From owner-freebsd-security@FreeBSD.ORG Sun Aug 21 08:18:04 2005
From: Pat Maddox
To: FreeBSD Questions, freebsd-security@freebsd.org
Date: Sun, 21 Aug 2005 08:18:02 +0000
Message-ID: <810a540e05082101182e4e75fa@mail.gmail.com>
Subject: Security warning with sshd

In my recent security email, I got the following errors:

cantona.dnswatchdog.com login failures:
Aug 20 02:37:19 cantona sshd[9444]: fatal: Write failed: Operation not permitted
Aug 20 04:30:42 cantona sshd[16142]: fatal: Write failed: Operation not permitted
Aug 20 21:21:51 cantona sshd[45716]: fatal: Write failed: Operation not permitted

So three questions: What is it? Should I be worried? How can I fix it?

Thanks,
Pat

From owner-freebsd-security@FreeBSD.ORG Sun Aug 21 09:34:42 2005
From: Remko Lodder
To: Pat Maddox
Cc: freebsd-security@freebsd.org, FreeBSD Questions
Date: Sun, 21 Aug 2005 11:35:37 +0200
Message-ID: <43084AE9.7020305@FreeBSD.org>
In-Reply-To: <810a540e05082101182e4e75fa@mail.gmail.com>
References: <810a540e05082101182e4e75fa@mail.gmail.com>
Subject: Re: Security warning with sshd
Reply-To: remko@FreeBSD.org

Pat Maddox wrote:
> In my recent security email, I got the following errors:
> cantona.dnswatchdog.com login failures:
> Aug 20 02:37:19 cantona sshd[9444]: fatal: Write failed: Operation not permitted
> Aug 20 04:30:42 cantona sshd[16142]: fatal: Write failed: Operation not permitted
> Aug 20 21:21:51 cantona sshd[45716]: fatal: Write failed: Operation not permitted
>
> So three questions: What is it? Should I be worried? How can I fix it?
>
> Thanks,
> Pat

A couple of messages that I read when searching through Google appear to
indicate that it might rely on your firewall: bad packets that are not in
state anymore and such, and then get blocked by your firewall.

Could you provide some more details of events happening around the same
time as the messages you posted here? Perhaps something else precedes the
message which gives more information on what might have happened...

URL with some information:
http://lists.freebsd.org/pipermail/freebsd-pf/2005-August/001337.html
(and related messages)

Cheers,
Remko

-- 
Kind regards,

    Remko Lodder        ** remko@elvandar.org
    FreeBSD             ** remko@FreeBSD.org
    Reporter DSINET     ** remko@DSINet.org

From owner-freebsd-security@FreeBSD.ORG Mon Aug 22 06:04:46 2005
From: "Stephen Major"
To: 'Pat Maddox'
Date: Sun, 21 Aug 2005 23:03:28 -0700
In-Reply-To: <43084AE9.7020305@FreeBSD.org>
Message-ID: <43096afc.203c14ca.61c4.6d63@mx.gmail.com>
Cc: freebsd-security@freebsd.org, 'FreeBSD Questions'
Subject: RE: Security warning with sshd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is due to a mis-configured firewall. If you are using IPFW there are
many tutorials out there that tell you to do the wrong thing. And almost all
of them contradict each other. Below is a basic script that only allows in
and out SSH sessions and blocks all the garbage. Of course you must add any
other services you need. The key here is that you allow connections from any
to any established. Then on all outgoing tcp connections be sure to use the
setup keep-state flags. The keep-state flag puts the rule into the dynamic
rules table. Then the allow connections from any to any established allows
already established connections to flow without going through the ruleset
again. When I did this the error messages you are now experiencing went
away.

