sri.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Wed, 29 Jul 1998 19:37:18 +0200
Message-ID: <2791.901733838@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > For a 30 day trial copy, go to www.datafellows.com and head to their
> > download section. You can get a m$ copy of ssh client there.
>
> We bought a half dozen of these, and all I can say is they're buggier
> than snot. Compression doesn't work if turned on, it hogs all the CPU
> on the machine (but does nothing) much of the time, and crashes the box
> occasionally.

Different experiences, evidently. We have several users here who use the
Windows version all the time, and they seem happy enough. Tunnelling pop3
through ssh works on the windows client too...

(Note that I don't use the Windows version myself - though I've been using
the free Unix version basically from day 1.)
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Wed Jul 29 10:41:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA10792 for freebsd-security-outgoing; Wed, 29 Jul 1998 10:41:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA10754 for ; Wed, 29 Jul 1998 10:41:22 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id LAA28972; Wed, 29 Jul 1998 11:40:49 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id LAA27824; Wed, 29 Jul 1998 11:40:47 -0600
Date: Wed, 29 Jul 1998 11:40:47 -0600
Message-Id: <199807291740.LAA27824@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: sthaug@nethelp.no
Cc: nate@mt.sri.com, security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To: <2791.901733838@verdi.nethelp.no>
References: <199807291532.JAA26878@mt.sri.com> <2791.901733838@verdi.nethelp.no>
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > For a 30 day trial copy, go to www.datafellows.com and head to their
> > > download section. You can get a m$ copy of ssh client there.
> >
> > We bought a half dozen of these, and all I can say is they're buggier
> > than snot. Compression doesn't work if turned on, it hogs all the CPU
> > on the machine (but does nothing) much of the time, and crashes the box
> > occasionally.
>
> Different experiences, evidently. We have several users here who use the
> Windows version all the time, and they seem happy enough. Tunnelling pop3
> through ssh works on the windows client too...

Try using the client with something bigger than a few K of data (say a
couple of megabytes) and it'll wipe out the box.

Nate

From owner-freebsd-security Wed Jul 29 10:55:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA13913 for freebsd-security-outgoing; Wed, 29 Jul 1998 10:55:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from orion.ac.hmc.edu (Orion.AC.HMC.Edu [134.173.32.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA13891 for ; Wed, 29 Jul 1998 10:54:51 -0700 (PDT) (envelope-from brdavis@orion.ac.hmc.edu)
Received: from localhost (brdavis@localhost) by orion.ac.hmc.edu (8.8.8/8.8.8) with SMTP id KAA16541; Wed, 29 Jul 1998 10:53:44 -0700 (PDT)
Date: Wed, 29 Jul 1998 10:53:44 -0700 (PDT)
From: Brooks Davis
Reply-To: brooks@one-eyed-alien.net
To: Brett Glass
cc: andrew@squiz.co.nz, security@FreeBSD.ORG
Subject: Re: Any procmail experts here?
In-Reply-To: <199807291630.KAA11022@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 29 Jul 1998, Brett Glass wrote:

> Wow.... That means invoking both procmail AND Perl on every message.
> Not such a good idea on a busy mail server. (And, of course, Perl
> will recompile the regex each and every time it executes.) How could
> one avoid this?
>
> At 06:50 PM 7/29/98 +1200, Andrew McNaughton wrote:
> > >:0 hfw
> > >* ^Content-disposition:
> > >| /usr/local/bin/perl -pe 's/^(Content-Disposition:.{80}).*/$1/i'

Procmail doesn't really let you make changes to messages so you're going
to have to invoke an external program to do that, but you could write a
very simple C program to print a message back exactly like it was with
shortened Content-disposition: headers (just make sure to avoid writing a
buffer overflow into that program ;-). You could also change the rule set
to the following to only invoke perl on the bad cases.

:0 hfw
* ^Content-disposition:.{80}
| /usr/local/bin/perl -pe 's/^(Content-Disposition:.{80}).*/$1/i'

I haven't tested that, but procmail is supposed to use egrep expressions
and Solaris egrep claims to support {#} notation.
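The "very simple C program" Brooks describes, written out as an added example; this is not code from the thread, from procmail or from John Hardin's kit. It reads a message on stdin, cuts any filename= or name= parameter value in a Content-Disposition: or Content-Type: header down to MAXNAME bytes, and copies everything else (other headers, folded continuation lines, the body) through unchanged, so it can replace the perl command in the `:0 hfw` recipe above. MAXNAME (64, the limit Brett asked for), the 8 KiB line buffer and all function names are this example's own assumptions.

```c
/*
 * clampname.c: added example of a procmail filter helper (not from the
 * thread or procmail). Limits below are assumptions for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXNAME 64     /* longest filename value passed through */
#define LINEMAX 8192   /* longest header line buffered in one piece */

/* Case-insensitive "does s start with prefix"; safe when s is shorter. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* 1 if the line starts a Content-Disposition: or Content-Type: header. */
int is_content_header(const char *line)
{
    return has_prefix_ci(line, "Content-Disposition:") ||
           has_prefix_ci(line, "Content-Type:");
}

/*
 * Find a filename= or name= parameter value after a ';'. Returns a pointer
 * to the value's first byte and its length in *len, or NULL. A quoted value
 * ends at the next '"' (or at end of line if the quote is missing); a bare
 * value ends at ';' or whitespace.
 */
static const char *find_name_param(const char *line, size_t *len)
{
    const char *p = line;
    while ((p = strchr(p, ';')) != NULL) {
        const char *start;
        p++;
        while (*p == ' ' || *p == '\t')
            p++;
        if (has_prefix_ci(p, "filename="))
            start = p + 9;
        else if (has_prefix_ci(p, "name="))
            start = p + 5;
        else
            continue;
        if (*start == '"') {
            start++;
            *len = strcspn(start, "\"\r\n");
        } else {
            *len = strcspn(start, "; \t\r\n");
        }
        return start;
    }
    return NULL;
}

/*
 * Copy header line `in` into `out` (capacity outsz) with the name value cut
 * to maxname bytes. Returns 1 if shortened, 0 if copied unchanged, -1 if
 * `out` is too small; never writes past outsz.
 */
int clamp_filename(const char *in, char *out, size_t outsz, size_t maxname)
{
    size_t vlen, head, tail;
    const char *val = find_name_param(in, &vlen);

    if (val == NULL || vlen <= maxname) {
        if (strlen(in) + 1 > outsz)
            return -1;
        strcpy(out, in);
        return 0;
    }
    head = (size_t)(val - in);          /* bytes before the value */
    tail = strlen(val + vlen);          /* closing quote and rest of line */
    if (head + maxname + tail + 1 > outsz)
        return -1;
    memcpy(out, in, head);
    memcpy(out + head, val, maxname);   /* first maxname bytes of the value */
    memcpy(out + head + maxname, val + vlen, tail + 1); /* rest plus NUL */
    return 1;
}

/* Filter: clamp name parameters in the header block, pass the body through. */
int main(void)
{
    char in[LINEMAX], out[LINEMAX];
    int in_headers = 1, in_content = 0, drop_tail = 0;

    while (fgets(in, sizeof in, stdin) != NULL) {
        size_t n = strlen(in);
        int complete = n > 0 && in[n - 1] == '\n';

        if (drop_tail) {                /* overflow of a line already clamped */
            if (complete) {
                drop_tail = 0;
                fputc('\n', stdout);
            }
            continue;
        }
        if (in_headers) {
            if (in[0] == '\n' || (in[0] == '\r' && in[1] == '\n'))
                in_headers = 0;         /* blank line ends the header block */
            else if (in[0] != ' ' && in[0] != '\t')
                in_content = is_content_header(in); /* folded lines keep state */
            if (in_headers && in_content &&
                clamp_filename(in, out, sizeof out, MAXNAME) == 1) {
                fputs(out, stdout);
                drop_tail = !complete;  /* discard the rest of a huge line */
                continue;
            }
        }
        fputs(in, stdout);
    }
    return 0;
}
```

The bounds logic is the part Brooks warns about: every copy into `out` is preceded by a size check against `outsz`, and a header line longer than the buffer is clamped on its first chunk and then discarded to the end of the line rather than passed through in pieces (a value that long loses its closing quote, which is harmless to a mail client). Because the `h` flag hands procmail's filter only the header block, the body pass-through is just a safety net for running the program by hand.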
-- Brooks

From owner-freebsd-security Wed Jul 29 11:05:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA16909 for freebsd-security-outgoing; Wed, 29 Jul 1998 11:05:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail1.its.rpi.edu (root@mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA16894; Wed, 29 Jul 1998 11:05:25 -0700 (PDT) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id OAA24986; Wed, 29 Jul 1998 14:04:46 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id:
In-Reply-To: <199807291532.JAA26878@mt.sri.com>
References: <199807281545.JAA15940@lariat.lariat.org>
Date: Wed, 29 Jul 1998 14:08:41 -0400
To: Nate Williams , andrewr
From: Garance A Drosihn
Subject: ssh clients available for other platforms
Cc: chat@FreeBSD.ORG, security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> For a 30 day trial copy, go to www.datafellows.com and head to their
>> download section. You can get a m$ copy of ssh client there.
>
> We bought a half dozen of these, and all I can say is they're buggier
> than snot. Compression doesn't work if turned on, it hogs all the CPU
> on the machine (but does nothing) much of the time, and crashes the box
> occasionally.
>
> Their M$ product is *NOT* recommended.

For what it's worth, I have been using their ssh client for MacOS, and it
works pretty well. It does not seem buggy, although the app is not as
featureful as standard *telnet* clients (things like BetterTelnet or
Versaterm). It even seems to work pretty well with MacX, which is very
nice. Still, once BetterTelnet has ssh support, I'd probably tend to use
that instead of the F-Secure (datafellows) product.

Sorry about yet-another thread topic on this tangent to the FreeBSD
security how-to. I think that How-To deserves more kudos than the
datafellows ssh client (particularly on freebsd mailing lists!), but it
just seemed appropriate to mention that I've had much better luck with
their MacOS product than people have apparently had with their
Windows-based product.
---
Garance Alistair Drosehn     =   gad@eclipse.its.rpi.edu
Senior Systems Programmer           or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Wed Jul 29 11:07:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA17403 for freebsd-security-outgoing; Wed, 29 Jul 1998 11:07:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA16028 for ; Wed, 29 Jul 1998 11:02:35 -0700 (PDT) (envelope-from bs@devnull.ruhr.de)
Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5-r-beta/8.8.5) with UUCP id TAA14479; Wed, 29 Jul 1998 19:51:58 +0200 (MET DST)
Received: from [192.168.22.75] (helo=rm.devnull.ruhr.de) by devnull.ruhr.de with esmtp (Exim 1.92 #1) id 0z19tm-0000sU-00; Tue, 28 Jul 1998 15:34:38 +0200
Received: from bs by rm.devnull.ruhr.de with local (Exim 1.92 #1) id 0z19tk-00006i-00; Tue, 28 Jul 1998 15:34:36 +0200
To: sthaug@nethelp.no
Cc: marcs@znep.com, ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
References: <12062.901612512@verdi.nethelp.no>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Benedikt Stockebrand
Date: 28 Jul 1998 15:34:36 +0200
In-Reply-To: sthaug@nethelp.no's message of "Tue, 28 Jul 1998 09:55:12 +0200"
Message-ID: <87af5um74j.fsf@devnull.ruhr.de>
Lines: 57
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sthaug@nethelp.no writes:

> If your box is set up *not* to route (net.inet.ip.forwarding = 0), I can
> certainly see security advantages in not allowing packets to be accepted
> unless they have destination address equal to the interface address. I
> have seen a patch for this floating around on the net, but it would be
> nice to have this configurable.

I'd use a packet filter for that, something like

	DENY="/sbin/ipfw add deny"
	IF1="ed0"
	IP1="192.168.47.11"
	IF2="ed1"
	IP2="192.168.227.28"

	$DENY all from $IP1 to any in via $IF2
	$DENY all from $IP2 to any in via $IF1

(this is off my head and a couple months after I've last written a packet
filter set, so YMMV). A similar ruleset that's using networks instead of
individual addresses should be used on any packet filtering router.

Making this the default behaviour will break a variety of things in
connection with multihomed hosts that have interfaces in multiple
networks (like for performance issues) but leave the actual routing
business to some active network component.

Example: For performance reasons I've got four networks 192.168.1.0 to
192.168.4.0 and a single high-speed NFS server "nfs.example.com" with an
interface in each net on IP addresses 192.168.[1-4].42. If I want to make
use of all these interfaces I can either

- assign different names to the addresses and configure all machines in
  the networks to use the proper address for their network
- use some ugly DNS hacking
- announce host routes to the first address on all other addresses.

The first solution involves configuring all client machines, the second is
a bl**dy mess and the third may be somewhat weird.
If I'm dealing with four crowded class C's I'd always go for the third
approach.

So long,

Ben

--
Ben(edikt)? Stockebrand         Un*x SA
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.

From owner-freebsd-security Wed Jul 29 11:09:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA18033 for freebsd-security-outgoing; Wed, 29 Jul 1998 11:09:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA17951 for ; Wed, 29 Jul 1998 11:09:31 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 2985 invoked by uid 1001); 29 Jul 1998 18:08:54 +0000 (GMT)
To: benedikt@devnull.ruhr.de
Cc: marcs@znep.com, ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
In-Reply-To: Your message of "28 Jul 1998 15:34:36 +0200"
References: <87af5um74j.fsf@devnull.ruhr.de>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Wed, 29 Jul 1998 20:08:54 +0200
Message-ID: <2983.901735734@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > If your box is set up *not* to route (net.inet.ip.forwarding = 0), I can
> > certainly see security advantages in not allowing packets to be accepted
> > unless they have destination address equal to the interface address. I
> > have seen a patch for this floating around on the net, but it would be
> > nice to have this configurable.
>
> I'd use a packet filter for that, something like

Certainly you can do that - but it seems like a rather heavyweight method
of solving this particular problem. I'd like to have something that could
be twiddled with sysctl myself.

> Making this the default behaviour will break a variety of things in
> connection with multihomed hosts that have interfaces in multiple
> networks (like for performance issues) but leave the actual routing
> business to some active network component.

Agreed - that's why I'd like to be able to turn this behavior off and on.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Wed Jul 29 11:15:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA19834 for freebsd-security-outgoing; Wed, 29 Jul 1998 11:15:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from iq.org (proff@polysynaptic.iq.org [203.4.184.222]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA19694 for ; Wed, 29 Jul 1998 11:15:10 -0700 (PDT) (envelope-from proff@iq.org)
From: proff@iq.org
Received: (qmail 19520 invoked by uid 110); 29 Jul 1998 18:14:18 -0000
Message-ID: <19980729181418.19519.qmail@iq.org>
Subject: Berg coding style (was qpopper trauma)
In-Reply-To: <199807291638.AAA02315@spinner.netplex.com.au> from Peter Wemm at "Jul 30, 98 00:38:49 am"
To: peter@netplex.com.au (Peter Wemm)
Date: Thu, 30 Jul 1998 04:14:17 +1000 (EST)
Cc: jkb@best.com, showboat@hotmail.com, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The cucipop code truly has to be seen to be believed...... eg:
> =======
> }
> }
> ;{ int namelen=sizeof peername;
> if(getpeername(fileno(sockin),(struct sockaddr*)&peername,&namelen)&&
> !debug&&(errno==ENOTSOCK||errno==EINVAL))
> { int serverfd,curfd;
> signal(SIGHUP,SIG_IGN);signal(SIGPIPE,SIG_IGN);fclose(stdin);
> fclose(stdout);serverfd=socket(AF_INET,SOCK_STREAM,TCP_PROT);
> peername.sin_family=AF_INET;peername.sin_addr.s_addr=INADDR_ANY;
> peername.sin_port=htons(port);curfd=-1;
> setsockopt(serverfd,SOL_SOCKET,SO_REUSEADDR,&curfd,sizeof curfd);
> if(bind(serverfd,(struct sockaddr*)&peername,sizeof peername))
> =======
>
> I've heard 'you can write fortran code in any language'.. I suspect this
> is C written by an assembler programmer. The handcrafted optimization
> reminds me of dark periods in my past of trying to save every last clock
> cycle and/or byte of memory.

That's actually pretty tame for Berg code (S. R. van den Berg). My
favourite is the following line from bregex.c (Berg's record-beating posix
compatible regex pattern matcher included in nntpcache):

	while((jump=jt[*(jstr+=jump)]));

For the uninitiated the above is a full blown Boyer-Moore loop.

regexp.c in procmail is worth a glance too.

Cheers,
Julian.
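What that one line is doing, spelled out as an added example (this is not code from bregex.c, nntpcache or procmail): the same Boyer-Moore-Horspool skip loop, with its jump table built the way the loop needs it (a zero entry for the pattern's last byte acting as the "stop and compare" signal), an explicit bound, and the compare-and-resume step that follows a candidate position. The names horspool_find, find_substr, jt and last_shift are this example's own.

```c
/*
 * Added example: a readable Boyer-Moore-Horspool search equivalent to
 * Berg's  while((jump=jt[*(jstr+=jump)]));  loop. Not from bregex.c.
 */
#include <stddef.h>
#include <string.h>

#define ALPHABET 256

/*
 * Search for pat[0..m-1] in text[0..n-1]. Returns the offset of the first
 * match, or -1. jt[c] is the jump table of Berg's loop: how far the window
 * slides when the text byte aligned with pat[m-1] is c. jt[pat[m-1]] is 0,
 * which is what makes the one-liner's condition false at a candidate.
 */
long horspool_find(const unsigned char *text, size_t n,
                   const unsigned char *pat, size_t m)
{
    size_t jt[ALPHABET];
    size_t i, last_shift;

    if (m == 0)
        return 0;
    if (m > n)
        return -1;

    for (i = 0; i < ALPHABET; i++)
        jt[i] = m;                     /* byte not in pattern: skip it all */
    for (i = 0; i + 1 < m; i++)
        jt[pat[i]] = m - 1 - i;        /* distance from its last occurrence */
    last_shift = jt[pat[m - 1]];       /* shift to use after a failed compare */
    jt[pat[m - 1]] = 0;                /* the sentinel the skip loop tests for */

    i = m - 1;                         /* text index aligned with pat[m-1] */
    for (;;) {
        size_t jump;
        /* Berg's loop, plus the bound it does not carry itself: the
         * one-liner only stops on a zero table entry, so whatever halts it
         * at end of buffer has to be in the data already. */
        while (i < n && (jump = jt[text[i]]) != 0)
            i += jump;
        if (i >= n)
            return -1;
        if (memcmp(text + i - (m - 1), pat, m) == 0)
            return (long)(i - (m - 1));
        i += last_shift;               /* candidate failed; keep sliding */
    }
}

/* Convenience wrapper for NUL-terminated strings. */
long find_substr(const char *text, const char *pat)
{
    return horspool_find((const unsigned char *)text, strlen(text),
                         (const unsigned char *)pat, strlen(pat));
}
```

The point for a reviewer is the one Peter makes about cucipop: the compact form hides two invariants (the zero entry in the table and a terminating byte in the buffer) that decide whether the loop ever runs off the end, and neither is visible at the call site. Written out, both checks are on the page where an auditor can see them.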
From owner-freebsd-security Wed Jul 29 11:28:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA24222 for freebsd-security-outgoing; Wed, 29 Jul 1998 11:28:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from brooklyn.slack.net (root@brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA24144; Wed, 29 Jul 1998 11:28:19 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id OAA25896; Wed, 29 Jul 1998 14:34:03 -0400 (EDT)
Date: Wed, 29 Jul 1998 14:34:03 -0400 (EDT)
From: andrewr
To: Garance A Drosihn
cc: Nate Williams , chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: ssh clients available for other platforms
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok. This thread must stop! No more Windows speak!

Andrew

From owner-freebsd-security Wed Jul 29 11:32:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA25216 for freebsd-security-outgoing; Wed, 29 Jul 1998 11:32:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fubar.cl.msu.edu (fubar.cl.msu.edu [35.8.1.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA25191 for ; Wed, 29 Jul 1998 11:31:54 -0700 (PDT) (envelope-from evans@fubar.cl.msu.edu)
Received: (from evans@localhost) by fubar.cl.msu.edu (8.8.8/8.8.8) id OAA06935; Wed, 29 Jul 1998 14:31:28 -0400 (EDT) (envelope-from evans)
Date: Wed, 29 Jul 1998 14:31:28 -0400 (EDT)
From: Jeff Evans
Message-Id: <199807291831.OAA06935@fubar.cl.msu.edu>
To: freebsd-security@FreeBSD.ORG
Subject: FreeBSD Security How-To (Was: QPopper exploit)
X-Newsreader: NN version 6.5.0 #1 (NOV)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > >I heard there was a free Windows ssh client these days -- I haven't used
> > >it as (oops) I don't run any Microsoft operating systems :).
> >
> > Anyone know where to get it?

I've seen a freeware (for education at least if not everyone) version of
Tera Term for windows that supports SSH. It's always seemed to work well
for me under Win 95, and Windows NT (Win 98 might cause it problems). Plus
as an added bonus the cut and paste works kind of like an xterm :).

You can find Teraterm and the ssh client at these URLs:

http://hp.vector.co.jp/authors/VA002416/teraterm.html
http://www.zip.com.au/~roca/ttssh.html

hope this helps,

-Jeff

--
Jeff Evans -- evans@msu.edu
Michigan State University
http://pilot.msu.edu/~evans

From owner-freebsd-security Wed Jul 29 11:49:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA29329 for freebsd-security-outgoing; Wed, 29 Jul 1998 11:49:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail1.its.rpi.edu (root@mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA29307 for ; Wed, 29 Jul 1998 11:48:53 -0700 (PDT) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id OAA70630 for ; Wed, 29 Jul 1998 14:48:23 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id:
In-Reply-To: <199807291740.LAA27824@mt.sri.com>
References: <2791.901733838@verdi.nethelp.no> <199807291532.JAA26878@mt.sri.com>
 <2791.901733838@verdi.nethelp.no>
Date: Wed, 29 Jul 1998 14:52:19 -0400
To: security@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Perhaps we could keep *this* thread about the excellent effort to have a
FreeBSD Security How-To. That's a worthy topic which will probably benefit
many FreeBSD users. That how-to was listed as being at
http://www.best.com/~jkb/howto.txt - and the author was interested in
feedback. It looks pretty helpful.

The discussion of ssh clients for *other* operating systems probably does
not need to continue on freebsd-security, or at the very least, not under
this particular subject/thread... (yeah, I know, I also added comments on
the MacOS version, but I'll be better-behaved now)

---
Garance Alistair Drosehn     =   gad@eclipse.its.rpi.edu
Senior Systems Programmer           or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Wed Jul 29 12:47:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA13360 for freebsd-security-outgoing; Wed, 29 Jul 1998 12:47:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA13347 for ; Wed, 29 Jul 1998 12:47:06 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id NAA14449; Wed, 29 Jul 1998 13:46:31 -0600 (MDT)
Message-Id: <199807291946.NAA14449@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Wed, 29 Jul 1998 13:46:14 -0600
To: freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: procmail workaround for MIME filename overflow exploit
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

John Hardin has just updated his procmail "kit" to shorten long file names
on MIME attachments. This should prevent potential exploits in mail
clients such as Outlook, Outlook Express, Netscape Mail, and possibly
Eudora (there's still some debate about whether Eudora is susceptible).

John's procmail filter kit can be found at

http://www.wolfenet.com/~jhardin/procmail-kit.html

You can view his "recipe" for solving the problem at the end of the file

http://www.wolfenet.com/~jhardin/html-trap.procmail

I have no idea whether his solution is bulletproof (we should all probably
review it to be sure!), but it certainly looks good.

Admins: it'd be a fantastic idea to install this NOW to protect users,
unless anyone knows of security holes in procmail.

--Brett Glass

From owner-freebsd-security Wed Jul 29 13:09:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA16595 for freebsd-security-outgoing; Wed, 29 Jul 1998 13:09:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA16577 for ; Wed, 29 Jul 1998 13:08:53 -0700 (PDT) (envelope-from bs@devnull.ruhr.de)
Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5-r-beta/8.8.5) with UUCP id VAA02027; Wed, 29 Jul 1998 21:50:52 +0200 (MET DST)
Received: from [192.168.22.75] (helo=rm.devnull.ruhr.de) by devnull.ruhr.de with esmtp (Exim 1.92 #1) id 0z1c3V-0000rs-00; Wed, 29 Jul 1998 21:38:33 +0200
Received: from bs by rm.devnull.ruhr.de with local (Exim 1.92 #1) id 0z1c3U-0000cb-00; Wed, 29 Jul 1998 21:38:32 +0200
To: "Show Boat"
Cc: security@FreeBSD.ORG
Subject: Re: Post qpopper trauma
References: <19980728211125.14099.qmail@hotmail.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Benedikt Stockebrand
Date: 29 Jul 1998 21:38:30 +0200
In-Reply-To: "Show Boat"'s message of "Tue, 28 Jul 1998 14:11:24 PDT"
Message-ID: <87g1fksb0p.fsf@devnull.ruhr.de>
Lines: 43
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Show Boat" writes:

> I've looked through the 'last' log extensively. Again, nothing I cannot
> account for. Anyone with potential root access (sudo) logged from an IP
> I can account for.

Are you sure that those machines haven't been hacked?

Aside from that, a couple additional suggestions:

- Use "netstat -a -n" to learn about services you don't expect. And don't
  believe the service numbers in your /etc/services but look things up
  (maybe on an installation CD-ROM?).

- If you have a spare machine (any 386 with some disk space will do), make
  it a secured log host. IOW, make it close all ports except syslog and
  read logs directly on the console. And maybe hack up some tcpdump stuff
  on it to see about unexpected things going on.

- Use tripwire to check if any files have been modified. This especially
  includes configuration files.

- Consider using RCS or CVS for managing your config files. But keep the
  repositories out of everyone's reach.

- Install from scratch.

- When you restore the user home directories etc. check for suid/sgid
  files.

- Install packet filters wherever feasible.

So long,

Ben

--
Ben(edikt)? Stockebrand         Un*x SA
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.
From owner-freebsd-security Wed Jul 29 13:54:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA26071 for freebsd-security-outgoing; Wed, 29 Jul 1998 13:54:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA25968; Wed, 29 Jul 1998 13:53:35 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id NAA26010; Wed, 29 Jul 1998 13:52:29 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma026006; Wed Jul 29 13:52:11 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id NAA19705; Wed, 29 Jul 1998 13:52:11 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199807292052.NAA19705@bubba.whistle.com>
Subject: Re: IPFW rules applied twice?
In-Reply-To: <35BE914A.A946F57D@tpgi.com.au> from Andrew Cagney at "Jul 29, 98 01:04:42 pm"
To: cagney@tpgi.com.au (Andrew Cagney)
Date: Wed, 29 Jul 1998 13:52:11 -0700 (PDT)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew Cagney writes:
> My question: Do the IPFW rules get applied twice?
>
> o when the packet comes IN on the
> ppp0 interface.
>
> o when the packet goes OUT on the
> vx0 interface.
>
> I think they do (as they should).
> The problem is, I can't find anything in the IPFW documentation
> that confirms this.

Yes, firewall rules are applied as packets enter and as they
leave an interface. That's why you can specify "in" and/or "out"
in the firewall rules.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Wed Jul 29 14:51:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA08504 for freebsd-security-outgoing; Wed, 29 Jul 1998 14:51:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from notabene.zer0.org (sac-port55.jps.net [209.63.114.210]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA08492 for ; Wed, 29 Jul 1998 14:51:13 -0700 (PDT) (envelope-from gsutter@n1.dyn.ml.org)
Received: (from gsutter@localhost) by notabene.zer0.org (8.8.7/8.8.8) id OAA19756; Wed, 29 Jul 1998 14:55:56 -0700 (PDT) (envelope-from gsutter)
Message-ID: <19980729145556.C16073@notabene.zer0.org>
Date: Wed, 29 Jul 1998 14:55:56 -0700
From: Gregory Sutter
To: Brett Glass , freebsd-security@FreeBSD.ORG
Subject: Re: procmail workaround for MIME filename overflow exploit
References: <199807291946.NAA14449@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.1i
In-Reply-To: <199807291946.NAA14449@lariat.lariat.org>; from Brett Glass on Wed, Jul 29, 1998 at 01:46:14PM -0600
Organization: Zer0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jul 29, 1998 at 01:46:14PM -0600, Brett Glass wrote:
> John Hardin has just updated his procmail "kit" to shorten long file names
> on MIME attachments. This should prevent potential exploits in mail clients
> such as Outlook, Outlook Express, Netscape Mail, and possibly Eudora
> (there's still some debate about whether Eudora is susceptible).
>
> John's procmail filter kit can be found at
> http://www.wolfenet.com/~jhardin/procmail-kit.html
>
> You can view his "recipe" for solving the problem at the end of the file
> http://www.wolfenet.com/~jhardin/html-trap.procmail

Brett,

John's recipe has the same problem as Andrew McNaughton's proposed
solution -- it invokes perl. That's a lot of overhead to process a
mail message, when procmail can do it just fine. Out of several
recipes suggested on the procmail mailing list, David Tamkin's is the
best:

:0fhw # sixty-three dots in second condition
* ^Content-Disposition:(.*\>)?filename="\/[^"]+
* MATCH ?? ^^\/...............................................................
| formail -I "Content-Disposition: attachment; filename=\"$MATCH\""

That recipe will truncate any filenames longer than 63 characters to 63
chars. If you wish to specially denote offending messages, you can
change the action line to:

| formail -I "Content-Disposition: attachment; filename=\"$MATCH\"" \
    -i "X-Security-Modification: Truncated long filename"

Regards,
Greg

--
Gregory S. Sutter
Bureaucrats cut red tape -- lengthwise.
mailto:gsutter@pobox.com http://www.pobox.com/~gsutter/

From owner-freebsd-security Wed Jul 29 17:08:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA08494 for freebsd-security-outgoing; Wed, 29 Jul 1998 17:08:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA08469 for ; Wed, 29 Jul 1998 17:08:27 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id SAA18937; Wed, 29 Jul 1998 18:07:52 -0600 (MDT)
Message-Id: <199807300007.SAA18937@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Wed, 29 Jul 1998 18:07:33 -0600
To: Gregory Sutter , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: procmail workaround for MIME filename overflow exploit
In-Reply-To: <19980729145556.C16073@notabene.zer0.org>
References: <199807291946.NAA14449@lariat.lariat.org> <199807291946.NAA14449@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:55 PM 7/29/98 -0700, Gregory Sutter wrote:
>Brett,
>
>John's recipe has the same problem as Andrew McNaughton's proposed
>solution -- it invokes perl.

As far as I can see, it invokes Perl only if a potential exploit is
recognized.... Hopefully, a rare event.

John's original recipe DOES have the problem that it doesn't handle
varying amounts of whitespace between items, or tabs rather than spaces
as whitespace. I've mentioned this to John and I expect he'll update his
recipes (he has several relating to MIME).

--Brett

From owner-freebsd-security Wed Jul 29 17:15:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA10217 for freebsd-security-outgoing; Wed, 29 Jul 1998 17:15:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from andrew1.lnk.telstra.net (andrew1.lnk.telstra.net [139.130.51.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA10132; Wed, 29 Jul 1998 17:15:32 -0700 (PDT) (envelope-from cagney@tpgi.com.au)
Received: (from cagney@localhost) by andrew1.lnk.telstra.net (8.8.8/8.7.3) id KAA00812; Thu, 30 Jul 1998 10:16:56 +1000 (EST)
Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.b1.cygnus.com.i386.bsd via MS.5.6.b1.cygnus.com.i386_bsd; Thu, 30 Jul 1998 10:16:55 +1000 (WET)
Message-ID:
Date: Thu, 30 Jul 1998 10:16:55 +1000 (WET)
From: Andrew Cagney
To: Archie Cobbs
Subject: Re: IPFW rules applied twice?
CC: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <199807292052.NAA19705@bubba.whistle.com>
References: <199807292052.NAA19705@bubba.whistle.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Excerpts from mail: 29-Jul-98 Re: IPFW rules applied twice? Archie Cobbs@whistle.com (634*)

> Yes, firewall rules are applied as packets enter and as they
> leave an interface. That's why you can specify "in" and/or "out"
> in the firewall rules.

Good :-)

I think the documentation needs to be very clear about this - when it
comes to security things can't be left cloudy -)

thanks,
Andrew

From owner-freebsd-security Wed Jul 29 18:31:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA02630 for freebsd-security-outgoing; Wed, 29 Jul 1998 18:31:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hillbilly.hayseed.net (hillbilly.hayseed.net [204.62.130.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA02623 for ; Wed, 29 Jul 1998 18:31:48 -0700 (PDT) (envelope-from enkhyl@hayseed.net)
Received: from hillbilly.hayseed.net (enkhyl@hillbilly.hayseed.net [204.62.130.2]) by hillbilly.hayseed.net (8.9.1/8.8.5) with SMTP id BAA03678; Thu, 30 Jul 1998 01:29:17 GMT
Date: Thu, 30 Jul 1998 01:29:17 +0000 (Local time zone must be set--see zic manual page)
From: Enkhyl
To: "Kurt D. Zeilenga"
cc: andrewr , freebsd-security@FreeBSD.ORG
Subject: Re: SSH for Windows (was: Re: FreeBSD Security How-To (Was: QPopper exploit))
In-Reply-To: <3.0.5.32.19980729085429.0092f220@127.0.0.1>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

After test driving SecureCRT for a few months, we went ahead and bought
several licenses. It's a very nice product with lots of features. It's
definitely far superior to the DataFellows SSH client.

On Wed, 29 Jul 1998, Kurt D. Zeilenga wrote:

> I've been using SecureCRT from Van Dyke Tech (http://www.vandyke.com/).
> The terminal emulator is based upon their popular CRT product. I've
> been very happy with it so far. The port forwarding support has allowed
> me deny non-localhost access to my server's Popper and SMTP relay.
>
> Kurt
>
>
> At 12:51 AM 7/29/98 -0400, you wrote:
> >
> >
> >On Tue, 28 Jul 1998, Brett Glass wrote:
> >
> >> At 08:48 AM 7/28/98 -0400, Robert Watson wrote:
> >>
> >> >I heard there was a free Windows ssh client these days -- I haven't used
> >> >it as (oops) I don't run any Microsoft operating systems :).
> >>
> >> Anyone know where to get it?
> >>
> >> --Brett
> >
> >For a 30 day trial copy, go to www.datafellows.com and head to their
> >download section. You can get a m$ copy of ssh client there.
> >
> >Andrew

--
Christopher Nielsen
Scient: The Art and Science of Electronic Business
cnielsen@scient.com

From owner-freebsd-security Wed Jul 29 20:08:40 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA18499 for freebsd-security-outgoing; Wed, 29 Jul 1998 20:08:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tasam.com (tasam.com [198.232.144.22]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA18488 for ; Wed, 29 Jul 1998 20:08:34 -0700 (PDT) (envelope-from clash@tasam.com)
Received: from bug (bug.tasam.com [198.232.144.254]) by tasam.com (8.9.1/8.9.1) with SMTP id WAA13586 for ; Wed, 29 Jul 1998 22:07:13 -0500 (EST)
Message-ID: <006101bdbb67$38d1c8a0$0171a1ce@bug.tasam.com>
From: "Joe Gleason"
To:
Subject: Re: preventing fork bombs
Date: Wed, 29 Jul 1998 23:07:41 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Last time I tried that on my shell server, it worked but not for things
run from cron. So an especially evil and crafty user could just run
their fork bomb from cron.

Joe Gleason
Tasam

>man login.conf
>
>set limits there for login classes.
>
>-Alfred
>
>On Sun, 26 Jul 1998, Nicholas Charles Brawn wrote:
>
>> How can someone limit/prevent fork bomb attacks on your system. I
>> recently tried one on myself after modifying kern.maxprocperuid (thinking
>> that should prevent it), and got my machine up to a load of over 150
>> before I killed it.
>>
>> The simple code used was:
>>
>> #include
>>
>> main(void) {
>>     while(1) {
>>         fork();
>>     }
>> }
>>
>> The above effectively freezing my system. :\
>>
>> Anyone got any ideas?
>>
>> Nick
>>
>> --
>> Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
>> Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
>> "When in doubt, ask someone wiser than yourself..." -unknown
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe security" in the body of the message
>>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>

From owner-freebsd-security Wed Jul 29 23:15:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA09538 for freebsd-security-outgoing; Wed, 29 Jul 1998 23:15:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tversu.ru (mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA09514; Wed, 29 Jul 1998 23:15:19 -0700 (PDT) (envelope-from vadim@gala.tversu.ru)
Received: from gala.tversu.ru (vadim@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id KAA26280; Thu, 30 Jul 1998 10:14:02 +0400 (MSD)
Received: (from vadim@localhost) by gala.tversu.ru (8.8.8/8.8.8) id KAA10095; Thu, 30 Jul 1998 10:13:59 +0400 (MSD)
Message-ID: <19980730101358.A10071@tversu.ru>
Date: Thu, 30 Jul 1998 10:13:58 +0400
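For reference on the login-class limit that Alfred points Nick at and that Joe reports cron jobs bypassing on his server, here is what such a class looks like in /etc/login.conf. This is an added fragment constructed for this archive, not configuration posted by anyone in the thread; the class name `shelluser` and the value 64 are assumptions, `maxproc` is the login.conf capability that caps the number of processes a user may own, and `tc=default` inherits the rest from the default class.

```text
# Added example (constructed for this archive): a login class in
# /etc/login.conf that caps the number of simultaneous processes a
# member may own. After editing, rebuild the capability database with
#   cap_mkdb /etc/login.conf
# and put a user in the class with
#   pw usermod <name> -L shelluser
shelluser:\
	:maxproc=64:\
	:tc=default:
```

The limit is applied by the programs that set up a login session through login classes, which is why it catches an interactive shell; whether a job started by cron on a given release inherits it is exactly what Joe's test found wanting, so checking it the way Nick did, from cron as an unprivileged test account, is the only way to be sure on your own system.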
From: Vadim Kolontsov
To: chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit))
References: <19980728175257.H19941@caerdonn.eurocontrol.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93i
In-Reply-To: <19980728175257.H19941@caerdonn.eurocontrol.fr>; from Ollivier Robert on Tue, Jul 28, 1998 at 05:52:57PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Personally I like TeraTerm with ssh-extension: TTSSH
http://www.zip.com.au/~roca/ttssh.html

Regards,
V.

--
Vadim Kolontsov Tver Internet Center NOC

From owner-freebsd-security Wed Jul 29 23:19:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA10354 for freebsd-security-outgoing; Wed, 29 Jul 1998 23:19:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA10347 for ; Wed, 29 Jul 1998 23:18:55 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id SAA06800; Thu, 30 Jul 1998 18:17:53 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Thu, 30 Jul 1998 18:17:52 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: Any procmail experts here?
In-Reply-To: <199807291630.KAA11022@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

procmail will run every time. perl will only run if there is a
Content-Disposition header.

This variant executes perl only if the content-Disposition header is long

:0 hfw
* ^Content-disposition:.................................................................
| /usr/local/bin/perl -pe 's/^(Content-Disposition:.{80}).*/$1/i'

I didn't bother to count the dots I typed. Set it to what you think is
appropriate.

Procmail's regexp has a construct \/ which puts anything matched by the
regexp after that point into $MATCH. This could be used to discard or
redirect the message without trying to make it safe.

If you're not using procmail for anything else, then you're probably
better to use perl only, or perhaps even sed. Is it possible to have
sendmail keep the filter pipe open somehow?

Andrew

On Wed, 29 Jul 1998, Brett Glass wrote:

> Date: Wed, 29 Jul 1998 10:24:53 -0600
> From: Brett Glass
> To: andrew@squiz.co.nz
> Cc: security@FreeBSD.ORG
> Subject: Re: Any procmail experts here?
>
> Wow.... That means invoking both procmail AND Perl on every message.
> Not such a good idea on a busy mail server. (And, of course, Perl
> will recompile the regex each and every time it executes.) How could
> one avoid this?
>
> --Brett
>
> At 06:50 PM 7/29/98 +1200, Andrew McNaughton wrote:
>
> >
> >:0 hfw
> >* ^Content-disposition:
> >| /usr/local/bin/perl -pe 's/^(Content-Disposition:.{80}).*/$1/i'
> >
> >It's a little rough, but should work, Improvement is a perl regex problem
> >rather than a procmail one.
> >
> >Andrew McNaughton
> >
> >
> >On Tue, 28 Jul 1998, Brett Glass wrote:
> >
> >> Date: Tue, 28 Jul 1998 21:01:06 -0600
> >> From: Brett Glass
> >> To: security@FreeBSD.ORG
> >> Subject: Re: Any procmail experts here?
> >>
> >> Whoops.... As many of you have doubtless already noted, the header
> >> we need to catch is
> >>
> >> Content-Disposition: attachment; filename=""
> >>
> >> --Brett
> >>
> >> At 07:59 PM 7/28/98 -0600, Brett Glass wrote:
> >>
> >> >We have dozens of users who might get bit by the MIME filename buffer
> >> >overflow bug described at
> >> >
> >> >http://www.sjmercury.com/business/microsoft/docs/security0728.htm
> >> >
> >> >and would like to try to use procmail to plug the hole (it seems to be the
> >> >best tool for the job). However, I have no experience with procmail. Could
> >> >someone help me write a procmail.rc that will eliminate the extra-long
> >> >filenames, truncating them back to (say) 64 characters max? All that's
> >> >required is to recognize the Content-type: .... filename="" header
> >> >and make sure that is chopped if it's too long.
> >> >
> >> >This would be a fix for which thousands of sysadmins would be exceedingly
> >> >grateful.
> >> >
> >> >--Brett
> >> >
> >> >
> >> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> >with "unsubscribe security" in the body of the message
> >> >
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe security" in the body of the message
> >>
>
>

From owner-freebsd-security Wed Jul 29 23:30:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA12550 for freebsd-security-outgoing; Wed, 29 Jul 1998 23:30:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA12544 for ; Wed, 29 Jul 1998 23:30:06 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id CAA22779; Thu, 30 Jul 1998 02:34:19 -0400 (EDT)
Date: Thu, 30 Jul 1998 02:34:19 -0400 (EDT)
From: andrewr
To: Garance A Drosihn
cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok, here is my solution.. All those interested in being on a FreeBSD
Security Audit mailing list, just email andrewr@slack.net and we can
figure out a way that we can do this not through FreeBSD.org. After
speaking with jkh, we must first set up our own mailing list, then, if
productive, we can move it to FreeBSD.org. But, for now, just email me.
And I will figure something out.

Andrew

From owner-freebsd-security Wed Jul 29 23:39:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA13511 for freebsd-security-outgoing; Wed, 29 Jul 1998 23:39:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix.welearn.com.au (suebla.lnk.telstra.net [139.130.44.81]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA13498 for ; Wed, 29 Jul 1998 23:39:52 -0700 (PDT) (envelope-from sue@phoenix.welearn.com.au)
Received: (from sue@localhost) by phoenix.welearn.com.au (8.8.5/8.8.5) id QAA02939; Thu, 30 Jul 1998 16:18:23 +1000 (EST)
Message-ID: <19980730161820.19596@welearn.com.au>
Date: Thu, 30 Jul 1998 16:18:20 +1000
From: Sue Blake
To: Garance A Drosihn
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
References: <2791.901733838@verdi.nethelp.no> <199807291532.JAA26878@mt.sri.com> <2791.901733838@verdi.nethelp.no> <199807291740.LAA27824@mt.sri.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: ; from Garance A Drosihn on Wed, Jul 29, 1998 at 02:52:19PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jul 29, 1998 at 02:52:19PM -0400, Garance A Drosihn wrote:
>
> The discussion of ssh clients for *other* operating systems
> probably does not need to continue on freebsd-security, or
> at the very least, not under this particular subject/thread...

I disagree. Until everyone accessing my system has a suitable ssh
client, I cannot make my system as secure as I'd like it. The lack of
clients for other operating systems has been a big headache here.

While extended discussions about them are out of place, I am grateful
to have received this new information, including about which clients
will best encourage users to comply with my request to use only ssh.
All I need now is something to recommend for OS/2 and telnet gets
ditched.

--

Regards,
        -*Sue*-

From owner-freebsd-security Wed Jul 29 23:55:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA15611 for freebsd-security-outgoing; Wed, 29 Jul 1998 23:55:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA15587 for ; Wed, 29 Jul 1998 23:55:47 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id SAA06998; Thu, 30 Jul 1998 18:39:09 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Thu, 30 Jul 1998 18:39:09 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Gregory Sutter
cc: Brett Glass , freebsd-security@FreeBSD.ORG
Subject: Re: procmail workaround for MIME filename overflow exploit
In-Reply-To: <19980729145556.C16073@notabene.zer0.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 29 Jul 1998, Gregory Sutter wrote:

> John's recipe has the same problem as Andrew McNaughton's proposed
> solution -- it invokes perl. That's a lot of overhead to process a
> mail message, when procmail can do it just fine. Out of several
> recipes suggested on the procmail mailing list, David Tamkin's is the
> best:
>
> :0fhw # sixty-three dots in second condition
> * ^Content-Disposition:(.*\>)?filename="\/[^"]+
> * MATCH ?? ^^\/...............................................................
> | formail -I "Content-Disposition: attachment; filename=\"$MATCH\""
>
> That recipe will truncate any filenames longer than 63 characters to 63
> chars. If you wish to specially denote offending messages, you can
> change the action line to:
>
> | formail -I "Content-Disposition: attachment; filename=\"$MATCH\"" \
> -i "X-Security-Modification: Truncated long filename"

If formail is substantially faster than perl to invoke then it's better,
but I prefer a test on the length of the entire header rather than just
the filename.

Do any of the vulnerable programs also make assumptions about the length
of the header as a whole? Do any accept whitespace around the '='. What
happens if there is no terminating '"'.
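To make the behaviour of Tamkin's recipe (quoted above) concrete, and to cover the cases Brett and Andrew raise about tabs after the colon, whitespace around the '=' and a missing closing quote, here is an equivalent header rewriter in Python. It is an added example written for this archive, not code from any poster or from the procmail kit: it keeps the 63-character cut and the X-Security-Modification marker from Gregory's version, but unlike `formail -I` it preserves any other parameters on the header instead of replacing the whole field. The sample message at the bottom is constructed.

```python
import re

MAX_FILENAME = 63  # the limit Tamkin's recipe enforces

# Header name, tolerating spaces or tabs before and after the colon.
_DISPOSITION_RE = re.compile(
    r"^(?P<name>Content-Disposition)[ \t]*:[ \t]*(?P<value>.*)$",
    re.IGNORECASE,
)
# filename parameter: optional whitespace around '=', value either quoted
# (closing quote optional, so an unterminated value is still caught) or bare.
_FILENAME_RE = re.compile(
    r'(?P<key>filename)[ \t]*=[ \t]*(?:"(?P<quoted>[^"]*)"?|(?P<bare>[^;\s]*))',
    re.IGNORECASE,
)


def truncate_filename(line, limit=MAX_FILENAME):
    """Return (line, changed). If `line` is a Content-Disposition header
    whose filename parameter exceeds `limit` characters, rewrite it with the
    name cut to `limit` characters in canonical quoted form. Other parameters
    and the original spelling of the header name are kept."""
    m = _DISPOSITION_RE.match(line)
    if not m:
        return line, False
    value = m.group("value")
    fm = _FILENAME_RE.search(value)
    if not fm:
        return line, False
    name = fm.group("quoted")
    if name is None:
        name = fm.group("bare")
    if len(name) <= limit:
        return line, False
    rebuilt = value[:fm.start()] + 'filename="%s"' % name[:limit] + value[fm.end():]
    return "%s: %s" % (m.group("name"), rebuilt), True


def filter_headers(message):
    """Apply truncate_filename to the top-level header block of `message`
    (everything before the first blank line), unfolding RFC 822 continuation
    lines first; this mirrors the recipe's `h` flag, which limits it to the
    headers. Adds Gregory's X-Security-Modification header when a filename
    was cut. Returns (new_message, changed)."""
    head, sep, body = message.partition("\n\n")
    unfolded = []
    for raw in head.split("\n"):
        if raw[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + raw.strip()  # folded continuation line
        else:
            unfolded.append(raw)
    changed = False
    out = []
    for hdr in unfolded:
        new_hdr, hit = truncate_filename(hdr)
        changed = changed or hit
        out.append(new_hdr)
    if changed:
        out.append("X-Security-Modification: Truncated long filename")
    return "\n".join(out) + sep + body, changed


if __name__ == "__main__":
    # Constructed sample: a folded header carrying a 100-character name.
    long_name = "A" * 100
    sample = (
        "From: someone@example.org\n"
        "Content-Disposition: attachment;\n"
        '\tfilename = "%s"\n'
        "Subject: test\n"
        "\n"
        "body\n"
    ) % long_name
    print(filter_headers(sample)[0])
```

Two points of design worth noting. When the closing quote is missing, the whole remainder of the line is treated as the filename and cut, which errs on the side of shortening; and because the filter only walks the top-level headers, a Content-Disposition inside a multipart body part is not touched, which is the same limitation the `:0fhw` recipe has.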
Andrew

From owner-freebsd-security Thu Jul 30 01:01:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA25505 for freebsd-security-outgoing; Thu, 30 Jul 1998 01:01:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA25498 for ; Thu, 30 Jul 1998 01:01:44 -0700 (PDT) (envelope-from bs@devnull.ruhr.de)
Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5-r-beta/8.8.5) with UUCP id JAA00731; Thu, 30 Jul 1998 09:34:52 +0200 (MET DST)
Received: from [192.168.22.75] (helo=rm.devnull.ruhr.de) by devnull.ruhr.de with esmtp (Exim 1.92 #1) id 0z1d6f-00013b-00; Wed, 29 Jul 1998 22:45:53 +0200
Received: from bs by rm.devnull.ruhr.de with local (Exim 1.92 #1) id 0z1d6d-0000lG-00; Wed, 29 Jul 1998 22:45:51 +0200
To: sthaug@nethelp.no
Cc: benedikt@devnull.ruhr.de, marcs@znep.com, ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
References: <87af5um74j.fsf@devnull.ruhr.de> <2983.901735734@verdi.nethelp.no>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Benedikt Stockebrand
Date: 29 Jul 1998 22:45:50 +0200
In-Reply-To: sthaug@nethelp.no's message of "Wed, 29 Jul 1998 20:08:54 +0200"
Message-ID: <87d8aos7wh.fsf@devnull.ruhr.de>
Lines: 56
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sthaug@nethelp.no writes:

[Re: Filtering packets coming in through the "wrong" interface]

> > I'd use a packet filter for that, something like
>
> Certainly you can do that - but it seems like a rather heavyweight
> method of solving this particular problem. I'd like to have something
> that could be twiddled with sysctl myself.

Point taken. But let me play the advocatus diaboli for a moment:

- If we put everything that may be reasonable for some people and/or
  situations into the kernel we risk ending up with a system that's as
  sluggish as Solaris (not to mention something like NT).

- As long as we're dealing with security, a smaller system is
  inherently less insecure because it'll contain fewer bugs. The
  filter you propose doesn't provide additional functionality that
  can't be done through the packet filter mechanism. To achieve
  maximum "orthogonality" it should be left out.

- If your system lives on a network with potentially malicious packets
  coming in, you'd better use a proper packet filter anyway as part of
  securing that machine properly. If you don't have to worry about
  possible attacks (because you've got a firewall in place and trust
  the local machines) you don't really need such a filter. As a
  consequence there shouldn't be the widespread use for this feature
  to justify it being put into the kernel.

Of course I'm somewhat biased because I think that the only way to
build a reasonably secure system is to stick with those abstract rules
of thumb like "maximizing orthogonality" and "minimizing total system
size" and such.

And since I feel reasonably comfortable setting up a packet filter I
don't feel as much of a pressing need for this feature as someone who's
only started trying to figure out what a packet filter is.

Anyway, your proposal isn't something I'd feel like getting religious
about. If someone provides the code and someone with commit privilege
is willing to integrate it into the source tree I'd just go on with
life as before :-)

So long,

Ben

--
Ben(edikt)? Stockebrand Un*x SA
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.

From owner-freebsd-security Thu Jul 30 01:16:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA27439 for freebsd-security-outgoing; Thu, 30 Jul 1998 01:16:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA27433 for ; Thu, 30 Jul 1998 01:16:41 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id BAA14819; Thu, 30 Jul 1998 01:16:38 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Thu, 30 Jul 1998 01:16:38 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: Garance A Drosihn
cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 29 Jul 1998, Garance A Drosihn wrote:

>
>Perhaps we could keep *this* thread about the excellent effort
>to have a FreeBSD Security How-To. That's a worthy topic which
>will probably benefit many FreeBSD users. That how-to was
>listed as being at http://www.best.com/~jkb/howto.txt - and the
>author was interested in feedback. It looks pretty helpful.

Thanks for the kind words. I am getting a lot of responses from people
saying this doc is in one way or another helpful to them. I also got a
lot of comments and feedback which I will incorporate into the How-To
over the weekend.

Thanks again to everyone,

-- Yan

>
>The discussion of ssh clients for *other* operating systems
>probably does not need to continue on freebsd-security, or
>at the very least, not under this particular subject/thread...
>
>(yeah, I know, I also added comments on the MacOS version,
>but I'll be better-behaved now)
>
>---
>Garance Alistair Drosehn = gad@eclipse.its.rpi.edu
>Senior Systems Programmer or drosih@rpi.edu
>Rensselaer Polytechnic Institute
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>

From owner-freebsd-security Thu Jul 30 04:42:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA24630 for freebsd-security-outgoing; Thu, 30 Jul 1998 04:42:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cons.org (knight.cons.org [194.233.237.86]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA24623; Thu, 30 Jul 1998 04:42:13 -0700 (PDT) (envelope-from cracauer@cons.org)
Received: (from cracauer@localhost) by cons.org (8.8.8/8.7.3) id NAA12444; Thu, 30 Jul 1998 13:42:02 +0200 (CEST)
Message-ID: <19980730134201.A12433@cons.org>
Date: Thu, 30 Jul 1998 13:42:01 +0200
From: Martin Cracauer
To: obrien@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: mutt security fix
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David,

[CC to -security for those who care]

This is from http://paul.boehm.org/mutt-parse.patch. It fixes a
remotely exploitable buffer overrun in MIME subtype checking. As the
mutt folks haven't reacted yet, I suggest you commit it to the mutt
port.

--- parse.c.old Tue Jul 28 18:25:50 1998
+++ parse.c Tue Jul 28 18:25:56 1998
@@ -268,7 +268,7 @@ if ((pc = strchr(s, '/'))) { *pc++ = 0; - while (*pc && !ISSPACE (*pc) && *pc != ';') + while (*pc && !ISSPACE (*pc) && *pc != ';' && i < (SHORT_STRING - 1)) { buffer[i++] = *pc; pc++; -- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Martin Cracauer http://www.cons.org/cracauer cracauer@wavehh.hanse.de (batched, preferred for large mails) Tel.: (private) +4940 5221829 Fax.: (private) +4940 5228536 Paper: (private) Waldstrasse 200, 22846 Norderstedt, Germany To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Jul 30 07:28:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA09675 for freebsd-security-outgoing; Thu, 30 Jul 1998 07:28:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from socrates.i-pi.com (socrates.i-pi.com [198.49.217.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA09647 for ; Thu, 30 Jul 1998 07:27:57 -0700 (PDT) (envelope-from ingham@i-pi.com) Received: (from ingham@localhost) by socrates.i-pi.com (8.8.8/8.8.7) id IAA09952; Thu, 30 Jul 1998 08:17:28 -0600 (MDT) (envelope-from ingham) Message-ID: <19980730081728.46269@i-pi.com> Date: Thu, 30 Jul 1998 08:17:28 -0600 
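Review bot: the added `i < (SHORT_STRING - 1)` test stops the write into buffer[], but when it trips the loop exits with pc still pointing into the middle of the over-long subtype, and whatever follows this loop (which expects pc to have reached whitespace, ';' or the end of the string) will go on to parse the tail of that token as if it were the parameter list. After the loop, either consume the remainder of the token (for example `while (*pc && !ISSPACE (*pc) && *pc != ';') pc++;`) or reject the header outright; a silently truncated subtype is also a poor result for anything that later matches on the full type/subtype string. The hunk bounds only the copy that follows the '/'; check the rest of this function for the same `buffer[i++] = *pc` pattern on the type part before the '/', which this patch does not touch.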
From: Kenneth Ingham To: Brett Glass , freebsd-security@FreeBSD.ORG Subject: Re: procmail workaround for MIME filename overflow exploit References: <199807291946.NAA14449@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89i In-Reply-To: <199807291946.NAA14449@lariat.lariat.org>; from Brett Glass on Wed, Jul 29, 1998 at 01:46:14PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've got one problem with using procmail to solve the MIME problem. My users regularly send each other >5MB email messages. When I was using procmail as the local delivery agent, it died on large messages, sometimes taking all the swap space on the machine (284MB) with it. Changing back to the standard local mail delivery agent solved the problems. This is on a 2.2.6-RELEASE machine. Kenneth To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Jul 30 08:02:51 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA12997 for freebsd-security-outgoing; Thu, 30 Jul 1998 08:02:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk ([195.8.135.83]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA12962 for ; Thu, 30 Jul 1998 08:02:43 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.5) with ESMTP id QAA03715; Thu, 30 Jul 1998 16:43:50 +0200 (CEST) To: Kenneth Ingham cc: Brett Glass , freebsd-security@FreeBSD.ORG Subject: Re: procmail workaround for MIME filename overflow exploit In-reply-to: Your message of "Thu, 30 Jul 1998 08:17:28 MDT." <19980730081728.46269@i-pi.com> Date: Thu, 30 Jul 1998 16:43:50 +0200 Message-ID: <3713.901809830@critter.freebsd.dk> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <19980730081728.46269@i-pi.com>, Kenneth Ingham writes: >I've got one problem with using procmail to solve the MIME problem. >My users regularly send each other >5MB email messages. When I >was using procmail as the local delivery agent, it died on large >messages, sometimes taking all the swap space on the machine (284MB) >with it. Changing back to the standard local mail delivery agent >solved the problems. procmail realloc(3)'s memory in a truly stupid way: it reallocs the same chunk over and over again, in 16k size increments. This is stupid. It should double the size every time. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." "ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Jul 30 09:05:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA18396 for freebsd-security-outgoing; Thu, 30 Jul 1998 09:05:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA18384 for ; Thu, 30 Jul 1998 09:05:04 -0700 (PDT) (envelope-from cschuber@passer.osg.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.1/8.6.10) id IAA14552; Thu, 30 Jul 1998 08:17:53 -0700 (PDT) Message-Id: <199807301517.IAA14552@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdx14543; Thu Jul 30 08:17:38 1998 X-Mailer: exmh version 2.0.2 2/24/98 Reply-to: Cy Schubert - ITSD Open Systems Group X-Sender: cschuber To: andrewr cc: Garance A Drosihn , Nate Williams , 
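Poul-Henning's point above about procmail growing its buffer in fixed 16k realloc steps can be put in numbers. What follows is an added example written for this archive, not procmail's code. It assumes the worst case for realloc(3), an allocator that has to move the block on every call, takes the 5MB message size from Kenneth's report as a constructed input, and also shows the doubling pattern written with the size checks a delivery agent handling untrusted input should have.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not procmail's code. It compares two buffer-growth
 * policies, a fixed step (the 16k increments described above) and
 * doubling, under the worst case for realloc(3): the allocator can never
 * extend the block in place, so every call moves the old contents. */
struct growth_cost {
    unsigned long reallocs;            /* number of realloc calls made */
    unsigned long long bytes_copied;   /* bytes moved over all calls */
};

struct growth_cost cost_fixed_step(size_t target, size_t step)
{
    struct growth_cost c = {0, 0};
    size_t cap = 0;
    if (step == 0)
        return c;                      /* would never terminate */
    while (cap < target) {
        c.bytes_copied += cap;         /* old contents moved to the new block */
        cap += step;
        c.reallocs++;
    }
    return c;
}

struct growth_cost cost_doubling(size_t target, size_t initial)
{
    struct growth_cost c = {0, 0};
    size_t cap = 0;
    if (initial == 0)
        return c;
    while (cap < target) {
        c.bytes_copied += cap;
        cap = cap ? cap * 2 : initial;
        c.reallocs++;
    }
    return c;
}

/* A growable buffer that doubles, with the size arithmetic checked so that
 * a hostile message size cannot wrap len + n or the doubled capacity.
 * On failure the caller's buffer is untouched and still valid. */
struct buf { char *data; size_t len, cap; };

int buf_append(struct buf *b, const char *src, size_t n)
{
    if (n > SIZE_MAX - b->len)
        return -1;                         /* len + n would overflow */
    if (b->len + n > b->cap) {
        size_t newcap = b->cap ? b->cap : 16384;
        while (newcap < b->len + n) {
            if (newcap > SIZE_MAX / 2)
                return -1;                 /* doubling would overflow */
            newcap *= 2;
        }
        char *p = realloc(b->data, newcap);
        if (p == NULL)
            return -1;                     /* b->data is still valid */
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Feeds `total` bytes of constructed filler into a buffer in `piece`-byte
 * chunks and returns the final capacity, or 0 on any failure. */
size_t demo_append_cap(size_t total, size_t piece)
{
    static const char filler[4096] = "x";  /* constructed payload */
    struct buf b = {NULL, 0, 0};
    size_t fed = 0, cap;
    if (piece == 0 || piece > sizeof filler)
        return 0;
    while (fed < total) {
        size_t n = total - fed < piece ? total - fed : piece;
        if (buf_append(&b, filler, n) != 0) {
            free(b.data);
            return 0;
        }
        fed += n;
    }
    cap = (b.len == total) ? b.cap : 0;
    free(b.data);
    return cap;
}

int main(void)
{
    size_t msg = 5u << 20;                 /* a 5 MiB message, as reported above */
    struct growth_cost f = cost_fixed_step(msg, 16384);
    struct growth_cost d = cost_doubling(msg, 16384);
    printf("fixed 16k step: %lu reallocs, %llu bytes copied\n", f.reallocs, f.bytes_copied);
    printf("doubling:       %lu reallocs, %llu bytes copied\n", d.reallocs, d.bytes_copied);
    printf("capacity after appending 5 MiB with doubling: %zu\n", demo_append_cap(msg, 4096));
    return 0;
}
```

For a 5 MiB message the fixed-step policy makes 320 realloc calls and, in the worst case, copies about 800 MB in total, against 10 calls and about 8 MB for doubling. Doubling does not by itself cure the swap exhaustion Kenneth saw (it can over-allocate by up to 2x), but it removes the quadratic copying, and the checked arithmetic in buf_append is what keeps a crafted size from wrapping the capacity around.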
security@FreeBSD.ORG Subject: Re: ssh clients available for other platforms In-reply-to: Your message of "Wed, 29 Jul 1998 14:34:03 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Jul 1998 08:17:34 -0700 From: Cy Schubert Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Actually, I found this helpful. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC > > Ok > This thread must stop! No more Windows speak! > > Andrew > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Jul 30 14:36:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA29867 for freebsd-security-outgoing; Thu, 30 Jul 1998 14:36:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cotdazr.org (cotdazr.org [205.228.248.205]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA29793 for ; Thu, 30 Jul 1998 14:36:46 -0700 (PDT) (envelope-from efb@cotdazr.org) 
From: efb@cotdazr.org Received: (qmail 6027 invoked by uid 10); 30 Jul 1998 21:36:29 -0000 Date: 30 Jul 1998 21:36:29 -0000 Message-ID: <19980730213629.6026.qmail@cotdazr.org> To: security@FreeBSD.ORG Subject: PPP.3000.exposure Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Had a random sweep and the question came up .. what and why does my port 3000 show to the world outside for .. can I block it .. should I sweat it .. the F.Bsd_205 box is the router as well as main server .. Can I Wrap the 3000 at least so as not to kill iijppp and reduce my exposure and how ??? /Everett/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Jul 30 17:04:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA28015 for freebsd-security-outgoing; Thu, 30 Jul 1998 17:04:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from spike.porcupine.org (umbilical.porcupine.org [168.100.189.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA28001 for ; Thu, 30 Jul 1998 17:04:43 -0700 (PDT) (envelope-from wietse@porcupine.org) Received: by spike.porcupine.org (VMailer, from userid 100) id 4580B7036A; Thu, 30 Jul 1998 20:04:39 -0400 (EDT) Subject: Re: PPP.3000.exposure To: efb@cotdazr.org Date: Thu, 30 Jul 1998 20:04:39 -0400 (EDT) Cc: security@FreeBSD.ORG In-Reply-To: <19980730213629.6026.qmail@cotdazr.org> from "efb@cotdazr.org" at "Jul 30, 98 09:36:29 pm" Organization: Wietse Venema, White Plains, NY, USA X-Time-Zone: USA EST, 6 hours behind central European time X-Mailer: ELM [version 2.4ME+ PL15 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-Id: <19980731000439.4580B7036A@spike.porcupine.org> 
From: wietse@porcupine.org (Wietse Venema) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org efb@cotdazr.org: > > Had a random sweep and the question came up .. what and why does my > port 3000 show to the world outside for .. can I block it .. should I > sweat it .. the F.Bsd_205 box is the router as well as main server .. > > Can I Wrap the 3000 at least so as not to kill iijppp and reduce my > exposure and how ??? This is one feature of the ppp daemon that I didn't like at all. To block, you'd need a kernel-based packet filter; or hack the source and rip out the if (server > 0) FD_SET(server, &rfds); line. Beware, this is untested advice. Wietse To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Jul 30 18:42:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA12653 for freebsd-security-outgoing; Thu, 30 Jul 1998 18:42:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from enya.hilink.com.au (enya.hilink.com.au [203.8.14.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA12641 for ; Thu, 30 Jul 1998 18:42:44 -0700 (PDT) (envelope-from danny@enya.hilink.com.au) Received: from localhost (danny@localhost) by enya.hilink.com.au (8.8.8/8.8.7) with SMTP id LAA21572; Fri, 31 Jul 1998 11:29:22 +1000 (EST) (envelope-from danny@enya.hilink.com.au) Date: Fri, 31 Jul 1998 11:29:22 +1000 (EST) 
From: "Daniel O'Callaghan" To: Wietse Venema cc: efb@cotdazr.org, security@FreeBSD.ORG Subject: Re: PPP.3000.exposure In-Reply-To: <19980731000439.4580B7036A@spike.porcupine.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 30 Jul 1998, Wietse Venema wrote: > efb@cotdazr.org: > > > > Had a random sweep and the question came up .. what and why does my > > port 3000 show to the world outside for .. can I block it .. should I > > sweat it .. the F.Bsd_205 box is the router as well as main server .. > > > > Can I Wrap the 3000 at least so as not to kill iijppp and reduce my > > exposure and how ??? > > This is one feature of the ppp daemon that I didn't like at all. > To block, you'd need a kernel-based packet filter; or hack the > source and rip out the Brian will correct me if I am wrong, but I believe that for quite a while now ppp has not bound to 3000 if there is no password set for the machine. Not perfect protection, of course, but something. It is not too hard to enable ipfw, either in-kernel or as lkm. Just flick the switch in /etc/rc.conf (firewall="YES") and add the appropriate ipfw rules. 
Danny To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 02:25:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA27227 for freebsd-security-outgoing; Fri, 31 Jul 1998 02:25:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from smtp2.globalserve.net (smtp2.globalserve.net [209.90.128.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA27222; Fri, 31 Jul 1998 02:25:34 -0700 (PDT) (envelope-from geoffr@globalserve.net) Received: from globalserve.net (dialin770.toronto.globalserve.net [209.90.133.7]) by smtp2.globalserve.net (8.9.1/8.9.1) with ESMTP id FAA15601; Fri, 31 Jul 1998 05:25:22 -0400 (EDT) (envelope-from geoffr@globalserve.net) Message-ID: <35C18B48.8E767439@globalserve.net> Date: Fri, 31 Jul 1998 05:15:52 -0400 
From: Geoffrey Robinson X-Mailer: Mozilla 4.03 [en] (Win95; U) MIME-Version: 1.0 To: Vadim Kolontsov CC: chat@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit)) References: <19980728175257.H19941@caerdonn.eurocontrol.fr> <19980730101358.A10071@tversu.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Vadim Kolontsov wrote: > > Personally I like TeraTerm with ssh-extension: TTSSH > > http://www.zip.com.au/~roca/ttssh.html > Any chance there is an SSH client for windowz out there that can do Secure Copy too or maybe just a stand-alone SCP client? SSH doesn't really help anybody if M$ users have to log in over FTP. -- Geoffrey Robinson geoffr@globalserve.net Oakville, Ontario, Canada. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 02:28:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA27486 for freebsd-security-outgoing; Fri, 31 Jul 1998 02:28:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hotpoint.dcs.qmw.ac.uk (hotpoint.dcs.qmw.ac.uk [138.37.88.162]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA27427 for ; Fri, 31 Jul 1998 02:27:56 -0700 (PDT) (envelope-from scott@dcs.qmw.ac.uk) Received: from brunos-sun.dcs.qmw.ac.uk [138.37.88.185]; by hotpoint.dcs.qmw.ac.uk (8.8.7/8.8.5/S-4.0) with SMTP; for ""; id KAA11847; Fri, 31 Jul 1998 10:27:46 +0100 (BST) Received: locally by brunos-sun (SMI-8.6/QMW-client-3.2b); poster "scott"; id KAA04492; Fri, 31 Jul 1998 10:21:28 +0100 Message-ID: <19980731102128.A4466@dcs.qmw.ac.uk> Date: Fri, 31 Jul 1998 10:21:28 +0100 
From: Scott Mitchell To: freebsd-security@FreeBSD.ORG Subject: Re: PPP.3000.exposure References: <19980731000439.4580B7036A@spike.porcupine.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91.1i In-Reply-To: ; from Daniel O'Callaghan on Fri, Jul 31, 1998 at 11:29:22AM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Jul 31, 1998 at 11:29:22AM +1000, Daniel O'Callaghan wrote: > > > On Thu, 30 Jul 1998, Wietse Venema wrote: > > > efb@cotdazr.org: > > > > > > Had a random sweep and the question came up .. what and why does my > > > port 3000 show to the world outside for .. can I block it .. should I > > > sweat it .. the F.Bsd_205 box is the router as well as main server .. > > > > > > Can I Wrap the 3000 at least so as not to kill iijppp and reduce my > > > exposure and how ??? > > > > This is one feature of the ppp daemon that I didn't like at all. > > To block, you'd need a kernel-based packet filter; or hack the > > source and rip out the > > Brian will correct me if I am wrong, but I believe that for quite a while > now ppp has not bound to 3000 if there is no password set for the machine. > Not perfect protection, of course, but something. > > It is not too hard to enable ipfw, either in-kernel or as lkm. Just flick > the switch in /etc/rc.conf (firewall="YES") and add the appropriate ipfw > rules. > > Danny If you can live with logging in to the machine in order to tweak PPP, you can have it bind to a UNIX domain socket instead. With appropriate permissions on the socket you can restrict access (to people in your 'dialer' group perhaps) without having to set a PPP password. Works for me. Scott. -- =========================================================================== Scott Mitchell | PGP Key ID |"If I can't have my coffee, I'm just | 0x54B171B9 | like a dried up piece of roast goat" QMW College, London, UK | 0xAA775B8B | -- J. S. Bach. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 06:15:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA22486 for freebsd-security-outgoing; Fri, 31 Jul 1998 06:15:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from eh.est.is (eh.est.is [194.144.208.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA22480 for ; Fri, 31 Jul 1998 06:15:50 -0700 (PDT) (envelope-from totii@est.is) Received: from gateway.toti.est.is (root@toti.est.is [194.144.208.200]) by eh.est.is (8.8.5/8.8.7) with ESMTP id NAA13416 for ; Fri, 31 Jul 1998 13:15:55 GMT (envelope-from totii@est.is) Received: from didda.toti.est.is ([192.168.255.22]) by gateway.toti.est.is (8.8.7/8.8.7) with ESMTP id NAA18339 for ; Fri, 31 Jul 1998 13:17:15 GMT (envelope-from totii@est.is) Message-ID: <35C1B523.FA05E6AC@est.is> Date: Fri, 31 Jul 1998 13:14:27 +0100 
From: "Þórður Ívarsson" Reply-To: thivars@est.is X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: "security@FreeBSD.ORG" Subject: Where are your logs? Methods of logging? X-Priority: 3 (Normal) Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id GAA22481 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I notice here on the list that many of us get broken into and there are no logs available afterwards. After a break-in to one of our systems I installed a system on an old but reliable computer with plenty of disk space for logs. All services not needed are disabled, and a firewall denies everything but incoming logging packets. Now I log everything from every system to that computer, back up the logs every day, and trace them. Is this something that might help us to trace the problems, or is this just extra trouble? Þórður Ívarsson thivars@est.is To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 06:52:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA26483 for freebsd-security-outgoing; Fri, 31 Jul 1998 06:52:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from copernicus.cpt.tech.iafrica.com (copernicus.cpt.tech.iafrica.com [196.31.1.15]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA26471 for ; Fri, 31 Jul 1998 06:52:07 -0700 (PDT) (envelope-from sheldonh@iafrica.com) Received: from localhost ([127.0.0.1] helo=iafrica.com ident=[x0IhkJC8NmeeQDXJzceWIFXfkakhbkej]) by copernicus.cpt.tech.iafrica.com with esmtp (Exim 1.92 #1) for security@FreeBSD.ORG id 0z2Fam-0000mi-00; Fri, 31 Jul 1998 15:51:32 +0200 
From: Sheldon Hearn To: security@FreeBSD.ORG Subject: INFO REQ: Fagan Inspections In-reply-to: Your message of "Fri, 24 Jul 1998 11:08:52 +0200." <19980724110852.62387@follo.net> Date: Fri, 31 Jul 1998 15:51:32 +0200 Message-ID: <3019.901893092@iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 24 Jul 1998 11:08:52 +0200, Eivind Eklund wrote: > Inspections (or "Fagan inspections" if you want) work. [...] From a > personal viewpoint (I didn't measure this), they seemed much more > effective than just doing reviews. Hi folks, I really don't want to start another off-topic thread with this request, so I think it's best that any replies come directly to me and I'll post a digest of feedback in a few days. It sounded very much like you folks were talking about a formalized system for auditing development cycles and code itself. I'd be very interested in having a look at any documentation that may exist. Any pointers to information online or in print (ISBN pls) would be fantastic. Thanks, Sheldon. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 07:26:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA01520 for freebsd-security-outgoing; Fri, 31 Jul 1998 07:26:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from trost.ravn.no (trost.ravn.no [193.215.220.235]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA01515 for ; Fri, 31 Jul 1998 07:26:21 -0700 (PDT) (envelope-from reidar@ravn.no) Received: from gribb.ravn.no (gribb.ravn.no [193.215.220.237]) by trost.ravn.no (8.8.7/8.8.7) with SMTP id QAA05214 for ; Fri, 31 Jul 1998 16:26:17 +0200 (CEST) (envelope-from reidar@ravn.no) Message-Id: <3.0.32.19980731162500.00869ce0@trost.ravn.no> X-Sender: reidar@trost.ravn.no X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 31 Jul 1998 16:25:00 +0200 To: security@FreeBSD.ORG 
From: Reidar Bratsberg Subject: Re: Where are your logs? Methods of logging? Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Logging to a secure machine with syslog (or other) is as crucial as tripwire, IMHO. I haven't done it myself, but I've heard that some cut (!) the "send" wires on the TP cable to the secure machine -- making it impossible to reach it via the network. The syslog entries get through, though. Other options: let syslog log to a serial port, and set up an old machine with MS-DOS (or whatever) to receive them. At 13:14 31.07.98 +0100, Þórður Ívarsson wrote: >Now I log everything from every system to that computer, back up the logs >every day, and trace them. (...) >Is this something that might help us to trace the problems or is this >just extra trouble? I think it is absolutely worth the trouble. We don't take backups of the log machine, though. I guess we should... We've considered setting up an old matrix printer as well, but I'm not sure it's worth the trouble (or paper!). Best, Reidar -- Reidar Bratsberg Ravn Informasjonssystemer Ans, Oslo, Norway Phone: +47 22 37 97 00 Fax: +47 22 37 97 01 Business e-mail: ravn@ravn.no Public PGP-key available from http://www.ravn.no/~reidar/pub-pgp.txt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 08:37:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA10023 for freebsd-security-outgoing; Fri, 31 Jul 1998 08:37:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA09994 for ; Fri, 31 Jul 1998 08:37:29 -0700 (PDT) (envelope-from sthaug@nethelp.no) 
From: sthaug@nethelp.no Received: (qmail 7825 invoked by uid 1001); 31 Jul 1998 15:37:10 +0000 (GMT) To: reidar@ravn.no Cc: security@FreeBSD.ORG Subject: Re: Where are your logs? Methods of logging? In-Reply-To: Your message of "Fri, 31 Jul 1998 16:25:00 +0200" References: <3.0.32.19980731162500.00869ce0@trost.ravn.no> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 31 Jul 1998 17:37:10 +0200 Message-ID: <7823.901899430@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I haven't done it myself, but I've heard that some cut (!) the > "send"-wires on the TP-cable to the secure machine -- making it > impossible to reach it via the network. Sorry, doesn't work with TP, since TP depends on "link pulses" to detect that the link is up. A similar arrangement using AUI & coax was described by Bellovin & co. quite a while ago, though. Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 08:53:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA12084 for freebsd-security-outgoing; Fri, 31 Jul 1998 08:53:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from moon.jic.com ([206.156.0.147]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA12061; Fri, 31 Jul 1998 08:53:45 -0700 (PDT) (envelope-from mbriggs@switchboard.net) Received: from fortbriggs.ml.org (root@alex-va-n013c109.moon.jic.com [208.135.210.119]) by moon.jic.com (8.8.8/8.8.8) with ESMTP id LAA08307; Fri, 31 Jul 1998 11:51:19 -0400 (EDT) Received: from switchboard.net (root@alex-va-n013c109.moon.jic.com [208.135.210.119]) by fortbriggs.ml.org (8.8.8/8.8.8) with ESMTP id CAA05129; Fri, 31 Jul 1998 02:53:13 -0400 (EDT) Message-ID: <35C1E876.758C1A21@switchboard.net> Date: Fri, 31 Jul 1998 11:53:26 -0400 
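On the dedicated loghost discussed in this thread (Þórður's setup, and the serial and cut-cable alternatives Reidar and Steinar go over), the packet filter decides which hosts may reach UDP/514 but does nothing about what they send. The following added example, which is not FreeBSD's syslogd, shows the two checks the receiving daemon itself should apply: a source allowlist as a second layer behind the firewall, and control-character stripping so that a compromised client cannot forge extra log lines or embed terminal escape sequences in the file. All addresses and datagrams in it are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD's syslogd. A loghost should check every
 * datagram arriving on UDP/514 twice: is the source one of the hosts that
 * is supposed to log here, and does the message contain anything that
 * would corrupt the file or the terminal of whoever later reads it. */

static const char *const allowed_sources[] = {
    "192.168.255.22", "192.168.255.1", NULL      /* constructed allowlist */
};

/* Facility and severity names in RFC 3164 numbering (PRI = fac*8 + sev). */
static const char *const facility_names[24] = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"
};

static const char *const severity_names[8] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
};

int source_allowed(const char *src)
{
    for (int i = 0; allowed_sources[i] != NULL; i++)
        if (strcmp(src, allowed_sources[i]) == 0) return 1;
    return 0;
}

/* Parses the "<PRI>" prefix. Returns the PRI value and points *rest at the
 * message body; a missing or malformed PRI yields 13 (user.notice), the
 * conventional default, with *rest left at the start of the packet. */
int parse_pri(const char *pkt, const char **rest)
{
    const char *p = pkt + 1;
    int v = 0, ndigits = 0;
    *rest = pkt;
    if (pkt[0] != '<') return 13;
    while (ndigits < 3 && isdigit((unsigned char)*p)) {
        v = v * 10 + (*p - '0');
        p++; ndigits++;
    }
    if (ndigits == 0 || *p != '>' || v > 191) return 13;   /* 191 = local7.debug */
    *rest = p + 1;
    return v;
}

/* Formats one sanitized line "src facility.severity message" into out.
 * Returns its length, -1 if the source is not allowed, -2 if out is too small. */
int syslog_accept(const char *src, const char *pkt, char *out, size_t outsz)
{
    const char *msg;
    int pri, n;
    if (!source_allowed(src)) return -1;
    pri = parse_pri(pkt, &msg);
    n = snprintf(out, outsz, "%s %s.%s ", src,
                 facility_names[pri >> 3], severity_names[pri & 7]);
    if (n < 0 || (size_t)n >= outsz) return -2;
    for (; *msg != '\0'; msg++) {
        unsigned char c = (unsigned char)*msg;
        if ((size_t)n + 1 >= outsz) return -2;
        out[n++] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;   /* CR, LF, ESC, ... */
    }
    out[n] = '\0';
    return n;
}

/* Runs syslog_accept into a static buffer; NULL when the packet is rejected. */
const char *accept_line(const char *src, const char *pkt)
{
    static char out[2048];
    return syslog_accept(src, pkt, out, sizeof out) < 0 ? NULL : out;
}

int main(void)
{
    /* constructed datagrams: a normal one, an injection attempt, one from a stranger */
    const char *src[] = {"192.168.255.22", "192.168.255.1", "10.9.8.7"};
    const char *pkt[] = {"<34>su: BAD SU joe to root on ttyp0",
                         "<13>x\nJul 31 10:00:00 gateway login: ROOT LOGIN ON ttyv0",
                         "<34>forged"};
    for (int i = 0; i < 3; i++) {
        const char *line = accept_line(src[i], pkt[i]);
        printf("%s\n", line ? line : "rejected");
    }
    return 0;
}
```

The second constructed datagram is the case worth noticing: the embedded newline would otherwise appear in the file as a genuine-looking "ROOT LOGIN" line from the gateway, so the loghost writes it as a single line with the newline replaced. Bytes above 0x7f are kept, since messages in this thread's charset (iso-8859-1) legitimately contain them.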
From: "Matthew R. Briggs" X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Geoffrey Robinson CC: Vadim Kolontsov , chat@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit)) References: <19980728175257.H19941@caerdonn.eurocontrol.fr> <19980730101358.A10071@tversu.ru> <35C18B48.8E767439@globalserve.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Geoffrey Robinson wrote: > > Vadim Kolontsov wrote: > > > > Personally I like TeraTerm with ssh-extension: TTSSH > > > > http://www.zip.com.au/~roca/ttssh.html > > > > Any chance there is an SSH client for windowz out there that can do Secure > Copy too or maybe just a stand-alone SCP client? SSH doesn't really help > anybody if M$ users have to log in over FTP. > > -- > Geoffrey Robinson > geoffr@globalserve.net > Oakville, Ontario, Canada. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message Hi, I thought about this problem too (I'm on a Win95 machine at work, behind a firewall, and I connect to my home with ssh). The answer is to do port redirection on the client side, so executing "ftp localhost" actually gets you your remote server machine, and it goes across the encrypted connection. Cedomir Igaly's Windows SSH Client will do this, although it has a few other rough edges. It's free, but closed-source. Drop me a line if you want more details. 
Matt Briggs mbriggs@switchboard.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 10:06:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA20783 for freebsd-security-outgoing; Fri, 31 Jul 1998 10:06:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cotdazr.org (cotdazr.org [205.228.248.205]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA20774 for ; Fri, 31 Jul 1998 10:06:45 -0700 (PDT) (envelope-from efb@cotdazr.org) Received: (qmail 7709 invoked by uid 10); 31 Jul 1998 17:06:36 -0000 Message-ID: <19980731100635.33065@cotdazr.org> Date: Fri, 31 Jul 1998 10:06:35 -0700 
From: Everett F Batey To: "Daniel O'Callaghan" Subject: Re: PPP.3000.exposure Reply-To: efb@cotdazr.org References: <19980731000439.4580B7036A@spike.porcupine.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.84 In-Reply-To: ; from Daniel O'Callaghan on Fri, Jul 31, 1998 at 11:29:22AM +1000 X-Tele: +1 805 985.3146 / 805 340.6471 Pg 805 655.2017 X-URL: http://www.cotdazr.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Danny .. Problem is 205 is before the days when we could run ipfw .. I have been told by others on the Free BSD team .. ??? Regrettably my bigger problem is using BIND_8.1.2 cause last time I tried to build found from others that there are really a lot of diffs between the Unix release and the FreeBSD post makefile mortem .. lots of patching to compile unix code on fbsd .. bummer .. my bind is easy to put to sleep by a hacker attack .. /Ev/ On Fri, Jul 31, 1998 at 11:29:22AM +1000, Daniel O'Callaghan wrote: > On Thu, 30 Jul 1998, Wietse Venema wrote: > > > efb@cotdazr.org: > > > > > > Had a random sweep and the question came up .. what and why does my > > > port 3000 show to the world outside for .. can I block it .. should I > > > sweat it .. the F.Bsd_205 box is the router as well as main server .. > > > > > > Can I Wrap the 3000 at least so as not to kill iijppp and reduce my > > > exposure and how ??? > > > > This is one feature of the ppp daemon that I didn't like at all. > > To block, you'd need a kernel-based packet filter; or hack the > > source and rip out the > > Brian will correct me if I am wrong, but I believe that for quite a while > now ppp has not bound to 3000 if there is no password set for the machine. > Not perfect protection, of course, but something. > > It is not too hard to enable ipfw, either in-kernel or as lkm. Just flick > the switch in /etc/rc.conf (firewall="YES") and add the appropriate ipfw > rules. 
> > Danny -- + http://www.cotdazr.org efb@cotdazr.org -- WA6CRE -- http://www.gitt.gov + + http://www.oxnardsd.org [EFB15] SunUG: http://halide.acs.uci.edu/GCSUG + + BSD Unix Sun Linux, Security, Cisco Routing, QMail Inn DNS & My Opinions + + Beep: 805.655.2017 Vmail: 805.340.6471+5, 800.545.6998 USN: 805.982.7180 + To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 11:23:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA01431 for freebsd-security-outgoing; Fri, 31 Jul 1998 11:23:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA01425 for ; Fri, 31 Jul 1998 11:23:32 -0700 (PDT) (envelope-from sthaug@nethelp.no) 
From: sthaug@nethelp.no Received: (qmail 8730 invoked by uid 1001); 31 Jul 1998 18:23:27 +0000 (GMT) To: efb@cotdazr.org Cc: danny@hilink.com.au, freebsd-security@FreeBSD.ORG Subject: Re: PPP.3000.exposure In-Reply-To: Your message of "Fri, 31 Jul 1998 10:06:35 -0700" References: <19980731100635.33065@cotdazr.org> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 31 Jul 1998 20:23:27 +0200 Message-ID: <8728.901909407@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Regrettably my bigger problem is using BIND_8.1.2 cause last time I tried > to build found from others that there are really a lot of diffs between > the Unix release and the FreeBSD post makefile mortem .. lots of patching > to compile unix code on fbsd .. bummer .. my bind is easy to put to > sleep by a hacker attack .. I'm afraid I don't understand what you're talking about. Bind 8.1.2 builds "out of the box" (make clean; make depend; make) on FreeBSD 2.2.x, and needs one small patch for FreeBSD 3.x (documented on the ISC errata page, http://www.isc.org/bind8/errata/8.1.2/patches/). Note that there are big differences between: - Installing only named/named-xfer - Installing everything, including include files, shared libraries etc. In order to use BIND 8.1.2, you only need named/named-xfer. I run 8.1.2 on several FreeBSD boxes with zero problems. 
Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Jul 31 12:14:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA07534 for freebsd-security-outgoing; Fri, 31 Jul 1998 12:14:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from castor2.freiepresse.de (castor2.freiepresse.de [194.25.232.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA07502; Fri, 31 Jul 1998 12:14:30 -0700 (PDT) (envelope-from G.Sittig@abo.FreiePresse.DE) Received: from uncle.gsinet (ppp-pln189.freiepresse.de [194.25.234.189]) by castor2.freiepresse.de (8.8.4/8.8.4) with ESMTP id VAA14277; Fri, 31 Jul 1998 21:08:13 +0200 (MET DST) Received: from uncle.gsinet (sittig@uncle.gsinet [192.168.11.131]) by uncle.gsinet (8.8.8/8.8.8) with SMTP id TAA32305; Fri, 31 Jul 1998 19:58:14 +0200 Date: Fri, 31 Jul 1998 19:58:14 +0200 (MEST) 
From: Gerhard Sittig
X-Sender: sittig@uncle.gsinet
cc: chat@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Windows SSH clients (was: Re: FreeBSD Security How-To (Was: QPopper exploit))
In-Reply-To: <35C18B48.8E767439@globalserve.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 31 Jul 1998, Geoffrey Robinson wrote:

> Vadim Kolontsov wrote:
> >
> > Personally I like TeraTerm with ssh-extension: TTSSH
> >
> > http://www.zip.com.au/~roca/ttssh.html
>
> Any chance there is an SSH client for windowz out there that can do Secure
> Copy too or maybe just a stand-alone SCP client? SSH doesn't really help
> anybody if M$ users have to log in over FTP.

TeraTerm DOES send and receive files when there is an established
connection. Have a look at the File menu. And it's FASTER and much more
responsive than any other telnet I have seen.

G.Sittig@abo.FreiePresse.DE
--
If you don't understand or are scared by any of the above ask your parents
or an adult to help you.
From owner-freebsd-security Fri Jul 31 12:20:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA08956 for freebsd-security-outgoing; Fri, 31 Jul 1998 12:20:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA08947 for ; Fri, 31 Jul 1998 12:20:05 -0700 (PDT) (envelope-from jadamson@can.eds.com)
Received: from nnsa.eds.com (nnsa.eds.com [192.85.154.30] (may be forged)) by ns1.eds.com (8.8.8/8.8.8) with ESMTP id PAA13576 for ; Fri, 31 Jul 1998 15:20:00 -0400 (EDT)
Received: from fangio.osipc.can.eds.com (fangio.osipc.can.eds.com [205.239.195.11]) by nnsa.eds.com (8.8.8/8.8.8) with ESMTP id PAA13574 for ; Fri, 31 Jul 1998 15:19:30 -0400 (EDT)
Received: from VOY-LAPTOP ([204.104.139.88]) by fangio.osipc.can.eds.com (Netscape Mail Server v1.1) with SMTP id AAA25958 for ; Fri, 31 Jul 1998 15:17:02 -0400
Received: by VOY-LAPTOP with Microsoft Mail id <01BDBC96.858D7B00@VOY-LAPTOP>; Fri, 31 Jul 1998 15:18:50 -0400
Message-ID: <01BDBC96.858D7B00@VOY-LAPTOP>
From: jadamson@can.eds.com (Adamson, Jason)
To: "'thivars@est.is'" , "security@FreeBSD.ORG"
Subject: RE: Where are your logs? Methods of logging?
Date: Fri, 31 Jul 1998 15:18:43 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id MAA08951
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What about a one way serial connection from your gateway ( or whatever ) to
your logging machine. This way no one could mess with the connection. Just a
thought.

Jason Adamson
EDS Canada Network Security Administration
jadamson@can.eds.com

-----Original Message-----
From: Þórður Ívarsson [SMTP:totii@est.is]
Sent: Friday, July 31, 1998 8:14 AM
To: security@FreeBSD.ORG
Subject: Where are your logs? Methods of logging?

I notice here on the list that many of us get broken into and there are no
logs available afterwards. After a break-in to one of our systems I installed
a system on an old but reliable computer with plenty of disk space for logs.
All services not needed are disabled and a firewall denies everything but
incoming logging packets. Now I log everything from every system to that
computer, back up the logs every day, and trace them.

Is this something that might help us to trace the problems or is this just
extra trouble?

Þórður Ívarsson
thivars@est.is

From owner-freebsd-security Fri Jul 31 13:11:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA16505 for freebsd-security-outgoing; Fri, 31 Jul 1998 13:11:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org ([206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA16500 for ; Fri, 31 Jul 1998 13:11:46 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id OAA05278; Fri, 31 Jul 1998 14:11:04 -0600 (MDT)
Message-Id: <199807312011.OAA05278@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Fri, 31 Jul 1998 14:06:28 -0600
To: sthaug@nethelp.no, reidar@ravn.no
From: Brett Glass
Subject: Re: Where are your logs? Methods of logging?
Cc: security@FreeBSD.ORG
In-Reply-To: <7823.901899430@verdi.nethelp.no>
References: <3.0.32.19980731162500.00869ce0@trost.ravn.no>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It was probably a TP RS-232 cable.

--Brett

At 05:37 PM 7/31/98 +0200, sthaug@nethelp.no wrote:
>> I haven't done it myself, but I've heard that some cut (!) the
>> "send"-wires on the TP-cable to the secure machine -- making it
>> impossible to reach it via the network.
>
>Sorry, doesn't work with TP, since TP depends on "link pulses" to detect
>that the link is up. A similar arrangement using AUI & coax was described
>by Bellovin & co quite a while, though.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Fri Jul 31 16:01:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA18907 for freebsd-security-outgoing; Fri, 31 Jul 1998 16:01:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA18869 for ; Fri, 31 Jul 1998 16:01:13 -0700 (PDT) (envelope-from bs@devnull.ruhr.de)
Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5-r-beta/8.8.5) with UUCP id AAA02570; Sat, 1 Aug 1998 00:36:10 +0200 (MET DST)
Received: from [192.168.22.75] (helo=rm.devnull.ruhr.de) by devnull.ruhr.de with esmtp (Exim 1.92 #1) id 0z2MD1-0000Ov-00; Fri, 31 Jul 1998 22:55:27 +0200
Received: from bs by rm.devnull.ruhr.de with local (Exim 1.92 #1) id 0z2MCz-0000Q2-00; Fri, 31 Jul 1998 22:55:25 +0200
To: Reidar Bratsberg
Cc: security@FreeBSD.ORG
Subject: Re: Where are your logs? Methods of logging?
References: <3.0.32.19980731162500.00869ce0@trost.ravn.no>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Benedikt Stockebrand
Date: 31 Jul 1998 22:55:24 +0200
In-Reply-To: Reidar Bratsberg's message of "Fri, 31 Jul 1998 16:25:00 +0200"
Message-ID: <87k94tyc3n.fsf@devnull.ruhr.de>
Lines: 56
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Reidar Bratsberg writes:

> Other options: Let syslog log to a serial port, and set up an
> old machine with MS-DOS (or whatever) to receive them.

There's a problem with this approach, though. If someone launches an
attack that causes more log entries to be written than can be sent over
the serial line at the same speed you may lock up the victim host due to
full buffers. The syslog protocol uses UDP and therefore doesn't have
this problem but may lose packages, i.e. log entries, if attacked this
way.

Anyway, if you're really serious about reliable logging you should
consider buying two 100baseTX cards and a nullhub cable.

> We've considered setting up an old matrix printer as well, but I'm not
> sure it's worth the trouble (or paper!).

A line printer is even slower than a serial line...

Another Good Thing (TM) dealing with logs during attacks seems to write a
perl script or whatever to read the logs and try to recognize unusual
events. Used in conjunction with a sound card, some pager software or
whatever you prefer to issue an alarm this can speed up your response to
an attack quite considerably.

> I haven't done it myself, but I've heard that some cut (!) the
> "send"-wires on the TP-cable to the secure machine -- making it
> impossible to reach it via the network. The syslog entries
> get through though.

That's in Cheswick & Bellovin, "Firewalls and Internet Security". They
tried to tap the network traffic from an "invisible" machine and did it
to suppress its ARP announcements. As Steinar points out this doesn't
work with UTP.
If you try to send your logs to such a machine you've got a problem: Its
MAC (Ethernet) address must be known, either through the ARP protocol or
some hardcoded /etc/ethers entries. In any case, once an attacker broke
into the box he/she/it can find out about such a log machine.

If you're really serious about it you'll send the log entries somewhere
else and use tcpdump to sniff those log entries. But this may go way too
far...

So long,

Ben
--
Ben(edikt)? Stockebrand                                   Un*x SA
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.

From owner-freebsd-security Fri Jul 31 18:37:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA10567 for freebsd-security-outgoing; Fri, 31 Jul 1998 18:37:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from socko.cdnow.com (socko.cdnow.com [209.83.166.75]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA10561 for ; Fri, 31 Jul 1998 18:37:49 -0700 (PDT) (envelope-from heller@daria.cdnow.com)
Received: from daria.cdnow.com (daria.cdnow.com [209.83.166.60]) by socko.cdnow.com (8.9.0/8.9.0) with ESMTP id VAA15927 for ; Fri, 31 Jul 1998 21:37:31 -0400 (EDT)
Received: (from heller@localhost) by daria.cdnow.com (8.8.8/8.8.8) id VAA23979 for freebsd-security@freebsd.org; Fri, 31 Jul 1998 21:34:40 -0400 (EDT)
From: "A. Karl Heller"
Message-Id: <199808010134.VAA23979@daria.cdnow.com>
Subject: SUBSCRIBE heller@cdnow.com
To: freebsd-security@FreeBSD.ORG
Date: Fri, 31 Jul 1998 21:34:40 +2000 (EDT)
Reply-To: heller@cdnow.com
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

SUBSCRIBE heller@cdnow.com
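Ben's message earlier in this digest suggests writing "a perl script or whatever" to read the logs and recognize unusual events, then raise an alarm. Below is an added example of that idea in Python; it is not code from the thread, from FreeBSD or from any of the posters. It runs on the log host (the old box Þórður describes), not on the machine being attacked, so a burst of entries cannot tie up the victim the way Ben describes for a saturated serial line. The sample log lines are constructed in the classic BSD syslog layout; the "LOGIN FAILURES" and "BAD SU" message texts, the hostnames and addresses, and the thresholds are all assumptions made for the example.

```python
"""Syslog watcher: parse BSD-style syslog lines, flag unusual events,
and hand them to an alarm hook.  Added example, not from the thread."""
import re
from collections import Counter

# Constructed sample log, BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: msg".
SAMPLE_LOG = """\
Jul 31 22:40:01 gw sshd[1201]: Accepted password for alice from 192.0.2.10
Jul 31 22:41:13 gw login: 3 LOGIN FAILURES FROM 203.0.113.7, bob
Jul 31 22:41:14 gw login: 3 LOGIN FAILURES FROM 203.0.113.7, root
Jul 31 22:41:15 gw login: 3 LOGIN FAILURES FROM 203.0.113.7, root
Jul 31 22:41:15 gw login: 3 LOGIN FAILURES FROM 203.0.113.7, admin
Jul 31 22:41:16 gw su: BAD SU bob to root on /dev/ttyp2
Jul 31 22:41:16 gw login: 3 LOGIN FAILURES FROM 203.0.113.7, root
Jul 31 22:41:17 gw login: 3 LOGIN FAILURES FROM 203.0.113.7, root
Jul 31 22:50:00 gw /kernel: ipfw: 1000 Deny TCP 203.0.113.7:4444 192.0.2.1:23 in via ed0
Jul 31 23:05:00 gw syslogd: restart
"""

# Timestamp (no year in BSD syslog), host, program with optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message patterns treated as unusual (assumed wording, see lead-in).
LOGIN_FAILURE_RE = re.compile(r"LOGIN FAILURES? FROM (?P<src>[^,]+), (?P<user>\S+)")
BAD_SU_RE = re.compile(r"BAD SU (?P<user>\S+) to (?P<target>\S+)")


def parse_line(line):
    """Return a dict of syslog fields, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:-3]  # "Jul 31 22:41:13" -> "Jul 31 22:41"
    return rec


def analyze(text, fail_threshold=3, burst_threshold=6):
    """Scan log text and return a list of (kind, detail) alerts.

    Two kinds of signal are combined: individual events that are always
    worth a look (a failed su to root, syslogd restarting), and counts that
    only matter in aggregate (repeated login failures from one source, and
    a burst of lines in a single minute, which is the flood case Ben warns
    about for serial-line logging)."""
    alerts = []
    failures_by_src = Counter()
    lines_per_minute = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            alerts.append(("unparseable", raw))
            continue
        lines_per_minute[rec["minute"]] += 1
        m = LOGIN_FAILURE_RE.search(rec["msg"])
        if m:
            failures_by_src[m.group("src")] += 1
        m = BAD_SU_RE.search(rec["msg"])
        if m:
            alerts.append(("bad_su", f"{m.group('user')} -> {m.group('target')} on {rec['host']}"))
        if rec["prog"] == "syslogd" and rec["msg"] == "restart":
            alerts.append(("syslogd_restart", rec["host"]))
    for src, n in failures_by_src.items():
        if n >= fail_threshold:
            alerts.append(("repeated_login_failure", f"{n} failures from {src}"))
    for minute, n in lines_per_minute.items():
        if n >= burst_threshold:
            alerts.append(("log_burst", f"{n} lines in minute {minute}"))
    return alerts


def alarm(alerts):
    """Alarm hook: print here; swap in a pager call or a beep as Ben suggests."""
    for kind, detail in alerts:
        print(f"ALERT {kind}: {detail}")


if __name__ == "__main__":
    alarm(analyze(SAMPLE_LOG))
```

Run as a script it prints one ALERT line per finding on the sample; in practice the watcher would tail the central log file and call `analyze` on each new chunk, keeping the counters across calls. The thresholds are deliberately low so the constructed sample trips them; tune them to the baseline volume of the hosts you actually log.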