From owner-freebsd-security@FreeBSD.ORG Sun Jun 13 08:07:30 2004
From: "Peter Rosa"
Date: Sun, 13 Jun 2004 10:05:18 +0200
Subject: Re: Hacked or not - RESULT

Hi all,

Many thanks to everybody who showed me a way. I did not expect so much advice :-) As for me, this is another confirmation that FreeBSD is my favorite system :-)

I have checked the machine using the steps you have written, and the "lkm" message seems to be a false positive.

Again, many thanks to all of you, boys. Have a nice rest of the weekend.

Peter Rosa

From owner-freebsd-security@FreeBSD.ORG Sun Jun 13 09:16:20 2004
From: Oliver Eikemeier
Date: Sun, 13 Jun 2004 11:15:47 +0200
To: FreeBSD ports
cc: FreeBSD security
Subject: FYI: new port security/portaudit-db

Dear porters and port users,

I've added a new port, security/portaudit-db, that complements security/portaudit for users who have a current ports tree and want to generate the portaudit database themselves, possibly distributing it over their local network. This will save you the traffic of downloading information that is already on your local machine and avoid the lag that is currently associated with the mirroring process.

Basically you just need to install security/portaudit-db and run `packaudit' every time after your ports tree has been updated. Try `portaudit -d'; it should show the current date afterwards.
This port also features a MOVED-style file (database/portaudit.txt) where UUIDs for vulnerabilities can be allocated before they are researched thoroughly and moved to the VuXML database. When you fix a vulnerability in one of your ports, please add at least an entry to this file, so that this fact doesn't go unnoticed. Of course a full VuXML entry is preferred.

I take this announcement as an opportunity to make a plea to all port maintainers:

* please stick with *one* PKGNAMESUFFIX (possibly using a combined one like -sasl-client)
* please *do not* change the structure of the package's version number according to included components.

Let's take for example port `myport', which has optional components c1 and c2. This *should not* result in the following package names:

  port-v
  port-suf1-v+v1
  port-suf2-v+v2
  port-suf1-suf2-v+v1+v2

because I need 2^(number of components) entries to catch all possible combinations; for example the recent vulnerability in www/apache13-modssl would need 32 entries in the vulnerability database, which seems a little high. The net effect is that many combinations are not recognized, and users remain unprotected even though they assume the opposite. If you need to record the included components, please do this in the pkg-message, which is displayed with pkg_info -D.

Again:

* a port should *not* change its version numbering based on included components
* restrain yourself to *one* suffix in the package name (and use a dash to separate it from the main port's name)

Thanks
-Oliver

From owner-freebsd-security@FreeBSD.ORG Sun Jun 13 16:17:24 2004
From: Alexander Yeremenko
Date: Sun, 13 Jun 2004 19:17:14 +0300
To: Alex Povolotsky
cc: freebsd-security@freebsd.org
Subject: Re: Hacked or not ?

On Sat, Jun 12, 2004 at 05:50:35PM +0400, Alex Povolotsky wrote:
> On Sat, 12 Jun 2004 14:39:21 +0200
> "Peter Rosa" wrote:
>
> PR> But what about the /var/log/messages logs absence ?
> PR> And, how to test the machine, if it is healthy ?
>
> Boot from CD and compare md5 checksums on system files. That's the first step.

I'm running a frequent script, evaluating md5 for binaries, libs etc., and it reports whether something has changed.

--
AY7-UANIC || AY15-RIPE

From owner-freebsd-security@FreeBSD.ORG Sun Jun 13 16:42:24 2004
From: Alexander Yeremenko
Date: Sun, 13 Jun 2004 19:41:59 +0300
To: Ondra Holecek
cc: freebsd-security@freebsd.org
Subject: Re: Hacked or not ?

On Sun, Jun 13, 2004 at 06:20:11PM +0000, Ondra Holecek wrote:
> On Sunday 13 June 2004 16:17, Alexander Yeremenko wrote:
> > On Sat, Jun 12, 2004 at 05:50:35PM +0400, Alex Povolotsky wrote:
> > > On Sat, 12 Jun 2004 14:39:21 +0200
> > > "Peter Rosa" wrote:
> > >
> > > PR> But what about the /var/log/messages logs absence ?
> > > PR> And, how to test the machine, if it is healthy ?
> > >
> > > Boot from CD and compare md5 checksums on system files. That's the first
> > > step.
> >
> > I'm running a frequent script, evaluating md5 for binaries, libs
> > etc, and reports isn't something changed
>
> But, what if the hacker modifies this script to not report changes, or changes the
> original MD5 checksum?

This smart hacker must know about this script :)

--
AY7-UANIC || AY15-RIPE
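The sweep Alexander describes, with the precaution Ondra's question calls for, as an added example (not Alexander's script): the checksum manifest is written in a stable form and its own digest is kept off the machine, so a manifest that has been edited on disk is refused before it is trusted. The directory and file names in the demo are constructed; md5 is used for the file digests because that is what the thread discusses.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """MD5 of a file's contents, read in chunks (md5 is what the thread uses)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots: List[str]) -> Dict[str, str]:
    """Walk the given directories (in practice /bin, /sbin, /usr/lib, ...)
    and record path -> digest for every regular, non-symlink file."""
    baseline: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    baseline[p] = hash_file(p)
    return baseline


def serialize(baseline: Dict[str, str]) -> str:
    """Stable text form, one 'digest  path' line per file, sorted, so the
    manifest can be copied to read-only media and digested itself."""
    return "".join(f"{d}  {p}\n" for p, d in sorted(baseline.items()))


def parse(text: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            out[path] = digest
    return out


def baseline_digest(text: str) -> str:
    """Digest of the manifest itself. The operator records this value off the
    box (paper, another host); rewriting the manifest on disk, as Ondra
    worries, then no longer matches what the operator holds."""
    return hashlib.sha256(text.encode()).hexdigest()


def compare(expected: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files whose digest changed, files that appeared, files that vanished."""
    changed = sorted(p for p in expected if p in current and current[p] != expected[p])
    added = sorted(p for p in current if p not in expected)
    missing = sorted(p for p in expected if p not in current)
    return {"changed": changed, "added": added, "missing": missing}


def check(manifest_text: str, trusted_digest: str, roots: List[str]) -> Dict[str, List[str]]:
    """Refuse a manifest whose digest does not match the off-box value."""
    if baseline_digest(manifest_text) != trusted_digest:
        raise ValueError("baseline manifest has been altered; do not trust this host")
    return compare(parse(manifest_text), build_baseline(roots))


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then replace one 'binary' and
    drop a new file into the directory, and see what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        manifest = serialize(build_baseline([bindir]))
        trusted = baseline_digest(manifest)        # operator keeps this off the box
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"hides processes")            # simulated replaced binary
        with open(os.path.join(bindir, "login.bak"), "wb") as f:
            f.write(b"new file")                   # simulated dropped file
        report = check(manifest, trusted, [bindir])
        # Return basenames so the result does not depend on the temp path.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

Running the sweep from a boot CD, as Alex suggested, removes the remaining dependency on the host's own kernel and libraries being honest about file contents.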
From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 20:27:50 2004
From: "Crist J. Clark"
Date: Mon, 7 Jun 2004 13:27:45 -0700
To: Darren Reed
cc: freebsd-security@freebsd.org
Subject: Re: syslogd(8) Dropping Privs

On Sat, Jun 05, 2004 at 06:21:29PM +1000, Darren Reed wrote:
> ...and this works in the case of SIGHUP too ?
>
> i.e. re-read syslogd.conf and can open new files r/w root only ?

Syslogd(8) does NOT run as root by the time log files are opened at startup or a reconfig (SIGHUP). As I stated in the original message, the log files will have to be writable by the user. Same goes for writing messages to users via their ttys. Although having things set up otherwise is probably rare, make sure that the user can read the configuration file.

What do we do while still root? Open the UNIX domain log sockets (/var/run/log and any others specified) and open the network socket (514/udp by default or whatever is specified). The PID file is also written while still root.

I'm thinking of writing a "conversion" script to make the required changes.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Wed Jun 9 14:52:46 2004
From: "Crist J. Clark"
Date: Wed, 9 Jun 2004 07:52:23 -0700
To: Doug Barton
cc: freebsd-security@freebsd.org, Remko Lodder, "David E. Meier", Dan Rue
Subject: Re: [Freebsd-security] Re: Multi-User Security

On Wed, Jun 09, 2004 at 05:03:02AM -0700, Doug Barton wrote:
> On Mon, 7 Jun 2004, Crist J. Clark wrote:
>
> > On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote:
> > > On Wed, 19 May 2004, Dan Rue wrote:
> > >
> > > > You obviously haven't tried to chroot scponly users.. _that's_ the tricky
> > > > part. Especially if you want it to scale up beyond a handful of users.
> > > > If I'm wrong - fill me in, I'd love to hear how to do it.
> > >
> > > Have you considered using ~/.ssh/authorized_keys to restrict the account
> > > from tty access? This would allow you to do commands (like scp) without
> > > the risk of the user getting an actual shell.
> >
> > $ ssh host /bin/sh
> >
> > You don't need a tty to get an interactive shell.
>
> You can also enforce what commands the user can run to prevent this.
> Read sshd(8) for more information.

If you are talking about the "command" option for an authorized key, that is a useful functionality, but it does not really apply to the scp(1) case. If there is some other way to restrict the commands a user can execute via sshd(8) (besides passing the user to a restricted shell or other external control), I'm sorry, but I'm not catching on.

Using command restrictions for authorized keys doesn't work for scp(1) since doing,

  $ scp host1:file1 file2

actually runs,

  $ ssh host1 scp -f file1

As far as the SSH client-server interaction goes, you cannot specify a command in the authorized keys file and still have scp(1) work.

Also, due to the fact that scp(1) works in this manner, any "scp-only" setup has to be able to defeat,

  $ ssh host1:'file1; command arg1 ..' file2

For example, try,

  $ scp host1:'/etc/motd; touch scp_test' /dev/null

and check for 'scp_test' in the user's home directory on the server.

To do scp-only, you either need (a) a hacked up sshd(8) daemon, (b) a jailed environment, or (c) a special shell for the user that only allows scp(1) to run. The funny thing is, I think (c) is probably the easiest to implement on a mass scale, but seems to be the option most seldom considered.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
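Option (c) from Crist's list, written out as an added example rather than anything from the thread or from scponly: a login shell that accepts the single command string sshd hands it, admits only `scp -f`/`-t` with one path inside the user's home, and execs scp directly, so no shell ever gets to interpret the `;` in the `/etc/motd; touch scp_test` trick above. `SCP_BINARY` and the home directory used in the test are assumptions for the demo.

```python
import os
import re
import shlex
import sys
from typing import List

# Assumptions for the demo: where scp lives, and that the user's home is the
# only tree they may read from or write to. Adjust per system.
SCP_BINARY = "/usr/bin/scp"
# The only options an scp client puts on the remote command line:
# -f (send files) or -t (receive files), plus the -r -p -d -v modifiers.
ALLOWED_FLAGS = {"-f", "-t", "-r", "-p", "-d", "-v"}
# One path argument; no whitespace, quotes, ';', '|', '&', '$' or backticks.
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")


def validate_scp_command(command: str, home: str) -> List[str]:
    """Turn the command string sshd passes to the login shell (shell -c "...")
    into an argv that is safe to exec. Raise ValueError for anything that is
    not 'scp -f|-t [modifiers] <one path inside home>'."""
    argv = shlex.split(command)          # honours quoting; never runs anything
    if not argv or argv[0] != "scp":
        raise ValueError("only scp is permitted on this account")
    if "--" in argv:                     # client inserts '--' when the path starts with '-'
        cut = argv.index("--")
        flags, paths, dashdash = argv[1:cut], argv[cut + 1:], ["--"]
    else:
        flags = [a for a in argv[1:] if a.startswith("-")]
        paths = [a for a in argv[1:] if not a.startswith("-")]
        dashdash = []
    unknown = [f for f in flags if f not in ALLOWED_FLAGS]
    if unknown:
        raise ValueError(f"unsupported scp option(s): {unknown}")
    if "-f" not in flags and "-t" not in flags:
        raise ValueError("scp must run in -f (source) or -t (sink) mode")
    if len(paths) != 1:
        # 'scp -f /etc/motd; touch scp_test' arrives here as three 'paths'
        raise ValueError(f"expected exactly one path, got {paths}")
    path = paths[0]
    if not SAFE_PATH.match(path):
        raise ValueError(f"path contains disallowed characters: {path!r}")
    # Confine to the home directory; realpath resolves '..' and symlinks.
    root = os.path.realpath(home)
    full = os.path.realpath(os.path.join(root, path))
    if full != root and not full.startswith(root + os.sep):
        raise ValueError(f"path escapes {root}: {path!r}")
    return [SCP_BINARY, *flags, *dashdash, full]


def main(argv: List[str]) -> int:
    # sshd runs the account's shell as: <shell> -c "<command sent by the client>".
    # With no arguments it wants an interactive shell, which is refused.
    if len(argv) != 3 or argv[1] != "-c":
        sys.stderr.write("interactive login is not permitted\n")
        return 1
    try:
        cmd = validate_scp_command(argv[2], os.path.expanduser("~"))
    except ValueError as err:
        sys.stderr.write(f"scp-only: {err}\n")
        return 1
    os.execv(cmd[0], cmd)                # exec directly: no shell parses the string
    return 1                             # not reached


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the string is tokenised and then exec'd rather than handed to sh -c, the rejection of `/etc/motd; touch scp_test` does not depend on the metacharacter check alone: even a path that slipped past the regex would reach scp as an argument, not a second command.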
From owner-freebsd-security@FreeBSD.ORG Mon Jun 14 11:39:27 2004
From: Bruce M Simpson
Date: Mon, 14 Jun 2004 12:38:58 +0100
To: cjclark@alum.mit.edu
cc: freebsd-security@freebsd.org, Doug Barton, "David E. Meier", Remko Lodder, Dan Rue
Subject: Re: [Freebsd-security] Re: Multi-User Security

On Wed, Jun 09, 2004 at 07:52:23AM -0700, Crist J. Clark wrote:
> To do scp-only, you either need (a) a hacked up sshd(8) daemon, (b) a
> jailed environment, or (c) a special shell for the user that only allows
> scp(1) to run. The funny thing is, I think (c) is probably the easiest
> to implement on a mass scale, but seems to be the option most seldom
> considered.

ports/shells/scponly

BMS

From owner-freebsd-security@FreeBSD.ORG Mon Jun 14 12:44:37 2004
Date: Mon, 14 Jun 2004 14:43:07 +0200
To: cjclark@alum.mit.edu, Doug Barton, freebsd-security@freebsd.org, Remko Lodder, "David E. Meier", Dan Rue
From: lupe@lupe-christoph.de (Lupe Christoph)
Subject: Re: [Freebsd-security] Re: Multi-User Security

On Monday, 2004-06-14 at 12:38:58 +0100, Bruce M Simpson wrote:
> On Wed, Jun 09, 2004 at 07:52:23AM -0700, Crist J. Clark wrote:
> > To do scp-only, you either need (a) a hacked up sshd(8) daemon, (b) a
> > jailed environment, or (c) a special shell for the user that only allows
> > scp(1) to run. The funny thing is, I think (c) is probably the easiest
> > to implement on a mass scale, but seems to be the option most seldom
> > considered.
>
> ports/shells/scponly

That's a liiiitttle short. ;-)

scponly covers both (b) as scponlyc and (c). It works with scp, sftp, WinSCP, gftp and (IIRC) rsync. Great tool.

Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies." Michael Lucas |

From owner-freebsd-security@FreeBSD.ORG Mon Jun 14 15:17:13 2004
From: Remko Lodder
Date: Mon, 14 Jun 2004 17:16:53 +0200
To: Bruce M Simpson
cc: freebsd-security@freebsd.org, Doug Barton, "David E. Meier", cjclark@alum.mit.edu, Dan Rue
Subject: Re: [Freebsd-security] Re: Multi-User Security

Bruce M Simpson wrote:
> On Wed, Jun 09, 2004 at 07:52:23AM -0700, Crist J. Clark wrote:
>
> > To do scp-only, you either need (a) a hacked up sshd(8) daemon, (b) a
> > jailed environment, or (c) a special shell for the user that only allows
> > scp(1) to run. The funny thing is, I think (c) is probably the easiest
> > to implement on a mass scale, but seems to be the option most seldom
> > considered.
>
> ports/shells/scponly
>
> BMS

Bruce,

Indeed, that is what I said as well :-)

Cheers!

--
Kind regards,
Remko Lodder | remko@elvandar.org
Reporter DSINet | remko@dsinet.org
Projectleader Mostly-Harmless | remko@mostly-harmless.nl

From owner-freebsd-security@FreeBSD.ORG Wed Jun 16 18:05:44 2004
From: Alex Povolotsky
Date: Wed, 16 Jun 2004 22:05:33 +0400
To: freebsd-security@freebsd.org
Subject: nmap not scanning networks?

Hello!

An attempt to scan a network with any method except plain ping results in an error:

  truss nmap -sT -p 21 '172.19.17.*'
  [...]
  sendto(0x4,0x8094200,0,0x0,{ AF_INET 172.19.17.0:0 },0x10) ERR#49 'Can't assign requested address'
  [...]

What's strange is that the man page for send(2) doesn't state that EADDRNOTAVAIL can ever be returned from sendto(). A quick look at nmap's site didn't show me any clues. However, I've reproduced the problem under both 5.2.1 and 4.8 releases.

Are all my boxes broken, should I rebuild the kernel with some options, or is nmap known not to work on FreeBSD?

--
Alex.

From owner-freebsd-security@FreeBSD.ORG Wed Jun 16 18:26:17 2004
From: "Per Engelbrecht"
Date: Wed, 16 Jun 2004 20:30:31 +0200 (CEST)
cc: freebsd-security@freebsd.org
Subject: Re: nmap not scanning networks?
Hi

> Attempt to scan a network with any method except plain ping results
> in an error:
>
> truss nmap -sT -p 21 '172.19.17.*'
> [...]
> sendto(0x4,0x8094200,0,0x0,{ AF_INET 172.19.17.0:0 },0x10) ERR#49
> 'Can't assign requested address'
> [...]

use "172.19.17.0-255" and not '.*'

> Do I have all my boxes broken, or should I rebuild kernel with some
> options, or does nmap be known not to work on FreeBSD?

nmap works just fine on FreeBSD - both 4.x and 5.x respectfully

/per
per@xterm.dk

From owner-freebsd-security@FreeBSD.ORG Wed Jun 16 18:39:20 2004
From: Chuck Swiger
Date: Wed, 16 Jun 2004 14:39:10 -0400
To: Alex Povolotsky
cc: freebsd-security@freebsd.org, eik@FreeBSD.org
Subject: Re: nmap not scanning networks?

Alex Povolotsky wrote:
> Attempt to scan a network with any method except plain ping results in an error:
>
> truss nmap -sT -p 21 '172.19.17.*'

I can confirm the problem, anyway, although I'm not sure it's germane to freebsd-security. :-)

> [...]
> sendto(0x4,0x8094200,0,0x0,{ AF_INET 172.19.17.0:0 },0x10) ERR#49 'Can't assign
> requested address'
> [...]
>
> What's strange that man on send(2) doesn't state that EADDRNOTAVAIL can ever be returned from sendto().

nmap interprets the wildcard character in a network address to include the all-zeros "base network address" and the all-ones "network broadcast address". I seem to recall that some systems won't let you send traffic to the all-zeros address, which might explain the EADDRNOTAVAIL, although my explanation is not entirely satisfactory as there are still problems: consider trying "nmap -sT -p 21 '172.19.17.1-255'", only it results in similar behavior:

  # nmap -sT -p 21 '10.1.1.1-10'

  Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-16 14:29 EDT
  sendto in send_ip_raw: sendto(4, packet, 28, 0, 10.1.1.1, 16) => Can't assign requested address
  Sleeping 15 seconds then retrying

--
-Chuck

PS: I would suggest CC'ing the port maintainer of nmap about this and maybe moving the discussion to freebsd-ports...?
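To make the point about the wildcard concrete, an added example (not nmap's own code) that expands nmap-style target specs and separates the all-zeros and all-ones addresses of each /24 from the host addresses. It shows that '172.19.17.*' and '172.19.17.0-255' cover the same 256 addresses, while Chuck's '10.1.1.1-10' contains neither special address, which is why the all-zeros explanation does not account for his second run. The /24 prefix length is an assumption for the demo.

```python
import ipaddress
from typing import Dict, List


def _expand_octet(field: str) -> List[int]:
    """One dotted-quad field in nmap syntax: '17', '*', '1-10', '1-', '-10',
    or a comma-separated list of those. Returns the octet values it covers."""
    values: List[int] = []
    for part in field.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {field!r}")
    return values


def expand_targets(spec: str) -> List[str]:
    """Expand an nmap-style IPv4 target spec into every address it names."""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError("expected four dotted fields")
    a, b, c, d = (_expand_octet(f) for f in fields)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def classify(spec: str, prefixlen: int = 24) -> Dict[str, List[str]]:
    """Separate the all-zeros network address and the all-ones broadcast
    address of each address's /prefixlen block from ordinary host addresses.
    The /24 default is an assumption for the demo, not something nmap knows."""
    out: Dict[str, List[str]] = {"hosts": [], "network": [], "broadcast": []}
    for addr in expand_targets(spec):
        block = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        if addr == str(block.network_address):
            out["network"].append(addr)
        elif addr == str(block.broadcast_address):
            out["broadcast"].append(addr)
        else:
            out["hosts"].append(addr)
    return out
```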
From owner-freebsd-security@FreeBSD.ORG Wed Jun 16 19:01:53 2004
From: Oliver Eikemeier
Date: Wed, 16 Jun 2004 21:01:35 +0200
To: Chuck Swiger
cc: freebsd-security@freebsd.org
Subject: Re: nmap not scanning networks?
Message-Id: <9671B9BE-BFC7-11D8-9250-00039312D914@fillmore-labs.com>
In-Reply-To: <40D093CE.6020603@mac.com>

Chuck Swiger wrote:
> Alex Povolotsky wrote:
>> Attempt to scan a network with any method except plain ping results in
>> an error:
>> truss nmap -sT -p 21 '172.19.17.*'
>
> I can confirm the problem, anyway, although I'm not sure it's germane
> to freebsd-security. :-)
>
>> [...]
>> sendto(0x4,0x8094200,0,0x0,{ AF_INET 172.19.17.0:0 },0x10) ERR#49
>> 'Can't assign requested address'
>> [...]
>> What's strange is that the man page for send(2) doesn't state that EADDRNOTAVAIL
>> can ever be returned from sendto().

Have you checked the firewall rules and routing tables on your machines?
Do you have the same problems with non-private IP ranges?

-Oliver

From owner-freebsd-security@FreeBSD.ORG Thu Jun 17 11:23:11 2004
From: FreeBSD User
Date: Thu, 17 Jun 2004 16:22:07 +0500
To: Oliver Eikemeier
cc: freebsd-security@freebsd.org
Subject: Re[2]: nmap not scanning networks?
Message-ID: <1426783068.20040617162207@access.sanet.ge>
In-Reply-To: <9671B9BE-BFC7-11D8-9250-00039312D914@fillmore-labs.com>
References: <40D093CE.6020603@mac.com> <9671B9BE-BFC7-11D8-9250-00039312D914@fillmore-labs.com>

OE> Chuck Swiger wrote:
>> Alex Povolotsky wrote:
>>> Attempt to scan a network with any method except plain ping results in
>>> an error:
>>> truss nmap -sT -p 21 '172.19.17.*'
>>
>> I can confirm the problem, anyway, although I'm not sure it's germane
>> to freebsd-security. :-)
>>
>>> [...]
>>> sendto(0x4,0x8094200,0,0x0,{ AF_INET 172.19.17.0:0 },0x10) ERR#49
>>> 'Can't assign requested address'
>>> [...]
>>> What's strange is that the man page for send(2) doesn't state that EADDRNOTAVAIL
>>> can ever be returned from sendto().

OE> Have you checked the firewall rules and routing tables on your machines?
OE> Do you have the same problems with non-private IP ranges?

I had the same problem because my host's IP address was included in the IP range. Make sure your host's IP is not included and see the result.

OE> -Oliver
OE> _______________________________________________
OE> freebsd-security@freebsd.org mailing list
OE> http://lists.freebsd.org/mailman/listinfo/freebsd-security
OE> To unsubscribe, send any mail to
OE> "freebsd-security-unsubscribe@freebsd.org"

--
Best regards,
FreeBSD
mailto:FreeBSD@access.sanet.ge

From owner-freebsd-security@FreeBSD.ORG Fri Jun 18 06:58:20 2004
From: Zoran Kolic
Date: Fri, 18 Jun 2004 08:25:57 +0200
To: freebsd-security@freebsd.org
Subject: Re: nmap not scanning networks?
Message-ID: <20040618062557.GA616@kolic.net>
In-Reply-To: <20040617120329.8AA7216A4D5@hub.freebsd.org>
References: <20040617120329.8AA7216A4D5@hub.freebsd.org>
> nmap -sT -p 21 '172.19.17.*'

Have you tried without "'"? Or 172.19.17.1-254? Nmap works for me. Maybe port 21?

ZK

From owner-freebsd-security@FreeBSD.ORG Fri Jun 18 14:16:12 2004
From: Alexey Karguine
Organization: ISP Netmaster.ru
Date: Fri, 18 Jun 2004 18:16:46 +0400
To: freebsd-security@freebsd.org
Subject: Re: nmap not scanning networks?
Message-Id: <20040618181646.6468ba8f.bm@netmaster.ru>
In-Reply-To: <40D093CE.6020603@mac.com>
References: <20040616220533.2ec0bc9c@tarkhil.over.ru> <40D093CE.6020603@mac.com>
On Wed, 16 Jun 2004 14:39:10 -0400
Chuck Swiger wrote:

> Alex Povolotsky wrote:
> > Attempt to scan a network with any method except plain ping results in an error:
> > truss nmap -sT -p 21 '172.19.17.*'
> I can confirm the problem, anyway, although I'm not sure it's germane to
> freebsd-security. :-)
> > [...]
> > sendto(0x4,0x8094200,0,0x0,{ AF_INET 172.19.17.0:0 },0x10) ERR#49 'Can't assign
> > requested address'
> > [...]
> > What's strange is that the man page for send(2) doesn't state that EADDRNOTAVAIL can ever be returned from sendto().
> nmap interprets the wildcard character in a network address to include the
> all-zeros "base network address" and the all-ones "network broadcast address".
> I seem to recall that some systems won't let you send traffic to the
> all-zeros address which might explain the EADDRNOTAVAIL, although my
> explanation is not entirely satisfactory as there are still problems:
> Consider trying "nmap -sT -p 21 '172.19.17.1-255'", only it results in similar
> behavior:
> # nmap -sT -p 21 '10.1.1.1-10'
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-16 14:29 EDT
> sendto in send_ip_raw: sendto(4, packet, 28, 0, 10.1.1.1, 16) => Can't assign
> requested address
> Sleeping 15 seconds then retrying

Try the 'su' command to become root. Maybe it helps you.
--bm

From owner-freebsd-security@FreeBSD.ORG Fri Jun 18 16:50:58 2004
From: David Gilbert
Date: Fri, 18 Jun 2004 12:49:59 -0400
To: Zoran Kolic
cc: freebsd-security@freebsd.org
Subject: Re: nmap not scanning networks?
Message-ID: <16595.7479.439833.235009@canoe.dclg.ca>
In-Reply-To: <20040618062557.GA616@kolic.net>
References: <20040617120329.8AA7216A4D5@hub.freebsd.org> <20040618062557.GA616@kolic.net>

>>>>> "Zoran" == Zoran Kolic writes:

>> nmap -sT -p 21 '172.19.17.*'

Zoran> Have you tried without "'"? Or 172.19.17.1-254? Nmap works
Zoran> for me. Maybe port 21?

I've noticed that nmap on FreeBSD is particularly lame at scanning the local network. If the majority of the addresses on the local network are unoccupied, then it will pause with a 'no buffer space available' message and pause for 15 or 20 seconds each.
This seems to be due to it wanting to send a number of packets to the same addresses, and when the ARP is not resolved we're putting a negative entry in the routing table.

... or at least that was the behaviour. Recent -CURRENTs don't even seem to try to send ARP entries, as the ARP table isn't full of incomplete entries as it was before.

Dave.

--
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail: dave@daveg.ca                          | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security@FreeBSD.ORG Fri Jun 18 20:27:02 2004
From: Charles Sprickman
Date: Fri, 18 Jun 2004 16:26:19 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: 4.x, PAM, password facility
Message-ID: <20040618161910.C70190@shell.inch.com>
Hi,

I've been playing around with pam_mysql, and have it working for interactive logins (backed by /etc/passwd entries for uid/gid with a *'d password field), and it works well so far.

Looking at the source to the module, it does support password changing. So I put the following entry in pam.conf:

sshd password required pam_mysql.so user=root db=pam table=users crypt=1

However, it doesn't seem to hit the module at all for password changes. I also noticed the default line is like so:

sshd password required pam_permit.so

I would have expected a "pam_unix.so" there instead. Is the password facility implemented in 4.x?

And since I know there's someone lurking here that knows this, is there any way to have OpenSSH deny a login when a user has key-based auth set up on their account? I never found a good way to take care of that; changing the shell, etc. is a bit awkward.

Thanks,

Charles

--
Charles Sprickman
spork@inch.com
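The two pam.conf lines quoted above (the stock pam_permit.so entry and the pam_mysql.so replacement) are the kind of thing worth checking mechanically across a fleet, because a "password" stack made up only of pam_permit.so answers every password-change request with success without consulting any backend. The Python script below is an added example, not FreeBSD's PAM code and not from this thread: it parses the single-file pam.conf(5) layout used in the message ("service facility control module [options]"), returns the module stack for one service/facility pair, and flags permit-only password stacks. The sample configuration embedded in it is constructed from the two lines in the message; the function names are mine.

```python
"""Audit a pam.conf(5)-style file for password stacks that consist only
of pam_permit.so.  Constructed example for this thread, not FreeBSD's own
PAM implementation.  Only the single-file 'service facility control
module [options]' layout shown in the message is parsed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PamEntry:
    service: str
    facility: str        # auth, account, session or password
    control: str         # required, requisite, sufficient, optional
    module: str
    options: list[str]


def parse_pam_conf(text: str) -> list[PamEntry]:
    """Parse pam.conf text into entries, skipping blank and comment lines."""
    entries: list[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, facility, control, module, *options = fields
        entries.append(PamEntry(service, facility, control, module, options))
    return entries


def stack_for(entries: list[PamEntry], service: str, facility: str) -> list[PamEntry]:
    """Modules, in file order, that PAM would run for this service/facility."""
    return [e for e in entries if e.service == service and e.facility == facility]


def permit_only(entries: list[PamEntry], service: str, facility: str) -> bool:
    """True when the stack exists but every module in it is pam_permit.so,
    i.e. the facility is effectively unimplemented for that service."""
    stack = stack_for(entries, service, facility)
    return bool(stack) and all(e.module.endswith("pam_permit.so") for e in stack)


def audit(text: str) -> list[str]:
    """Report every (service, facility) pair whose stack is permit-only."""
    entries = parse_pam_conf(text)
    pairs = sorted({(e.service, e.facility) for e in entries})
    return [f"{svc} {fac}" for svc, fac in pairs if permit_only(entries, svc, fac)]


# Constructed samples built from the two lines quoted in the message.
SAMPLE_DEFAULT = "sshd password required pam_permit.so\n"
SAMPLE_CHANGED = "sshd password required pam_mysql.so user=root db=pam table=users crypt=1\n"

if __name__ == "__main__":
    print("default: ", audit(SAMPLE_DEFAULT))                  # flags 'sshd password'
    print("replaced:", audit(SAMPLE_CHANGED))                  # nothing flagged
    for e in stack_for(parse_pam_conf(SAMPLE_CHANGED), "sshd", "password"):
        print(e.control, e.module, e.options)
```

Whether FreeBSD 4.x actually drives this stack for sshd password changes is the poster's open question and is not answered by the script; it only shows what the configuration file says would run.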