#!/bin/sh
#IPFW script by Salvia

ipfwcmd="/sbin/ipfw"
flags="-q"

#int
oif="rl0"
logall="log"

### Flush the rules
$ipfwcmd $flags -f flush

### Allow loopback and deny loopback spoofs
$ipfwcmd $flags add 00100 allow all from any to any via lo0
$ipfwcmd $flags add 00110 deny $logall ip from any to 127.0.0.0/8 via $oif
$ipfwcmd $flags add 00120 deny $logall ip from 127.0.0.0/8 to any via $oif

### Stop PNAs from connecting
$ipfwcmd $flags add 00130 deny $logall ip from 192.168.0.0/16 to any via $oif
$ipfwcmd $flags add 00140 deny $logall ip from 172.16.0.0/12 to any via $oif
$ipfwcmd $flags add 00150 deny $logall ip from 10.0.0.0/8 to any via $oif
$ipfwcmd $flags add 00160 deny $logall ip from any to 192.168.0.0/16 via $oif
$ipfwcmd $flags add 00170 deny $logall ip from any to 172.16.0.0/12 via $oif
$ipfwcmd $flags add 00180 deny $logall ip from any to 10.0.0.0/8 via $oif

### Deny XMAS tree, Null scan, SYN Flood, Stealth FIN, and forced packet routing
$ipfwcmd $flags add 00200 deny log tcp from any to any in tcpflags fin,psh,urg recv $oif
$ipfwcmd $flags add 00210 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif
$ipfwcmd $flags add 00220 deny log tcp from any to any in tcpflags syn,fin recv $oif
$ipfwcmd $flags add 00230 deny log tcp from any to any in tcpflags fin,rst recv $oif
$ipfwcmd $flags add 00240 deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts recv $oif

### Deny late, redirect, and spoofing attacks
$ipfwcmd $flags add 00250 deny $logall all from any to any frag
$ipfwcmd $flags add 00270 deny $logall icmp from any to any icmptype 5
$ipfwcmd $flags add 00280 deny $logall ip from me to me in via $oif

###### inbound section #######
### check the traffic's state
$ipfwcmd $flags add 00500 check-state
$ipfwcmd $flags add 00501 allow tcp from any to any established

### Allow in ssh
$ipfwcmd $flags add 00620 allow tcp from any to me 22 in via $oif setup keep-state

#################### Deny & Log all incoming that fall through to here #########################
$ipfwcmd $flags add 01000 deny $logall logamount 500 all from any to any in via $oif

#########################################################################################
###### outbound section ######
### Allow out ssh
$ipfwcmd $flags add 02150 allow tcp from me 22 to any out via $oif setup keep-state

###### Everything Else #####
### deny and log everything else that is trying to get out.
$ipfwcmd $flags add 03000 deny $logall logamount 500 all from any to any out via $oif

############## deny and log all packets that fell through to see what they are ####################
$ipfwcmd $flags add 04000 deny $logall logamount 500 all from any to any

- -----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Remko Lodder
Sent: Sunday, August 21, 2005 2:36 AM
To: Pat Maddox
Cc: freebsd-security@freebsd.org; FreeBSD Questions
Subject: Re: Security warning with sshd

Pat Maddox wrote:
> In my recent security email, I got the following errors:
> cantona.dnswatchdog.com login failures:
> Aug 20 02:37:19 cantona sshd[9444]: fatal: Write failed: Operation not permitted
> Aug 20 04:30:42 cantona sshd[16142]: fatal: Write failed: Operation not permitted
> Aug 20 21:21:51 cantona sshd[45716]: fatal: Write failed: Operation not permitted
>
> So three questions: What is it? Should I be worried? How can I fix it?
>
> Thanks,
> Pat

A couple of messages that I read when searching through Google appear to
indicate that it might rely on your firewall: bad packets that are not in
state anymore and such, and then get blocked by your firewall.

Could you provide some more details of events happening around the same
time as the messages you posted here? Perhaps something else precedes the
message which gives more information on what might have happened...

