From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 04:49:13 2004
From: Richard Bejtlich
Date: Tue, 27 Jan 2004 04:49:10 -0800 (PST)
Subject: Recent use of Fragroute

Hello,

Has anyone used Dug Song's Fragroute recently? I installed it using the security/fragroute port on 5.2 REL and 4.9 STABLE systems. There were no dependency problems.

I could not get either system to actually send traffic while Fragroute was enabled, even with the simplest of fragroute.conf files, like:

    ip_frag 24
    print

I tried manually changing net.inet.ip.forwarding to 1 via sysctl, but I believe Fragroute should take care of that anyway? I was able to run Fragtest, however. I know how to use Fragroute properly as it works fine on my Red Hat 9 box.

Does anyone have recent experience with Fragroute on FreeBSD?

Thank you,

Richard
http://www.taosecurity.com

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 08:45:30 2004
From: Peter Rosa
Date: Tue, 27 Jan 2004 17:44:40 +0100
Subject: Possible compromise ?

Hello,

Please, is there some way to list ALL users who connect remotely to my machine? It is our gateway, so it should be a one-user machine, but if I list the /var/log/lastlog binary file, there are some lines showing usage of ttyp0. That console I have disabled in ttys, so why are those lines there? How could I make FreeBSD show that file in a readable way?

Was my machine compromised?
Peter Rosa

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 08:52:08 2004
From: Patrick Muldoon
Organization: INOC
Date: Tue, 27 Jan 2004 11:50:40 -0500
Subject: Re: Possible compromise ?

On Tuesday 27 January 2004 11:44 am, Peter Rosa wrote:
> Hello,
> please, is there some way to list ALL users who connect remotely to my
> machine? It is our gateway, so it should be a one-user machine, but if I
> list the /var/log/lastlog binary file, there are some lines showing usage of
> ttyp0. That console I have disabled in ttys, so why are those lines there?
> How could I make FreeBSD show that file in a readable way?

man last

    last -- indicate last logins of users and ttys

> Was my machine compromised?

Not enough information to make an educated guess here, sorry.

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon) Key ID: 0x370D752C

The computer is mightier than the pen, the sword, and usually, the programmer.

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 08:56:30 2004
From: Eric Anderson
Date: Tue, 27 Jan 2004 10:55:06 -0600
Subject: Re: Possible compromise ?

Peter Rosa wrote:
> Hello,
>
> please, is there some way to list ALL users who connect remotely to my
> machine? It is our gateway, so it should be a one-user machine, but if I list
> the /var/log/lastlog binary file, there are some lines showing usage of ttyp0.
> That console I have disabled in ttys, so why are those lines there? How
> could I make FreeBSD show that file in a readable way?

man last

> Was my machine compromised?

More information and a more clearly worded question would help.

Eric

--
------------------------------------------------------------------
Eric Anderson
Sr. Systems Administrator
Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 08:56:54 2004
From: Peter Pentchev
Date: Tue, 27 Jan 2004 18:55:47 +0200
Subject: Re: Possible compromise ?

On Tue, Jan 27, 2004 at 05:44:40PM +0100, Peter Rosa wrote:
> Hello,
>
> please, is there some way to list ALL users who connect remotely to my
> machine? It is our gateway, so it should be a one-user machine, but if I list
> the /var/log/lastlog binary file, there are some lines showing usage of ttyp0.
> That console I have disabled in ttys, so why are those lines there? How
> could I make FreeBSD show that file in a readable way?
>
> Was my machine compromised?

ttyp0 is the first pseudo-tty. Pseudo-ttys may be created for many purposes, but the most common ones by far are 1. remote logins (telnet, SSH, or the like), and 2. utilities such as 'screen'.

If you, or somebody else, has ever opened a telnet or SSH connection to the machine in question, then FreeBSD would have accepted the remote login on a pseudo-tty. The first such login would be on ttyp0, the second - if there are two at the same time - would be on ttyp1, and so on.

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If this sentence didn't exist, somebody would have invented it.
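Peter Rosa's question (how to read /var/log/lastlog, and why ttyp lines appear in it) and Peter Pentchev's explanation of pseudo-ttys can be made concrete by decoding the file directly. The Python below is an added example written for this archive; it is not code from anyone in the thread or from FreeBSD. It assumes the pre-utmpx record layouts of FreeBSD 4.x/5.x <utmp.h> on little-endian i386: struct lastlog (32-bit time_t, 8-byte line, 16-byte host, one record per UID, 28 bytes) and the struct utmp that wtmp is made of (8-byte line, 16-byte name, 16-byte host, 32-bit time_t, 44 bytes). The sample lastlog and wtmp bytes are constructed inline. Because the two record sizes differ, feeding lastlog to a wtmp reader misaligns every field and produces names made of timestamp bytes and dates of 1 January 1970, which is exactly what `last -f /var/log/lastlog` shows later in this thread; the last function demonstrates that misread.

```python
import struct
from datetime import datetime, timezone

# Record layouts assumed from FreeBSD 4.x/5.x <utmp.h> (pre-utmpx era), i386:
# 32-bit little-endian time_t, no padding.
#   struct lastlog { time_t ll_time; char ll_line[8]; char ll_host[16]; }   -> 28 bytes
#   struct utmp    { char ut_line[8]; char ut_name[16]; char ut_host[16];
#                    time_t ut_time; }                                        -> 44 bytes
LASTLOG_FMT = "<i8s16s"
UTMP_FMT = "<8s16s16si"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 28
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 44


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C char array; undecodable bytes become U+FFFD."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def fmt_time(t: int) -> str:
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_lastlog(data: bytes) -> list:
    """lastlog is indexed by UID: the record at offset uid*28 is that uid's most
    recent login only. An all-zero record means the uid has never logged in."""
    entries = []
    for uid in range(len(data) // LASTLOG_SIZE):
        ll_time, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * LASTLOG_SIZE)
        if ll_time == 0 and not line.strip(b"\0"):
            continue
        entries.append({"uid": uid, "time": ll_time, "line": cstr(line), "host": cstr(host)})
    return entries


def parse_wtmp(data: bytes) -> list:
    """wtmp is an append-only series of utmp records, which is what last(1) reads.
    An empty name is a logout on that line; line "~" marks reboot/shutdown."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        line, name, host, t = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"line": cstr(line), "name": cstr(name), "host": cstr(host), "time": t})
    return records


def remote_pty_logins(records: list) -> list:
    """Logins on pseudo-ttys (ttyp*) that carry a remote host: ssh/telnet sessions."""
    return [r for r in records if r["line"].startswith("ttyp") and r["name"] and r["host"]]


def lastlog_record(t: int, line: str, host: str) -> bytes:
    return struct.pack(LASTLOG_FMT, t, line.encode(), host.encode())


def utmp_record(line: str, name: str, host: str, t: int) -> bytes:
    return struct.pack(UTMP_FMT, line.encode(), name.encode(), host.encode(), t)


# Constructed sample data (not from any real host): uid 0 last on the console,
# uids 1-4 never logged in, uid 5 last seen on the first pseudo-tty from a remote address.
SAMPLE_LASTLOG = (
    lastlog_record(1075201234, "ttyv0", "")
    + b"\0" * (LASTLOG_SIZE * 4)
    + lastlog_record(1075204321, "ttyp0", "192.0.2.10")
)
SAMPLE_WTMP = (
    utmp_record("~", "reboot", "", 1075190000)
    + utmp_record("ttyv0", "root", "", 1075201234)
    + utmp_record("ttyp0", "peter", "192.0.2.10", 1075204321)
    + utmp_record("ttyp0", "", "", 1075206000)  # logout of the ttyp0 session
)


if __name__ == "__main__":
    print("lastlog (one record per UID):")
    for e in parse_lastlog(SAMPLE_LASTLOG):
        print(f"  uid {e['uid']:<5} {e['line']:<8} {e['host']:<16} {fmt_time(e['time'])}")
    print("wtmp remote pseudo-tty logins:")
    for r in remote_pty_logins(parse_wtmp(SAMPLE_WTMP)):
        print(f"  {r['name']:<8} {r['line']:<8} {r['host']:<16} {fmt_time(r['time'])}")
    print("lastlog misread with the wtmp layout (what `last -f /var/log/lastlog` does):")
    for r in parse_wtmp(SAMPLE_LASTLOG):
        print(f"  {r['name']!r:<8} {r['line']!r:<22} {fmt_time(r['time'])}")
```

lastlog keeps a single record per UID, so it can only say where and when each account was last seen; the sequence of connections lives in wtmp (read with last(1)) and in sshd's own messages in auth.log. On a host that may already be compromised, all three are writable by root and should be read as leads rather than proof, which is the point Remko makes further down. On FreeBSD 9 and later these files are utmpx-based (/var/log/utx.log and /var/log/utx.lastlogin) and the 28- and 44-byte layouts above no longer apply.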
From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 08:59:18 2004
From: D J Hawkey Jr
Date: Tue, 27 Jan 2004 10:57:41 -0600
Subject: Re: Possible compromise ?

On Jan 27, at 05:44 PM, Peter Rosa wrote:
>
> Hello,
>
> please, is there some way to list ALL users who connect remotely to my
> machine? It is our gateway, so it should be a one-user machine, but if I list
> the /var/log/lastlog binary file, there are some lines showing usage of ttyp0.

`man lastlog` explains that file (and others), and the "SEE ALSO" section lists pertinent commands.

> That console I have disabled in ttys, so why are those lines there? How
> could I make FreeBSD show that file in a readable way?

`man last`.

> Was my machine compromised?

Not enough info to go on. `last` just may show the last time the admin was on tty0, disabling tty0.

Dave

--
  ______________________   ______________________
  \__________________   \  D. J. HAWKEY JR.
  / __________________/   \________________/\  hawkeyd@visi.com
  /\________________/     http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:24:00 2004
From: Peter Rosa
To: security at FreeBSD
Date: Tue, 27 Jan 2004 21:23:45 +0100
Subject: Re: Possible compromise ?

OK, sorry for the unclear previous message.

In the past, one man taught me the FreeBSD basics and also installed my gateway. At that time, I was not able to install and set up FreeBSD by myself. He left there some holes - e.g. open virtual consoles, unset firewall, etc.
As time went by, I learned a lot about Unixes and FreeBSD and I tried to set up my own firewall, and install and set up some programs (with big help from this and the Questions lists, manpages and other books).

When I tried to set up more security on that system, among other things I disabled all virtual ttys, because there is no need to connect to this machine remotely (it's located 5 steps from my desk). In the past, that man connected to my system remotely from various IPs.

Now, when I cat /var/log/lastlog, at the very bottom of the file, I can read some connects from remote machines to ttyp0 and ttyp1. It's impossible for me to retrieve connection dates from that file. Of course, I read man last, man wtmp, etc., but there is nothing about the /var/log/lastlog file.

Maybe those lines were added in the deep past, when the machine was open. But maybe it was done in the few previous days...

I know, if my machine was compromised, it is impossible to believe in anything on that machine (also kernel, sources). So, are there some other ways to get information about connection dates?

Peter Rosa

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:29:09 2004
From: Mark Ogden
Date: Tue, 27 Jan 2004 13:28:02 -0700
Subject: Re: Possible compromise ?

Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote:
> OK, sorry for the unclear previous message.
>
> In the past, one man taught me the FreeBSD basics and also installed my
> gateway. At that time, I was not able to install and set up FreeBSD by
> myself. He left there some holes - e.g. open virtual consoles, unset
> firewall, etc. As time went by, I learned a lot about Unixes and FreeBSD
> and I tried to set up my own firewall, and install and set up some programs (with
> big help from this and the Questions lists, manpages and other books).
>
> When I tried to set up more security on that system, among other things I
> disabled all virtual ttys, because there is no need to connect to this
> machine remotely (it's located 5 steps from my desk). In the past, that man
> connected to my system remotely from various IPs.
>
> Now, when I cat /var/log/lastlog, at the very bottom of the file, I can read
> some connects from remote machines to ttyp0 and ttyp1.

Take a look at /var/log/auth.log; it will show you everyone that remotely connected and was denied.

-Mark

> It's impossible for
> me to retrieve connection dates from that file. Of course, I read man last,
> man wtmp, etc., but there is nothing about the /var/log/lastlog file.
>
> Maybe those lines were added in the deep past, when the machine was open.
> But maybe it was done in the few previous days...
>
> I know, if my machine was compromised, it is impossible to believe in
> anything on that machine (also kernel, sources). So, are there some other
> ways to get information about connection dates?
>
> Peter Rosa

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:33:56 2004
From: Eric Anderson
Date: Tue, 27 Jan 2004 14:32:37 -0600
Subject: Re: Possible compromise ?

Peter Rosa wrote:
[..snip..]
>
> Now, when I cat /var/log/lastlog, at the very bottom of the file, I can read
> some connects from remote machines to ttyp0 and ttyp1. It's impossible for
> me to retrieve connection dates from that file. Of course, I read man last,
> man wtmp, etc., but there is nothing about the /var/log/lastlog file.
>
> Maybe those lines were added in the deep past, when the machine was open.
> But maybe it was done in the few previous days...
>
> I know, if my machine was compromised, it is impossible to believe in
> anything on that machine (also kernel, sources). So, are there some other
> ways to get information about connection dates?

Possibly man lastlog will help, but the 'last' command is what you want.

Is bsdsar running on that machine? You could look back and see what processes were running, and maybe some other things..

Eric

--
------------------------------------------------------------------
Eric Anderson
Sr. Systems Administrator
Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:36:41 2004
From: Peter Rosa
Date: Tue, 27 Jan 2004 21:35:15 +0100
Subject: Re: Possible compromise ?

Sorry, my syslog is not configured to save auth.* info :-(((
I did not read syslog.conf carefully...

PR

----- Original Message -----
From: "Mark Ogden"
To: "Peter Rosa"
Sent: Tuesday, January 27, 2004 9:28 PM
Subject: Re: Possible compromise ?

> Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote:
> > OK, sorry for the unclear previous message.
> >
> > In the past, one man taught me the FreeBSD basics and also installed my
> > gateway. At that time, I was not able to install and set up FreeBSD by
> > myself. He left there some holes - e.g. open virtual consoles, unset
> > firewall, etc. As time went by, I learned a lot about Unixes and FreeBSD
> > and I tried to set up my own firewall, and install and set up some programs (with
> > big help from this and the Questions lists, manpages and other books).
> >
> > When I tried to set up more security on that system, among other things I
> > disabled all virtual ttys, because there is no need to connect to this
> > machine remotely (it's located 5 steps from my desk). In the past, that man
> > connected to my system remotely from various IPs.
> >
> > Now, when I cat /var/log/lastlog, at the very bottom of the file, I can read
> > some connects from remote machines to ttyp0 and ttyp1.
>
> Take a look at /var/log/auth.log; it will show you everyone that
> remotely connected and was denied.
>
> -Mark
>
> > It's impossible for
> > me to retrieve connection dates from that file. Of course, I read man last,
> > man wtmp, etc., but there is nothing about the /var/log/lastlog file.
> >
> > Maybe those lines were added in the deep past, when the machine was open.
> > But maybe it was done in the few previous days...
> >
> > I know, if my machine was compromised, it is impossible to believe in
> > anything on that machine (also kernel, sources). So, are there some other
> > ways to get information about connection dates?
> >
> > Peter Rosa
>

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:43:31 2004
From: Remko Lodder
To: Mark Ogden, Peter Rosa
Date: Tue, 27 Jan 2004 21:42:06 +0100
Subject: RE: [Freebsd-security] Re: Possible compromise ?

That only works when you are presuming that the host was not hacked already, because I would clear those logs when I hacked a system :) but indeed it's a try.

If you remain unsure, it is best to reinstall the system to be sure that a fresh and newly updated (yeah, update it when installed :)) system is not compromised at that time. Loads of work, but it gives you some relief to know that it's clean.

Good luck!

--
Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

-----Original Message-----
From: freebsd-security-bounces@lists.elvandar.org [mailto:freebsd-security-bounces@lists.elvandar.org] On behalf of Mark Ogden
Sent: Tuesday, 27 January 2004 21:28
To: Peter Rosa
CC: freebsd-security@freebsd.org
Subject: [Freebsd-security] Re: Possible compromise ?

Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote:
> OK, sorry for the unclear previous message.
>
> In the past, one man taught me the FreeBSD basics and also installed my
> gateway. At that time, I was not able to install and set up FreeBSD by
> myself. He left there some holes - e.g. open virtual consoles, unset
> firewall, etc. As time went by, I learned a lot about Unixes and FreeBSD
> and I tried to set up my own firewall, and install and set up some programs (with
> big help from this and the Questions lists, manpages and other books).
>
> When I tried to set up more security on that system, among other things I
> disabled all virtual ttys, because there is no need to connect to this
> machine remotely (it's located 5 steps from my desk). In the past, that man
> connected to my system remotely from various IPs.
>
> Now, when I cat /var/log/lastlog, at the very bottom of the file, I can read
> some connects from remote machines to ttyp0 and ttyp1.

Take a look at /var/log/auth.log; it will show you everyone that remotely connected and was denied.

-Mark

> It's impossible for
> me to retrieve connection dates from that file. Of course, I read man last,
> man wtmp, etc., but there is nothing about the /var/log/lastlog file.
>
> Maybe those lines were added in the deep past, when the machine was open.
> But maybe it was done in the few previous days...
>
> I know, if my machine was compromised, it is impossible to believe in
> anything on that machine (also kernel, sources). So, are there some other
> ways to get information about connection dates?
> > Peter Rosa > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ Freebsd-security mailing list Freebsd-security@lists.elvandar.org http://lists.elvandar.org/mailman/listinfo/freebsd-security From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:45:35 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E249C16A4CE for ; Tue, 27 Jan 2004 12:45:35 -0800 (PST) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2AB8543D6A for ; Tue, 27 Jan 2004 12:44:57 -0800 (PST) (envelope-from prosa@pro.sk) Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.12.9/8.12.9) with SMTP id i0RKiBrp010245 for ; Tue, 27 Jan 2004 21:44:11 +0100 (CET) (envelope-from prosa@pro.sk) Message-ID: <00c401c3e516$4f1bf7a0$3501a8c0@peter> From: "Peter Rosa" To: "security at FreeBSD" References: <01a901c3e294$8ea8a500$3501a8c0@peter><1653155537.20040126121155@b-o.ru> <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com> Date: Tue, 27 Jan 2004 21:44:07 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_00C1_01C3E51E.B0D207C0" X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) Subject: Re: Possible 
compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:45:36 -0000 As Mr. Anderson wrote, I tried last -f /var/log/lastlog and got what is in the attachment. Unreadable chaos, bad dates. Maybe lastlog does not have the exact structure for last, does it? PR

Attachment lastlog.txt (quoted-printable decoded):

ttyp2 067.mbne Thu Jan 1 01:00 - 08:08 (9012+06:08)
m@ttyv0 Thu Jan 1 01:00 still logged in
0 hö&=ttyp 160- Thu Jan 1 01:00 still logged in
0 d¶Ñ?ttyv Thu Jan 1 01:00 still logged in

wtmp begins Thu Jan 1 01:00:00 CET 1970

From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:49:42 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 555E916A4CE for ; Tue, 27 Jan 2004 12:49:42 -0800 (PST) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2296943D77 for ; Tue, 27 Jan 2004 12:48:36 -0800 (PST) (envelope-from prosa@pro.sk) Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.12.9/8.12.9) with SMTP id i0RKkIrp010288; Tue, 27 Jan 2004 21:46:18 +0100 (CET) (envelope-from prosa@pro.sk) Message-ID: <00d401c3e516$9afe3ca0$3501a8c0@peter> From: "Peter Rosa" To: "Remko Lodder" , "Mark Ogden" References: <20040127204125.01D0E2B4D8E@mail.evilcoder.org> Date: Tue, 27 Jan 2004 21:46:14 +0100 MIME-Version: 1.0 Content-Type: 
text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) cc: freebsd-security@freebsd.org Subject: Re: [Freebsd-security] Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:49:42 -0000 Yes, but it is the way I wouldn't like to go. Because of sooo much time :-( PR ----- Original Message ----- From: "Remko Lodder" To: "Mark Ogden" ; "Peter Rosa" Cc: Sent: Tuesday, January 27, 2004 9:42 PM Subject: RE: [Freebsd-security] Re: Possible compromise ? > that only works when you are presuming that the host was not hacked already > because i would clear those logs when i hacked a system :) > > but indeed it's a try, > > If you remain unsure, it is best to reinstall the system to be sure that a > fresh > and newly updated (yeah update it when installed :)) system is not > compromised at that > time.. > > loads of work, but it gives you some relief to know that it's clean. > > GoodLuck! > > -- > > Kind regards, > > Remko Lodder > Elvandar.org/DSINet.org > www.mostly-harmless.nl Dutch community for helping newcomers on the > hackerscene > > -----Oorspronkelijk bericht----- > Van: freebsd-security-bounces@lists.elvandar.org > [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Mark Ogden > Verzonden: dinsdag 27 januari 2004 21:28 > Aan: Peter Rosa > CC: freebsd-security@freebsd.org > Onderwerp: [Freebsd-security] Re: Possible compromise ? > > > Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote: > > OK, sorry for unclear previous message. > > > > In the past, one man teached me the FreeBSD basics and also installed my > > gateway. 
In that time, I was not able to install and setup FreeBSD by > > myself. He left there some holes - e.g. open virtual consoles, unset > > firewall, etc. As the time went, I learned a lot about Unixes and FreeBSD > > and I tried to setup my own firewall, install and setup some programs > (with > > big help of this and Questions lists, manpages and other books). > > > > When I tried to setup more security on that system, except other things, I > > disabled all virtual tty's, because there is no need to connect to this > > machine remotelly (it's located 5 steps from my desk). In the past, that > man > > connected to my system remotely from various IPs. > > > > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can > read > > some connects from remote machines to ttyp0 and ttyp1. > > take a look at the /var/log/auth.log, it will show you everyone that > remote connected and was denied. > > -Mark > > >It's impossible for > > me to retrieve connection dates from that file. Of course, I read man > last, > > man wtmp, etc., but there is nothing about /var/log/lastlog file. > > > > May be, that lines was added in the deep past, when the machine was open. > > But may be, it was done in few previous days... > > > > I know, if my machine was compromised, it is impossible to believe in > > anything on that machine (also kernel, sources). So, are there some other > > ways to get information about connection dates? 
> > > > Peter Rosa > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > Freebsd-security mailing list > Freebsd-security@lists.elvandar.org > http://lists.elvandar.org/mailman/listinfo/freebsd-security > From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:50:48 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 62AC016A4CE for ; Tue, 27 Jan 2004 12:50:48 -0800 (PST) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4F7843D4C for ; Tue, 27 Jan 2004 12:50:15 -0800 (PST) (envelope-from anderson@centtech.com) Received: from centtech.com (neutrino.centtech.com [10.177.171.220]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id i0RKmME8024996; Tue, 27 Jan 2004 14:48:22 -0600 (CST) (envelope-from anderson@centtech.com) Message-ID: <4016CE78.2020500@centtech.com> Date: Tue, 27 Jan 2004 14:47:52 -0600 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20040121 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Peter Rosa References: <01a901c3e294$8ea8a500$3501a8c0@peter><1653155537.20040126121155@b-o.ru> <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com> <00c401c3e516$4f1bf7a0$3501a8c0@peter> In-Reply-To: <00c401c3e516$4f1bf7a0$3501a8c0@peter> Content-Type: text/plain; 
charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit cc: security at FreeBSD Subject: Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:50:48 -0000 Peter Rosa wrote: > As Mr. Anderson wrote, I tried last -f /var/log/lastlog and get, what is in > attachment. > Unreadable chaos, bad dates. May be, lastlog has not exact structure for > last, isn't it ? > > PR > > > ------------------------------------------------------------------------ > > ttyp2 067.mbne Thu Jan 1 01:00 - 08:08 (9012+06:08) > m@ttyv0 Thu Jan 1 01:00 still logged in > 0 hö&=ttyp 160- Thu Jan 1 01:00 still logged in > 0 d¶Ñ?ttyv Thu Jan 1 01:00 still logged in > > wtmp begins Thu Jan 1 01:00:00 CET 1970 lastlog needs wtmp, so you should do: last -f /var/log/wtmp which is the default action if you just last with no arguments. Eric -- ------------------------------------------------------------------ Eric Anderson Sr. Systems Administrator Centaur Technology Today is the tomorrow you worried about yesterday. 
------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:52:40 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3478916A4CE for ; Tue, 27 Jan 2004 12:52:40 -0800 (PST) Received: from mail.evilcoder.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB23943D3F for ; Tue, 27 Jan 2004 12:51:36 -0800 (PST) (envelope-from remko@elvandar.org) From: "Remko Lodder" To: "Peter Rosa" , "Mark Ogden" Date: Tue, 27 Jan 2004 21:50:43 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) In-Reply-To: <20040127204624.78E9919@mail.elvandar.org> Importance: Normal X-Virus-Scanned: by amavisd-new at elvandar.org Message-Id: <20040127204958.44C6D2B4D8E@mail.evilcoder.org> cc: freebsd-security@freebsd.org Subject: RE: [Freebsd-security] Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:52:40 -0000 Yeah but if you are uncertain about your own box my VERY STRONG advise is that you reinstall. IF your host is indeed owned, then you are a lot further away then just reinstalling, god knows what issues can arrise when a cracker exploits the system to do bogus tasks.. 
Then i say: Too bad for your time, sorry but it's like that -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van: Peter Rosa [mailto:prosa@pro.sk] Verzonden: dinsdag 27 januari 2004 21:46 Aan: Remko Lodder; Mark Ogden CC: freebsd-security@freebsd.org Onderwerp: Re: [Freebsd-security] Re: Possible compromise ? Yes, but it is the way I wouldn't like to go. Because of sooo much time :-( PR ----- Original Message ----- From: "Remko Lodder" To: "Mark Ogden" ; "Peter Rosa" Cc: Sent: Tuesday, January 27, 2004 9:42 PM Subject: RE: [Freebsd-security] Re: Possible compromise ? > that only works when you are presuming that the host was not hacked already > because i would clear those logs when i hacked a system :) > > but indeed it's a try, > > If you remain unsure, it is best to reinstall the system to be sure that a > fresh > and newly updated (yeah update it when installed :)) system is not > compromised at that > time.. > > loads of work, but it gives you some relief to know that it's clean. > > GoodLuck! > > -- > > Kind regards, > > Remko Lodder > Elvandar.org/DSINet.org > www.mostly-harmless.nl Dutch community for helping newcomers on the > hackerscene > > -----Oorspronkelijk bericht----- > Van: freebsd-security-bounces@lists.elvandar.org > [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Mark Ogden > Verzonden: dinsdag 27 januari 2004 21:28 > Aan: Peter Rosa > CC: freebsd-security@freebsd.org > Onderwerp: [Freebsd-security] Re: Possible compromise ? > > > Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote: > > OK, sorry for unclear previous message. > > > > In the past, one man teached me the FreeBSD basics and also installed my > > gateway. In that time, I was not able to install and setup FreeBSD by > > myself. He left there some holes - e.g. open virtual consoles, unset > > firewall, etc. 
As the time went, I learned a lot about Unixes and FreeBSD > > and I tried to setup my own firewall, install and setup some programs > (with > > big help of this and Questions lists, manpages and other books). > > > > When I tried to setup more security on that system, except other things, I > > disabled all virtual tty's, because there is no need to connect to this > > machine remotelly (it's located 5 steps from my desk). In the past, that > man > > connected to my system remotely from various IPs. > > > > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can > read > > some connects from remote machines to ttyp0 and ttyp1. > > take a look at the /var/log/auth.log, it will show you everyone that > remote connected and was denied. > > -Mark > > >It's impossible for > > me to retrieve connection dates from that file. Of course, I read man > last, > > man wtmp, etc., but there is nothing about /var/log/lastlog file. > > > > May be, that lines was added in the deep past, when the machine was open. > > But may be, it was done in few previous days... > > > > I know, if my machine was compromised, it is impossible to believe in > > anything on that machine (also kernel, sources). So, are there some other > > ways to get information about connection dates? 
> > > > Peter Rosa > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > Freebsd-security mailing list > Freebsd-security@lists.elvandar.org > http://lists.elvandar.org/mailman/listinfo/freebsd-security > From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:58:59 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7447D16A4CE for ; Tue, 27 Jan 2004 12:58:59 -0800 (PST) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 16E1443D5F for ; Tue, 27 Jan 2004 12:58:19 -0800 (PST) (envelope-from prosa@pro.sk) Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.12.9/8.12.9) with SMTP id i0RKuOrp010523 for ; Tue, 27 Jan 2004 21:56:24 +0100 (CET) (envelope-from prosa@pro.sk) Message-ID: <013901c3e518$03d7dc80$3501a8c0@peter> From: "Peter Rosa" To: "security at FreeBSD" References: <01a901c3e294$8ea8a500$3501a8c0@peter><1653155537.20040126121155@b-o.ru> <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com> <00c401c3e516$4f1bf7a0$3501a8c0@peter> <4016CE78.2020500@centtech.com> Date: Tue, 27 Jan 2004 21:56:20 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE 
V6.00.2800.1165 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) Subject: Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:58:59 -0000 OK, tried, but all four wtmp files are clean (they are wtmp, wtmp.0 ... wtmp.3 in /var/log). The only place where those connections are mentioned is the lastlog file. PR ----- Original Message ----- From: "Eric Anderson" To: "Peter Rosa" Cc: "security at FreeBSD" Sent: Tuesday, January 27, 2004 9:47 PM Subject: Re: Possible compromise ? > Peter Rosa wrote: > > As Mr. Anderson wrote, I tried last -f /var/log/lastlog and get, what is in > > attachment. > > Unreadable chaos, bad dates. May be, lastlog has not exact structure for > > last, isn't it ? > > > > PR > > > > > > ------------------------------------------------------------------------ > > > > ttyp2 067.mbne Thu Jan 1 01:00 - 08:08 (9012+06:08) > > m@ttyv0 Thu Jan 1 01:00 still logged in > > 0 hö&=ttyp 160- Thu Jan 1 01:00 still logged in > > 0 d¶Ñ?ttyv Thu Jan 1 01:00 still logged in > > > > wtmp begins Thu Jan 1 01:00:00 CET 1970 > > lastlog needs wtmp, so you should do: > > last -f /var/log/wtmp > which is the default action if you just last with no arguments. > > Eric > > > > -- > ------------------------------------------------------------------ > Eric Anderson Sr. Systems Administrator Centaur Technology > Today is the tomorrow you worried about yesterday. 
> ------------------------------------------------------------------ > From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 13:02:09 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 547D116A4CE for ; Tue, 27 Jan 2004 13:02:09 -0800 (PST) Received: from pc5.i.0x5.de (reverse-213-146-113-119.dialin.kamp-dsl.de [213.146.113.119]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B20443D45 for ; Tue, 27 Jan 2004 13:01:41 -0800 (PST) (envelope-from nicolas@dauerreden.de) Received: from pc5.i.0x5.de (nicolas@localhost [127.0.0.1]) by pc5.i.0x5.de (8.12.9p2/8.12.9) with ESMTP id i0RL0FjY012638; Tue, 27 Jan 2004 22:00:15 +0100 (CET) (envelope-from nicolas@pc5.i.0x5.de) Received: (from nicolas@localhost) by pc5.i.0x5.de (8.12.9p2/8.12.9/Submit) id i0RL0Fo1012637; Tue, 27 Jan 2004 22:00:15 +0100 (CET) (envelope-from nicolas) Date: Tue, 27 Jan 2004 22:00:15 +0100 From: Nicolas Rachinsky To: Peter Rosa Message-ID: <20040127210015.GA12328@pc5.i.0x5.de> Mail-Followup-To: Peter Rosa , security at FreeBSD References: <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com> <00c401c3e516$4f1bf7a0$3501a8c0@peter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <00c401c3e516$4f1bf7a0$3501a8c0@peter> X-Powered-by: FreeBSD X-Homepage: http://www.rachinsky.de X-PGP-Keyid: C11ABC0E X-PGP-Fingerprint: 19DB 8392 8FE0 814A 7362 EEBD A53B 526A C11A BC0E X-PGP-Key: http://www.rachinsky.de/nicolas/nicolas_rachinsky.asc X-SECURITY: Never trust a running system User-Agent: Mutt/1.5.5.1i cc: security at FreeBSD Subject: Re: Possible compromise ? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 21:02:09 -0000 * Peter Rosa [2004-01-27 21:44 +0100]: > As Mr. Anderson wrote, I tried last -f /var/log/lastlog and get, what is in > attachment. > Unreadable chaos, bad dates. May be, lastlog has not exact structure for > last, isn't it ? The program to show /var/log/lastlog is lastlogin. Nicolas From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 13:11:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EC08616A4CE for ; Tue, 27 Jan 2004 13:11:30 -0800 (PST) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3704B43D72 for ; Tue, 27 Jan 2004 13:10:52 -0800 (PST) (envelope-from anderson@centtech.com) Received: from centtech.com (neutrino.centtech.com [10.177.171.220]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id i0RL9eE8029893; Tue, 27 Jan 2004 15:09:41 -0600 (CST) (envelope-from anderson@centtech.com) Message-ID: <4016D377.6090208@centtech.com> Date: Tue, 27 Jan 2004 15:09:11 -0600 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20040121 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Nicolas Rachinsky References: <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com> <00c401c3e516$4f1bf7a0$3501a8c0@peter> <20040127210015.GA12328@pc5.i.0x5.de> In-Reply-To: <20040127210015.GA12328@pc5.i.0x5.de> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: Peter Rosa cc: security at FreeBSD Subject: Re: Possible compromise ? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 21:11:31 -0000 Nicolas Rachinsky wrote: > * Peter Rosa [2004-01-27 21:44 +0100]: > >>As Mr. Anderson wrote, I tried last -f /var/log/lastlog and get, what is in >>attachment. >>Unreadable chaos, bad dates. May be, lastlog has not exact structure for >>last, isn't it ? > > > The program to show /var/log/lastlog is lastlogin. Actually, last reads it also, the lastlogin tool is a "subtool" I think: From lastlogin(8): "The lastlogin utility differs from last(1) in that it only prints information regarding the very last login session. The last login database is never turned over or deleted in standard usage." Eric -- ------------------------------------------------------------------ Eric Anderson Sr. Systems Administrator Centaur Technology Today is the tomorrow you worried about yesterday. 
------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 13:17:27 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A14F16A4DA for ; Tue, 27 Jan 2004 13:17:27 -0800 (PST) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 56CFB43D6D for ; Tue, 27 Jan 2004 13:17:00 -0800 (PST) (envelope-from prosa@pro.sk) Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.12.9/8.12.9) with SMTP id i0RLFErp010805 for ; Tue, 27 Jan 2004 22:15:14 +0100 (CET) (envelope-from prosa@pro.sk) Message-ID: <014f01c3e51a$a5a302e0$3501a8c0@peter> From: "Peter Rosa" To: "security at FreeBSD" References: <003001c3e4f4$dbba7910$3501a8c0@peter><20040127165741.GA1700@sheol.localdomain><002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com><00c401c3e516$4f1bf7a0$3501a8c0@peter> <20040127210015.GA12328@pc5.i.0x5.de> Date: Tue, 27 Jan 2004 22:15:10 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) Subject: Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 21:17:27 -0000 Thanks for the pointer. But lastlogin returns only local and only a few of the last connects. If I understand well, the bottom of lastlogin is the oldest. So maybe those connections were made in the deep past. Anyway, I will reinstall this weekend :-( Just to be sure. Many thanks to everybody who spent time with me. 
Peter Rosa ----- Original Message ----- From: "Nicolas Rachinsky" To: "Peter Rosa" Cc: "security at FreeBSD" Sent: Tuesday, January 27, 2004 10:00 PM Subject: Re: Possible compromise ? > * Peter Rosa [2004-01-27 21:44 +0100]: > > As Mr. Anderson wrote, I tried last -f /var/log/lastlog and get, what is in > > attachment. > > Unreadable chaos, bad dates. May be, lastlog has not exact structure for > > last, isn't it ? > > The program to show /var/log/lastlog is lastlogin. > > Nicolas > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 14:22:16 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1E2016A4CE for ; Tue, 27 Jan 2004 14:22:16 -0800 (PST) Received: from tomts5-srv.bellnexxia.net (tomts5.bellnexxia.net [209.226.175.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 058B043D69 for ; Tue, 27 Jan 2004 14:21:33 -0800 (PST) (envelope-from freeman@cs.dal.ca) Received: from [192.168.1.4] ([67.71.70.193]) by tomts5-srv.bellnexxia.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP id <20040127222110.FSMJ108.tomts5-srv.bellnexxia.net@[192.168.1.4]> for ; Tue, 27 Jan 2004 17:21:10 -0500 From: Kenny Freeman (by way of Kenny Freeman ) Date: Tue, 27 Jan 2004 18:19:06 -0500 User-Agent: KMail/1.5.4 Organization: PCHG Internet Solutions To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Boundary-02=_wHvFAA7ujiNHL3V"; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200401271819.12286.kennyf@pchg.net> Subject: Running X inside a jail. 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: kennyf@pchg.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 22:22:16 -0000 --Boundary-02=_wHvFAA7ujiNHL3V Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline I could swear that this has been done in the past (I think I remember reading an email about the devfs perms required) but I can't find any mention of it. I'm going to be moving to 5.2-RELEASE soon on i386 - I'm doing a complete format. I want to run the latest XFree86 server inside a jail for various reasons. Anyone know how to do this? is this possible? Is there any point to running x inside a jail? I'm curious if you have to jump through hoops and open some perms up to get this to fly. -Kenny --Boundary-02=_wHvFAA7ujiNHL3V Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQBAFvHwpkWIXJRvi30RAnt6AJ4zCKUxVJWN8uJyk9V2RpzBXwuwHwCfZ/su esxE9CMLR6zdbbNCqt133Dg= =+qMV -----END PGP SIGNATURE----- --Boundary-02=_wHvFAA7ujiNHL3V-- From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 15:49:33 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A11316A4CE for ; Tue, 27 Jan 2004 15:49:33 -0800 (PST) Received: from phuket.psconsult.nl (ps226.psconsult.nl [213.222.19.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id B06BF43D41 for ; Tue, 27 Jan 2004 15:49:28 -0800 (PST) (envelope-from paul@phuket.psconsult.nl) Received: from phuket.psconsult.nl (localhost [127.0.0.1]) by phuket.psconsult.nl (8.12.6p3/8.12.6) with ESMTP id i0RNnRGB027668 for ; Wed, 28 Jan 2004 00:49:27 +0100 (CET) (envelope-from paul@phuket.psconsult.nl) 
Received: (from paul@localhost) by phuket.psconsult.nl (8.12.6p3/8.12.6/Submit) id i0RNnQDL027667 for freebsd-security@freebsd.org; Wed, 28 Jan 2004 00:49:26 +0100 (CET) Date: Wed, 28 Jan 2004 00:49:26 +0100 From: Paul Schenkeveld To: security at FreeBSD Message-ID: <20040127234926.GA27135@psconsult.nl> Mail-Followup-To: security at FreeBSD References: <20040127210015.GA12328@pc5.i.0x5.de> <014f01c3e51a$a5a302e0$3501a8c0@peter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <014f01c3e51a$a5a302e0$3501a8c0@peter> User-Agent: Mutt/1.5.4i Subject: Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 23:49:33 -0000 Hi Peter, On Tue, Jan 27, 2004 at 10:15:10PM +0100, Peter Rosa wrote: > > Thanks for pointing me. But lastlogin returns only local and only few last > connects. > If I understand well, the bottom of lastlogin is the oldest. So may be, that > connections was done in the deep past. Every login gets logged to wtmp, but wtmp gets rotated by newsyslog. BTW, oldest logins are at the top of the file but the last(1) command reads the file backwards for convenience. /var/log/lastlog holds one record for every user that ever logged in to the system with the time and date, tty line and remote host of that last login. It never gets truncated, so that's why it's normal to see entries for ttyp0 and ttyp1 there even if these ttys have been disabled afterwards. I know of no standard program to list the entire lastlog file (/bin/login only shows your own record when logging in) so I've thrown a few bytes in the right order to visualize its contents. Just compile it with "cc -o showlast showlast.c". There's a uuencoded copy of the source at the end just in case your mailer scrambles the listing. 
Regards, Paul Schenkeveld, Consultant PSconsult ICT Services BV

/* showlast.c - show contents of /var/log/lastlog (FreeBSD 4.x/5.x <utmp.h> layout) */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <pwd.h>
#include <time.h>
#include <utmp.h>

#define LASTLOG "/var/log/lastlog"

int
main(int argc, char *argv[])
{
	struct lastlog lbuf;
	struct passwd *pw;
	time_t t;
	int fd, n;
	uid_t uid = 0;		/* record N of lastlog belongs to UID N */

	if ((fd = open(LASTLOG, O_RDONLY)) < 0) {
		perror(LASTLOG);
		exit(1);
	}
	printf("Username         UID   Line     Remote host      Date/time\n");
	printf("---------------- ----- -------- ---------------- "
	    "------------------------\n");
	while ((n = read(fd, &lbuf, sizeof(lbuf))) == sizeof(lbuf)) {
		if (lbuf.ll_time > 0) {	/* all-zero slot: this UID never logged in */
			pw = getpwuid(uid);
			t = lbuf.ll_time;	/* copy: ll_time is not a time_t on every arch */
			/* ll_line/ll_host are not NUL-terminated when full, so bound the width */
			printf("%-16.16s %5u %-*.*s %-*.*s %s",
			    pw ? pw->pw_name : "(unknown)", (unsigned)uid,
			    UT_LINESIZE, UT_LINESIZE, lbuf.ll_line,
			    UT_HOSTSIZE, UT_HOSTSIZE, lbuf.ll_host,
			    ctime(&t));		/* ctime() supplies the newline */
		}
		uid++;
	}
	close(fd);
	switch (n) {
	case -1:
		perror(LASTLOG);
		exit(1);
	case 0:			/* clean end of file */
		break;
	default:		/* short read: size not a multiple of sizeof(struct lastlog) */
		fprintf(stderr, "%s: corrupted\n", LASTLOG);
		exit(1);
	}
	exit(0);
}

Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A177016A4CE for ; Tue, 27 Jan 2004 23:04:14 -0800 (PST) Received: from smtp1.eunet.yu (smtp1.eunet.yu [194.247.192.241]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8CA9E43D31 for ; Tue, 27 Jan 2004 23:04:12 -0800 (PST) (envelope-from kolicz@eunet.yu) Received: from smtp1.EUnet.yu (root@localhost) by smtp1.eunet.yu (8.12.10/8.12.10) with SMTP id i0S74Axx013002 for ; Wed, 28 Jan 2004 08:04:10 +0100 Received: from kolic.net (P-2.15.EUnet.yu [213.240.2.15]) by smtp1.eunet.yu (8.12.10/8.12.10) with ESMTP id i0S7497A012888 for ; Wed, 28 Jan 2004 08:04:10 +0100 Received: by kolic.net (Postfix, from userid 1001) id 67EB042FF; Wed, 28 Jan 2004 07:54:29 +0100 (CET) Date: Wed, 28 Jan 2004 07:54:29 +0100 From: Zoran Kolic To: freebsd-security@freebsd.org Message-ID: <20040128065429.GA589@kolic.net> References: <20040127234954.5359F16A540@hub.freebsd.org> 
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040127234954.5359F16A540@hub.freebsd.org> Subject: Re: possible compromise? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2004 07:04:14 -0000 Dear Peter! I think it's time to reinstall now. Not at the end of week. If you have any doubt, don't spend more time to check logs. Some measures could be taken to clear it to look fine. Yes. You spent more time to check logs than you will to reinstall. Write on your conf files and all will be as you wish for 30-60 minutes. ZK From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 05:17:00 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F9C516A4CE for ; Wed, 28 Jan 2004 05:17:00 -0800 (PST) Received: from mail.jpbv.nl (asd-rzbg-2a57.mxs.adsl.euronet.nl [212.129.170.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id C302343D39 for ; Wed, 28 Jan 2004 05:16:57 -0800 (PST) (envelope-from R.v.Gogh@kappe-int.com) Received: by HNTS-04 with Internet Mail Service (5.5.2657.72) id ; Tue, 27 Jan 2004 12:06:34 +0100 Message-ID: <0FDD52D38220D611B7CC0004763B37448F0161@HNTS-04> From: "Gogh, Ruben van" To: freebsd-security@freebsd.org Date: Tue, 27 Jan 2004 12:06:25 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: How to allow a jail to use interface gif0 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2004 13:17:00 -0000 Heya, i've build a few 
jails on my system for multiple purposes... I want one of the jails run some ipv6 tunnels but unfortenately I'm not allowed to access/modify gif0 from inside the jail... How can I bypass this security issue (keep in mind that want to run the jail on a ipv4 adress)? Kind regards, Ruben van Gogh ******************************************** The information in this e-mail is personal and may contain confidential and/or priveliged material. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient, any use, disclosure, copying, distribution or action taken on it is prohibited. If you have received this communication in error please notify us by e-mail and then delete the e-mail and all attachments. ******************************************** From owner-freebsd-security@FreeBSD.ORG Wed Jan 28 09:49:06 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 090AD16A4CE for ; Wed, 28 Jan 2004 09:49:06 -0800 (PST) Received: from kestrel.alerce.com (kestrel.alerce.com [209.182.219.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id C359E43D3F for ; Wed, 28 Jan 2004 09:49:04 -0800 (PST) (envelope-from hartzell@kestrel.alerce.com) Received: from rosebud.alerce.com (rosebud.lbl.gov [131.243.193.115]) (authenticated bits=128) by kestrel.alerce.com (8.12.10/8.12.10) with ESMTP id i0SHn3LN004265 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 28 Jan 2004 09:49:03 -0800 (PST) (envelope-from hartzell@kestrel.alerce.com) Received: from rosebud.alerce.com (localhost [127.0.0.1]) by rosebud.alerce.com (8.12.9p2/8.12.9) with ESMTP id i0SHn2aj006202 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 28 Jan 2004 09:49:03 -0800 (PST) (envelope-from hartzell@rosebud.alerce.com) Received: (from hartzell@localhost) by rosebud.alerce.com (8.12.9p2/8.12.9/Submit) id 
i0SHn2EV006199; Wed, 28 Jan 2004 09:49:02 -0800 (PST) (envelope-from hartzell) From: George Hartzell MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16407.62989.973224.587094@rosebud.alerce.com> Date: Wed, 28 Jan 2004 09:49:01 -0800 To: freebsd-security@freebsd.org In-Reply-To: <16388.28960.595527.20394@rosebud.alerce.com> References: <16388.28960.595527.20394@rosebud.alerce.com> X-Mailer: VM 7.14 under 21.4 (patch 14) "Reasonable Discussion" XEmacs Lucid X-Virus-Scanned: ClamAV version 'clamd / ClamAV version devel-20031103', clamav-milter version '0.60n' Subject: Re: IPSEC btwn stable and Linksys BEFVP41 stopped working. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hartzell@kestrel.alerce.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2004 17:49:06 -0000 Everything's working now, so I thought I'd post to get closure. Upgrading the laptop to 4.9-RELEASE-p1 and racoon-20040116a seems to have set things right. I'm not sure whether one, the other, or both were required to get it going, but it's happy now. g. 
From owner-freebsd-security@FreeBSD.ORG Fri Jan 30 08:07:28 2004
Date: Fri, 30 Jan 2004 08:07:12 -0800 (PST)
Message-Id: <200401301607.i0UG7CIl082205@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-04:01.mksnap_ffs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:01.mksnap_ffs                                 Security Advisory
                                                          The FreeBSD Project

Topic:          mksnap_ffs clears file system options

Category:       core
Module:         mksnap_ffs
Announced:      2004-01-30
Credits:        Kimura Fuyuki
                Wiktor Niesiobedzki
Affects:        FreeBSD 5.1-RELEASE
                FreeBSD 5.2-RELEASE
Corrected:      2004-01-27 19:33:16 UTC (RELENG_5_1, 5.1-RELEASE-p12)
                2004-01-29 22:54:31 UTC (RELENG_5_2, 5.2-RELEASE-p1)
CVE Name:       CAN-2004-0099
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Mounted filesystems can have a variety of flags set on them. Some flags
affect performance and reliability, while others enable or disable
particular security-related features such as the ability to execute a
binary stored on the filesystem or the use of access control lists to
complement normal Unix file permissions.

The mksnap_ffs(8) command creates a `snapshot' of a filesystem. A
`snapshot' is a static representation of the state of the filesystem at
a particular point in time. Snapshots have a variety of uses, but their
primary purpose is to make it possible to run fsck(8) and dump(8) on
live filesystems.

II.  Problem Description

The kernel interface for creating a snapshot of a filesystem is the same
as that for changing the flags on that filesystem. Due to an oversight,
the mksnap_ffs(8) command called that interface with only the snapshot
flag set, causing all other flags to be reset to the default value.

III. Impact

A regularly scheduled backup of a live filesystem, or any other process
that uses the mksnap_ffs(8) command (for instance, to provide a rough
undelete functionality on a file server), will clear any flags in effect
on the filesystem being snapshot. Possible consequences depend on local
usage, but can include disabling extended access control lists or
enabling the use of setuid executables stored on an untrusted
filesystem.

The mksnap_ffs(8) command is normally only available to the superuser
and members of the `operator' group. There is therefore no risk of a
user gaining elevated privileges directly through use of the
mksnap_ffs(8) command unless it has been intentionally made available
to unprivileged users.

IV.  Workaround

Do not use the mksnap_ffs(8) command, nor the -L option of the dump(8)
command.

It is recommended that you delete the mksnap_ffs(8) command from your
system to prevent accidental use:

# rm /sbin/mksnap_ffs

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to the RELENG_5_1 or RELENG_5_2
security branch dated after the correction date.

NOTE WELL: Due to release engineering in progress at the time of this
writing, the RELENG_5_2 security branch (5.2-RELEASE-p1) also includes
numerous other critical bug fixes, most of which are not security
related. Please read src/UPDATING for details on these changes.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.1 systems]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_1.patch.asc

[FreeBSD 5.2 systems]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/sbin/mksnap_ffs
# make obj && make depend && make && make install

You are strongly encouraged to verify that all your filesystems have
the correct flags set. The mount(8) command can list currently mounted
filesystems and flags. Run the following command as root:

# mount

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5_1
  src/sbin/mksnap_ffs/mksnap_ffs.c                                 1.2.2.1
  src/sys/conf/newvers.sh                                        1.50.2.14
RELENG_5_2
  src/sbin/mksnap_ffs/mksnap_ffs.c                                 1.5.2.1
  src/sys/conf/newvers.sh                                         1.56.2.3
-------------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Fri Jan 30 08:25:13 2004
Message-Id: <6.0.1.1.1.20040130161508.03e79768@imap.sfu.ca>
Date: Fri, 30 Jan 2004 16:21:11 +0000
To: security@freebsd.org
From: Colin Percival
In-Reply-To: <200401301607.i0UG7CIl082205@freefall.freebsd.org>
References: <200401301607.i0UG7CIl082205@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:01.mksnap_ffs

At 16:07 30/01/2004, FreeBSD Security Advisories wrote:
>=============================================================================
>FreeBSD-SA-04:01.mksnap_ffs                                 Security Advisory
>
>V.   Solution
>Do one of the following:
>
>1) Upgrade your vulnerable system to the RELENG_5_1 or RELENG_5_2
>security branch dated after the correction date.
>
>2) To patch your present system
[...]

As usual, there is a third option here: I'm building binary security
updates and distributing them via the FreeBSD Update port
(security/freebsd-update in the ports tree). For systems running an
official RELEASE plus security patches, this provides an easier update
method than building from source.

To use these updates:

1) Install FreeBSD Update and copy the sample configuration file into
place:
# cd /usr/ports/security/freebsd-update && make install clean
# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf

2) Fetch and install updates:
# /usr/local/sbin/freebsd-update fetch
# /usr/local/sbin/freebsd-update install

For more details see http://www.daemonology.net/freebsd-update/ .

Note that this is something I'm providing personally; it is in no way
endorsed by the Security Officer or the Project as a whole.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Fri Jan 30 08:42:52 2004
Date: Fri, 30 Jan 2004 10:18:35 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Message-ID: <20040130161835.GA487@madman.celabo.org>
References: <200401301607.i0UG7CIl082205@freefall.freebsd.org>
In-Reply-To: <200401301607.i0UG7CIl082205@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:01.mksnap_ffs

On Fri, Jan 30, 2004 at 08:07:12AM -0800, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-04:01.mksnap_ffs                                 Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          mksnap_ffs clears file system options

I don't generally like to release advisories on a Friday if I can help
it. However, this issue (affecting only FreeBSD 5.x) was committed to
CVS several days ago and has a subtle but possibly important impact for
some users.

Cheers,
-- 
Jacques Vidrine   NTT/Verio SME      FreeBSD UNIX       Heimdal
nectar@celabo.org jvidrine@verio.net nectar@freebsd.org nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Feb 2 04:02:50 2004
Date: Mon, 2 Feb 2004 13:07:33 +0100
From: db
To: security@freebsd.org
Message-Id: <20040202130733.11439402@main.trunet.dk>
Subject: Lockdown ready for testing

Hi group

As promised some months ago, I'm letting you know that lockdown is now
ready for testing. Please don't study the code too much, I know it is a
mess and therefore a rewrite is on its way. But feel free to take a look
at the features offered, how you use them and the default settings.
When lockdown is ready for production usage, I'll release version 1.0.
I guess that will happen just before the ports collection freezes for
the 5.3-release.

Download: lockdown.trunet.dk

Best regards
Daniel Blankensteiner

From owner-freebsd-security@FreeBSD.ORG Mon Feb 2 10:00:23 2004
To: security@freebsd.org
From: des@des.no (Dag-Erling Smørgrav)
Date: Mon, 02 Feb 2004 19:00:03 +0100
Subject: clarification regarding gensetdefs update

Some of you may have noticed the recent commits I made to
src/usr.bin/gensetdefs/gensetdefs.c on the RELENG_4_7 and RELENG_4_8
security branches (revisions 1.4.12.1 and 1.4.14.1, respectively).
I would like to clarify the purpose and impact of these commits, in case
anybody is wondering whether they should update their systems.

The modified file contained several multi-line string literals written
in a style which was understood by older versions of GCC, but is no
longer supported in GCC 3.2. Since gensetdefs(8) is a build tool, it
needs to be compiled with the host system's toolchain. This means that
it was previously not possible to build a 4.7 or 4.8 world on a system
with GCC 3.2, such as FreeBSD 5.2 or 5-CURRENT.

The only purpose of these commits was to allow building 4.7 and 4.8
worlds on 5.x systems, to facilitate our QA process. There is no
functional change, and in fact the binaries generated before and after
the commit are identical byte by byte.

There is no need for anyone to update their 4.7 or 4.8 systems as a
result of these commits.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Feb 2 16:30:02 2004
Message-Id: <200402030029.i130Ts8F014698@cwsys.cwsent.com>
From: Cy Schubert
To: freebsd-security@freebsd.org
In-Reply-To: Your message of "Fri, 30 Jan 2004 08:07:12 PST."
             <200401301607.i0UG7CIl082205@freefall.freebsd.org>
Date: Mon, 02 Feb 2004 16:29:54 -0800
Reply-To: Cy Schubert
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:01.mksnap_ffs

In message <200401301607.i0UG7CIl082205@freefall.freebsd.org>, FreeBSD
Security Advisories writes:
> Branch                                                           Revision
>   Path
> -------------------------------------------------------------------------
> RELENG_5_1
>   src/sbin/mksnap_ffs/mksnap_ffs.c                                 1.2.2.1
>   src/sys/conf/newvers.sh                                        1.50.2.14
> RELENG_5_2
>   src/sbin/mksnap_ffs/mksnap_ffs.c                                 1.5.2.1
>   src/sys/conf/newvers.sh                                         1.56.2.3
> -------------------------------------------------------------------------

Would it be worth our while to list the revision in -CURRENT too (e.g.
1.7)?

Just a thought.

Cheers,
-- 
Cy Schubert                     http://www.komquats.com/
BC Government . FreeBSD UNIX    Cy.Schubert@osg.gov.bc.ca . cy@FreeBSD.org
http://www.gov.bc.ca/ .         http://www.FreeBSD.org/

From owner-freebsd-security@FreeBSD.ORG Mon Feb 2 17:03:50 2004
Date: Mon, 2 Feb 2004 17:03:48 -0800
From: Kris Kennaway
To: Cy Schubert
cc: freebsd-security@freebsd.org
Message-ID: <20040203010348.GA93989@xor.obsecurity.org>
References: <200401301607.i0UG7CIl082205@freefall.freebsd.org> <200402030029.i130Ts8F014698@cwsys.cwsent.com>
In-Reply-To: <200402030029.i130Ts8F014698@cwsys.cwsent.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:01.mksnap_ffs

On Mon, Feb 02, 2004 at 04:29:54PM -0800, Cy Schubert wrote:
> In message <200401301607.i0UG7CIl082205@freefall.freebsd.org>, FreeBSD
> Security
> Advisories writes:
> > Branch                                                           Revision
> >   Path
> > -------------------------------------------------------------------------
> > RELENG_5_1
> >   src/sbin/mksnap_ffs/mksnap_ffs.c                                 1.2.2.1
> >   src/sys/conf/newvers.sh                                        1.50.2.14
> > RELENG_5_2
> >   src/sbin/mksnap_ffs/mksnap_ffs.c                                 1.5.2.1
> >   src/sys/conf/newvers.sh                                         1.56.2.3
> > -------------------------------------------------------------------------
> 
> Would it be worth our while to list the revision in -CURRENT too (e.g. 1.7)?
> 
> Just a thought.

It's explicitly stated on the Security webpage that -CURRENT isn't
supported by security advisories.

Kris

From owner-freebsd-security@FreeBSD.ORG Wed Feb 4 04:04:05 2004
Date: Wed, 4 Feb 2004 15:03:08 +0300
From: Alex Povolotsky
To: freebsd-security@freebsd.org
Message-Id: <20040204150308.205fb0db.tarkhil@webmail.sub.ru>
References: <40016769.3030202@sitetronics.com>
Subject: Re: BSD-licensed IDS/IDP Software?
On Wed, 21 Jan 2004 23:42:05 +0100 (CET)
Krzysztof Zaraska wrote:

KZ> That one maybe:
KZ> 
KZ> http://www.icir.org/vern/bro.html

Isn't it dead? It is the same 0.8-without-doc as it has been 4 years
ago.

-- 
Alex.

From owner-freebsd-security@FreeBSD.ORG Wed Feb 4 18:58:44 2004
Date: Thu, 5 Feb 2004 10:58:30 +0800 (MYT)
From: Syahrul Sazli Shaharir
To: freebsd-security@freebsd.org
Message-ID: <20040205103946.W1640@localhost>
Subject: Status Check: CVE CAN-2004-0002

Hi,

Just want to ask about the status of this:-

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0002

From list archives I gather the fix is still under refinement (but
committed (and removed?) in HEAD and RELENG_5_2). One paranoid little
shop is running a public web server on RELENG_4_9, and contemplating
this patch:-

http://marc.theaimsgroup.com/?l=freebsd-cvs-all&m=107358506010148&w=2

Before I go ahead, any new developments on this?

Thanks.

--sazli
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x270BD43E
Key fingerprint: 47F4 6E37 48D2 5FF1 8C67 A14F D7B5 05F8 270B D43E

From owner-freebsd-security@FreeBSD.ORG Wed Feb 4 23:12:42 2004
Date: Thu, 5 Feb 2004 15:12:30 +0800
From: Xin LI
To: Syahrul Sazli Shaharir
Message-ID: <20040205071230.GA34699@frontfree.net>
References: <20040205103946.W1640@localhost>
Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb" Content-Disposition: inline In-Reply-To: <20040205103946.W1640@localhost> User-Agent: Mutt/1.4.1i X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0 X-GPG-Public-Key: http://www.delphij.net/delphij.asc X-Operating-System: FreeBSD beastie.frontfree.net 5.2-RELEASE FreeBSD 5.2-RELEASE #16: Sat Jan 10 15:24:09 CST 2004 delphij@beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386 X-URL: http://www.delphij.net X-By: delphij@beastie.frontfree.net X-Location: Beijing, China X-Virus-Scanned: by amavisd-new at frontfree.net cc: freebsd-security@freebsd.org Subject: Re: Status Check: CVE CAN-2004-0002 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Feb 2004 07:12:43 -0000 --VS++wcV0S1rZb1Fb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Feb 05, 2004 at 10:58:30AM +0800, Syahrul Sazli Shaharir wrote: > Just want to ask about the status of this:- > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0002 Some discuss took place about this issue. Unfortuanatelly, the commit seemed to generating some problem, and that delaied the MFC to -STABLE. This will be hopefully better resolved, and you may want to manually apply the -STABLE patch available here: http://www.nrg4u.com/freebsd/tcpminmss-4stable-20040107.diff In my test, the patch will mitigate MSS exhaustion attacks, but it also disrupt some normal operations, for example, if you ssh to a remote box and do mergemaster and the computer responds fast enough, the connection will be dropped, if you did not set the sysctl's properly. I am looking for some other mechanisms on mitigating this issue. 
You may want to consult andre@ for detailed information.

-- 
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.

From owner-freebsd-security@FreeBSD.ORG Wed Feb 4 23:33:25 2004
Date: Thu, 5 Feb 2004 08:33:21 +0100 (CET)
From: "Jimmy Scott"
To: freebsd-security@freebsd.org
Message-ID: <1085.195.95.26.125.1075966401.squirrel@webmail.boxke.be>
Subject: using libparanoia

Hi there,

I was looking for stack smashing protection under FreeBSD, so I found libparanoia
(/usr/ports/security/libparanoia). I had only one question: using the normal 'make install' (so no copy-to-libc), if I add in /etc/make.conf:

CFLAGS= -O -pipe -lparanoia -L/usr/local/lib
COPTFLAGS= -O -pipe -lparanoia -L/usr/local/lib

Will EVERYTHING built from that time (including kernel/userland/ports) be protected by libparanoia? If not, what will be? Because when using copy-to-libc I guess I have to reinstall the port every time I cvsup src-all, and I do not build ports on any production server and 'make package' does not include the copy-to-libc procedure.

Greetz,
Jimmy Scott

From owner-freebsd-security@FreeBSD.ORG Wed Feb 4 23:48:30 2004
Date: Wed, 04 Feb 2004 23:48:29 -0800
From: Vern Paxson
To: freebsd-security@freebsd.org
Message-Id: <200402050748.i157mTmO039516@jaguar.icir.org>
Subject: Re: BSD-licensed IDS/IDP Software?

(brought to my attention by colleagues, as I don't read this list)

> KZ> That one maybe:
> KZ>
> KZ> http://www.icir.org/vern/bro.html
>
> Isn't it dead? It is the same 0.8-without-doc as it has been 4 years ago.
Bro is far from dead, and is in fact gaining considerable momentum in a number of ways. The last release was Dec 16 2003, and the next one will be later this month.

As for "without-doc", there's a 160 page manual available at http://www.icir.org/vern/bro-manual/index.html and http://www.icir.org/vern/bro-manual/manual.ps , though it hasn't been updated in a while and a lot has been added :-(.

That said, I certainly admit that the lame web page referred to by KZ above doesn't help in conveying that Bro is alive & vital! There's a draft replacement page at http://www-nrg.ee.lbl.gov/bro.html, by the way.

Vern

From owner-freebsd-security@FreeBSD.ORG Wed Feb 4 23:53:59 2004
Date: Wed, 04 Feb 2004 23:53:57 -0800
From: Vern Paxson
To: freebsd-security@freebsd.org
Message-Id: <200402050753.i157rvmO040194@jaguar.icir.org>
Subject: Re: BSD-licensed IDS/IDP Software?

(resent having now subscribed)
From owner-freebsd-security@FreeBSD.ORG Thu Feb 5 03:01:55 2004
Date: Thu, 05 Feb 2004 12:01:46 +0100
From: des@des.no (Dag-Erling Smørgrav)
To: Syahrul Sazli Shaharir
References: <20040205103946.W1640@localhost>
In-Reply-To: <20040205103946.W1640@localhost> (Syahrul Sazli Shaharir's message of "Thu, 5 Feb 2004 10:58:30 +0800 (MYT)")
cc: freebsd-security@freebsd.org
Subject: Re: Status Check: CVE CAN-2004-0002

Syahrul Sazli Shaharir writes:
> Just want to ask about the status of this:-
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0002
>
> From list archives I gather the fix is still under refinement (but
> committed (and removed?) in HEAD and RELENG_5_2).

Not removed, just not enabled by default. They cause problems for legitimate applications (such as database servers and sshd) which generate large numbers of small packets.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Feb 5 08:54:46 2004
Date: Thu, 05 Feb 2004 08:54:43 -0800
From: Vern Paxson
To: "forge"
cc: freebsd-security@freebsd.org
Message-Id: <200402051654.i15GshmO053029@jaguar.icir.org>
In-reply-to: Your message of 05 Feb 2004 18:00:48 +0800.
Subject: Re: BSD-licensed IDS/IDP Software?
Dear "forge",

> I can't access http://www-nrg.ee.lbl.gov/bro.html.

What happens when you try? Is it possible you had a typo in the name? I just cut-and-paste from what you wrote above and it worked fine for me.

If you send the IP address you're coming from, I can check it against LBL's Bro logs (ironically :-) and see just what's happening to your session.

Vern

From owner-freebsd-security@FreeBSD.ORG Thu Feb 5 10:41:09 2004
Date: Thu, 5 Feb 2004 10:40:35 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Message-Id: <200402051840.i15IeZZM041253@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-04:02.shmat
=============================================================================
FreeBSD-SA-04:02.shmat                                      Security Advisory
                                                          The FreeBSD Project

Topic:          shmat reference counting bug

Category:       core
Module:         kernel
Announced:      2004-02-05
Credits:        Joost Pol
Affects:        All FreeBSD releases
Corrected:      2004-02-04 18:00:40 UTC (RELENG_4)
                2004-02-04 18:00:47 UTC (RELENG_5_2, 5.2-RELEASE-p2)
                2004-02-04 18:00:55 UTC (RELENG_5_1, 5.1-RELEASE-p14)
                2004-02-04 18:01:03 UTC (RELENG_5_0, 5.0-RELEASE-p20)
                2004-02-04 18:01:10 UTC (RELENG_4_9, 4.9-RELEASE-p2)
                2004-02-04 18:01:18 UTC (RELENG_4_8, 4.8-RELEASE-p15)
                2004-02-04 18:01:25 UTC (RELENG_4_7, 4.7-RELEASE-p25)
CVE Name:       CAN-2004-0114
FreeBSD only:   NO

I.   Background

The System V Shared Memory interface provides primitives for sharing memory segments between separate processes. FreeBSD supports this interface when the kernel is built with the SYSVSHM option, or the sysvshm module is loaded. By default, the FreeBSD kernel is built with the SYSVSHM option.

The shmat(2) system call, which is part of the System V Shared Memory interface, is used to attach a shared memory segment to the calling process's address space.

II.  Problem Description

A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented.

III. Impact

It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation.

IV.  Workaround

NOTE: These workarounds could cause applications that use shared memory, such as the X Window System, to exhibit erratic behavior or to fail completely.
Do one of the following:

1) Disable the System V Shared Memory interface entirely by following these steps:

  - Remove or comment out any lines mentioning `SYSVSHM' from your kernel configuration file, and recompile your kernel as described in .
  - Remove or comment out any lines mentioning `sysvshm' from /boot/loader.conf and /etc/rc.conf.
  - On FreeBSD 5.x systems only, System V Shared Memory support may be provided as a kld(4). To be absolutely safe, remove any files named `sysvshm.ko' in /modules, /boot, and any subdirectories.
  - Finally, reboot your system.

OR

2) Configure the System V Shared Memory parameters so that no new shared memory segments may be created, terminate all processes using shared memory, and delete all existing shared memory segments. Run the following commands as root:

  # sysctl -w kern.ipc.shmmax=0
  # echo 'kern.ipc.shmmax=0' >> /etc/sysctl.conf
  # ipcs | awk '/^m/ { print $2 }' | xargs -n 1 ipcrm -m

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2, RELENG_5_1, RELENG_4_9, or RELENG_4_8 security branch dated after the correction date.

NOTE WELL: Due to release engineering in progress at the time of this writing, the RELENG_5_2 security branch (5.2-RELEASE-p2) also includes numerous other critical bug fixes, most of which are not security related. Please read src/UPDATING for details on these changes.

OR

2) Patch your present system:

The following patch has been verified to apply to FreeBSD 4.x and 5.x systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch
  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch.asc

b) Apply the patch.

  # cd /usr/src
  # patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.
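Workaround 2 above pipes ipcs(1) output straight into ipcrm(1). The script below is an added example and is not part of the advisory; it separates listing the segments from removing them so the deletion list can be reviewed first, and it is exercised on a constructed sample of ipcs output rather than a live host. The function names and the sample are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-04:02.shmat: a reviewable form of the
# advisory's workaround 2 (block new segments, then delete existing ones).

# Print the id of every shared memory segment in ipcs(1) output read from
# stdin, one per line. Only rows whose type column is "m" (shared memory) are
# selected; message queue ("q") and semaphore ("s") rows and headers are not.
shm_ids() {
    awk '$1 == "m" { print $2 }'
}

# Print, without executing, the ipcrm(1) command for every segment on stdin,
# so the operator can inspect what the workaround would delete.
shm_removal_plan() {
    shm_ids | while read -r id; do
        printf 'ipcrm -m %s\n' "$id"
    done
}

# Constructed sample of FreeBSD ipcs(1) output (not captured from a real
# system), so the helpers can be run where no shared memory segments exist.
SAMPLE_IPCS='Message Queues:
T     ID     KEY        MODE       OWNER    GROUP

Shared Memory:
T     ID     KEY        MODE       OWNER    GROUP
m  65536          0 --rw-------     root    wheel
m 131073 1234567890 --rw-rw-rw-      www      www

Semaphores:
T     ID     KEY        MODE       OWNER    GROUP
s  65536          0 --rw-------     root    wheel'

# The workaround itself, to be run as root on an affected host only after every
# process using shared memory has been stopped. Step 1 forbids creation of new
# segments and persists that across reboots; step 2 removes the existing ones.
# Review `ipcs | shm_removal_plan` before calling this.
apply_shmat_workaround() {
    sysctl -w kern.ipc.shmmax=0
    grep -qx 'kern.ipc.shmmax=0' /etc/sysctl.conf 2>/dev/null \
        || echo 'kern.ipc.shmmax=0' >> /etc/sysctl.conf
    ipcs | shm_removal_plan | sh
}
```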
VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Path                                      Revision
  Branch
-------------------------------------------------------------------------
RELENG_4
  src/sys/kern/sysv_shm.c                 1.45.2.8
RELENG_5_2
  src/UPDATING                            1.282.2.5
  src/sys/conf/newvers.sh                 1.56.2.5
  src/sys/kern/sysv_shm.c                 1.89.2.1
RELENG_5_1
  src/UPDATING                            1.251.2.15
  src/sys/conf/newvers.sh                 1.50.2.15
  src/sys/kern/sysv_shm.c                 1.83.2.1
RELENG_5_0
  src/UPDATING                            1.229.2.26
  src/sys/conf/newvers.sh                 1.48.2.21
  src/sys/kern/sysv_shm.c                 1.74.2.1
RELENG_4_9
  src/UPDATING                            1.73.2.89.2.3
  src/sys/conf/newvers.sh                 1.44.2.32.2.3
  src/sys/kern/sysv_shm.c                 1.45.2.6.4.1
RELENG_4_8
  src/UPDATING                            1.73.2.80.2.18
  src/sys/conf/newvers.sh                 1.44.2.29.2.16
  src/sys/kern/sysv_shm.c                 1.45.2.6.2.1
RELENG_4_7
  src/UPDATING                            1.73.2.74.2.29
  src/sys/conf/newvers.sh                 1.44.2.26.2.27
  src/sys/kern/sysv_shm.c                 1.45.2.5.6.1
-------------------------------------------------------------------------

VII. References

From owner-freebsd-security@FreeBSD.ORG Thu Feb 5 11:15:30 2004
Date: Thu, 05 Feb 2004 19:13:37 +0000
From: Colin Percival
To: security@freebsd.org
Message-Id: <6.0.1.1.1.20040205190938.0326cad0@imap.sfu.ca>
In-Reply-To: <200402051840.i15IeZZM041253@freefall.freebsd.org>
References: <200402051840.i15IeZZM041253@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:02.shmat

At 18:40 05/02/2004, FreeBSD Security Advisories wrote:
>=============================================================================
>FreeBSD-SA-04:02.shmat                                      Security Advisory
>
>V.   Solution
>
>Do one of the following:
>
>1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
>RELENG_5_1, RELENG_4_9, or RELENG_4_8 security branch dated after the
>correction date.
>
>2) Patch your present system:
[...]
As usual, there is a third option here: I'm building binary security updates for the x86 platform and distributing them via the FreeBSD Update port (security/freebsd-update in the ports tree). For x86 systems running an official RELEASE plus security patches, this provides an easier update method than building from source.

To use these updates:

1) Install FreeBSD Update and copy the sample configuration file into place:
# cd /usr/ports/security/freebsd-update && make install clean
# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf

2) Fetch and install updates:
# /usr/local/sbin/freebsd-update fetch
# /usr/local/sbin/freebsd-update install

Note that if you have built your own kernel, the default behaviour of FreeBSD Update will leave it unmodified (ie, not updated to reflect this latest advisory). If you have the latest version of FreeBSD Update installed (version 1.5), then you can force any locally modified files (eg, the kernel) to be replaced with up-to-date GENERIC versions by using the --branch option.

For more details see http://www.daemonology.net/freebsd-update/ .

While I am a FreeBSD committer and member of the security team, these updates are something I'm providing personally; they are in no way endorsed by the Security Officer or the Project as a whole.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Thu Feb 5 12:09:49 2004
Date: Thu, 05 Feb 2004 20:08:00 +0000
From: Colin Percival
To: security@freebsd.org
Message-Id: <6.0.1.1.1.20040205195513.0325fc60@imap.sfu.ca>
In-Reply-To: <6.0.1.1.1.20040205190938.0326cad0@imap.sfu.ca>
References: <200402051840.i15IeZZM041253@freefall.freebsd.org> <6.0.1.1.1.20040205190938.0326cad0@imap.sfu.ca>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:02.shmat

At 19:13 05/02/2004, Colin Percival wrote:
>2) Fetch and install updates:
># /usr/local/sbin/freebsd-update fetch
># /usr/local/sbin/freebsd-update install

Something I forgot to mention here: For FreeBSD 5.2, FreeBSD Update is distributing only the security updates, and not the other fixes which have been merged onto the RELENG_5_2 branch; FreeBSD Update will distribute those fixes at a later date (and I'll post to -security and -current at the time.)
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Thu Feb 5 13:28:20 2004
Date: Thu, 05 Feb 2004 22:27:59 +0100
From: des@des.no (Dag-Erling Smørgrav)
To: "Jimmy Scott"
cc: freebsd-security@freebsd.org
References: <1085.195.95.26.125.1075966401.squirrel@webmail.boxke.be>
In-Reply-To: <1085.195.95.26.125.1075966401.squirrel@webmail.boxke.be> (Jimmy Scott's message of "Thu, 5 Feb 2004 08:33:21 +0100 (CET)")
Subject: Re: using libparanoia

"Jimmy Scott" writes:
> If I add in /etc/make.conf:
> CFLAGS= -O -pipe -lparanoia -L/usr/local/lib
> COPTFLAGS= -O -pipe -lparanoia -L/usr/local/lib
>
> Will
EVERYTHING built from that time (including kernel/userland/ports)
> be protected by libparanoia? If not, what will be?

Nothing. If you put -lparanoia in CFLAGS it will be too early on the command line to have any effect.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Feb 5 15:41:46 2004
Date: Thu, 05 Feb 2004 16:40:11 -0700
From: Brett Glass
To: Colin Percival , security@freebsd.org
Message-Id: <6.0.0.22.2.20040205163923.0568f898@localhost>
In-Reply-To: <6.0.1.1.1.20040205190938.0326cad0@imap.sfu.ca>
References: <200402051840.i15IeZZM041253@freefall.freebsd.org> <6.0.1.1.1.20040205190938.0326cad0@imap.sfu.ca>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:02.shmat

At 12:13 PM 2/5/2004, Colin Percival wrote:
> As usual, there is a third option here: I'm building binary
>security updates for the x86 platform and distributing them via
>the FreeBSD Update port (security/freebsd-update in the ports
>tree).

Do you also update the kernel sources, so that those with custom kernels will get the fix when they recompile their kernels? If not, you should.
--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 02:15:01 2004
Date: Fri, 6 Feb 2004 13:17:06 +0300
From: freebsd@tern.ru
Reply-To: Alex
To: freebsd-security@freebsd.org
Message-ID: <614479869.20040206131706@tern.ru>
Subject: ipfw question

Dear All.

I want to use 'not' for 2 addresses (for both) in an ipfw2 rule. The only way that looks like what I need is

# ipfw add count from IP1 to not IP2,IP3

But does this rule indeed do what I want? Does it count all packets destined to addresses other than IP2 AND IP3?!
No other syntax works. For example, the more logically correct

not IP2 and not IP3

or even

not { IP2 or IP3 }

are understood by ipfw2; the man page does not contain a good description of this.

Can somebody clear this up for me?

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 02:21:51 2004
Date: Fri, 06 Feb 2004 08:21:55 -0200
From: Danilo Castro
To: freebsd-security@freebsd.org
Message-ID: <40236AC3.3020402@ps5.com.br>
Subject: ARP

er....

How to block ARP packages?
[]s

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 02:24:52 2004
Date: Fri, 6 Feb 2004 11:25:06 +0100
From: "Remko Lodder"
To: "Freebsd-Security@Freebsd. Org"
Message-Id: <20040206102444.980562B4D7C@mail.evilcoder.org>
Subject: FW: [Freebsd-security] ARP

for the list.

-- 
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

-----Original Message-----
From: Remko Lodder [mailto:remko@elvandar.org]
Sent: Friday, 6 February 2004 11:24
To: Danilo Castro
Subject: RE: [Freebsd-security] ARP

ifconfig -arp ?

This stops spreading ARP requests on the interface; how to block it in filtering software, I don't know.

cheers

-- 
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

-----Original Message-----
From: freebsd-security-bounces@lists.elvandar.org [mailto:freebsd-security-bounces@lists.elvandar.org] On behalf of Danilo Castro
Sent: Friday, 6 February 2004 11:22
To: freebsd-security@freebsd.org
Subject: [Freebsd-security] ARP

er....
How to block Arp PAckages? []s _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ Freebsd-security mailing list Freebsd-security@lists.elvandar.org http://lists.elvandar.org/mailman/listinfo/freebsd-security From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 02:32:07 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A950F16A4CE for ; Fri, 6 Feb 2004 02:32:07 -0800 (PST) Received: from web14103.mail.yahoo.com (web14103.mail.yahoo.com [216.136.172.133]) by mx1.FreeBSD.org (Postfix) with SMTP id 1588E43D1D for ; Fri, 6 Feb 2004 02:32:07 -0800 (PST) (envelope-from cguttesen@yahoo.dk) Message-ID: <20040206103206.68535.qmail@web14103.mail.yahoo.com> Received: from [194.248.174.58] by web14103.mail.yahoo.com via HTTP; Fri, 06 Feb 2004 11:32:06 CET Date: Fri, 6 Feb 2004 11:32:06 +0100 (CET) From: =?iso-8859-1?q?Claus=20Guttesen?= To: Danilo Castro , freebsd-security@freebsd.org In-Reply-To: <40236AC3.3020402@ps5.com.br> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: ARP X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2004 10:32:07 -0000 > How to block Arp PAckages? >From getting in or getting out? If you want to avoid arp from your own NIC you can use the -arp option (ifconfig(8)). ifconfig_xyz="inet a.b.c.d netmask a.b.c.d -arp in /etc/rc.conf. regards Claus Yahoo! 
Mail (http://dk.mail.yahoo.com) - Gratis: 6 MB lagerplads, spamfilter og virusscan From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 02:36:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6533E16A4CE for ; Fri, 6 Feb 2004 02:36:56 -0800 (PST) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 9012743D46 for ; Fri, 6 Feb 2004 02:36:52 -0800 (PST) (envelope-from roam@ringlet.net) Received: (qmail 22842 invoked from network); 6 Feb 2004 10:36:09 -0000 Received: from office.casyst.com (HELO straylight.m.ringlet.net) (212.91.166.145) by gandalf.online.bg with SMTP; 6 Feb 2004 10:36:09 -0000 Received: (qmail 76970 invoked by uid 1000); 6 Feb 2004 10:38:34 -0000 Date: Fri, 6 Feb 2004 12:38:33 +0200 From: Peter Pentchev To: Alex Message-ID: <20040206103833.GD4848@straylight.m.ringlet.net> Mail-Followup-To: Alex , freebsd-security@freebsd.org References: <614479869.20040206131706@tern.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="hOcCNbCCxyk/YU74" Content-Disposition: inline In-Reply-To: <614479869.20040206131706@tern.ru> User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: ipfw question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2004 10:36:56 -0000 --hOcCNbCCxyk/YU74 Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Feb 06, 2004 at 01:17:06PM +0300, freebsd@tern.ru wrote: > Dear All. >=20 > I want to use 'not' for 2 addresses (for both) in ipfw2 rule. 
> The only way that looks like what I need is
>
> # ipfw add count from IP1 to not IP2,IP3
>
> But does this rule indeed do what I want? Does it count all
> packets destined to addresses other than IP2 AND IP3?!
>
> No other syntax works.
> For example more logically correct
> not IP2 AND not IP3
> or even
> not { IP2 or IP3 }
> are understood by ipfw2

Could you try

    ipfw add count from IP1 to not { IP2,IP3 }

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I had finished this sentence,

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 02:44:15 2004
From: freebsd@tern.ru
Reply-To: Alex
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
Date: Fri, 6 Feb 2004 13:46:18 +0300
Message-ID: <1424875954.20040206134618@tern.ru>
In-Reply-To: <20040206103833.GD4848@straylight.m.ringlet.net>
Subject: Re[2]: ipfw question

Dear Peter

Definitely I tried it already before writing to the group. It does not work. Here is the exact error message for this try:

    ipfw: hostname ``'' unknown

PP> On Fri, Feb 06, 2004 at 01:17:06PM +0300, freebsd@tern.ru wrote:
PP> Could you try
PP> ipfw add count from IP1 to not { IP2,IP3 }
PP> G'luck,
PP> Peter

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 05:28:31 2004
Date: Fri, 6 Feb 2004 14:33:32 +0100
From: db
To: security@freebsd.org
Message-Id: <20040206143332.35c40887@main.trunet.dk>
Subject: Re: Lockdown ready for testing

Hi again

48 downloads (about 23 via the port) and 235 hits, but 0 replies regarding lockdown. So just one quick request: if anyone here would want to use lockdown, please write me a private mail saying you do.... because if I'm the only user of lockdown, I wouldn't spend time and energy distributing it.

br
db (lockdown.trunet.dk)

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 06:55:09 2004
From: "Gogh, Ruben van"
To: "'freebsd-security@freebsd.org'"
Date: Fri, 6 Feb 2004 15:55:00 +0100
Message-ID: <0FDD52D38220D611B7CC0004763B3744F80821@HNTS-04>
Subject: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

Hey Guys,

today I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to default accept in my kernel config file. Config & make weren't complaining so, installed the kernel, reboot and there it was:

> IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Another rebuild didn't work out so... I reviewed /usr/src/UPDATING but there's no such thing as dropping IPFIREWALL_DEFAULT_TO_ACCEPT.

So, is this a true bug or what?

Regards,

Ruben
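To make the two ipfw points in this archive concrete, the `to not IP2,IP3` question in the ipfw thread above and the default rule 65535 behind Ruben's "default to deny" boot line, here is a small model of ipfw rule evaluation, added as an example and not ipfw's own code nor any poster's. It assumes that a comma-separated address list matches any of its members, that `not` inverts the whole list and that `count` never terminates (confirm those readings against ipfw(8) for your release); the addresses are RFC 5737 documentation values.

```python
"""Tiny model of ipfw first-match rule evaluation (example code, not ipfw).

Assumptions: a comma list matches any member, ``not`` inverts the whole
list, ``count`` is non-terminating, and only rules of the form
``<num> <action> ip from <addrs> to <addrs>`` are understood.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AddrSpec:
    nets: list            # empty list stands for "any"
    negate: bool = False  # True when the spec was written "not ..."

    def matches(self, addr: str) -> bool:
        a = ip_address(addr)
        hit = not self.nets or any(a in n for n in self.nets)  # the list is an OR
        return hit != self.negate                              # "not" flips the whole list


def parse_addr(words):
    """['not', '192.0.2.2,192.0.2.3'] or ['any'] -> AddrSpec."""
    negate = words[0] == 'not'
    if negate:
        words = words[1:]
    if words[0] == 'any':
        return AddrSpec([], negate)
    return AddrSpec([ip_network(w, strict=False) for w in words[0].split(',')], negate)


@dataclass
class Rule:
    number: int
    action: str   # allow | deny | count
    src: AddrSpec
    dst: AddrSpec


def parse_rule(text: str) -> Rule:
    """'100 count ip from 192.0.2.1 to not 192.0.2.2,192.0.2.3' -> Rule."""
    w = text.split()
    if w[2:4] != ['ip', 'from'] or 'to' not in w:
        raise ValueError(f'unsupported rule: {text}')
    to = w.index('to')
    return Rule(int(w[0]), w[1], parse_addr(w[4:to]), parse_addr(w[to + 1:]))


def evaluate(rules, src, dst):
    """Walk rules in number order; return (verdict, [count rules that fired])."""
    counted = []
    for r in sorted(rules, key=lambda r: r.number):
        if r.src.matches(src) and r.dst.matches(dst):
            if r.action == 'count':
                counted.append(r.number)   # count never terminates evaluation
                continue
            return r.action, counted       # first allow/deny match wins
    raise ValueError('no default rule 65535 in ruleset')


def boot_message_policy(dmesg_line: str):
    """'deny' or 'accept' from the kernel's "IP packet filtering initialized" line."""
    m = re.search(r'IP packet filtering initialized.*default to (deny|accept)', dmesg_line)
    return m.group(1) if m else None


# Constructed ruleset: IP1=192.0.2.1, IP2=192.0.2.2, IP3=192.0.2.3 (RFC 5737).
COUNT_RULE = '100 count ip from 192.0.2.1 to not 192.0.2.2,192.0.2.3'
DENY_SET = [parse_rule(COUNT_RULE), parse_rule('65535 deny ip from any to any')]
ACCEPT_SET = [parse_rule(COUNT_RULE), parse_rule('65535 allow ip from any to any')]

if __name__ == '__main__':
    for dst in ('192.0.2.2', '192.0.2.3', '192.0.2.9'):
        print(dst, evaluate(DENY_SET, '192.0.2.1', dst), evaluate(ACCEPT_SET, '192.0.2.1', dst))
    print(boot_message_policy('IP packet filtering initialized, divert disabled, '
                              'rule-based forwarding enabled, default to deny, logging disabled'))
```

Under these assumptions rule 100 fires only when the destination is neither IP2 nor IP3, and every packet's verdict is then whatever rule 65535 says, which is what the "default to deny" boot message reports.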
From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 06:57:00 2004
From: "Gogh, Ruben van"
To: "'freebsd-security@freebsd.org'"
Date: Fri, 6 Feb 2004 15:56:38 +0100
Message-ID: <0FDD52D38220D611B7CC0004763B3744F80822@HNTS-04>
Subject: FW: Out of Office AutoReply: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

Sigh?

_____
From: Sorisio, Chris [mailto:ChrisSorisio@PeakTechnical.com]
Sent: Friday 6 February 2004 15:56
To: Gogh, Ruben van
Subject: Out of Office AutoReply: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

I will be out of the office until February 9th, 2004. Please contact Paul DeFloria at 412.825.4772 if you require an immediate response.

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 07:06:25 2004
From: "Devon H. O'Dell"
To: "Gogh, Ruben van"
Cc: "'freebsd-security@freebsd.org'"
Date: Fri, 06 Feb 2004 16:04:50 +0100
Message-ID: <4023AD12.6070106@sitetronics.com>
In-Reply-To: <0FDD52D38220D611B7CC0004763B3744F80821@HNTS-04>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

Gogh, Ruben van wrote:
> Hey Guys,
>
> today I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to default
> accept in my kernel config file.
> Config & make weren't complaining so, installed the kernel, reboot and there
> it was:
>
>> IP packet filtering initialized, divert disabled, rule-based forwarding
>> enabled, default to deny, logging disabled
>
> Another rebuild didn't work out so... I reviewed /usr/src/UPDATING but
> there's no such thing as dropping IPFIREWALL_DEFAULT_TO_ACCEPT.
>
> So, is this a true bug or what?
>
> Regards,
>
> Ruben

I'm not sure what to make of this as IPFIREWALL_DEFAULT_TO_ACCEPT works fine for me in 4.8, 4.9, 5.1 and 5.2. Are you sure you compiled with the correct kernel configuration (and installed as well)?

Additionally, you might like to look into setting firewall_enable="YES" and firewall_type="open" in rc.conf.

Kind regards,
Devon H. O'Dell

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 09:46:20 2004
From: Brett Glass
To: "Devon H. O'Dell", "Gogh, Ruben van"
Cc: "'freebsd-security@freebsd.org'"
Date: Fri, 06 Feb 2004 10:46:01 -0700
Message-Id: <6.0.0.22.2.20040206104336.0587c5a0@localhost>
In-Reply-To: <4023AD12.6070106@sitetronics.com>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

At 08:04 AM 2/6/2004, Devon H. O'Dell wrote:
> I'm not sure what to make of this as IPFIREWALL_DEFAULT_TO_ACCEPT works
> fine for me in 4.8, 4.9, 5.1 and 5.2. Are you sure you compiled with the
> correct kernel configuration (and installed as well)?

I've noticed that, in 4.9-RELEASE (and probably in -STABLE too), making even minor changes to your kernel configuration often requires

    make clean; make depend; make; make install

to work. If you leave out the "make clean" or "make depend", modifications to your configuration sometimes don't take effect, depending upon what you changed.

This may be an indication that something about the dependency mechanisms or makefiles isn't quite right.
--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 11:46:11 2004
From: Peter Pentchev
To: Brett Glass
Cc: "'freebsd-security@freebsd.org'", "Gogh, Ruben van"
Date: Fri, 6 Feb 2004 21:48:00 +0200
Message-ID: <20040206194800.GG724@straylight.m.ringlet.net>
In-Reply-To: <6.0.0.22.2.20040206104336.0587c5a0@localhost>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

On Fri, Feb 06, 2004 at 10:46:01AM -0700, Brett Glass wrote:
> At 08:04 AM 2/6/2004, Devon H. O'Dell wrote:
>
> >I'm not sure what to make of this as IPFIREWALL_DEFAULT_TO_ACCEPT works
> >fine for me in 4.8, 4.9, 5.1 and 5.2. Are you sure you compiled with the
> >correct kernel configuration (and installed as well)?
>
> I've noticed that, in 4.9-RELEASE (and probably in -STABLE too), making
> even minor changes to your kernel configuration often requires
>
> make clean; make depend; make; make install
>
> to work. If you leave out the "make clean" or "make depend",
> modifications to your configuration sometimes don't take effect,
> depending upon what you changed.
>
> This may be an indication that something about the dependency mechanisms
> or makefiles isn't quite right.

Usually, just 'make depend', or simply using the 'buildkernel' target in /usr/src, ought to be enough...

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
because I didn't think of a good beginning of it.

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 12:16:29 2004
From: Matt Piechota
To: Brett Glass
Cc: "'freebsd-security@freebsd.org'", "Gogh, Ruben van"
Date: Fri, 6 Feb 2004 15:16:05 -0500 (EST)
Message-ID: <20040206151109.S921@cithaeron.argolis.org>
In-Reply-To: <6.0.0.22.2.20040206104336.0587c5a0@localhost>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
On Fri, 6 Feb 2004, Brett Glass wrote:
> I've noticed that, in 4.9-RELEASE (and probably in -STABLE too), making
> even minor changes to your kernel configuration often requires
>
> make clean; make depend; make; make install
>
> to work. If you leave out the "make clean" or "make depend",
> modifications to your configuration sometimes don't take effect,
> depending upon what you changed.

Aren't you supposed to run 'config' on your kernel conf when you modify it? That's what the handbook says, after all. :)

--
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 12:22:31 2004
From: Nigel Houghton
To: Matt Piechota
Cc: "'freebsd-security@freebsd.org'", "Gogh, Ruben van"
Date: Fri, 6 Feb 2004 15:19:46 -0500 (EST)
In-Reply-To: <20040206151109.S921@cithaeron.argolis.org>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
Around 3:16pm Matt Piechota said:

MP :On Fri, 6 Feb 2004, Brett Glass wrote:
MP :
MP :> I've noticed that, in 4.9-RELEASE (and probably in -STABLE too), making
MP :> even minor changes to your kernel configuration often requires
MP :>
MP :> make clean; make depend; make; make install
MP :>
MP :> to work. If you leave out the "make clean" or "make depend",
MP :> modifications to your configuration sometimes don't take effect,
MP :> depending upon what you changed.
MP :
MP :Aren't you supposed to run 'config' on your kernel conf when you modify it?
MP :That's what the handbook says, after all. :)

It does? All these issues are covered in the handbook, it's a good resource.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

Now we're way off topic for this list, nothing to see here, move along.

-----------------------------------------------------------------------
Nigel Houghton
Security Research Engineer
Sourcefire Inc.
Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank, seniority will be granted to whichever officer can program a vcr."

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 12:28:46 2004
From: Brett Glass
To: Matt Piechota
Cc: "'freebsd-security@freebsd.org'", "Gogh, Ruben van"
Date: Fri, 06 Feb 2004 13:28:03 -0700
Message-Id: <6.0.0.22.2.20040206132723.058bf848@localhost>
In-Reply-To: <20040206151109.S921@cithaeron.argolis.org>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

At 01:16 PM 2/6/2004, Matt Piechota wrote:
> Aren't you supposed to run 'config' on your kernel conf when you modify it?

Of course. After which you change directories and actually do the build. (Why this isn't automatic, I don't know.)
--Brett

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 13:23:14 2004
From: Blaine Kahle
To: Brett Glass
Cc: "'freebsd-security@freebsd.org'", "Gogh, Ruben van"
Date: Fri, 6 Feb 2004 15:23:10 -0600
Message-ID: <20040206212310.GJ94075@binary.net>
In-Reply-To: <6.0.0.22.2.20040206132723.058bf848@localhost>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny

On Fri, Feb 06, 2004 at 01:28:03PM -0700, Brett Glass wrote:
> At 01:16 PM 2/6/2004, Matt Piechota wrote:
>
> >Aren't you supposed to run 'config' on your kernel conf when you modify it?
>
> Of course. After which you change directories and actually do the
> build. (Why this isn't automatic, I don't know.)

Because that's the "old" way of doing it. The "new" way (buildkernel, installkernel) has been around for some time (4.2 at the least).

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

--
Blaine Kahle
blaine@binary.net
0x178AA0E0

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 22:29:30 2004
From: "Spades"
Date: Sat, 7 Feb 2004 14:29:24 +0800
Message-ID: <051801c3ed43$bad1f6e0$fa10fea9@bryanuptrvb0jc>
Subject: Re: IPFIREWALL

Heya, lately my FreeBSD connection is being slowed down after it got DDoSed by some kiddies, and I got this feeling it is still being packetted in small amounts because I can feel a constant lag. I have ipfw running and denied all ICMP. Any idea how I can secure my box against all DDoS and prevent SYN or other kinds of floods? Any way to monitor packets as well?

Thanks & regards.

From owner-freebsd-security@FreeBSD.ORG Fri Feb 6 23:50:24 2004
From: jhernandez@progrexive.com
Date: Sat, 7 Feb 2004 01:59:14 -0400
Message-ID: <1076133554.40247eb21c430@webmail.icenetworks.com>
In-Reply-To: <20040206212310.GJ94075@binary.net>
Subject: SYN Attacks - how i cant stop it
2004 07:50:24 -0000 How i cant stop the SYN and Port Scanner Attacks. I have a attacks all nights. Check this. Feb 6 11:54:24 TCP: port scan detected [port 6667] from 212.165.80.117 [ports 63432,63453,63466,63499,63522,...] Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 - received a total of 38 packets (1064 bytes). Feb 6 12:02:33 ICMP: ping flood mode expired for 65.23.218.180 - received a total of 562 packets (22480 bytes). Feb 6 12:09:51 TCP: port scan detected [port 6667] from 200.37.75.236 [ports 3192,3247,3309,3362,3421,...] Feb 6 12:11:21 TCP: port scan detected [port 6667] from 80.139.185.241 [ports 3114,3514,3960,4360,4795,...] Feb 6 12:12:17 TCP: port scan mode expired for 200.37.75.236 - received a total of 27 packets (756 bytes). Feb 6 12:19:47 TCP: port scan detected [port 6667] from 80.15.16.77 [ports 3048,3471,3819,4259,4648,...] Feb 6 12:23:58 TCP: port scan detected [port 6667] from 213.6.123.252 [ports 3129,3947,4690,3577,4343,...] Feb 6 12:25:52 TCP: port scan mode expired for 80.15.16.77 - received a total of 60 packets (1680 bytes). Feb 6 12:31:54 TCP: port scan detected [port 6667] from 212.165.80.117 [ports 61345,61356,61370,61386,61408,...] Feb 6 12:32:04 TCP: port scan detected [port 6667] from 213.6.125.34 [ports 1157,1509,1928,2294,2741,...] Feb 6 12:33:39 TCP: port scan detected [port 6667] from 200.81.81.174 [ports 4917,4918,4927,4931,4935,...] Feb 6 12:34:22 TCP: port scan mode expired for 212.165.80.117 - received a total of 26 packets (728 bytes). Feb 6 12:34:44 TCP: port scan mode expired for 200.81.81.174 - received a total of 16 packets (448 bytes). Feb 6 12:42:00 TCP: port scan mode expired for 213.6.125.34 - received a total of 93 packets (2604 bytes). Feb 6 12:44:45 TCP: port scan mode expired for 213.6.123.252 - received a total of 186 packets (5208 bytes). Feb 6 12:45:22 TCP: port scan detected [port 6667] from 200.106.106.207 [ports 18072,18091,18113,18157,18172,...] 
Feb 6 12:49:16 TCP: port scan detected [port 6667] from 200.49.217.132 [ports 4124,4143,4157,4174,4198,...] Feb 6 12:53:29 TCP: port scan mode expired for 80.139.185.241 - received a total of 369 packets (11808 bytes). Feb 6 13:00:16 TCP: port scan detected [port 9999] from 204.117.88.37 [ports 4568,4571,4572,4573,4574,...] Feb 6 13:01:29 TCP: port scan mode expired for 204.117.88.37 - received a total of 352 packets (9856 bytes). Feb 6 13:01:52 TCP: port scan detected [port 9999] from 204.117.88.43 [ports 4883,4885,4886,4887,4888,...] Feb 6 13:02:54 TCP: port scan mode expired for 204.117.88.43 - received a total of 261 packets (7308 bytes). Feb 6 13:04:56 TCP: port scan mode expired for 200.49.217.132 - received a total of 125 packets (3500 bytes). Feb 6 13:16:37 TCP: port scan mode expired for 200.106.106.207 - received a total of 243 packets (6804 bytes). Feb 6 13:26:16 TCP: port scan detected [port 6667] from 200.81.85.232 [ports 1077,1078,1080,1081] Feb 6 13:27:16 TCP: port scan mode expired for 200.81.85.232 - received a total of 16 packets (448 bytes). Feb 6 13:28:11 TCP: port scan detected [port 6667] from 80.38.110.228 [ports 1040,1494,1901,2310,2695,...] Feb 6 13:33:00 TCP: SYN scan mode expired for pD952BE7F.dip.t-dialin.net (217.82.190.127) - received a total of 1073 packets Feb 6 13:33:17 TCP: port scan mode expired for ANancy-106-1-4-183.w81-248.abo.wanadoo.fr (81.248.192.183) - received a total Feb 6 13:35:33 TCP: port scan mode expired for host231-253.pool8175.interbusiness.it (81.75.253.231) - received a total of 25 Feb 6 13:44:25 ICMP: ping flood mode expired for 210.92.221.49 - received a total of 468 packets (30657744 bytes). Feb 6 13:46:13 TCP: port scan detected [port 6667] from A7b25.a.pppool.de (213.6.123.37) [ports 3485,3573,3763,4159,4297,...] 
Feb 6 13:54:26 TCP: port scan detected [port 6667] from host231-253.pool8175.interbusiness.it (81.75.253.231) [ports 1070,352 Feb 6 14:35:56 TCP: port scan mode expired for host231-253.pool8175.interbusiness.it (81.75.253.231) - received a total of 12 Feb 6 14:46:39 TCP: port scan mode expired for 228.Red-80-38-110.pooles.rima-tde.net (80.38.110.228) - received a total of 18 Feb 6 14:50:45 TCP: port scan detected [port 6667] from A7c22.a.pppool.de (213.6.124.34) [ports 3326,3553,3604,3791,3846,...] Feb 6 14:56:25 ICMP: ping flood detected from 210.92.221.49 Regards, Jean ------------------------------------------------- This mail sent through ICENetworks.com: http://www.icenetworks.com From owner-freebsd-security@FreeBSD.ORG Sat Feb 7 00:55:45 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B96D916A4CE for ; Sat, 7 Feb 2004 00:55:45 -0800 (PST) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 9A9AD43D54 for ; Sat, 7 Feb 2004 00:55:44 -0800 (PST) (envelope-from roam@straylight.m.ringlet.net) Received: (qmail 588 invoked from network); 6 Feb 2004 11:08:26 -0000 Received: from office.casyst.com (HELO straylight.m.ringlet.net) (212.91.166.145) by gandalf.online.bg with SMTP; 6 Feb 2004 11:08:26 -0000 Received: (qmail 1750 invoked by uid 1000); 6 Feb 2004 11:10:51 -0000 Date: Fri, 6 Feb 2004 13:10:51 +0200 From: Peter Pentchev To: Alex Message-ID: <20040206111051.GB724@straylight.m.ringlet.net> Mail-Followup-To: Alex , freebsd-security@freebsd.org References: <614479869.20040206131706@tern.ru> <20040206103833.GD4848@straylight.m.ringlet.net> <1424875954.20040206134618@tern.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="hHWLQfXTYDoKhP50" Content-Disposition: inline In-Reply-To: <1424875954.20040206134618@tern.ru> 
User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: ipfw question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Feb 2004 08:55:45 -0000 --hHWLQfXTYDoKhP50 Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Feb 06, 2004 at 01:46:18PM +0300, freebsd@tern.ru wrote: [actually, I wrote] > PP> Could you try > PP> ipfw add count from IP1 to not { IP2,IP3 } >=20 > Definitely I tried it already before writing to group. It does not > work. > Here is the exact error message for this try: > ipfw: hostname ``'' unknown Er, sorry, my mistake; could you try 'not to' instead of 'to not'? :) G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Nostalgia ain't what it used to be. 
--hHWLQfXTYDoKhP50 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAI3Y77Ri2jRYZRVMRArNXAJsH6NlOpYjjQJSQ1XrpoJljHhc8pgCgxHIu oejZ6gtFKi0vCVEj5wgzLRk= =L+K+ -----END PGP SIGNATURE----- --hHWLQfXTYDoKhP50-- From owner-freebsd-security@FreeBSD.ORG Sat Feb 7 01:55:05 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4DE9D16A4CE for ; Sat, 7 Feb 2004 01:55:05 -0800 (PST) Received: from mailbox.wingercom.dk (mailbox.wingercom.dk [81.19.240.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2108543D2F for ; Sat, 7 Feb 2004 01:55:05 -0800 (PST) (envelope-from per@xterm.dk) Received: from mailbox.wingercom.dk (localhost [127.0.0.1]) by mailbox.wingercom.dk (Postfix) with SMTP id 3119C93212; Sat, 7 Feb 2004 10:58:49 +0100 (CET) Received: from 62.242.151.142 (SquirrelMail authenticated user per) by mailbox.wingercom.dk with HTTP; Sat, 7 Feb 2004 10:58:49 +0100 (CET) Message-ID: <32969.62.242.151.142.1076147929.squirrel@mailbox.wingercom.dk> Date: Sat, 7 Feb 2004 10:58:49 +0100 (CET) From: "Per Engelbrecht" To: In-Reply-To: <1076133554.40247eb21c430@webmail.icenetworks.com> References: <1076133554.40247eb21c430@webmail.icenetworks.com> X-Mailer: SquirrelMail (version 1.2.5) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit cc: freebsd-security@freebsd.org Subject: Re: SYN Attacks - how i cant stop it X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Feb 2004 09:55:05 -0000 Hi, > all nights. Check this. > > Feb 6 11:54:24 TCP: port scan detected [port 6667] from > 212.165.80.117 [ports 63432,63453,63466,63499,63522,...] 
> Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 - It's hard to get rid of shit-heads like this - I'm talking about the person doing this attac, that is. You send a looong output of a log, but no info on your system or any adjustments you have made (or not made) on your system i.e. kernel (options), sysctl (tweaks) and ipfw (rules). If the problem is out-of-bandwith (and your system already has been optimized) then the only real solution is more 'pipe' a.k.a the Microsoft-solution. So fare I've only been guessing, but here is what I normally do with my setup. I'm not telling you that this is the solution! just adwises! Kernel; options SC_DISABLE_REBOOT options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=100 options IPDIVERT options IPFILTER options IPFILTER_LOG options IPSTEALTH (don't touch the ttl/can't see the wall) options TCP_DROP_SYNFIN (drop tcp packet with syn+fin/scanner) options RANDOM_IP_ID (hard to do calculate ip frekv. number) options DUMMYNET (e.g. 40% for web, 30% for mail and so on) options DEVICE_POLLING (can't do this short and not with SMP) options HZ=1000 (can't do this short and not with SMP) Sysctl; kern.ipc.somaxconn=1024 #this is set high! kern.ipc.nmbclusters=65536 #this is set high! kern.polling.enable=1 #remember kernel options kern.polling.user_frac=50>90 #remember kernel options net.xorp.polling=1 net.xorp.poll_burst=10 net.xorp.poll_in_trap=3 (if you use dynamic rules in ipfw [stateful] you can tweak this) net.inet.ip.fw.dyn_ack_lifetime=200 #shorte timeout on connection net.inet.ip.fw.dyn_syn_lifetime=20 net.inet.ip.fw.dyn_fin_lifetime=20 net.inet.ip.fw.dyn_rst_lifetime=5 net.inet.ip.fw.dyn_short_lifetime=10 #longer timeout for e.g. icmp net.inet.ip.fw.dyn_max=1500 #higher number of dynamic rules net.inet.ip.fw.dyn_count: #count of number of dynamic rules ipfw; There's a zillion ways to set it up. start with a few rules regarding lo0 and icmp. 
Then use stateful inspection and dynamic rules for the rest of the wall. ... and by the way, I could see that a few of the scan came from RIPE ranges. Do some digging and report it! Even if the boxes are use without the owners awareness, you can [we all can] bring this part to an end. respectfully /per per@xterm.dk From owner-freebsd-security@FreeBSD.ORG Sat Feb 7 02:56:44 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EA2816A4CE for ; Sat, 7 Feb 2004 02:56:44 -0800 (PST) Received: from mars.powweb.com (mars.powweb.com [66.152.97.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8922943D1D for ; Sat, 7 Feb 2004 02:56:44 -0800 (PST) (envelope-from mikhailg@webanoide.org) Received: from www.webanoide.org (localhost [127.0.0.1]) by mars.powweb.com (Postfix) with SMTP id 60BC82B8D8; Sat, 7 Feb 2004 02:56:45 -0800 (PST) Received: from 203.220.118.239 (SquirrelMail authenticated user mikhailg) by www.webanoide.org with HTTP; Sat, 7 Feb 2004 21:56:45 +1100 (EST) Message-ID: <3442.203.220.118.239.1076151405.squirrel@www.webanoide.org> In-Reply-To: <1076133554.40247eb21c430@webmail.icenetworks.com> References: <0FDD52D38220D611B7CC0004763B3744F80821@HNTS-04><4023AD12.6070106@sitetronics.com><6.0.0.22.2.20040206104336.0587c5a0@localhost><20040206151109.S921@cithaeron.argolis.org><6.0.0.22.2.20040206132723.058bf848@localhost><20040206212310.GJ94075@binary.net> <1076133554.40247eb21c430@webmail.icenetworks.com> Date: Sat, 7 Feb 2004 21:56:45 +1100 (EST) From: "Mikhail Goriachev" To: jhernandez@progrexive.com User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit cc: freebsd-security@freebsd.org Subject: Re: SYN Attacks - how i cant stop it X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: 
, List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Feb 2004 10:56:44 -0000 > How i cant stop the SYN and Port Scanner Attacks. I have a attacks all > nights. > Check this. I get this phenomena from time to time too... I reckon some kiddies are trying to get in by scanning ports. > Feb 6 13:33:17 TCP: port scan mode expired for > ANancy-106-1-4-183.w81-248.abo.wanadoo.fr (81.248.192.183) - received a > total Now this wanadoo.fr looks familiar. Couple of months ago a friend of mine detected way too much activity on his FTP server which wasn't secured (just a default installation). He later found that someone (through wanadoo.fr) was using his FTP server as a WAREZ storage by creating a folder with " " name (just an empty space so you couldn't see it by having a quick look using 'ls'). Off topic but I think this is worth mentioning. > > Regards, > Jean > > > > ------------------------------------------------- > This mail sent through ICENetworks.com: http://www.icenetworks.com > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > -- -------------------------------------- Mikhail Goriachev Telephone: +61 (0)3 62252501 Mobile Phone: +61 (0)4 38255158 e-mail: mikhailg@webanoide.org URL: http://www.webanoide.org GPG Key ID: 4E148A3B -------------------------------------- From owner-freebsd-security@FreeBSD.ORG Sat Feb 7 03:02:26 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3871A16A4CE for ; Sat, 7 Feb 2004 03:02:26 -0800 (PST) Received: from mail.evilcoder.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7B3243D1D for ; Sat, 7 Feb 2004 03:02:25 -0800 (PST) (envelope-from 
remko@elvandar.org) From: "Remko Lodder" To: "Spades" , Date: Sat, 7 Feb 2004 12:02:19 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) In-Reply-To: <20040207063015.2BF733F@mail.elvandar.org> Importance: Normal X-Virus-Scanned: for evilcoder.org Message-Id: <20040207110224.48A122B4D7C@mail.evilcoder.org> Subject: RE: [Freebsd-security] Re: IPFIREWALL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Feb 2004 11:02:26 -0000 Hi, I dont think you can deny all ddos against your box, you will need help from your isp. That is because if a person sends you enough packets, like 1mbit (and your line is 1mbit) full of packets, your connection is stuck, whether you filter or not. Though you can mitigate those by closing all non needed ports, log them if any attempt is being made to connect to them, and use a bogon list which filters out traffic that come from unused ip-ranges. Note that DDOS not only happends due icmp, but can also means attacking TCP/UDP and other protocols as well. I don't know how it is done by IPFW, but iptables can limit syn connections (again i don't know how it's done since i dont have any experience with it, but it can do it) Also you can use stuff like snmp for example to monitor traffic in combination with mrtg that is a good start. 
Hope it helped you a little, -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van: freebsd-security-bounces@lists.elvandar.org [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Spades Verzonden: zaterdag 7 februari 2004 7:29 Aan: freebsd-security@freebsd.org Onderwerp: [Freebsd-security] Re: IPFIREWALL Heya, lately my freebsd connection is being slow'd down after it got ddos by some kiddies, and i got this feeling it is still being packetted by in small amt cos i can feel a constant lag. i have ipfw running and denied all icmp Any idea how i can secure my box against all ddos and prevent syn or other kind of floods? anyway to monitor packets as well? Thanks & regards. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ Freebsd-security mailing list Freebsd-security@lists.elvandar.org http://lists.elvandar.org/mailman/listinfo/freebsd-security From owner-freebsd-security@FreeBSD.ORG Sat Feb 7 03:33:11 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C711916A4CE for ; Sat, 7 Feb 2004 03:33:11 -0800 (PST) Received: from diaspar.rdsnet.ro (diaspar.rdsnet.ro [213.157.165.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 07E0C43D1D for ; Sat, 7 Feb 2004 03:33:11 -0800 (PST) (envelope-from dudu@diaspar.rdsnet.ro) Received: (qmail 1717 invoked by uid 89); 4 Dec 2005 11:31:07 -0000 Received: from unknown (HELO diaspar.rdsnet.ro) (dudu@diaspar.rdsnet.ro@213.157.165.224) by 0 with AES256-SHA encrypted SMTP; 4 Dec 2005 11:31:06 -0000 From: Vlad Galu To: security@freebsd.org Message-Id: 
<20051204133104.60280173.dudu@diaspar.rdsnet.ro> In-Reply-To: References: <1085.195.95.26.125.1075966401.squirrel@webmail.boxke.be> X-Mailer: Sylpheed version 0.9.9 (GTK+ 1.2.10; i386-portbld-freebsd4.9) Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Signature=_Sun__4_Dec_2005_13_31_04_+0200_M.mnoZJE=PidiqRy" Subject: Re: using libparanoia X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Sat, 07 Feb 2004 11:33:11 -0000 X-Original-Date: Sun, 4 Dec 2005 13:31:04 +0200 X-List-Received-Date: Sat, 07 Feb 2004 11:33:11 -0000 --Signature=_Sun__4_Dec_2005_13_31_04_+0200_M.mnoZJE=PidiqRy Content-Type: text/plain; charset=ISO-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable des@des.no (Dag-Erling Sm=F8rgrav) writes: |"Jimmy Scott" writes: |> If i add in /ert/make.conf: |> CFLAGS=3D -O -pipe -lparanoia -L/usr/local/lib |> COPTFLAGS=3D -O -pipe -lparanoia -L/usr/local/lib |> |> Will EVERYTHING build from that time (including |kernel/userland/ports),> be protected by libparanoia? if not, what will |be? | |nothing. if you put -lparanoia in CFLAGS it will be too early on the |command line to have any effect. Better try IBM's propolice:=20 http://www.research.ibm.com/trl/projects/security/ssp/buildfreebsd.html |DES |--=20 |Dag-Erling Sm=F8rgrav - des@des.no |_______________________________________________ |freebsd-security@freebsd.org mailing list |http://lists.freebsd.org/mailman/listinfo/freebsd-security |To unsubscribe, send any mail to |"freebsd-security-unsubscribe@freebsd.org" | | |!DSPAM:4390bc41959652126817417! | | | ---- If it's there, and you can see it, it's real. If it's not there, and you can see it, it's virtual. If it's there, and you can't see it, it's transparent. 
If it's not there, and you can't see it, you erased it. --Signature=_Sun__4_Dec_2005_13_31_04_+0200_M.mnoZJE=PidiqRy Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFDktN6P5WtpVOrzpcRAsZVAJ0f8ZpWF01kggp222p1Xy+2SLShXACfQIrr +Cc/6O9ic2BCr/M3gFXFffY= =2Ppe -----END PGP SIGNATURE----- --Signature=_Sun__4_Dec_2005_13_31_04_+0200_M.mnoZJE=PidiqRy-- From owner-freebsd-security@FreeBSD.ORG Sat Feb 7 06:16:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0042B16A4CE for ; Sat, 7 Feb 2004 06:16:56 -0800 (PST) Received: from lucidfactory.midasnetworks.com (lucidfactory.midasnetworks.com [66.112.235.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD76843D1D for ; Sat, 7 Feb 2004 06:16:55 -0800 (PST) (envelope-from jthibeaux@lucidfactory.com) Received: from THEFACTORY (adsl-64-218-163-219.dsl.austtx.swbell.net [64.218.163.219]) by lucidfactory.midasnetworks.com (Postfix) with ESMTP id 91193FA642; Sat, 7 Feb 2004 08:16:11 -0600 (CST) Message-ID: <04be01c3ed84$c5104670$3300a8c0@THEFACTORY> From: "Jeremy Thibeaux" To: "Mikhail Goriachev" References: <0FDD52D38220D611B7CC0004763B3744F80821@HNTS-04><4023AD12.6070106@sitetronics.com><6.0.0.22.2.20040206104336.0587c5a0@localhost><20040206151109.S921@cithaeron.argolis.org><6.0.0.22.2.20040206132723.058bf848@localhost><20040206212310.GJ94075@binary.net><1076133554.40247eb21c430@webmail.icenetworks.com> <3442.203.220.118.239.1076151405.squirrel@www.webanoide.org> Date: Sat, 7 Feb 2004 08:14:59 -0600 Organization: Lucid Factory MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 cc: security@freebsd.org Subject: wanadoo.fr X-BeenThere: freebsd-security@freebsd.org 
X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Jeremy Thibeaux List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Feb 2004 14:16:56 -0000 wanadoo.fr is a major ISP in france. They are the primary provider of DSL service. Regards, Jeremy ----- Original Message ----- From: "Mikhail Goriachev" To: Cc: Sent: Saturday, February 07, 2004 4:56 AM Subject: Re: SYN Attacks - how i cant stop it > > > > How i cant stop the SYN and Port Scanner Attacks. I have a attacks all > > nights. > > Check this. > > I get this phenomena from time to time too... I reckon some kiddies are > trying to get in by scanning ports. > > > Feb 6 13:33:17 TCP: port scan mode expired for > > ANancy-106-1-4-183.w81-248.abo.wanadoo.fr (81.248.192.183) - received a > > total > > Now this wanadoo.fr looks familiar. Couple of months ago a friend of mine > detected way too much activity on his FTP server which wasn't secured > (just a default installation). He later found that someone (through > wanadoo.fr) was using his FTP server as a WAREZ storage by creating a > folder with " " name (just an empty space so you couldn't see it by having > a quick look using 'ls'). Off topic but I think this is worth mentioning. 
> > > > > Regards, > > Jean > > > > > > > > ------------------------------------------------- > > This mail sent through ICENetworks.com: http://www.icenetworks.com > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > > "freebsd-security-unsubscribe@freebsd.org" > > > > > -- > -------------------------------------- > Mikhail Goriachev > Telephone: +61 (0)3 62252501 > Mobile Phone: +61 (0)4 38255158 > e-mail: mikhailg@webanoide.org > URL: http://www.webanoide.org > GPG Key ID: 4E148A3B > -------------------------------------- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
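Per's advice to dig into the sources and report them starts with tallying the log Jean posted; the following is an added example (my own code, not from any poster) that parses exactly that log format, folds the "detected" and "expired" lines per source IP, keeps the hostname where the log resolved one, and tolerates the truncated lines that appear in the post. It assumes the three line shapes quoted in this thread and nothing else; the sample input is a subset of Jean's lines.

```python
"""Triage helper for the scan/flood log format quoted in the thread above."""
import re
from collections import defaultdict

# Sample input: lines taken from Jean's post (a hostname+IP source, a
# repeated source and one line truncated exactly as it appears in the post).
SAMPLE_LOG = """\
Feb 6 11:54:24 TCP: port scan detected [port 6667] from 212.165.80.117 [ports 63432,63453,63466,63499,63522,...]
Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 - received a total of 38 packets (1064 bytes).
Feb 6 12:02:33 ICMP: ping flood mode expired for 65.23.218.180 - received a total of 562 packets (22480 bytes).
Feb 6 12:31:54 TCP: port scan detected [port 6667] from 212.165.80.117 [ports 61345,61356,61370,61386,61408,...]
Feb 6 12:34:22 TCP: port scan mode expired for 212.165.80.117 - received a total of 26 packets (728 bytes).
Feb 6 13:00:16 TCP: port scan detected [port 9999] from 204.117.88.37 [ports 4568,4571,4572,4573,4574,...]
Feb 6 13:01:29 TCP: port scan mode expired for 204.117.88.37 - received a total of 352 packets (9856 bytes).
Feb 6 13:33:17 TCP: port scan mode expired for ANancy-106-1-4-183.w81-248.abo.wanadoo.fr (81.248.192.183) - received a total
Feb 6 13:46:13 TCP: port scan detected [port 6667] from A7b25.a.pppool.de (213.6.123.37) [ports 3485,3573,3763,4159,4297,...]
Feb 6 14:56:25 ICMP: ping flood detected from 210.92.221.49
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
# "TCP: port scan detected [port N] from SRC [ports a,b,...]" (closing bracket may be cut off)
RE_DETECT = re.compile(TS + r"TCP: port scan detected \[port (?P<port>\d+)\] from (?P<src>.+?) \[ports (?P<ports>[^\]]*)")
# "<proto>: <kind> mode expired for SRC - received a total of N packets (B bytes)."
# Counters are only taken when the "N packets" part survived; truncated lines add 0.
RE_EXPIRE = re.compile(TS + r"(?P<proto>TCP|ICMP): (?P<kind>.+?) mode expired for (?P<src>.+?) - received a total"
                       r"(?: of (?P<pkts>\d+) packets(?: \((?P<bytes>\d+) bytes\))?)?")
RE_FLOOD = re.compile(TS + r"ICMP: ping flood detected from (?P<src>\S+)")
# SRC is either a bare IPv4 address or "hostname (ip)"
RE_SRC = re.compile(r"^(?:(?P<host>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")


def split_source(src):
    """Return (ip, hostname_or_None); an unknown shape is kept verbatim as the key."""
    m = RE_SRC.match(src.strip())
    return (m["ip"], m["host"]) if m else (src.strip(), None)


def parse_log(text):
    """Aggregate events per source IP. Returns (sources, unparsed_lines)."""
    sources = defaultdict(lambda: {"host": None, "events": 0, "kinds": set(),
                                   "target_ports": set(), "packets": 0, "bytes": 0})
    unparsed = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RE_DETECT.match(line) or RE_EXPIRE.match(line) or RE_FLOOD.match(line)
        if not m:
            unparsed.append(line)
            continue
        ip, host = split_source(m["src"])
        s = sources[ip]
        s["events"] += 1
        s["host"] = host or s["host"]
        g = m.groupdict()
        if "port" in g:                     # detection line: record the port being hit
            s["target_ports"].add(int(g["port"]))
            s["kinds"].add("port scan")
        elif "kind" in g:                   # expiry line: add the counters if present
            s["kinds"].add(g["kind"])
            s["packets"] += int(g["pkts"] or 0)
            s["bytes"] += int(g["bytes"] or 0)
        else:                               # ICMP flood detection line
            s["kinds"].add("ping flood")
    return dict(sources), unparsed


def summarize(sources, min_packets=0):
    """Rows sorted by packet count, descending; sources under min_packets are dropped."""
    rows = [{"ip": ip, "host": s["host"], "events": s["events"], "kinds": sorted(s["kinds"]),
             "target_ports": sorted(s["target_ports"]), "packets": s["packets"], "bytes": s["bytes"]}
            for ip, s in sources.items() if s["packets"] >= min_packets]
    rows.sort(key=lambda r: (-r["packets"], r["ip"]))
    return rows


if __name__ == "__main__":
    srcs, bad = parse_log(SAMPLE_LOG)
    for r in summarize(srcs):
        print(f'{r["ip"]:16} {r["host"] or "-":45} {",".join(r["kinds"]):12} '
              f'ports={r["target_ports"]} pkts={r["packets"]} bytes={r["bytes"]}')
    for line in bad:
        print("unparsed:", line)
```

The per-source rows (IP, hostname, event kinds, targeted ports, packet and byte totals) are what an abuse report to the address-range owner needs; `summarize(srcs, min_packets=100)` keeps only the sources worth reporting.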