URL with some information:
http://lists.freebsd.org/pipermail/freebsd-pf/2005-August/001337.html
(and related messages)

Cheers,
Remko

- -- 
Kind regards,

    Remko Lodder        ** remko@elvandar.org
    FreeBSD             ** remko@FreeBSD.org
    Reporter DSINET     ** remko@DSINet.org

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)

iQEVAwUBQwlqtKKXvLS903/FAQqVxQf+K3+E/dEYVrN2znbBnSyNRCOspyhrsG1t
2pJnEkyldzc8wKE0dIRv1GZA1OFvyOwsQ8Bt2V5Hz/I3w0liXN5y2JRzl5VB2mPF
wCtT01Y9gFyvuf16yzlv2YkS8sr1AcChAlttOYq/b8xUTSOynyLVaVe90un9CQE/
EmiKkafaJOOlqMle1GyluOKlnsHRfVdENFAqXjm9Q5yEhedjUduHQF4RHp8v+COz
i8AFpTyO3m/M/tgRYo5fhBoPzFkm8P70TMJhvDnF26xRzrcWCQtJqAhlVzzGsgSZ
Eo/z1W2xOsLlZL/DuaS4SIXZtR7Yk0DYxzw1qn31JuI2kM55kKnsCQ==
=40+R
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Aug 22 12:24:10 2005
To: smalone@udallas.edu
References: <430659EF.2060202@udallas.edu>
From: des@des.no
    (Dag-Erling Smørgrav)
Date: Mon, 22 Aug 2005 14:23:59 +0200
In-Reply-To: <430659EF.2060202@udallas.edu> (Sean P. Malone's message of "Fri, 19 Aug 2005 17:15:11 -0500")
Message-ID: <86oe7q5fds.fsf@xps.des.no>
Cc: FreeBSD Security
Subject: Re: pam_radius fail open?

"Sean P. Malone" writes:
> I recently installed pam_radius according to the instructions located
> at the following address:
>
> https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

why?  5.3 ships with pam_radius(8).

> However, I'm not sure if I've mistakenly stumbled onto a fail open
> situation in that I'm fairly new to FreeBSD.  Namely, while
> configuring /etc/pam.conf to validate SSH login credentials via radius
> against our existing Active Directory, I mistakenly typed the line for
> ssh as follows:

[...]

I am surprised that editing /etc/pam.conf had any effect at all, since
/etc/pam.d/sshd takes precedence.  Are you running a clean 5.3 install,
or did you upgrade from 4.x?

And yes, PAM does fail open when no configuration exists.  You can easily
change that by creating /etc/pam.d/default with the following contents:

auth      required  pam_deny.so
account   required  pam_deny.so
session   required  pam_deny.so
password  required  pam_deny.so

or slightly less easily by adding the appropriate check around line 100
of src/contrib/openpam/lib/openpam_dispatch.c, like NetBSD did:

	if (chain == NULL)
		RETURNC(PAM_SYSTEM_ERR);

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Aug 23 10:07:27 2005
Message-ID: <20050823120630.q2tfbx2kg44w8o4s@netchild.homeip.net>
Date: Tue, 23 Aug 2005 12:06:30 +0200
From: Alexander Leidinger
To: Stephen Major
References: <43096afc.203c14ca.61c4.6d63@mx.gmail.com>
In-Reply-To: <43096afc.203c14ca.61c4.6d63@mx.gmail.com>
Cc: freebsd-security@freebsd.org, remko@freebsd.org, 'Pat Maddox', 'FreeBSD Questions'
Subject: RE: Security warning with sshd

Stephen Major wrote:
> This is due to a mis-configured firewall. If you are using IPFW there are
> many tutorials out there that tell you to do the wrong thing. And almost all
> of them contradict each other. Below is a basic script that only allows in
> and out SSH sessions and blocks all the garbage. Of course you must add any
> other services you need. The key here is that you allow connections from any
> to any established. Then on all outgoing tcp connections be sure to use the
> setup keep-state flags. The keep-state flag puts the rule into the dynamic
> rules table. Then the allow connections from any to any established allows
> already established connections to flow without going through the ruleset
> again. When I did this the error messages you are now experiencing went
> away.

I'm *dis*allowing established connections in my firewall, and everything
works as expected. You just need to expect the right thing. :-)

"established" is a non-stateful filter rule, so it matches on the
presence/absence of some TCP flags. I can't get to the ipfw statistics
yet, but there are a lot of established packets which are rejected.
Needless to say that there's normal traffic (ssh, https, smtp, imaps, ...)
which goes through the firewall just well.

> ### check the traffic's state
> $ipfwcmd $flags add 00500 check-state

Here you have the stateful equivalent of the "established" rule, so every
successfully set-up connection ("keep-state") already passes because of
this rule.

> $ipfwcmd $flags add 00501 allow tcp from any to any established

Here you can switch to "reject" or "deny" instead of allowing it.
Everything should just continue to work (if it doesn't, most likely you
forgot a "keep-state" somewhere). With this a reconfiguration of the
firewall results in dropping established connections.

> ###### outbound section ######
>
> ### Allow out ssh
> $ipfwcmd $flags add 02150 allow tcp from me 22 to any out via $oif
> setup keep-state

What are you trying to do here? Outgoing connections from ssh clients
have a src port above 1024.

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
Avoid strange women and temporary variables.

From owner-freebsd-security@FreeBSD.ORG Tue Aug 23 12:16:12 2005
From: "Stephen Major"
To: 'Alexander Leidinger'
Date: Tue, 23 Aug 2005 05:14:55 -0700
In-Reply-To: <20050823120630.q2tfbx2kg44w8o4s@netchild.homeip.net>
Message-ID: <430b138a.7c0e796e.1155.547a@mx.gmail.com>
Cc: freebsd-security@freebsd.org, remko@freebsd.org, 'Pat Maddox', 'FreeBSD Questions'
Subject: RE: Security warning with sshd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The issue he is having: I had the exact same problems; as soon as I changed
my config to the one below, poof, no more problems. You can set your firewall
however you want. I was just saying what gets rid of the problem he is
having with ssh.

So instead of ripping apart what I have said, why do you not provide a better
solution to the original question asked?

- -----Original Message-----
From: Alexander Leidinger [mailto:Alexander@Leidinger.net]
Sent: Tuesday, August 23, 2005 3:07 AM
To: Stephen Major
Cc: remko@freebsd.org; 'Pat Maddox'; freebsd-security@freebsd.org; 'FreeBSD Questions'
Subject: RE: Security warning with sshd

Stephen Major wrote:
> This is due to a mis-configured firewall. If you are using IPFW there are
> many tutorials out there that tell you to do the wrong thing. And almost all
> of them contradict each other. Below is a basic script that only allows in
> and out SSH sessions and blocks all the garbage. Of course you must add any
> other services you need. The key here is that you allow connections from any
> to any established. Then on all outgoing tcp connections be sure to use the
> setup keep-state flags. The keep-state flag puts the rule into the dynamic
> rules table. Then the allow connections from any to any established allows
> already established connections to flow without going through the ruleset
> again. When I did this the error messages you are now experiencing went
> away.

I'm *dis*allowing established connections in my firewall, and everything
works as expected. You just need to expect the right thing. :-)

"established" is a non-stateful filter rule, so it matches on the
presence/absence of some TCP flags. I can't get to the ipfw statistics
yet, but there are a lot of established packets which are rejected.
Needless to say that there's normal traffic (ssh, https, smtp, imaps, ...)
which goes through the firewall just well.

> ### check the traffic's state
> $ipfwcmd $flags add 00500 check-state

Here you have the stateful equivalent of the "established" rule, so every
successfully set-up connection ("keep-state") already passes because of
this rule.

> $ipfwcmd $flags add 00501 allow tcp from any to any established

Here you can switch to "reject" or "deny" instead of allowing it.
Everything should just continue to work (if it doesn't, most likely you
forgot a "keep-state" somewhere). With this a reconfiguration of the
firewall results in dropping established connections.

> ###### outbound section ######
>
> ### Allow out ssh
> $ipfwcmd $flags add 02150 allow tcp from me 22 to any out via $oif
> setup keep-state

What are you trying to do here? Outgoing connections from ssh clients
have a src port above 1024.

Bye,
Alexander.

- -- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
Avoid strange women and temporary variables.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)

iQEVAwUBQwsTQqKXvLS903/FAQr/wgf8C6OO/3Y3iMoP4KZo3KvYD9JwcffcPtKC
dU3aeiGLYNpcJstUJLQ5TqjNg7fSjhGZ9f8cz5SneLY4KUny/PNLtRIc2r6dUyJ0
Du92KyQTdh8LTnExARcyIFnFpGCn0w83SVKIhmO7Ia6kQohLH2MhTr1EwJrZtry7
enG6E9FsZuBggjw7rp1J8N/pUfeof42igmg0ZLL4A3NQfTSZA0CKl6rX93rFVgc1
dSy9AOcC5QeVKXRbnFsIj5qoxjeHQvpQwtwQ1yXq9jwndGKBP49/nZXq0Yrs1Rvb
qcsmmr/FRzdDjm3oTvocroajIPsd+8AkeI3s5mmvYa9CtSBGy3IiYQ==
=Z+R6
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Aug 24 03:34:48 2005
Date: Tue, 23 Aug 2005 23:34:47 -0400 (EDT)
From: Robert Watson
To: Jacques Vidrine
Message-ID: <20050823233311.C85679@fledge.watson.org>
Cc: freebsd-security@FreeBSD.org
Subject: Re: New FreeBSD Security Officer

On Thu, 18 Aug 2005, Jacques Vidrine wrote:

> It has been my pleasure and privilege to serve as the FreeBSD Security
> Officer for the past 3+ years. With the crucial support of the FreeBSD
> Security Team members, a lot has been accomplished: hundreds of security
> issues have been researched and tracked, with some resulting in security
> advisories and patches; software in the Ports Collection is updated
> more quickly to remove vulnerabilities; flaws are well-documented in
> the Vulnerabilities and Exposures Markup Language (VuXML); communication
> with other software and hardware vendors, security researchers, and
> emergency response organizations has grown greatly; and the FreeBSD
> Security Branches are now supported for a much longer period of time over
> a greater number of releases. I'd like to thank the members of the
> security team over the past few years for these accomplishments:
> Eivind Eklund, Julian Elischer, Chris Faulhaber, Bill Fumerola, Daniel
> Harris, Trevor Johnson, Remko Lodder, Simon Nielsen, Christian Peron,
> Wes Peters, Josef El-Rayes, Tom Rhodes, Gregory Shapiro, Bruce Simpson,
> Dag-Erling Smørgrav, and Robert Watson. Several of our previous
> security officers have also given much help: Kris Kennaway, Warner Losh,
> and Guido van Rooij.

Jacques,

Just wanted to let you know that the FreeBSD community greatly appreciates
the work you've put in over the last few years. Your work has been
invaluable!

Thanks,

Robert N M Watson

From owner-freebsd-security@FreeBSD.ORG Tue Aug 23 16:54:41 2005
Message-ID: <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net>
Date: Tue, 23 Aug 2005 18:53:44 +0200
From: Alexander Leidinger
To: Stephen Major
References: <430b138a.7c0e796e.1155.547a@mx.gmail.com>
In-Reply-To: <430b138a.7c0e796e.1155.547a@mx.gmail.com>
Cc: freebsd-security@freebsd.org, remko@freebsd.org, 'Pat Maddox', 'FreeBSD Questions'
Subject: RE: Security warning with sshd

Stephen Major wrote:
> The issue he is having I had the exact same problems, as soon as I changed
> my config to the one below poof no more problems. You can set your firewall
> however you want. I was just saying what gets rid of the problem he is
> having with ssh.

I wasn't commenting on the ssh issue, since it isn't clear why the problem
exists. At least I haven't seen a problem analysis where the cause of this
was shown. Maybe I missed it. So your posting may be the right solution or
not. I don't know yet, and I don't care about this in this mail, since I
wasn't talking about the ssh issue (see below).

> So instead of ripping apart what I have said why do you not provide a better
> solution to the original question asked.

I wasn't ripping apart what you said. I just wanted to be helpful and share
a little bit of knowledge. You're mixing stateful with non-stateful rules
and this may result in unwanted packets traveling through the firewall. I
thought you (and maybe others) may be interested in this.

BTW.: in some environments this is a hole in the firewall and needs to be
fixed, so one shouldn't use this part of your example. Since the security
mailing list is in the CC, we can't let this problem go uncommented.

Another helpful suggestion: Please don't quote everything and please write
your comments below the parts where they belong. This is common behavior in
the FreeBSD lists and doing the opposite will result in less (useful)
responses from some members of the lists (because it makes the mail harder
to read and people may decide to not spend the time to read the mail and
point out problem solutions or small bugs in your offering of a solution).

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
To add insult to injury.
                -- Phaedrus

From owner-freebsd-security@FreeBSD.ORG Fri Aug 26 10:33:13 2005
Date: Fri, 26 Aug 2005 12:33:10 +0200
From: Anders Nordby
To: freebsd-net@FreeBSD.org, freebsd-security@FreeBSD.org
Message-ID: <20050826103310.GA94494@totem.fix.no>
X-PGP-Key: http://anders.fix.no/pgp/
X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956
Subject: Filtering jail IP traffic
freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Aug 2005 10:33:13 -0000 Hi, IP traffic from one jail to another jail, arrives on destination jail on lo0 having the destination jails IP as source IP. Why not the source jail's IP address? How can I filter traffic from one jail to another, using ipfw of ipf? Cheers, -- Anders. From owner-freebsd-security@FreeBSD.ORG Fri Aug 26 14:41:23 2005 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA28316A41F; Fri, 26 Aug 2005 14:41:23 +0000 (GMT) (envelope-from bra@fsn.hu) Received: from people.fsn.hu (people.fsn.hu [195.228.252.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3065D43D45; Fri, 26 Aug 2005 14:41:22 +0000 (GMT) (envelope-from bra@fsn.hu) Received: from localhost (localhost [127.0.0.1]) by people.fsn.hu (Postfix) with ESMTP id 0B8EE8441E; Fri, 26 Aug 2005 16:41:20 +0200 (CEST) Received: from people.fsn.hu ([127.0.0.1]) by localhost (people.fsn.hu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 59952-01-3; Fri, 26 Aug 2005 16:41:13 +0200 (CEST) Received: from [172.16.129.72] (japan.t-online.co.hu [195.228.243.99]) by people.fsn.hu (Postfix) with ESMTP id 7795C8441F; Fri, 26 Aug 2005 16:41:13 +0200 (CEST) Message-ID: <430F2A09.5000301@fsn.hu> Date: Fri, 26 Aug 2005 16:41:13 +0200 From: Attila Nagy User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050725) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Anders Nordby References: <20050826103310.GA94494@totem.fix.no> In-Reply-To: <20050826103310.GA94494@totem.fix.no> Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at fsn.hu Cc: freebsd-net@FreeBSD.org, 
freebsd-security@FreeBSD.org Subject: Re: Filtering jail IP traffic X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Aug 2005 14:41:23 -0000 Anders Nordby wrote: > IP traffic from one jail to another jail, arrives on destination jail on > lo0 having the destination jails IP as source IP. Why not the source > jail's IP address? > How can I filter traffic from one jail to another, using ipfw of ipf? AFAIK (at least with pf), you can't really filter on loopback interfaces. Last time I tried, I could not filter on TCP or UDP ports, filtering from and to IP and protocol worked. -- Attila Nagy e-mail: Attila.Nagy@fsn.hu Adopt a directory on our free software phone @work: +361 371 3536 server! http://www.fsn.hu/?f=brick cell.: +3630 306 6758